Privacy Statement for consumer customers

Privacy statement for consumer customers (B2C)

Last updated January 2024

This Privacy Statement informs about the processing of personal data of consumers in connection with sales and marketing of Ruukki and Plannja products and services for consumer customers. It answers the questions of what personal data we collect, use or share, for what purposes the data is collected and what rights persons have.

As Ruukki and Plannja are a part of SSAB group of companies, the personal data of consumer customers and potential consumer customers is processed not only by Ruukki and Plannja companies, but partly also by other companies and affiliates belonging to SSAB group (together referred to as “Ruukki”).

You can find more information about how SSAB/Ruukki, processes personal data of corporate customers, potential corporate customers, supplier representatives, other intermediaries and business partners, site visitors or internal and digital users visiting the website or other digital service platforms at https://www.ssab.com/en/privacy-statement.

SSAB has nominated a Group Data Protection Officer (DPO), who can be contacted for additional information or any inquiries or requests on personal data processing. Our Data Protection Officer can be contacted at: data.privacy@ssab.com.

Our websites may contain links to websites and services of third parties. These websites or services are subject to their own privacy statements. We do not take any responsibility of third parties’ privacy statements or the processing of personal data in third parties’ operations. Please pay attention to their respective privacy statements and subsequent changes to them.

1. DATA CONTROLLER

The data controller responsible for consumer customers’ and potential consumer customer’s personal data is primarily the local Ruukki/Plannja company. The local Ruukki/Plannja company is regarded as the data controller in the contractual or other cooperation relationship with you or in connection with certain statutory personal data processing and compliance with local legal requirements of an individual legal entity.

Details about Ruukki locations and contact information can be found at https://www.ruukki.com/about-ruukki/company/locations.

Your personal data may be shared for administrative purposes and to facilitate Ruukki’s business operations. The information of SSAB group of companies and affiliates can be found in the latest Annual Report at https://www.ssab.com/en/company/investors/reports-and-presentations and at https://www.ssab.com/en/company/about-ssab/our-business.

In addition, certain personal data processing also takes place on SSAB group level. The data controller responsible for such processing activities is SSAB AB (registration number: 556016-3429, address: P.O. Box 70, SE-101 21 Stockholm, Sweden). This includes accountability for all data processing on a corporate level, for example for marketing and digital service tools provided group-wide at SSAB.

Regardless of the data controller in a specific situation, the primary contact for privacy matters in SSAB and Ruukki is our Data Protection Officer, who can be contacted at: data.privacy(at)ssab.com.

SSAB and Ruukki are responsible for ensuring that personal data is processed in compliance with this Statement and applicable data protection laws.

2. LEGAL BASIS AND PURPOSE OF PROCESSING PERSONAL DATA

We process the personal data of consumer customers, potential consumer customers and website visitors (together referred to as “Customers”) for various purposes, which are explained below.

2.1 Contractual and other interaction with Customers

The main purpose of processing personal data is to deliver our products and services, as well as to source services and material for our business needs, and provide website and other digital services. The processing of personal data is primarily based on contract, including processing needed prior to entering into a contractual relationship to which the data subject is a party. In some cases, the processing is based on our legitimate interest to process data for being able to communicate with customers and potential customers, or for other purposes necessary to establish or mange the business relationship, including for example any required checks for credit worthiness.

2.2 Marketing and communications

Customers’ personal data is used to manage customer communications and for marketing purposes. In this respect, processing can be based on Ruukki's legitimate interest to provide existing Customers with relevant and up-to-date information as part of the website as well as through other digital platforms and services. Processing can also be based on Ruukki's legitimate interest to promote Ruukki's latest products and services as well as to personalize the existing Customers’ user experience and to evaluate customer satisfaction. In certain regions, marketing via electronic means is based on prior consent, for example for sending marketing messages. A Customer should refer to section 6 below for further information about marketing communications and individual rights in this respect. In most cases when it concerns consumer Customers, marketing activities are based on consent with certain exceptions.

2.3 Product and services development purposes

Ruukki aims to provide high-quality products and services and to give Customers relevant information about those products and services. Therefore, Ruukki may use certain personal data to analyze the market, Customer groups and use of websites or services for the purpose of developing and improving the quality of the website and Ruukki's products and services. This processing is based on Ruukki's legitimate interest to grow and develop. This can also include building User group profiles and profiles of individual customers or contacts by combining personal data collected by cookies or similar techniques, upon User’s consent for measurement and targeting purposes, with other existing information about the Users. This type of information can be used to improve our service offering and for marketing purposes as long as there is a valid legitimate interest or, if required, a User has provided a consent for use of personal data for marketing.

Ruukki uses cookies and other similar techniques inter alia for statistical purposes, for example to compile aggregated statistics that allow Ruukki to understand how Customers use the website and increase user-friendliness. Please see SSAB's Cookie Statement for further information related to statistical and other purposes of using cookies and the legal basis thereof.

2.4 Compliance with statutory obligations and legal proceedings

Sometimes personal data may be used to comply with a legal obligation. In Ruukki’s business operations, this means for example that personal data processing may be needed in order to be in compliance, with statutory requirements that relate i.a. to bookkeeping, reporting and audit or whistleblowing procedures. In addition, certain personal data may be stored for dispute resolution purposes to be able to establish and defend legal claims.

2.5 Processing of personal data internally within SSAB group

In addition to the legal entity that the Customer has been interacting with, the Customer’s personal data may also be processed by other companies belonging to SSAB group. In this case, the processing of personal data can be based on contractual obligation or SSAB's or Ruukki’s legitimate interest for internal administrative purposes to organize and manage e.g. customer and supplier relationships, marketing as well as information security measures and other business functions within the group in an appropriate and practical way.

3. COLLECTION OF DATA

Ruukki may collect personal data through different means, which are explained below.

3.1 Business relationship

Ruukki processes personal data for the purpose of maintaining a good business relationship, for example when providing and delivering products or services, maintaining Customer communications, sourcing material, products and services for its business needs, or otherwise interacting with business partners or other stakeholders. This personal data is mostly collected directly from Customers themselves.

Depending on the Customer’s interaction, Ruukki may collect the following personal data:

Basic information about the Customer, such as name, email address and phone number, home address, delivery address, social security or identification number (depending on country);
Information relating to the contractual relationship, such as products and services sourced or delivered, photographs related to delivery of products/services, the starting and end time of the business relationship, information required to prepare an offer, warranty information, contractual information;
Billing and credit information, such as account numbers, invoicing details, payments made and outstanding and bills delivered; and
Customer communications, including feedback, marketing and campaign history information.

3.2 User's interaction with Ruukki on website or otherwise

Ruukki may collect personal data when Customers contact Ruukki's customer service, e.g., by filling in forms, use website chat, deploy Ruukki’s digital service platforms, contact Ruukki otherwise, order Ruukki's newsletter or participate in surveys or competitions on websites or elsewhere. This personal data is collected directly from the Customers themselves. Ruukki may collect personal data that the Customer has shared with Ruukki, such as

Basic information, such as name, postal address, email address and phone number; information needed to make an offer to the Customer
Reasons for contacting Ruukki and details related to contact; and
Surveys and competitions participated in.

3.3 Automatically collected data of the use of website and services

Ruukki collects and processes the following technical data about the website visitors and the use of the website, products and services provided by Ruukki:

IP address, device ID, device type, operating system used and application settings;
User activity such as pages viewed and items ‘clicked’ on;
timestamps and log data relating to the use of the service; and
location/country of origin.

This technical data is collected through the use of website and services. Ruukki asks for Customers’s consent for using other than strictly necessary cookies. More information about the use of cookies and similar technologies on Ruukki websites can be found in the SSAB Cookie Statement.

3.4 Data collected from other sources

In some cases, the Customer contacts Ruukki’s reseller directly to order the products or services. We may receive data from resellers in circumstances where it may be required to process the Customers’ information in order to fulfil the contract. Some information may also be collected by our contractors in connection with the delivery of products and services.

Ruukki may, from time to time, also collect information from publicly available sources and third parties, such as social networks and marketing companies. For example, Ruukki may receive basic information about the Customer's social network profile, if the Customer interacts with Ruukki's website or services using a social network account.

4. SHARING OF DATA

Ruukki may disclose or transfer Customers' personal data to the following third parties which may act on Ruukki's behalf as data processors or as independent data controllers, depending on the case:

other SSAB group companies for the purposes listed above;
trusted service providers or Ruukki partners, such as suppliers, agents, distributors and marketing service providers for the purposes listed above. This also includes contractors that require certain information in order to assist in providing the product or service. To the extent that these trusted service providers act on Ruukki's behalf, and not as independent data controllers, Ruukki remains responsible for the use of Customers' personal data.;
when permitted or required by law to comply with requests by competent public authorities such as subpoenas or similarly binding acts;
if Ruukki is involved in a merger, acquisition, or sale of all or a portion of its assets; and
when Ruukki believes in good faith that disclosure is necessary to protect Ruukki's rights, investigate fraud or other violations of law, or respond to a government request.

5. TRANSFER OF PERSONAL DATA OUTSIDE OF THE EU/EEA

5.1 Intra-group transfers

As some SSAB group companies are located outside of the EU/EEA, Customers’ personal data may be transferred outside of EU/EEA, such as to the United States. In these circumstances, we will use the required established mechanisms for the transfer outside of the EU/EEA, including the Standard Contractual Clauses approved by the European Commission. Please contact data.privacy(at)ssab.com for more information about the applicable safeguards for international data transfer in question.

5.2 Service providers located outside of the EU/EEA

Ruukki may use subcontractors for the personal data processing set out above. When necessary and to the extent required, personal data may be transferred to a country outside of the EU/EEA. In this case, Ruukki will use the required established mechanisms that allow the transfer to subcontractors in those third countries, such as the Standard Contractual Clauses approved by the European Commission and additional safeguards to protect the transferred personal data. Please contact data.privacy(at)ssab.com for more information about the applicable safeguards for international data transfer in question.

6. MARKETING COMMUNICATIONS

When a Customer provides Ruukki with contact details, for example, in connection with the sale of a product or service, contacts Ruukki’s customer service, orders materials or service on the website or participates in competitions or surveys, Ruukki may use the Customer's personal data for marketing purposes and to promote products and services as well as to personalize the user experience. Pursuant to applicable laws, Customers are given the opportunity to give their prior consent or are allowed the opportunity to opt-out of receiving marketing communications from Ruukki.

6.1 eMarketing

Ruukki may provide a Customer with newsletters and other communications about existing or new products and services by email and text message (SMS) if the Customer has given prior consent or if Ruukki is otherwise permitted to do so under applicable law. You may unsubscribe from marketing communications at any time by clicking on the "unsubscribe" link located at the bottom of emails.

6.2 Statistics and segregation

Ruukki may create user group profiles or segment data for the purpose of creating aggregated statistics about the use of Ruukki's websites, products and services, such as to estimate the number of website visitors, viewed pages, email reads and detect which parts of the website users find the most useful, to identify features that could be improved and to provide context based advertising. Data collected for these purposes is not used to identify a particular user but to analyze how users in general or user groups use the website or services.

6.3 Targeted advertising

Ruukki or its advertising partners may display content or advertisements to a Customer, for example, the Customer might see an advertisement for a recently viewed product on Ruukki's website. Ruukki uses cookies and other similar technologies to display personalized adverts based on, for example, the Ruukki's browsing, purchase history or log-in information.

When Ruukki collects or uses information about a Customer's web browsing for e-marketing purposes, this will be based either on Customer’s consent or, if allowed by applicable law, Ruukki’s legitimate interest. If the processing of information about Customer is based on a legitimate interest, the Customer has the right to object to this at any time by contacting Ruukki. Regarding the right to object, please refer to section 8 below for further information.

7. RETENTION OF PERSONAL DATA

The personal data will be retained only for as long as necessary to fulfill the purposes defined in this Privacy Statement. After that, personal data will be removed except when personal data retention is required by law or rights or obligations by either party. Here are the main rules for the retention periods:

Personal data regarding Customers will be retained during the business relationship and after that for as long as necessary or required by law or rights or obligations by either party, for example for billing, bookkeeping or warranty purposes;
Data collected in connection with customer service, other interaction with SSAB, surveys and competitions will be retained for as long as necessary to manage and handle the matter in question.
Ruukki will delete or anonymize data used for marketing purposes after a reasonable period of time has lapsed from last contact between the Customer and Ruukki, unless data retention is required by law or rights or obligations by either party.
Should a Customer have a concern about data retention for marketing purposes, the Customer should refer to section 8 below for further information about Customer's rights in this respect.

8. PRIVACY RIGHTS

A Customer has the right to access personal data that Ruukki holds about him or her.

A Customer has the right to request their personal data to be corrected, updated or removed at any time. However, please note that certain information is strictly necessary in order to fulfil the purposes defined in this Statement and may also be required by law. Therefore, the deletion of such data may not be allowed by applicable law which prescribes mandatory retention periods or if there is an overriding interest to keep processing the data for the intended purpose.

A Customer has a right to object to processing that is based on a legitimate interest of Ruukki on grounds relating to their particular situation at any time. Furthermore, when Ruukki collects or uses information about a Customer's web browsing for e-marketing purposes, the Customer has the right to object to this at any time by contacting Ruukki. In addition, whenever the processing of personal data is based on User’s consent, a User has the right to withdraw the consent at any time. The way in which Users can exercise their right to object or withdraw their consent depends on the processing purpose and activity in question. These rights can be at all times exercised also by contacting SSAB by email at data.privacy@ssab.com. To the extent required by applicable data protection law, Customers have a right to restrict data processing.

A Customer has a right to data portability, i.e. the right to receive the personal data in a structured, commonly used machine-readable format and transmit the personal data to another data controller, to the extent required by applicable law. This applies only to personal data provided by the Customer based on customer contract or the Customer's consent.

Please send any requests regarding the above-mentioned rights to Ruukki at data.privacy(at)ssab.com. Any requests related to the exercise of privacy rights will be responded within one month or within the applicable regulatory time limit.

In case you wish to exercise any of your data privacy rights, our Data Privacy Organization can be contacted at data.privacy(at)ssab.com. We will use reasonable efforts to address and clarify any requests or complaints you might bring to our attention. In addition, you always have the right to approach, make a request or file a complaint to the competent data protection authority.

9. SECURITY

Ruukki maintains reasonable security measures, including physical, electronic and procedural measures, to protect personal data from loss, destruction, misuse, and unauthorized access or disclosure. For example, Ruukki limits access to this information to authorized employees and contractors who need to know that information in the course of their work or assignment and to third party service providers who may only process data in accordance with instructions provided by Ruukki.

Please be aware that although Ruukki endeavors to provide reasonable security measures for personal data, no security system can prevent all potential security breaches.

10. CHANGES TO THIS PRIVACY STATEMENT

Ruukki may amend this Privacy Statement and the related information. Ruukki recommends that Customers regularly access the Privacy Statement to find out about any changes to it. Ruukki will always provide the date of the Privacy Statement to allow the Customers to see changes. Please note that this Privacy Statement is for information purposes only.

Ruukki will inform Customers of any substantial changes by using reasonable and available channels.

11. DATA PROTECTION OFFICER’S CONTACT DETAILS

Our global Data Privacy Organization supports with any data protection and data privacy related requests or any other questions, concerns, comments or complaints.

SSAB Group has also nominated a Group Data Protection Officer (DPO) who performs the following tasks:

informs and advises SSAB organization and its employees about obligations pursuant to the EU General Data Protection Regulation (GDPR) and to other Union or Member State data protection provisions in relation to the data processing carried out by SSAB,
monitors compliance with the GDPR and with other Union or Member State data protection provisions and with SSAB’s policies related to the protection of personal data,
takes care of assignment of responsibilities, data protection awareness and training of employees involved in processing operations, and the related audits, and
provides advice on data protection impact assessments and monitoring their performance.

The DPO also co-operates with the supervisory authority and acts as the contact point for the supervisory authority on issues relating to processing, and to consult, where appropriate, regarding any other matter.

Our Data Privacy Organization and the Group Data Protection Officer (DPO) can be contacted at data.privacy(at)ssab.com.