Data protection information to customers

Processing of Customer data

We are committed to protect your personal data and comply with applicable data protection law, in particular the EU General Data Protection Directive ("GDPR"), and we only process your personal data on the basis of a statutory provision or if the data subject has declared consent.

In this data protection information, we explain which information (including personal data) are processed by us in connection with the business relationship between you and us.

Who is responsible for the processing of personal data?

The controller responsible for the processing of personal data is Xella Finland, Krookustie 3, FI-40520 Jyväskylä, 400 660 114, Any reference to "we" or "us" in this data protection information is a reference to the aforementioned entity. Our data protection officer may be contacted via the aforementioned means.

Which data we process?

The performance of our business relationships requires the processing of data related to our customers. If this data concern a natural person (e.g. if you are a single trader and enter into a business relationship with us), it is considered as personal data. Regardless of the legal form of our contract partners, we process data concerning the contact persons acting for a customer.

Please make this data protection information available to the persons within your organization that are involved in the business relationship with us ("contact persons")

Basic data: We process certain general data concerning our customers and the contact persons as well as the business relationship with us, collectively "basic data". Basic data include

any information provided to us in the course of establishing a business relationship or requested by us from our customers or a contact person (e.g., name, address and other contact details; [and]any information collected and processed by us in connection with the establishment of the business relationship (e.g., the details of the agreements entered into)

Performance data:
We process personal data collected in the course of the business relationship other than by merely updating basic data and that we refer to as "performance data". Performance data include

Information on the performance of contractual obligations by our customers on the basis of the agreements entered into;Information on the performance of contractual obligations by us on the basis oft he agreements entered into;Information provided by a customer or a contact person in the course of our business relationship, be it actively or upon our request; personal data that are provided to us in the course of our business relationship by our customer, a contact person or by third parties;

To the extent permitted by law, we can add personal data provided by third parties to the aforementioned basic and performance data. Such data may include information regarding the commercial standing / rating of our customers if necessary for the assessment of financial risks (e.g. late payments).

For which purposes and on which legal basis do we process your personal data?

We process basic, performance and usage data for the performance of the contractual relationships with our customers or for pre-contractual measures on the basis of Article 6 para 1 b) GDPR. Regardless of the legal form of our customers, we process basic and performance data concerning one or more contact persons for the purpose of our justified interest in the performance of the business relationship on the basis of Article 6 para 1 f) GDPR.

We may process basic, performance and usage data also for compliance with legal obligations to which we are subject; this processing is based on Article 6 para 1 c) GDPR. Legal obligations may in particular include the mandatory disclosure of personal data to (tax) authorities.

To extent necessary, we process personal data (in addition to the processing for the purposes of the business relationship or to comply with legal obligations) for the purposes of our justified interests or the justified interests of a third party on the basis of Article 6 para 1 f) GDPR. Justified interest may include

group-wide processes for internal administration of customer datathe establishment of or defence against legal claimsthe prevention and investigation of criminal offencesmaintenance of security for our information technology systemsthe maintenance of security of our premises and infrastructuremanagement and further development of our business operations including risk management

If we provide to a natural person the option to declare a consent in the processing of personal data, we process the personal data covered by the consent for the purposes specified in such consent on the basis of Article 6 para 1 a) GDPR.

Please note that

the declaration of consent is voluntarily,that failure to declare consent or the withdrawal of a consent may, nevertheless, have consequences, and we will inform about such consequences before you are given the option to declare your consentconsent may be withdrawn at any time with effect for the future, e.g. by providing notice to us via mail, fax, email using the contact information specified on the first page of this data protection notice

Is there an obligation to provide personal data?

The provision of the basic and performance data specified in section II above is necessary for entering into and maintaining a business relationship with us, unless specified otherwise before or at collection of the data. Without the provision of these data, were are not able to enter into and maintain a business relationship.

If we collect additional data, we will indicate if the provision of such information is based on a legal or contractual obligation or necessary for the performance of an agreement. We usually indicate which information may be provided voluntarily and is neither based on a legal or contractual obligation nor necessary for the purposes of an agreement.

Who has access to personal data?

Personal data are generally processed within our company. Depending on the categories of personal data, only dedicated departments / organizational units are granted access to your personal data. Such units include in particular the [#Sale department#] and – if data are processed via our IT infrastructure – also our IT department. Based on a role / rights management concept, access to personal data is limited to the functions and the extent necessary for the respective purpose of the processing.

If and to the extent permitted by law, we may transfer your personal data to recipients outside of our company. Such external recipients may include

affiliated companies within Xella-group, to which we may transfer personal data for the purpose of internal administration of employee data;service providers that – on the basis of separate agreements with us – provide certain services possibly including the processing of personal data, as well as approved subcontractors of our service providers;private or public bodies, to the extent we are obliged to transfer your personal data on the basis of a legal obligation to which we are subject;

Do we use automated decision-making?

In the course of the business relationship we generally do not use automated decision-making (including profiling) within the meaning of Article 22 GDPR. If we apply such processes in the future, we will inform data subjects separately in accordance with the applicable statutory provisions.

Are data transferred to countries outside the EU / the EEA?

Personal data is processed only within the European Union or the European Economic Area; we do not intend to transfer personal data to other countries ("third countries").

How long are your data stored?

We generally store personal data as long as we have a justified interest in the retention of such data and there the interest of the data subject in refraining from the further processing do not prevail.

Even without a justified interest, we may continue to store the data if there is a legal obligation (e.g. to comply with statutory retention obligations). We delete personal data even without an action by the data subject as soon as further retention is no longer necessary for the purposes for which the data were collected or otherwise processed or if further retention is not permitted by law otherwise.

In general, basic data and the additional data collected in the course of the business relationship at least until the end of the respective business relationship. The data are deleted in any case if the purposes for the collection or processing were achieved. This point in time may be after the end of the business relationship with us. If personal data need to be stored to comply with a legal obligation, such data is retained until the end of the respective retention period. If personal data are only processed to comply with a statutory retention obligation, the access to such data is usually restricted so that the data are only accessible if needed for the purpose of the retention obligation.

What are the rights of a data subjects?

A data subject may request access to his/her personal data, Article 15 GDPR;request the rectification of incorrect personal data, Article 16 GDPR;request the erasure of his/her personal data, Article 17 GDPR;request the restriction of the processing of his/her personal data, Article 18 GDPR;exercise the right to data portability, Article 20 GDPR;object the processing of his/her personal data, Article 21 GDPR.

The aforementioned rights may be asserted against us, e.g. by providing notice to us via the contact details specified on the first page of this data protection information.

In case of further questions, the data subject may also approach our data protection officer.

In addition, the data subject is entitled to lodge a complaint regarding the handling of personal data with the competent supervisory authority, Article 77 GDPR.