Your privacy is important to us. This privacy notice aims to give you a general idea on how we at Ensto Group collect, store, use and disclose your personal information whenever you purchase or use our products and services, visit our website, or work or otherwise interact with one of our local Ensto group companies. This privacy notice also aims to spell out the conditions that govern how we process and protect that information and the rights you have in relation to your personal data.
Please note that this privacy notice is not an exhaustive description of how we process your personal data. We may process your personal data in various circumstances and have therefore, for your convenience, prepared this general privacy notice to cover the most essential information that applies to all our processing activities. In case you are looking for more detailed information, we have also prepared separate and comprehensive privacy policies for each category of circumstances when we process your data. You may find links those privacy policies at the bottom of this page.
It is important that you read this at least this privacy notice, but preferably the specific privacy policy applicable to your particular situation, so that you are aware of how and why we are using your personal data. Please note that this policy does not form part of any contract to provide services to you or other parties. We may update this policy at any time in accordance with applicable data protection laws and will make an updated version available to you.
We have divided this privacy notice into different sections, so that you may easily find the information that interests you the most:
1. Introduction
2. Controller information
3. Purposes and legal bases of data processing
4. Categories of personal data and their retention periods
5. Sources of personal data
6. Recipients of personal data
7. Profiling
8. Your rights
8.1 Access
8.2 Rectification
8.3 Erasure (right to be forgotten)
8.4 Restriction of processing
8.5 Data portability
8.6 Object
8.7 Withdrawing your consent
8.8 Complaints
9. How to contact us
Please note that you have the right to object, on grounds relating to your particular situation, to the processing of your personal data at any time when we process your data based on our legitimate interests. Please see sections 4 and 8.6 of this document for further information.
Your personal data may be processed by one or more companies within the Ensto Group. Such company or companies may act as the controller(s) of your personal data, meaning that they decide what data is collected about you, how it is collected and for what purposes. In case they do not act as controllers, they may act as processors, meaning that they process your personal data on the controller’s behalf.
For example, if you are:
- Ensto Oy’s customer or partner, the controller of your personal data is Ensto Oy;
- Ensto Chago Oy’s and Ensto Finland Oy’s customer, they are both controllers of your customer data;
- Ensto Sweden AB’s potential customer, the controller of your personal data is Ensto Sweden AB;
- Ensto France SAS’s employee, the controller is Ensto France SAS;
- looking for career opportunities at, e.g., Ensto UK Ltd, it acts as the controller of the job application and other related data you have provided them in connection with your application;
- interested in career opportunities within the Ensto Group in general, your data may be processed by multiple Ensto group companies in a number of countries, each acting as a controller; or
- just visiting our website, the controller is Ensto Oy.
Please consult the privacy policy applicable to your particular situation for more detailed information privacy@ensto.com.
On occasion, we engage third parties outside the Ensto Group to process your personal data, either on our behalf or as controllers, depending on the situation. Please find a list of such third parties below, all of which may not apply to your particular case:
• Outside legal counsels
• Tax and other relevant authorities
• Auditors
• IT system management service providers
• Information security service providers
• Telephone service providers
• Event organizers
• Suitability test providers
• Business partners: distributors, suppliers and vendors, business-to-business customers in case you have permitted us to use you/your company as reference
• Third party as part of a merger or an acquisition
• Travel agencies, flight/ferry companies, hotels etc
• Leasing companies
• Occupational health service providers
• Recruiting companies
• Temporary staffing companies
• Training companies
• Survey companies
• Outsourced accounting and/or payroll companies
• Other cooperation partners (such as suppliers)
Please note that while most of the parties processing your personal data (either within or outside the Ensto Group) are located in Finland or elsewhere in the EU or EEA, some of those parties may be located or process data in third countries, depending on the person whose data is being processed and the situation at hand. If we and/or our service providers processing data on our behalf transfer your personal data from a country within the EU or the EEA to countries outside the EU or the EEA, the transfer is subject to standard data protection clauses adopted by the EU Commission or other appropriate safeguards such as binding corporate rules, unless the EU Commission has found that the level of data protection is adequate in the country in question. You can obtain a copy of said safeguards by contacting the contact person referred to in Section 2.1.
We are happy to assist you in case you have any questions or concerns over the processing of your personal data or the exercise of your rights. In order for us to provide you with sufficient information and pragmatic advice, we ask you to send your questions or comments in writing to the contact person indicated above in Section 2.1.
We may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
We only process your personal data when it is necessary and when we have legal grounds to do so. Depending on your particular situation, we may process your personal data for example for the following purposes:
Purpose |
Legal basis |
Creating, maintaining and enhancing Ensto group companies’ products, services and stakeholder relationships, and providing services related thereto |
|
Providing products and services and stakeholder management |
|
Complying with contractual obligations |
|
Business management and planning |
|
Organizing meetings and events |
|
Stakeholder communications and surveys |
|
Crisis communication |
|
Complying with legal obligations |
|
Supporting network and system security |
|
Identification purposes |
|
Direct marketing of Ensto group companies’ products and services (including newsletters), informing of events organized or attended by Ensto group companies such as fairs |
|
Recruitment and selection of employees |
|
Providing newsletters and chat services to website visitors |
|
Website and newsletter analytics |
|
Please find more detailed information in the privacy policy applicable to your situation.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymize your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. We may also be required to retain data longer than described below if necessary for an ongoing legal process or to comply with a decision from a court or authority.
Most typical personal data and their retention periods are listed below, but please consult the privacy policy applicable to your situation for more detailed information.
Data subject |
Data |
Retention periods |
Employees and job applicants |
Name, title and contact information: home address, home and work telephone number, private and work email, date pf birth, gender, education and training details, CV |
|
Permissions and consents |
|
|
Photographs |
|
|
Suitability test results |
|
|
Customers, partners, and potential customers |
Name of stakeholder, name and title of contact persons/representatives of stakeholder, Ensto group companies’ contact person, and contact details of the aforementioned: address, telephone number, email, permissions and consents, contractual details including goods and services provided, contact requests and claims, payment history |
|
Photographs |
|
|
Newsletter or other direct marketing subscriptions and analytics (e.g. about how many times you have opened a marketing email) |
|
|
Website visitors |
Name, company information, email, telephone number, relation to Ensto, product information and other data provided in connection with service requests, permissions and consents |
|
Newsletter subscriptions and analytics (e.g. about how many times you have opened a marketing email) |
|
|
Electronic identification data including IP address and information collected through cookies, device ID, Ensto website analytics, user browser history, user activity details and preferences |
|
We collect your personal data mainly directly from you. However, we may collect personal data also from the below-listed organizations and sources, among others:
• Ensto group companies
• Recruiting companies
• Companies providing credit reference information
• Professional social networking channels and social media channels
• Temporary staffing companies
• Cookies and other similar technologies
• External contact lists obtained from customers, suppliers, distributors, vendors and other business partners as well as during seminars, events, and exhibitions
Please find more detailed information in the privacy policy applicable to your situation. Also, please note that depending on the situation, we may be required to request your consent prior to collecting your data, in which case the consent will be asked from you separately. We may also be required to inform you of any information collected from the above sources and will then let you know accordingly of any such information prior to using it in any decision-making concerning you.
The provision of personal data is not mandatory but may be required in order for us to provide services and products to you or enter into a contract with you, communicate with you or personalize our marketing and communications to suit you best. Once you have entered into a contract with us, the provision of personal data may also be an implicit contractual requirement in order for us to comply with its contractual and legal obligations. In case you do not provide us with the data we request, we might not be able to do business with you, contact you, or recruit you, and may be prevented from complying with our obligations, and thus we may be forced to terminate our contractual or other relationship with you.
We may use cookies and similar technologies when we send out newsletters and marketing messages to collect and analyze analytics, user browser history, user activity details and preferences. Based on our findings we may, for example, provide you with tailored marketing messages. For more information about the cookies we use and how you can choose not to be subject to them, see our cookie policy at https://www.ensto.com/terms-and-conditions/cookies-policy/.
We may ask employees to participate in occupational personality tests to assess, for example, personal behavioral preferences, i.e. how you like to work. We may also use third party recruiting tools when recruiting new employees. It is not compulsory to take party in any such test. The tests and tools previously mentioned often generate reports on the results automatically. We will share any reports generated with you and you will have a chance to provide your views on the results either orally or in writing.
You have the right to obtain from us confirmation as to whether or not we process your personal data, and, when we do process such data, you have the right to obtain access to your personal data and the following information:
• the purposes of processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom personal data have been or will be disclosed, in particular recipients in countries outside the EU and EEA or international organizations;
• where possible, the envisaged period for which personal data will be stored or, if not possible the criteria used to determine that period;
• the existence of the right to request from us the rectification or erasure of personal data or restriction of processing of personal data concerning you or to object such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from you, any available information as to their source;
• the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you; and
• the appropriate safeguards applied to transfers of personal data to countries outside the EU and EEA
You have the right to receive a copy of the personal data undergoing processing as long as the copy does not adversely affect the rights and freedoms of others. For any further copies requested by you, we may charge a reasonable fee based on administrative costs. In case you have participated in a suitability test, we will provide you with the test results free of charge upon your request.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us or during the recruitment process.
You have the right to have your inaccurate personal data rectified by us without undue delay. You also have the right to have incomplete personal data completed.
We will communicate any rectification of your personal data to each recipient to whom we have disclosed your personal information, unless this proves impossible or involves disproportionate effort. We will inform you about those recipients upon your request.
You have the right to have your personal data erased by us without undue delay where one of the following grounds applies:
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• you withdraw your consent on which the processing is based and there is no other legal ground for the processing;
• you object to the processing and there are no overriding legitimate grounds for the processing;
• you object to the processing of your personal data for the purposes of direct marketing;
• your personal data have been unlawfully processed; or
• the personal data have to be erased for compliance with a legal obligation to which we are subject.
Please note that the GDPR recognizes situations where processing may be necessary regardless of the applicability of the abovementioned grounds. We will always inform you separately of such circumstances and our grounds for processing.
We will communicate any erasure of your personal data to each recipient to whom we have disclosed your personal information, unless this proves impossible or involves disproportionate effort. We will inform you about those recipients upon your request.
You have the right to restrict the processing of your data in the following situations:
• you contest the accuracy of the personal data we process and as a result processing is restricted while the accuracy is verified;
• the processing is unlawful, but you oppose to the erasure of the personal data and instead request us to restrict their use;
• we no longer need the personal data for the purposes of the processing presented in this document, but the data are required by you for the establishment, exercise, or defence of legal claims; or
• you have objected to processing on grounds relating to your particular situation and such processing is legally based on our legitimate interests as presented in this document, and as a result processing is restricted while it is verified whether our legitimate grounds override those of yours.
If your processing has been restricted, we will inform you before the restriction is lifted.
We will communicate any restriction of processing to each recipient to whom we have disclosed your personal information, unless this proves impossible or involves disproportionate effort. We will inform you about those recipients upon your request.
You have the right to receive your personal data that you have provided to us, in a structured, commonly used and machine-readable format (such as XML-format with relevant meta data), and you have the right to transmit such data to another controller, when:
• we process your personal data based on your consent; or
• we process your personal data because it is necessary for the performance of our contract with you; and
• we process such personal data by automated means; and
• this right does not adversely affect the rights and freedoms of others.
In the above situation, you also have the right to have your personal data transmitted directly from us to another controller, where that is technically feasible.
You have the right to object to processing of your personal data at any time on grounds relating to your particular situation, if we process your personal data based on our legitimate interests as presented in this document. After such objection, we will no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing and these grounds override your interests, rights and freedoms, or unless we need them for the establishment, exercise or defense of legal claims.
In the limited circumstances we process your personal data based on your consent, you have the right to withdraw such consent at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so.
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, in case you feel we are not complying with applicable data protection legislation.