Kemira Group Privacy Notice for customers, suppliers and other stakeholders

May 2018

1) What is the purpose and scope of this Privacy Notice?

Kemira is committed to protecting the privacy and security of your personal data. This Privacy Notice explains how we collect and use personal data about you and what rights you have under the applicable laws, particularly under EU’s General Data Protection Regulation (GDPR).

This Privacy Notice applies to the processing of personal data by any Kemira Group company in the EU with respect to:

• contact persons and representatives of Kemira’s prospective, current and former customers, suppliers and other business partners
• persons who visit our websites or submit their contact information e.g. to subscribe to our publications, leave an inquiry, request information, fill out a survey, participate in a competition or attend an event
• other stakeholders who interact with us such as prospective investors or analysts

This Notice doesn’t apply to processing undertaken by a local Kemira entity entirely outside of the EU.

2) Who is the data controller?

Data controller, i.e. the legal entity responsible for collection and use of personal data under this Privacy Notice, is Kemira Oyj whose registered address is Porkkalankatu 3, 00180 Helsinki, Finland. Our Privacy Team can be contacted via email at privacy@kemira.com.

In limited circumstances, other companies of the Kemira Group may also operate as data controllers, either independently or jointly with Kemira Oyj, for their own purposes and under the same principles as defined in this Notice.

3) Why do we process your personal data?

The main purposes for processing your data relate to your professional relationship with us and include the following:

• delivery or purchase of products and services
• managing customer, supplier and business partner relations
• marketing and development of our products and services
• providing you information you have requested from us
• facilitating communication between you and us, including customer and supplier feedback and satisfaction surveys
• improving customer experience and developing our customer insight
• operating and improving our websites
• analyzing, profiling, reporting, segmentation, and statistics for the purposes explained above

4) What is the legal basis for processing your data?

We will only process your personal data when the law allows us to. Our legal basis for processing your data is:

• the performance of a contract between us and a customer, supplier or another business partner as well as taking steps prior to entering into a contract, e.g. to manage requests for information or quotation
• legitimate interest of Kemira based on a business or other relationship, which includes e.g. relationship management and marketing of our products and services
• your consent or
• compliance with a legal obligation

5) What kind of personal data do we process about you?

We may process the following information about you for the purposes described above:

• Basic information about you, e.g. name, title, your employer or the organization you represent, your industry, as well as contact details such as postal address, phone number and email address
• Information on the business relationship, e.g. your product and application interests and the use of Kemira’s products and services
• Information relating to your use of our digital services, e.g. registration data for a digital account such as username and password; information about the service use; information collected using cookies and other online technologies, such as type of web browser you use, the device type you use, your web browsing history on our websites, your IP address, links you have clicked in an email or on a website, materials you have downloaded or the websites from which you have arrived at our websites
• Information related to contacts, meetings and communication, e.g. feedback and contact requests, digital forms, marketing efforts performed, or meetings and events you have participated
• Profile and analysis data, e.g. marketing segments and profiles derived from the data described above

6) What is the source of your personal data?

The personal data that we process about you is:

• given to us by yourself e.g. when using our websites, registering as a user of our services, sending a request for information, filling a form, purchasing, ordering or offering products and services, participating events, or otherwise interacting with us personally, by phone or digitally;
• given to us by your employer or the organization you represent in connection with the business or other relationship between us and your employer/organization;
• collected automatically through electronic means, including cookies, e.g. when you engage in an online marketing campaign or use our websites or other digital services; or
• collected from other legitimate sources, e.g. public and private company and business registers, public authorities, postal operators, public telephone directories, direct marketing and other data brokers, and other similar public and private registers.

7) What are cookies?

Cookies are small files that may be stored on your device when you visit a Kemira website. We use cookies to improve our websites, to obtain information regarding visits to the websites, and to better tailor our services and products to match your interests and needs.

To learn more about cookies and how we use them, please see our Cookie policy.

8) Who has access to your personal data?

We may share your data with service providers and business partners that operate and process personal data as data processors on our behalf. These data processors may include IT, technology and tools providers hosting and maintaining our data as well as possible market research partners or other professional service providers.

Such service providers are only allowed to process your personal data to the extent necessary for them to provide the service we have requested from them. We require that all our service providers keep the personal data we provide them confidential and adequately secure. They are also required to comply with the applicable data protection laws, our privacy and information security policies, and the relevant service and other agreements.

In limited circumstances, Kemira may also make your personal data available to other third parties when required by law or if we have a legitimate interest to do so.

Additionally, we may disclose and transfer your personal data within the Kemira group of companies to Kemira employees who need access to such information to perform their duties.

9) Where is your personal data processed?

As Kemira is a global group of companies with affiliates and service providers both within and outside the EU and the EEA, your personal data may be processed, transferred or made accessible across country borders. If your data is transferred outside of the EU or the EEA, we rely on adequacy decisions, data transfer agreements or other EU approved mechanisms for such transfers.

We contractually require recipients to only use personal data for the intended purpose of the disclosure and to destroy or return it when it is no longer needed.

Transfers of personal data from the EU or the EEA to Kemira affiliates outside of the EU or the EEA are primarily done on the basis of intra-group agreements, which are based on the EU’s standard contractual clauses for export of personal data to third countries.

10) How long do we keep your personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for or as required by applicable legislation. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure of the data, the purposes for which we process the data, the time limits on legal claims and the applicable legal requirements.

11) What are your rights and how can you exercise your rights?

You have certain rights over your personal data, including:

• Information and access: You may request to access your personal data, be provided with supplemental information, and be provided with a copy of your personal data.
• Rectification: You may request to rectify and/or update your inaccurate or out-of-date personal data.
• Erasure: You may have the right to have your personal data erased.
• Restriction: You may have the right to have your personal data restricted. Restriction means that your personal data is only stored by us, and not further processed. The restriction of processing is typically only temporary and may be lifted once we’ve dealt with your complaint.
• Object to processing: You may have the right to object to specific types of processing. These types are direct marketing, processing for research or statistical purposes and processing based on legitimate interests. The right to object to processing based on legitimate interests may be subject to demonstration by us of grounds which override your right to object.
• Data portability: You may have the right to request data portability. Data portability is the provision of your personal data in a structured, commonly used and machine-readable form so that it may be transferred by you or by us to another company easily.
• Right not to be subject to decisions based solely automated decision making: You may have the right not to be subject to decisions based solely on automated processing (i.e. without human intervention), if those decisions produce legal effects or significantly affect you. Automated processing is processing of your personal data by automated means.

These rights are not absolute: they do not always apply and there may be restrictions or exemptions. For example, your right to access may be denied in the case of recurrent access requests within a short time interval, or where providing such access or correction could compromise the privacy of another person or unreasonably expose sensitive company information.

If you want to review, verify, correct or request erasure of your personal information, restrict or object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please submit your request via the contact details provided above in the section “Who is the data controller?”.

You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

12) Withdrawal of consent

In cases where your consent is the legal basis for processing your personal data, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us via the contact details provided above in the section “Who is the data controller?”. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legal basis for doing so.

13) Complaints

If you are not satisfied with the response you’ve received or if you feel that we have not dealt correctly with your personal data, you have the right to make a complaint to the relevant data protection regulator, also known as a “supervisory authority”. The relevant supervisory authority is likely to be the supervisory authority of the country where you are located or where the alleged infringement took place.

14) Changes to this Privacy Notice

We reserve the right to update this Privacy Notice at any time. The current version can always be found from our website. We recommend that you revisit this Privacy Notice from time to time to review any possible changes.