May 2018
Kemira is committed to protecting the privacy and security of your personal data. This Privacy Notice explains how we collect and use personal data about you and what rights you have under the applicable laws, particularly under EU’s General Data Protection Regulation (GDPR).
This Privacy Notice applies to the processing of personal data by any Kemira Group company in the EU with respect to:
This Notice doesn’t apply to processing undertaken by a local Kemira entity entirely outside of the EU.
Data controller, i.e. the legal entity responsible for collection and use of personal data under this Privacy Notice, is Kemira Oyj whose registered address is Energiakatu 4, 00180 Helsinki, Finland. Our Privacy Team can be contacted via email at privacy (at) kemira.com.
In limited circumstances, other companies of the Kemira Group may also operate as data controllers, either independently or jointly with Kemira Oyj, for their own purposes and under the same principles as defined in this Notice.
The main purposes for processing your data relate to your professional relationship with us and include the following:
We will only process your personal data when the law allows us to. Our legal basis for processing your data is:
We may process the following information about you for the purposes described above:
The personal data that we process about you is:
Cookies are small files that may be stored on your device when you visit a Kemira website. We use cookies to improve our websites, to obtain information regarding visits to the websites, and to better tailor our services and products to match your interests and needs.
To learn more about cookies and how we use them, please see our Cookie policy.
We may share your data with service providers and business partners that operate and process personal data as data processors on our behalf. These data processors may include IT, technology and tools providers hosting and maintaining our data as well as possible market research partners or other professional service providers.
Such service providers are only allowed to process your personal data to the extent necessary for them to provide the service we have requested from them. We require that all our service providers keep the personal data we provide them confidential and adequately secure. They are also required to comply with the applicable data protection laws, our privacy and information security policies, and the relevant service and other agreements.
In limited circumstances, Kemira may also make your personal data available to other third parties when required by law or if we have a legitimate interest to do so.
Additionally, we may disclose and transfer your personal data within the Kemira group of companies to Kemira employees who need access to such information to perform their duties.
As Kemira is a global group of companies with affiliates and service providers both within and outside the EU and the EEA, your personal data may be processed, transferred or made accessible across country borders. If your data is transferred outside of the EU or the EEA, we rely on adequacy decisions, data transfer agreements or other EU approved mechanisms for such transfers.
We contractually require recipients to only use personal data for the intended purpose of the disclosure and to destroy or return it when it is no longer needed.
Transfers of personal data from the EU or the EEA to Kemira affiliates outside of the EU or the EEA are primarily done on the basis of intra-group agreements, which are based on the EU’s standard contractual clauses for export of personal data to third countries.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for or as required by applicable legislation. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure of the data, the purposes for which we process the data, the time limits on legal claims and the applicable legal requirements.
You have certain rights over your personal data, including:
These rights are not absolute: they do not always apply and there may be restrictions or exemptions. For example, your right to access may be denied in the case of recurrent access requests within a short time interval, or where providing such access or correction could compromise the privacy of another person or unreasonably expose sensitive company information.
If you want to review, verify, correct or request erasure of your personal information, restrict or object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please submit your request via the contact details provided above in the section “Who is the data controller?”.
You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
In cases where your consent is the legal basis for processing your personal data, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us via the contact details provided above in the section “Who is the data controller?”. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legal basis for doing so.
If you are not satisfied with the response you’ve received or if you feel that we have not dealt correctly with your personal data, you have the right to make a complaint to the relevant data protection regulator, also known as a “supervisory authority”. The relevant supervisory authority is likely to be the supervisory authority of the country where you are located or where the alleged infringement took place.
We reserve the right to update this Privacy Notice at any time. The current version can always be found from our website. We recommend that you revisit this Privacy Notice from time to time to review any possible changes.
We use cookies to improve your experience on our website. Read more about our cookie policy and privacy statement.