Information about the processing of personal data

Last updated April 2023

This information text describes the processing of personal data for:

  • Users of our websites and digital channels, e.g. our social media pages.
  • A designated contact or representative of a customer, supplier or partner of ours.
  • A third party who is in contact with, or otherwise communicates with us or is affected by our personal data processing in general and is not covered by the categories above, e.g. if you own or live in a property affected by our work.

“Personal data” means information that can directly or indirectly identify you as an individual, e.g. your name or IP address.

Who is the data controller for the processing of your personal data?

The NCC company providing the website you are visiting is normally the personal data controller for such processing of personal data in accordance with this information text.

The NCC company with which your company has a business relationship is normally responsible for managing data in our business portals within the framework of contract management and procurement.

Each NCC company is responsible for Know Your Customer checks, user account management in our business portals, and for reporting violations of NCC’s policies and guidelines, as well as for fulfilling its own legal obligations and for establishing and asserting legal claims.

From which sources do we collect personal data?

We collect personal data from:

  • You. We collect the personal data that you provide to us, e.g. in connection with the use of our websites and other digital channels or when you contact us.
  • Employees. We may collect personal data about you from employees who provide your personal data to us, e.g. in connection with communication or when the employee voluntarily submits your data to us or in connection with the receipt of whistleblowing reports.
  • Partners. We may collect your personal data from business partners, e.g. in connection with carrying out an event or other activity together with said business partners. When conducting Know Your Customer (KYC) checks on senior executives of customers and suppliers, data may also be collected from independent companies that assist us with such surveys. We may also obtain information from credit reference agencies.
  • Social networking platforms. If you visit our social media channels, we will collect the personal data that you provide to us via these channels, e.g. to answer any questions you ask or to communicate about us, our business, or our services and offers.
  • Group companies. The companies within the NCC Group work collaboratively and therefore share information with each other, e.g. when communicating about the management of customer and supplier relationships.
  • Third parties. We may also collect personal data about you from third parties who provide your personal data to us, e.g. in connection with communication or an event or other activity, or in connection with the receipt of whistleblowing reports.
  • Public data sources. We may collect personal data about you from public sources, such as government agencies and public records, e.g. corporate engagement in order to manage orders and manage the relationship with the firm or organization to which you belong.

Which personal data do we collect?

The personal data we collect depends on how you interact with us. We only collect the personal data that we need, mainly within the following categories of personal data:

  • Identity data. Data that makes it possible to identify you, e.g. your name and, where appropriate, your personal identity number or equivalent.
  • Contact details. Information that makes it possible to contact you, e.g. address, email address and telephone number.
  • User-generated data. Information about your activity on and use of our websites and digital channels, e.g. clicks and visits to the website, and otherwise your behavior on our websites and in our digital channels.
  • Order details. Information about ordered goods or services, e.g. the goods or service, price and delivery or assignment period.
  • Billing data. This may include terms of payment, cost center, or reference number, number of hours, staff involved.
  • Profile data. Data relating to your profile, e.g. your title, name and address of the firm or organization to which you belong, and department.
  • Image and sound material. Information such as a still or moving image of you or a recording of your voice, e.g. photography, video or audio recording.
  • Communication. Content of communication with us, e.g. content of emails or responses you provide when you e.g. participate in a survey or provide feedback and comments.
  • Technical data. Technical details of the device you use when visiting our website or digital channels, e.g. type of device, version of browser and operating system.

If necessary in order to fulfill the purpose of the processing of personal data, in some cases we may also collect and process other types of personal data.

For which purposes and on which legal basis do we use your personal data?

We use your personal data when you use our website and our digital channels, when we provide our services and products to you, your firm or your organization, when you communicate with us, in order to meet legal requirements and comply with legislation.

Below we list more detailed information about why we use your personal data in different cases. All processing of personal data may not necessarily apply to you; which processing you are covered by will depend on how you interact with us.

Providing information and communicating news

If you subscribe to newsletters, catalogs, press releases and similar information about NCC and its operations, or order such information on an occasional basis, we will process your personal data for the purpose of providing you with the requested subscription or information.
You have the opportunity to communicate with us by asking questions or giving us feedback about our services and operations, e.g. by email or on our websites. If you do so, NCC will process your personal data for the purpose of answering your questions or managing your feedback.

Personal data

Legal basis
  • Identity data
  • Communication
  • Contact details
  • Profile data

Contractual fulfillment. The processing is necessary in order to satisfy our legitimate interest in providing you with subscriptions and information requested by you, as well as answering questions and managing other feedback.

Quotes, purchase inquiries and orders

If you send us a request for a quote or a request to purchase our products or services, e.g. by email or via one of our websites, or if you place an order for products (e.g. asphalt) or services, NCC will process your personal data for the purpose of responding to and managing your request, as well as placing the order and billing.

Personal data

Legal basis
  • Identity data
  • Communication
  • Contact details
  • Profile data

Contractual fulfillment. The processing is necessary in order to satisfy our legitimate interest in providing you with subscriptions and information requested by you, as well as answering questions and managing other feedback.

  • Corporate Identity Number
  • Billing data
  • Order details
  • Credit check
  • Other company and financial information that is available

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in responding to and managing your quotation and purchase requests, and managing your orders

The processing of personal identity numbers for consumers or sole traders is necessary for the purpose in question

 

Managing and responding to your requests and messages in our business portals

Business customers and suppliers at NCC have access to some of our business portals, where you, in your role as a designated contact, can e.g. view and manage ongoing projects and contracts, submit tenders and manage bills. If you, in your role as a designated contact at a business customer or supplier of NCC, use these functions, NCC will process personal data in order to be able to manage the ongoing relationship, and to respond to and evaluate tenders.

Personal data

Legal basis
  • Identity data, incl. personal identity number
  • Communication
  • Technical data
  • Contact details
  • Profile data
  • Billing data
  • Company information in the public domain (e.g. number of employees and VAT registration number)

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in responding to and managing your inquiries and messages in our business portals.

The processing of personal identity numbers for consumers or sole traders is necessary for the purpose in question.

Contacting customers for marketing purposes  (only valid in Finland)

NCC collects and processes personal data for the purposes of contacting customers, marketing of NCC’s products and services including targeted email marketing, online advertising, and personal sales calls.

Personal data

Legal basis
    •  Identity data
    • Communication
    • Technical data
    • Contact details
    • User generated data 

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in marketing NCC by keeping contact with our B2B customer base.

Consent. The usage of cookies and similar techniques is based on the cookie policy.

 

Know Your Customer (KYC) checks of suppliers, partners and business customers, as well as senior executives

When a supplier or a business customer intends to enter into a business relationship with NCC, we process personal data concerning senior executives in the supplier’s or the customer’s business in order to be able to perform KYC checks. Such checks are carried out as part of our standard procedure before entering into contracts with new suppliers and business customers, for the purpose of enabling NCC to make well-informed business decisions.

Personal data

Legal basis
  • Identity data, incl. personal identity number
  • Communication
  • Contact details
  • Profile data
  • Financial information, incl. credit reports and information from the Swedish Enforcement Authority
  • Directorships and information about deputies
  • Other information of relevance that emerges during checks

Legitimate interest. The processing is necessary in order to make well-informed business decisions prior to NCC entering into business relationships with suppliers and business customers.

In the event that NCC processes data about criminal offenses (in accordance with Article 10 of the GDPR), such processing will take place in order to satisfy NCC’s legitimate interest in establishing, asserting or defending legal claims.

The processing of personal identity numbers is necessary for the purpose in question.

The processing of personal identity numbers for consumers or sole traders is necessary for the purpose in question.

Creating personal user accounts on our websites and in our business portals

Some of NCC’s websites and business portals enable users to create personal user accounts with login. If you create an account, NCC will process your personal data for the purpose of creating and managing your personal account, creating your login and giving you access to your account.

Personal data

Legal basis
  • Identity data
  • Communication
  • Contact details
  • Customer number

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in creating and managing your user account.

Handling complaints and fulfilling our warranty obligations regarding our products

If you lodge a complaint with us regarding our products or services, e.g. via one of our websites or via email, NCC will process your personal data for the purpose of investigating, handling and responding to your complaints in order to fulfill our warranty obligations.

Personal data

Legal basis
  • Identity data
  • Communication
  • Contact details
  • Order details
  • Billing data

Legitimate interest. The processing is necessary in order to investigate, handle and respond to your complaints.

Contractual fulfillment. If you are a consumer who has purchased our products or services, we will process your personal data in order to fulfill the obligations set out in the purchase agreement that exists between NCC and you.

Managing your registration for and participation in events, training courses and briefings

If you register for events or training courses, e.g. via one of our websites or email, NCC will process your personal data for the purpose of managing and responding to your expressions of interest and registrations. If you sign up for an event or training course, we will also use your personal data to be able to carry out the event or training course, e.g. to send you an invitation to attend.

Personal data

Legal basis
  • Identity data, incl. personal identity number
  • Communication
  • Contact details
  • Profile data
  • Dietary preferences

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in administering your expressions of interest and participation in training courses or events.

Consent. We will ask for your consent regarding dietary preferences.

Administering expressions of interest in commercial properties

If you submit an expression of interest in commercial properties, e.g. via one of our websites or email, NCC will process your personal data in order to administer and respond to your expression of interest.

Personal data

Legal basis
  • Identity data
  • Communication
  • Contact details
  • Profile data

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in managing your expression of interest in our commercial properties

 

Marketing NCC on social media

NCC has active profiles on social media, such as Facebook, Instagram, LinkedIn and YouTube. On these platforms, NCC may publish articles, images and videos for the purpose of marketing NCC.

Personal data

Legal basis
  • Identity data
  • Communication
  • Image and sound material

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in marketing NCC

Contractual fulfillment. In certain cases, we will have entered into a special model contract with you regarding photography and the use of images for publication. The use of personal identity numbers may occur in this respect.

Following up on the use of, and enabling functionality on our websites and digital channels

It is important for us to understand how our websites and digital channels are used, in order to continuously improve our websites and digital channels. We therefore process your personal data for this purpose, e.g. when we collect and analyze visitor and user statistics on how our website, digital channels and services are being used. In order to enable the functionality of our websites, e.g. to remember your settings, we use your personal data when necessary in order to provide a better user experience on the website.

Personal data

Legal basis
  • User-generated data
  • Technical data

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in being able to monitor the use of our websites and digital channels.

Creating traffic control plans

If you request the creation of a traffic control plan, e.g. via one of our websites or email, NCC will process your personal data for the purpose of administering your request, communicating with you and determining the traffic control plan.

Personal data

Legal basis
  • Identity data
  • Communication
  • Contact details

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in managing your request to create a traffic control plan.

Providing information about blasting operations and other measures that may affect properties in connection with our construction projects

NCC processes personal data about property owners and other stakeholders in order to provide information about e.g. blasting operations and other measures that may affect properties in connection with our construction projects.

Personal data

Legal basis
  • Identity data
  • Communication and other information necessary for the purpose
  • Contact details
  • Information about property, e.g. property designation

Legal obligation. The processing takes place in order to fulfill our legal obligations to the extent that our disclosure of information is required by law and for our legitimate interest in providing such information in other cases.

Visitor registration and access to our workplaces

If you visit one of our workplaces, we process your personal data in order to register you as a visitor, manage parking permits and give you access to our premises.

Personal data

Legal basis
  • Identity data
  • Contact details
  • Profile data
  • Vehicle license plate number
  • Technical data

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in managing visitors to our workplaces. In cases where CCTV surveillance has been installed at the workplace, the information in the corresponding information text applies.

Following up, developing, documenting and improving our business

We process your personal data when we perform overall analyses to follow up, develop and improve our business, business methods and strategies. We also process your data in order to document our operations where appropriate, e.g. to manage and save contracts, decision-making documentation, minutes and presentations.

Personal data

Legal basis
  • Identity data
  • Contact details
  • Profile data
  • Vehicle license plate number
  • Technical data

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in managing visitors to our workplaces. In cases where CCTV surveillance has been installed at the workplace, the information in the corresponding information text applies.

Ensuring compliance with our guidelines, policies, procedures and applicable legislation, including audits and investigations in connection with this

Where applicable, NCC processes personal data in order to ensure that suppliers, business customers and other organizations with whom NCC has contact (e.g. in collaboration) and its employees, as well as senior executives, comply with and apply our guidelines, policies, procedures (e.g. the NCC Code of Conduct for Suppliers) and applicable legislation. Such processing may include verification of driver’s logs and invoices, as well as anti-corruption and anti-bribery measures, and may take place as a result of a routine action by NCC or if we have reason to suspect misconduct or crime. In exceptional cases, in the event of strong suspicions of a criminal offense, we may conduct investigations, which may include site visits, review of email correspondence and material from CCTV surveillance, as well as interviews with the individuals concerned.

Personal data

Legal basis
  • Identity data
  • Contact details
  • Communication
  • Details of suspected misconduct or crime
  • Image and sound material
  • Tasks related to routine checks (e.g. time worked and location data)

Legitimate interest.

The processing is necessary in order to satisfy our legitimate interest in ensuring compliance with our guidelines, policies, procedures and applicable legislation.

In the event that NCC processes data about criminal offenses (in accordance with Article 10 of the GDPR), such processing will take place in order to satisfy NCC’s legitimate interest in establishing, asserting or defending legal claims.

Managing and meeting legal requirements

We use your personal data if necessary for the establishment, assertion and defense of legal claims, e.g. in connection with a dispute or legal proceedings.

Personal data

Legal basis
  • Identity data
  • Communication
  • Contact details
  • Profile data
  • Technical data
  • Other information necessary for the purpose

Legitimate interest.

The processing is necessary in order to satisfy our legitimate interest in the establishment, assertion and defense of legal claims.

In the event that NCC processes data about criminal offenses (in accordance with Article 10 of the GDPR), such processing will take place in order to satisfy NCC’s legitimate interest in establishing, asserting or defending legal claims

Managing whistleblowing reports

NCC processes personal data about individuals mentioned in whistleblowing reports in order to be able to receive, investigate and provide feedback on such reports and to be able to take corrective action.

Personal data

Legal basis
  • Identity data
  • Billing data
  • Communication
  • Contact details
  • Profile data
  • Order details
  • Other information necessary for the purpose

Fulfilling legal obligations and legitimate interests. The processing takes place in order to fulfill legal obligations and our legitimate interest in being able to take corrective action where appropriate. If the NCC company concerned has fewer than 50 employees, the legal basis will be legitimate interest. In the event that NCC is processing data about criminal offenses (in accordance with Article 10 of the GDPR), such processing will take place in order to fulfill legal obligations and to be able to establish, assert and defend legal claims.

Fulfilling legal obligations

NCC processes Personal Data for the purpose of fulfilling legal obligations in areas such as taxation and accounting.

Personal data

Legal basis
  • Identity data
  • Communication
  • Contact details
  • Billing data
  • Other information necessary for the purpose

Fulfilling legal obligations. The processing takes place in order to fulfill legal obligations.

How do we protect your personal data?

We take measures to ensure that the personal data we process is always protected and that our processing is carried out in accordance with applicable data protection rules, as well as our internal guidelines and procedures. Information security and ensuring the appropriate protection of personal data are of the utmost importance to us. We strive to implement security measures in accordance with the ISO 27000 international standard, in order to determine the appropriate level of protection for data, and to prevent and detect disclosure of personal data to unauthorized parties.

Which recipients do we share your personal data with?

Below we describe which recipients we share your personal data with. The recipients with whom we share your personal data will depend on how you interact with us. Unless stated otherwise below, the recipient is responsible for their own processing of your personal data.

Service providers

In order to process personal data, we share personal data with service providers that we have hired. These service providers provide e.g. IT services. When the service providers process personal data on our behalf and in accordance with our instructions, they are data processors for us and we are responsible for the processing of your personal data. Service providers may not use your personal data for their own purposes and they are required by law and contractual obligations with us to protect your data.

Group companies

The companies in the Group work collaboratively and therefore share information with each other. To the extent that Group companies process personal data on our behalf and in accordance with our instructions, e.g. to manage the assignment, they are data processors for us and we are responsible for their processing of your personal data.

Intended purpose

Personal data

Legal basis
Communication between employees and third parties
  • Remuneration data
  • Billing data
  • Identity data
  • Communication
  • Contact details

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in the communication between employees and third parties.

Managing and meeting legal requirements

Only the categories of personal data that are necessary for managing and meeting the legal requirement on a case-by-case basis.

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in managing and meeting legal requirements.

Investigative and security reasons
  • Image and sound material
    Identity data
  • Incident data
  • Communication
  • Contact details
  • Billing data
  • Remuneration data
  • Log data
  • Profile data

Legitimate interest. The processing is necessary in order to fulfill our legitimate interest in processing personal data for investigative and security reasons. In the event that NCC processes data about criminal offenses (in accordance with Article 10 of the GDPR), such processing will take place in order to satisfy NCC’s legitimate interest in establishing, asserting or defending legal claims.

Managing whistleblowing reports
  • Identity data
  • Communication
  • Contact details
  • Profile data
  • Remuneration data
  • Billing data

Legitimate interest. The processing is necessary in order to fulfill our legitimate interest in processing personal data in order to manage whistleblowing reports.

Other categories of recipients

NCC may also disclose personal data to recipients outside the NCC Group such as:

Recipient

Intended purpose

Legal basis
Courts, mediators and representatives In order to establish, assert and defend legal claims

In order to satisfy our and your legitimate interest in having disputes settled by competent authorities.

Suppliers, customers
and partners

Managing our relationship with suppliers, customers and partners

To satisfy our legitimate interest in managing our relationship with suppliers, customers and partners.

Authorities and trade union organizations

To comply with legal obligations

To fulfill legal obligations (e.g. in the areas of taxation and labor law).

Business customers

To provide aggregated data regarding workplace accidents and near-accidents

To satisfy our legitimate interest in preventing workplace accidents and near-accidents.

Insurance companies

Establishing, asserting and defending legal claims

To satisfy our legitimate interest in establishing, asserting and defending legal claims.

Potential buyers

Implementing any divestment of all or parts of our business

In order to satisfy our legitimate interest in implementing any divestment.

Credit reference agencies and companies that perform background checks

Conducting credit checks in preparation for the customer/supplier relationship on legal entities, as well as background checks.

To satisfy our legitimate interest in conducting credit checks in preparation for the customer/supplier relationship with legal entities, as well as background checks.

Furthermore, NCC may disclose personal data to third parties such as IT suppliers, communication agencies and others who provide services who process personal data in accordance with NCC’s instructions and assignments.

Where do we process and store the personal data?

We always strive to store personal data within the EU. In some cases, your personal data is shared with recipients outside the EU/EEA, e.g. service providers hired by us.

To ensure that personal data is protected, we ensure that appropriate safeguards are in place with all service providers who process your personal data outside the EU/EEA, in light of the legislation of the recipient country. We normally enter into data transfer contracts that contain so-called standard contractual clauses for the transfer of personal data.

If you would like more information about the countries outside the EU/EEA to which we transfer your personal data, and the safeguards we have put in place to protect your personal data, please contact us.

How long do we store your personal data?

NCC retains your personal data for as long as necessary in order to fulfill the purposes set out in this information text, unless a longer retention period is required or permitted by local law to which NCC is subject. We use the following criteria to determine the retention period:

  • As long as we have an ongoing relationship with you (either as an individual or in your role as an employee of a firm hired by NCC);
  • as long as required by legal obligations to which NCC is subject (such as fiscal and accounting obligations);
  • as long as appropriate in light of our legal position (such as applicable provisions in statutes of limitations); and
  • as long as necessary for other legitimate business reasons (e.g. follow-up on supplier relationships and documentation of the business).