Last updated November 2023
This Privacy Statement informs about the processing of personal data by SSAB group companies including SSAB AB and its affiliates Tibnor and Ruukki, among others ("SSAB"). It answers the questions of what personal data SSAB collects, uses or shares, for what purposes the data is collected and what rights persons have. The persons whose information is processed can be SSAB’s customers, representatives of corporate customers or potential customers, supplier representatives, other intermediaries and business partners, shareholders, site visitors or internet and digital users visiting the website or other digital service platforms or other persons having a connection to SSAB ("Users").
SSAB also processes personal data of its consumer customers and contacts in the course of Ruukki and Plannja business activities. For this purpose, we have a separate B2C Privacy Statement which you can find at www.ruukki.com/b2cprivacy.
SSAB's website may contain links to websites and services of third parties. These websites or services are subject to their own privacy statements. SSAB does not take any responsibility of third parties’ privacy statements or the processing of personal data in third parties’ operations. Please pay attention to their respective privacy statements and subsequent changes to them.
SSAB has nominated a Group Data Protection Officer (DPO), who can be contacted for additional information or any inquiries or requests on personal data processing by SSAB. Our SSAB Data Protection Officer can be contacted at: data.privacy(at)ssab.com.
The data controller responsible for the SSAB group’s personal data processing activities is SSAB AB (registration number: 556016-3429, address: P.O. Box 70, SE-101 21 Stockholm, Sweden). This includes accountability for all data processing on a corporate level, for example for marketing and digital service tools provided in SSAB group companies. SSAB is responsible for ensuring that personal data is processed in compliance with this Statement and applicable data protection laws.
In addition, SSAB affiliate can be regarded as the data controller in separate contractual or other cooperation relationship or in connection with certain statutory personal data processing and compliance with local legal requirements of an individual legal entity part of the SSAB group. SSAB group companies also share personal data for administrative purposes and to facilitate the business operations of the group and the individual legal entities. The information of SSAB group companies and affiliates can be found in the latest Annual Report at https://www.ssab.com/en/company/investors/reports-and-presentations and at https://www.ssab.com/en/company/about-ssab/our-business. Regardless of the data controller in a specific situation, the primary contact for privacy matters in SSAB is: email: data.privacy(at)ssab.com.
SSAB processes the personal data of Users for various purposes, which are explained below.
The main purpose of processing personal data is to deliver SSAB's products and services, as well as to source services and material for SSAB’s business needs, and provide website and other digital services. The processing of personal data is primarily based on SSAB’s legitimate interest to process data for fulfilling its contractual obligations and being able to communicate with SSABs customers, suppliers and other business contacts, including processing needed prior to entering into a contractual relationship with the company or organization the User is representing, or in some cases also with the User directly.
Users' personal data is used to manage communication with Users and for marketing purposes. In this respect, processing can be based on SSAB's legitimate interest to provide Users with relevant and up-to-date information as part of the website as well as through other digital platforms and services. Processing can also be based on SSAB's legitimate interest to promote SSAB's latest products and services as well as to personalize the User experience and to evaluate customer satisfaction.
In certain regions, marketing via electronic means is based on Users' prior consent, for example for sending marketing messages. Users should refer to section 6 below for further information about marketing communications and Users' rights in this respect.
SSAB aims to provide high-quality products and services and to give Users relevant information about those products and services. Therefore, SSAB may use personal data to analyze the market, User groups and use of websites or services for the purpose of developing and improving the quality of the website and SSAB's products and services. This processing is based on SSAB's legitimate interest to grow and develop.
SSAB uses cookies and other similar techniques inter alia for statistical purposes, for example to compile aggregated statistics that allow SSAB to understand how Users use the website and increase user-friendliness. Please see SSAB's Cookie Statement for further information related to statistical and other purposes of using cookies and the legal basis thereof.
SSAB may process technical data, including some personal data for information security and access surveillance purposes and fraud prevention. SSAB maintains also information and facility security measures to safeguard health and safety as well as business information and business assets in order to avoid injuries at its facilities, to prevent property damage and criminal activities and to ensure the availability of the websites and services. This processing is based on SSAB's legitimate interest to ensure an appropriate level of network, facility and information security and the safety of others. SSAB also processes information about visitors to its facilities. This processing of visitor information is based on SSAB’s legitimate interest to enable external visits to its facilities and business premises.
Sometimes personal data may be used to comply with a legal obligation. In SSAB’s business operations, this means for example that personal data processing may be needed in order to be in compliance, with i.a. the following statutory requirements: (i) reporting and audit, (ii) Market Abuse Regulation, (iii) sanctions and other compliance screening, (iv) whistleblowing procedures, (v) corporate governance requirements and (vi) share and shareholder registers (incl. attendance at shareholders’ meetings). In addition, certain personal data may be stored for dispute resolution purposes to be able to establish and defend legal claims.
Users' personal data may be processed in other SSAB group companies. In this case, the processing of personal data can be based on contractual obligation or SSAB's legitimate interest for internal administrative purposes to organize and manage e.g. customer and supplier relationships, marketing as well as information security measures and other business functions within the group in an appropriate and practical way.
SSAB may collect personal data through different means, which are explained below.
SSAB processes personal data for the purpose of maintaining a good business relationship, for example when providing and delivering products or services, maintaining customer communications, sourcing material, products and services for its business needs, or otherwise interacting with business partners or other stakeholders. This personal data is mostly collected directly from Users. Depending on the Users' interaction, SSAB may collect the following personal data:
SSAB may collect personal data when Users contact SSAB's customer service, use website chat, deploy SSAB’s digital service platforms, contact SSAB otherwise, order SSAB's newsletter or participate in surveys or competitions on websites or elsewhere. This personal data is collected directly from the Users.
SSAB may collect personal data that the User has shared with SSAB, such as
SSAB collects and processes the following technical data about the User and the use of the website, products and services provided by SSAB:
This technical data is collected through the use of website and services. SSAB asks for User’s consent for using other than strictly necessary cookies. More information about the use of cookies and similar technologies on SSAB websites can be found in the SSAB Cookie Statement.
SSAB may, from time to time, also collect information from publicly available sources and third parties, such as social networks and marketing companies. For example, SSAB may receive basic information about the User's social network profile, if the User login to SSAB's website or services using a social network account.
SSAB may disclose Users' personal data to the following third parties:
As some SSAB group companies are located outside of the EU/EEA, Users' personal data may be transferred outside of EU/EEA, such as to the United States. In these circumstances , SSAB will use the required established mechanisms for the transfer outside of the EU/EEA, including the Standard Contractual Clauses approved by the European Commission. Please contact data.privacy(at)ssab.com for more information about the applicable safeguards for international data transfer in question.
SSAB may use subcontractors for the personal data processing set out above. When necessary and to the extent required, personal data may be transferred to a country outside of the EU/EEA. In this case, SSAB will use the required established mechanisms that allow the transfer to subcontractors in those third countries, such as the Standard Contractual Clauses approved by the European Commission and additional safeguards to protect the transferred personal data. Please contact data.privacy(at)ssab.com for more information about the applicable safeguards for international data transfer in question.
When a User provides SSAB with contact details, for example, in connection with the sale of a product or service, contacts SSAB's customer service, orders a handbook or other materials on the website or participates in competitions or surveys, SSAB may use the User's personal data for marketing purposes and to promote SSAB's latest products and services as well as to personalize the User experience. Pursuant to applicable laws, Users are given the opportunity to give their prior consent or are allowed the opportunity to opt-out of receiving marketing communications from SSAB or other group companies.
SSAB may provide a User with product and service updates, newsletters and other communications about existing or new products and services by email and text message (SMS) if the User has given prior consent or if SSAB is otherwise permitted to do so under applicable law.
A User may unsubscribe from marketing communications at any time by clicking on the "unsubscribe" link located at the bottom of emails.
SSAB may create User group profiles or segment data for the purpose of creating aggregated statistics about the use of SSAB's websites, products and services, such as to estimate the number of Users, viewed pages, email reads and detect which parts of the website Users find the most useful, to identify features that could be improved and to provide context based advertising to User groups. Data collected for these purposes is not used to identify a particular User but to analyze how Users in general or User groups use the website or services.
SSAB or SSAB's advertising partners may display content or advertisements to a User, for example, the User might see an advertisement for a recently viewed product on SSAB's website. SSAB uses cookies and other similar technologies to display personalized adverts based on, for example, the User's browsing, purchase history or log-in information.
When SSAB collects or uses information about a User's web browsing for e-marketing purposes, this will be based either on User’s consent or SSAB’s legitimate interest. If the processing of information about User is based on a legitimate interest, the User has the right to object to this at any time by contacting SSAB. Regarding the right to object, please refer to section 8 below for further information
The personal data will be retained only for as long as necessary to fulfill the purposes defined in this Privacy Statement. After that, personal data will be removed except when personal data retention is required by law or rights or obligations by either party.
Here are the main rules for the retention periods:
A User has the right to access personal data that SSAB holds about him or her.
A User has the right to request their personal data to be corrected, updated or removed at any time. However, please note that certain information is strictly necessary in order to fulfil the purposes defined in this Statement and may also be required by law. Therefore, the deletion of such data may not be allowed by applicable law which prescribes mandatory retention periods or if there is an overriding interest to keep processing the data for the intended purpose.
A User has a right to object to processing that is based on a legitimate interest of SSAB on grounds relating to their particular situation at any time. To the extent required by applicable data protection law, Users have a right to restrict data processing.
A user has a right to data portability, i.e. the right to receive the personal data in a structured, commonly used machine-readable format and transmit the personal data to another data controller, to the extent required by applicable law. This applies only to personal data provided by the User based on customer contract or the User's consent.
Please send any requests regarding the above-mentioned rights to SSAB at data.privacy(at)ssab.com. Any requests related to the exercise of privacy rights will be responded within one month or within the applicable regulatory time limit.
In case you wish to exercise any of your data privacy rights, SSAB’s Data Privacy Organization can be contacted at data.privacy(at)ssab.com. We will use reasonable efforts to address and clarify any requests or complaints you bring to our attention. In addition, you always have the right to approach, make a request or file a complaint to the competent data protection authority.
SSAB maintains reasonable security measures, including physical, electronic and procedural measures, to protect personal data from loss, destruction, misuse, and unauthorized access or disclosure. For example, SSAB limits access to this information to authorized employees and contractors who need to know that information in the course of their work or assignment and to third party service providers who may only process data in accordance with instructions provided by SSAB.
Please be aware that although SSAB endeavors to provide reasonable security measures for personal data, no security system can prevent all potential security breaches.
From time to time, SSAB may amend this Privacy Statement and SSAB recommends that You will regularly access the Privacy Statement to find about the latest version. SSAB will always provide the date of the Privacy Statement under the header of the Privacy Statement. Please note that this Privacy Statement is for information purposes only.
When required, SSAB will inform Users of any substantial changes by using reasonable and available channels.
SSAB’s global Data Privacy Organization supports with any data protection and data privacy related requests or any other questions, concerns, comments or complaints.
SSAB has also nominated a Group Data Protection Officer (DPO) who performs the following tasks:
The DPO also co-operates with the supervisory authority and acts as the contact point for the supervisory authority on issues relating to processing, and to consult, where appropriate, regarding any other matter.
SSAB’s Data Privacy Organization and the Group Data Protection Officer (DPO) can be contacted at data.privacy(at)ssab.com.