Privacy Policy

Lindström Privacy Policy

General

This privacy policy is given by Lindström Oy, a limited company with business-ID 1712792-1 (“Lindström”, “we” and “us”). All Lindström Oy’s subsidiaries also apply this policy. All collection of data takes place according to the following principles.

This privacy policy also complements service-specific privacy statements as well as our license terms and other, shorter notices on case-specific data collection. It is possible that some sections of this policy may not apply to you or may apply in part; this depends on the Lindström services you may use or which interaction you may be in with Lindström.

Contact Information

Lindström Group, Hermannin Rantatie 8, 00580 Helsinki, +358 20 111 600

Data protection specialists:

Harri Puputti, Vice President, Quality

Harri.Puputti@lindstromgroup.com

Tel: +358 40 580 7894

Ilona Laine, Quality Specialist

Ilona.Laine@lindstromgroup.com

Tel: +358 40 779 2096

Definitions

This is what we mean when we make certain references within this privacy policy.

End-user; “you”, refers to a private individual, our customer’s employee using our services, Lindström employed user, subcontractor’s employee or any other data subject who is registered for the use of or uses our services, is employed by us and/or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services (including web solutions), websites, telephone, e-mail, registration forms, corporate IT systems or other similar channels.

Customer; means the organisation to which Lindström has agreed to provide services.

Subcontractor; refers to the organisation that participates in and supports Lindström in providing services to Lindström’s Customers or provides services that Lindström uses to implement tools used by the employees or service providers that offer regulatory employment-related services such as a healthcare plan, or other business partners relating to our services.

Regulatory agencies; means governmental authorities to whom personal data needs to be disclosed pursuant to applicable legislation.

Personal data; refers to any information relating to an identified or identifiable natural person. This information may include names, e-mail and mailing addresses, telephone numbers, billing and account information, garment size information, and other information incidental to the services and their provisioning.

Website; means the public website of Lindström, namely lindstromgroup.com and/or any other website that it hosts or controls, including sub-sites and browser-based service portals.

Services; means any services, designs or solutions that are created, manufactured or distributed by Lindström or its subsidiaries, including designs, devices, software, web solutions, mobile solutions, cloud solutions, textiles, hygiene products, personal protective products, ideas, concepts and related support services.

Categories and Sources of Processed Data

Service data; the data that we automatically process to service you or to provide the services you requested. This includes all data you submit to us when subscribing to our services. This privacy policy covers such activities. Please see below and appendix 1 in this document for further information.

Security data; the data that is being collected in order to ensure the safety and security of your computing services and therefore to protect e.g. personal data and other confidential data, data integrity and data availability when you use our internal IT services and extranet services. This data is collected in an automated manner.

Employment data; the data that is collected in order to enable working for Lindström. Please see below for further information.

Analytics data; this data is anonymous or pseudonymous data that we collect in order to learn how our services are found and used. This is explained in detail in the legal notice on our websites.

The adjoining service and interaction-specific policies explain in more detail the personal data collected per service type. If there is no specific policy for a service or interaction, this main ‘privacy policy’ document shall apply.

Categories of Collected Data in Services

We may need to ask at least for your email address, postal address, phone number, and name to be able to provide services. We may collect other personal data in specific services, for example related to clothing. To ensure the security of the services you use, Lindström may also collect additional data directly both on our service and from your device and related data traffic. In cases of such automated collection, the focus of data collection is on our services, not on your private data. The adjoining service and interaction-specific policies explain in more detail the personal data collected per service type. If there is no specific policy for a service or interaction, the sections concerning services of this main privacy policy shall apply.

Please see the full list of categories of collected data in services in appendix 1 of this document.

Categories of Collected Data while Working for Lindström

To carry out our responsibilities as an employer, Lindström needs to ask for your date of birth, social security number or other identification number, home address, bank account number and tax information. During the employment, Lindström additionally processes your salary, absence and vacation details, competence details and health certificates, employment start and end dates and the reason for the termination of employment. When you use buildings that have digital access control, you may be given an access token as a key. In order to enable the digital access control, Lindström may have to ask for at least your name and the company name.

Automated Collection of Data

While working for Lindström or using our services, Lindström may also collect additional data directly from your device and from the related data traffic and IT service logs. In case of such automated collection of data, the focus of data collection is on our services, not on your private data.

We need to automatically collect and process relevant personal data for our services and tools needed while being employed or while subcontracting for Lindström, to enhance them, and to provide them to you. As such processing is inseparable from the services we provide to you, this gives us a valid need to process your data and legal authorization to do so.

To ensure security and safety at work, Lindström may collect additional data in an automated manner while you are working for Lindström, directly from our services, from the digital access management of a building, and from your device and related data traffic and IT service logs.

Purposes and the Legal Basis of Processing personal data

We process personal data for the following purposes:

| Purpose of data processing | Lawfulness of processing | Data Subjects |
| --- | --- | --- |
| Delivery of services; to deliver services to you, maintain and develop our services, identify authorized users and check customer qualifications, process and track transactions such as administering accounts, shipping, invoicing, and managing licenses. | Performance of a contract or legitimate interests. | Wearers; Customer Contact Persons |
| Enable your working for Lindström; i.e., to make it possible for you to work in or work for Lindström. | Processing is necessary for compliance with a legal obligation to which the controller is subject to as an Employer. Performance of a contract or legitimate interests. | Employees; Consultants; Outsourced employees |
| Analysis; to track how our services are acquired, to understand how you feel about using our services, to better manage our customer relationships and to approach you with relevant messages. | Legitimate interests | Agreement Contact Persons |
| Communicate; by sending you information relating to Lindström services, marketing and advertising Lindström services to you. | Consent or legitimate interests | Agreement Contact Persons; Target of Marketing |
| Regulatory; to fulfil our obligations as a private company, to prevent fraudulent activities, to remove or stop sharing of illegal or infringing material, and to comply with legal or regulatory requirements. | Compliance with a legal obligation or legitimate interests | Employees |

By using our services, by using our services while being an employee of our customer, by being employed by us or by being a subcontractor’s employee providing services to Lindström, you are our end-user. Because of this relationship, we have a right to process relevant personal data on the legal grounds specified above. We have a right to process your personal data if you are assigned with responsibility to represent a Customer. We will do this only to the extent necessary.

Such data processing may occur when you communicate with us or our business partners relating to our services, use our services, are employed by Lindström or by Lindström’s subcontractor, fill out a form or survey, register to use our services, submit information through our web site or independent campaign sites, enter a contest or sweepstakes, register your e-mail address with us, or send us e-mail.

The adjoining service and interaction-specific policies explain in more detail the specific purposes for the collected personal data. While some of our services and functions may have dedicated policies to help you better understand the data collected by that particular service, interaction or function, we consider you an end user, a subcontractor or a customer of Lindström as a whole and not in conjunction with a specific service, interaction or function.

Categories of Recipients and International Data Transfers

Partners help us provide our services and provide tools for our employees and sometimes for our subcontractors. This also means that we exchange data with our partners. When doing so, we focus on sharing only the necessary personal data. Such sharing may take place only in the following circumstances and only if sharing the personal data with others is necessary.

Subcontracting; we may disclose some personal data to subcontractors or other business partners when they provide services to or otherwise co-operate with Lindström, or if the subcontractor participates in providing services to a Customer. Where our end-user’s personal data needs to be disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services and act in a manner consistent with this privacy policy as well as applicable laws. When a subcontractor discloses personal data of its employees to us, we require the subcontractor to inform us without undue delay when the need to process the end-user’s personal data ends.

Services; we may disclose our end-user’s personal data to our Customer. While doing so, we require our Customer to offer the same level of data protection as we seek to provide to the personal data of our end-user.

International transfers; we have subsidiaries belonging to the Lindström Group in third countries outside the geographical area of the European Economic Area (EEA) or the European Union (EU). Additionally, some of our partners are located outside the EEA or the EU. We implement either standard data protection clauses adopted by the European Commission in order to enable the transfer of personal data or secure such transfers of personal data otherwise according to the requirements of the applicable laws.

Other disclosures; in some cases, we may be obligated to disclose your personal data to Regulatory agencies, as required by the applicable laws. We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of Lindström, where the information is provided to the new controlling entity in the regular course of business. In any such action, we will act according to the applicable laws.

Data Retention

We follow the main principles of Finnish and European Union laws on data retention, meaning that the personal data should be deleted or anonymized once we no longer need it for the purpose it was collected.

We store the data of our end-users for varying durations in specific services depending on the type of data, but so that we are able to perform our duties as an employer and as a party to a contract with a customer or subcontractor. Also, a valid reason for us to continue processing personal data may be that we seek to limit damages we may have to sustain and pursue available remedies, to solve or contain a recurring problem, or to prevent fraudulent activity, or that applicable laws so require. If the data doesn’t contain personal data, for example security data or aggregate analytics data, the retention period of such data is at our discretion.

Data Security

We implement the industry’s best practices of information security management. Related computer systems, networks and processes have been implemented with security in mind. Additionally, systems and services are monitored and Lindström is prepared to respond to security incidents.

Your Rights

We seek to keep your personal data accurate, complete, and up to date. You have the right to obtain information on the personal data concerning you and ask us what personal data we have on you. You have the right to have any incorrect, incomplete or otherwise inaccurate personal data erased or rectified. You also have the right to request the restriction of processing concerning you or to object to processing, as well as the right to data portability. Additionally, you have the right to lodge a complaint with a supervisory authority if you consider the processing unlawful.

You can cancel your consent to the processing of your personal data, but such cancellation does not affect the lawfulness of processing of your personal data prior to such cancellation.

You can contact us for more details about how your personal data is processed, to cancel your consent or to use your abovementioned rights. Our contact information is included in this policy. You can unsubscribe from receiving marketing messages by following the instructions that are included in each message.

Changes

This version of the policy replaces the previous policy. We reserve the right to keep this policy up to date and to make changes and additions also in the future. Any changes will apply starting from the date that we publish the revised privacy policy.

APPENDIX 1 Categories of Collected Data in Services

List of personal data disclosed from ERP to all other systems and from eLindström to ERP (Solar and ABSSolute)

| Data item | Description |
| --- | --- |
| User ID | Identification number to specify a wearer or an end user in the IT system |
| First name | Name of the Wearer, to establish garment item order, lease or laundry service order |
| Family Name | Name of the Wearer, to establish garment item order, lease or laundry service order |
| Company | Company name, employer of the wearer |
| Sex | Male or female |
| Address | Place of work, delivery address |
| TagID | Physical identifier of a Tag, read from a clothing tag e.g. at the laundry line and door reader |
| Shoe size | Size of shoes individual use |
| Shirt size | Size of shoes individual use |
| Trouser size | Size of shoes individual use |

List of Personal Data for Customer Management (CRM)

| Data item | Description |
| --- | --- |
| Contact person first name | Contact person detail |
| Contact person last name | Contact person detail |
| Delivery customer first name | Delivery customer detail |
| Delivery customer last name | Delivery customer detail |
| Service customer first name | Service customer detail |
| Service customer last name | Service customer detail |
| Company | Workplace of a customer |
| Company Address, City and Country | Location of workplace |
| Contact person phone number | Phone number |
| Delivery customer phone number | Phone number |
| Service Customer phone number | Phone number |
| Contact person email | email address |
| Delivery customer email | email address |
| Service Customer email | email address |
| Owner of the Customer in Lindström, first name | Lindström employee name |
| Owner of the Customer in Lindström, last name | Lindström employee name |
| Owner of the Customer in Lindström, phone number | Lindström employee phone number |
| Owner of the Customer in Lindström, email | Lindström employee email |

List of Personal Data for Direct Marketing and Lead Generation

| Data item | Description |
| --- | --- |
| Contact first name | Direct marketing contact given name |
| Contact family name | Direct marketing contact family name |
| Contact email address | Direct marketing contact email address |
| Contact phone number | Direct marketing contact phone number |
| Consent | Consent or objection to receive marketing communications. This personal data is only received from HubSpot. |

List of personal data

This is the extent of personally identifiable data being processed within eLindström Service.

| Data item | Description |
| --- | --- |
| User ID | Identification number to specify a user |
| First name | Name to establish garment item order |
| Family Name | Name to establish garment item order |
| Company | Company to establish garment order |
| Shoe size | Number |
| Shirt size | Number or letter |
| Trouser Size | Number or letter |
| Sex | Male/Female |
| User role | User role in the system (Contact person, Administrator, end user) |
| Address | Location |
| Username | User credential of eLindström portal |
| Password | User credential of eLindström portal |

List of personal data in O365

| System | Description |
| --- | --- |
| HR Personec | Please see HR Personec solution description documentation. |
| On premise Active Directory (AD) | Please see Lindström IAM architecture documentation for AD |
| Azure Active Directory (AD) | Same as with on premise AD. |