Lindström Privacy Policy

General

This privacy policy is given by Lindström Oy, a limited company with business-ID 1712792-1 (“Lindström”, “we” and “us”). All Lindström Oy’s subsidiaries also apply this policy. All collection of data takes place according to the following principles.

This privacy policy also complements service-specific privacy statements as well as our license terms and other, shorter notices on case-specific data collection. It is possible that some sections of this policy may not apply to you or may apply in part; this depends on which Lindström services you may use or which interaction you may have with Lindström.

Contact Information

Lindström Group, Hermannin Rantatie 8, 00580 Helsinki, +358 20 111 600

Data protection specialists:

Harri Puputti, Vice President, Quality

Harri.Puputti@lindstromgroup.com

Tel: +358 40 580 7894

Ilona Laine, Quality Specialist

Ilona.Laine@lindstromgroup.com

Tel: +358 40 779 2096

Definitions

This is what we mean when we make certain references within this privacy policy.

End-user; “you”, refers to a private individual, our customer’s employee using our services, Lindström employed user, subcontractor’s employee or any other data subject who is registered for the use of or uses our services, is employed by us and/or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services (including web solutions), websites, telephone, e-mail, registration forms, corporate IT systems or other similar channels.

Customer; means the organisation to which Lindström has agreed to provide services.

Subcontractor; refers to the organisation that participates in and supports Lindström in providing services to Lindström’s Customers or provides services that Lindström uses to implement tools used by the employees or service providers that offer regulatory employment-related services such as a healthcare plan, or other business partners relating to our services.

Regulatory agencies; means governmental authorities to whom personal data needs to be disclosed pursuant to applicable legislation.

Personal data; refers to any information relating to an identified or identifiable natural person. This information may include names, e-mail and mailing addresses, telephone numbers, billing and account information, garment size information, and other information incidental to the services and their provisioning.

Website; means the public website of Lindström, namely old.lindstromgroup.com and/or any other website that it hosts or controls, including sub-sites and browser-based service portals.

Services; means any services, designs or solutions that are created, manufactured or distributed by Lindström or its subsidiaries, including designs, devices, software, web solutions, mobile solutions, cloud solutions, textiles, hygiene products, personal protective products, ideas, concepts and related support services.

Categories and Sources of Processed Data

Service data; the data that we automatically process to service you or to provide the services you requested. This includes all data you submit to us when subscribing to our services. This privacy policy covers such activities. Please see below and appendix 1 in this document for further information.

Security data; the data that is being collected in order to ensure the safety and security of your computing services and therefore to protect e.g. personal data and other confidential data, data integrity and data availability when you use our internal IT services and extranet services. This data is collected in an automated manner.

Employment data; the data that is collected in order to enable working for Lindström. Please see below for further information.

Analytics data; this data is anonymous or pseudonymous data that we collect in order to learn how our services are found and used. This is explained in detail in the legal notice on our websites.

The adjoining service and interaction-specific policies explain in more detail the personal data collected per service type. If there is no specific policy for a service or interaction, this main ‘privacy policy’ document shall apply.

Categories of Collected Data in Services

We may need to ask at least for your email address, postal address, phone number, and name to be able to provide services. We may collect other personal data in specific services, for example related to clothing. To ensure the security of the services you use, Lindström may also collect additional data directly both on our service and from your device and related data traffic. In cases of such automated collection, the focus of data collection is on our services, not on your private data. The adjoining service and interaction-specific policies explain in more detail the personal data collected per service type. If there is no specific policy for a service or interaction, the sections concerning services of this main privacy policy shall apply.

Please see the full list of categories of collected data in services in appendix 1 of this document.

Categories of Collected Data while Working for Lindström

To carry out our responsibilities as an employer, Lindström needs to ask for your date of birth, social security number or other identification number, home address, bank account number and tax information. During the employment, Lindström additionally processes your salary, absence and vacation details, competence details and health certificates, employment start and end dates and the reason for the termination of employment. When you use buildings that have digital access control, you may be given an access token as a key. In order to enable the digital access control, Lindström may have to ask for at least your name and the company name.

Automated Collection of Data

While working for Lindström or using our services, Lindström may also collect additional data directly from your device and from the related data traffic and IT service logs. In case of such automated collection of data, the focus of data collection is on our services, not on your private data.

We need to automatically collect and process relevant personal data for our services and tools needed while being employed or while subcontracting for Lindström, to enhance them, and to provide them to you. As such processing is inseparable from the services we provide to you, this gives us a valid need to process your data and legal authorization to do so.

To ensure security and safety at work, Lindström may collect additional data in an automated manner, directly from our services while you are working for Lindström, from the digital access management of a building, and from your device and related data traffic and IT service logs.

Third Party Processors

Our carefully selected partners and service providers may process personal information about you on our behalf as described below:

Digital Marketing Service Providers

We periodically appoint digital marketing agents to conduct marketing activity on our behalf; such activity may result in the compliant processing of personal information. Our appointed data processors include:

(i) Prospect Global Ltd (trading as Sopro), Reg. UK Co. 09648733. You can contact Sopro and view their privacy policy here: http://sopro.io. Sopro are registered with the ICO (Reg: ZA346877); their Data Protection Officer can be emailed at: dpo@sopro.io.

Purposes and the Legal Basis of Processing personal data

We process personal data for the following purposes:

| Purpose of data processing | Lawfulness of processing | Data Subjects |
| --- | --- | --- |
| Delivery of services; to deliver services to you, maintain and develop our services, identify authorized users and check customer qualifications, process and track transactions such as administering accounts, shipping, invoicing, and managing licenses. | Performance of a contract or legitimate interests. | Wearers, Customer Contact Persons |
| Enable your working for Lindström; i.e., to make it possible for you to work in or work for Lindström. | Processing is necessary for compliance with a legal obligation to which the controller is subject as an Employer. Performance of a contract or legitimate interests. | Employees, Consultants, Outsourced employees |
| Analysis; to track how our services are acquired, to understand how you feel about using our services, to better manage our customer relationships and to approach you with relevant messages. | Legitimate interests | Agreement Contact Persons |
| Communicate; by sending you information relating to Lindström services, marketing and advertising Lindström services to you. | Consent or legitimate interests | Agreement Contact Persons, Target of Marketing |
| Regulatory; to fulfil our obligations as a private company, to prevent fraudulent activities, to remove or stop sharing of illegal or infringing material, and to comply with legal or regulatory requirements. | Compliance with a legal obligation or legitimate interests | Employees |

By using our services, by using our services while being an employee of our customer, by being employed by us or by being a subcontractor’s employee providing services to Lindström, you are our end-user. Because of this relationship, we have a right to process relevant personal data on the legal grounds specified above. We have a right to process your personal data if you are assigned with responsibility to represent a Customer. We will do this only to the extent necessary.

Such data processing may occur when you communicate with us or our business partners relating to our services, use our services, are employed by Lindström or by Lindström’s subcontractor, fill out a form or survey, register to use our services, submit information through our web site or independent campaign sites, enter a contest or sweepstakes, register your e-mail address with us, or send us e-mail.

The adjoining service and interaction-specific policies explain in more detail the specific purposes for the collected personal data. While some of our services and functions may have dedicated policies to help you better understand the data collected by that particular service, interaction or function, we consider you an end user, a subcontractor or a customer of Lindström as a whole and not in conjunction with a specific service, interaction or function.

Categories of Recipients and International Data Transfers

Partners help us provide our services and provide tools for our employees and sometimes for our subcontractors. This also means that we exchange data with our partners. When doing so, we focus on sharing only the necessary personal data. Such sharing may take place only in the following circumstances and only if sharing the personal data with others is necessary.

Subcontracting; we may disclose some personal data to subcontractors or other business partners when they provide services to or otherwise co-operate with Lindström, or if the subcontractor participates in providing services to a Customer. Where our end-user’s personal data needs to be disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services and act in a manner consistent with this privacy policy as well as applicable laws. When a subcontractor discloses personal data of its employees to us, we require the subcontractor to inform us without undue delay when the need to process the end-user’s personal data ends.

Services; we may disclose our end-user’s personal data to our Customer. While doing so, we require our Customer to offer the same level of data protection as we seek to provide to the personal data of our end-user.

International transfers; we have subsidiaries belonging to the Lindström Group in third countries outside the geographical area of the European Economic Area (EEA) or the European Union (EU). Additionally, some of our partners are located outside the EEA or the EU. We implement either standard data protection clauses adopted by the European Commission in order to enable the transfer of personal data or secure such transfers of personal data otherwise according to the requirements of the applicable laws.

Other disclosures; in some cases, we may be obligated to disclose your personal data to Regulatory agencies, as required by the applicable laws. We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of Lindström, where the information is provided to the new controlling entity in the regular course of business. In any such action, we will act according to the applicable laws.

Data Retention

We follow the main principles of Finnish and European Union laws on data retention, meaning that the personal data should be deleted or anonymized once we no longer need it for the purpose it was collected.

We store the data of our end-users for varying durations in specific services depending on the type of data, but so that we are able to perform our duties as an employer and as a party to a contract with a customer or subcontractor. A valid reason for us to continue processing personal data may also be that we seek to limit damages we may have to sustain and pursue available remedies, to solve or contain a recurring problem, or to prevent fraudulent activity, or that applicable laws so require. If the data doesn’t contain personal data, for example security data or aggregate analytics data, the retention period of such data is at our discretion.

Data Security

We implement the industry’s best practices of information security management. Related computer systems, networks and processes have been implemented with security in mind. Additionally, systems and services are monitored and Lindström is prepared to respond to security incidents.

Your Rights

We seek to keep your personal data accurate, complete, and up to date. You have the right to obtain information on the personal data concerning you and ask us what personal data we have on you. You have the right to have any incorrect, incomplete or otherwise inaccurate personal data erased or rectified. You also have the right to request the restriction of processing concerning you or to object to processing, as well as the right to data portability. Additionally, you have the right to lodge a complaint with a supervisory authority, if you consider the processing unlawful.

You can cancel your consent to the processing of your personal data, but such cancellation does not affect the lawfulness of processing of your personal data prior to such cancellation.

You can contact us for more details about how your personal data is processed, to cancel your consent or to use your abovementioned rights. Our contact information is included in this policy. You can unsubscribe from receiving marketing messages by following the instructions that are included in each message.

Changes

This version of the policy replaces the previous policy. We reserve the right to keep this policy up to date and to make changes and additions also in the future. Any changes will apply starting from the date that we publish the revised privacy policy.

APPENDIX 1 Categories of Collected Data in Services

List of personal data disclosed from ERP to all other systems and from eLindström to ERP (Solar and ABSSolute)

| Data item | Description |
| --- | --- |
| User ID | Identification number to specify a wearer or an end user in the IT system |
| First name | Name of the Wearer, to establish garment item order, lease or laundry service order |
| Family Name | Name of the Wearer, to establish garment item order, lease or laundry service order |
| Company | Company name, employer of the wearer |
| Sex | Male or female |
| Address | Place of work, delivery address |
| TagID | Physical identifier of a Tag, read from a clothing tag e.g. at the laundry line and door reader |
| Shoe size | Size of shoes individual use |
| Shirt size | Size of shoes individual use |
| Trouser size | Size of shoes individual use |

List of Personal Data for Customer Management (CRM)

| Data item | Description |
| --- | --- |
| Contact person first name | Contact person detail |
| Contact person last name | Contact person detail |
| Delivery customer first name | Delivery customer detail |
| Delivery customer last name | Delivery customer detail |
| Service customer first name | Service customer detail |
| Service customer last name | Service customer detail |
| Company | Workplace of a customer |
| Company Address, City and Country | Location of workplace |
| Contact person phone number | Phone number |
| Delivery customer phone number | Phone number |
| Service Customer phone number | Phone number |
| Contact person email | email address |
| Delivery customer email | email address |
| Service Customer email | email address |
| Owner of the Customer in Lindström, first name | Lindström employee name |
| Owner of the Customer in Lindström, last name | Lindström employee name |
| Owner of the Customer in Lindström, phone number | Lindström employee phone number |
| Owner of the Customer in Lindström, email | Lindström employee email |

List of Personal Data for Direct Marketing and Lead Generation

| Data item | Description |
| --- | --- |
| Contact first name | Direct marketing contact given name |
| Contact family name | Direct marketing contact family name |
| Contact email address | Direct marketing contact email address |
| Contact phone number | Direct marketing contact phone number |
| Consent | Consent or objection to receive marketing communications. This personal data is only received from HubSpot. |

| List of personal data | This is the extent of personally identifiable data being processed within eLindström Service. |
| --- | --- |
| User ID | Identification number to specify a user |
| First name | Name to establish garment item order |
| Family Name | Name to establish garment item order |
| Company | Company to establish garment order |
| Shoe size | Number |
| Shirt size | Number or letter |
| Trouser Size | Number or letter |
| Sex | Male/Female |
| User role | User role in the system (Contact person, Administrator, end user) |
| Address | Location |
| Username | User credential of eLindström portal |
| Password | User credential of eLindström portal |

List of personal data in O365

| Data item | Description |
| --- | --- |
| HR Personec | Please see HR Personec solution description documentation. |
| On premise Active Directory (AD) | Please see Lindström IAM architecture documentation for AD |
| Azure Active Directory (AD) | Same as with on premise AD. |