Data Protection - Vendors

As a rule:

•  your essential personalization information;
•  information of the company you represent;
•  your contact details;

Depending on your activity:

•  technical identifiers;
•  behavioural data (e.g. how you have used our digital services);

Examples of data attributes include:

• your first and last name
• job role and title
• company name
• job related address, e-mail, phone number
• usernames and passwords
• behavioural data from our websites;
• attendance information related to our events;

For Chinese vendor contacts, below personal data will be processed:

• Full name
• Salutation (gender)
• Company email address
• Personal email address
• Job position or title
• Phone number
• Mobile number
• Fax number
• Company name
• Usernames and passwords
• Home address
• ID (only for individual vendor) - (may be sensitive personal data)
• Bank account (only for individual vendor) - (may be sensitive personal data)
• Passport and/or ID for business trip - (may be sensitive personal data)
• Itinerary and/or accommodation for business trip - (may be sensitive personal data)

Konecranes Plc (established in Finland and being the parent company of Konecranes Group) has the overall responsibility and supreme decision-making power. Konecranes Global Corporation (established in Finland) has the limited responsibility for Konecranes Group centralized IT systems/applications (incl. subcontracting) as well as international transfers of personal data outside EU/EEA.

You can contact us by sending an email to data.protection(a)konecranes.com

For Chinese vendor contacts, please note:

We have a lawful right to process your personal data based on our legitimate interest to conduct business with the company you represent.

For Chinese vendor contacts, normally the legal basis for processing their personal data is consent. While under the relevant laws, we do not require your consent to process your personal data when:

• the processing is necessary for the conclusion or performance of a contract to which the individual is a contracting party or for conducting human resource management under the labor rules and policies developed in accordance with the laws and a collective contract signed in accordance with the laws;
• the processing is necessary to fulfill statutory functions or statutory obligations;
• the processing is necessary to respond to public health emergencies or protect the life, health or property safety of natural persons under emergency circumstances;
• personal data is processed within a reasonable scope to conduct news reporting, public opinion-based supervision, or other activities in the public interest;
• the personal data that has been disclosed by the individuals themselves or other personal data that has been legally disclosed is processed within a reasonable scope in accordance with the Laws; or
• under any other circumstance as provided by any law or administrative regulation.

Generally, we need to process your personal data in order to enable successful direct and indirect business transactions with the company you represent - such as sending of orders and receipt of products and services  (direct) as well as development of our internal processes and systems to support these transactions (indirect).
In detail, we use your personal data for the following purposes:
1) Business development and reporting;
2) Quality management;
3) Production, management, maintenance and research and development of processes, IT services and infrastructure;
4) Purchasing activities;
5) Inventory management and activities;
6) Manufacturing of products;
7) Delivery of products;
8) Vendor and subcontractor management (incl. access to KC Group digital channels and as appropriate to KC Group IT systems and products);
9) Invoicing, taxation and related financial transactions;
10) Ensuring the integrity of KC Group business environment and processes (incl. system/security monitoring for the prevention or inspection of misuse as the case may require);
11) Background studies of vendors (incl. vendor contacts as necessary);
12) Organizing events;
13) Archiving of non-active personal data in the scope of other purposes of uses and defined retention rules; and
14) Ensuring personnel safety (incl. vendor contacts);
15) Fulfilling and/or defending the rights and obligations of the company;

For China vendor contacts –

The processing purpose of your personal data are:

The processing purposes of your sensitive personal data are:

For individual vendors, the processing purposes of your sensitive personal data are:

The necessity of our processing of your sensitive personal data:

The impact of our processing of your sensitive personal data on data subjects’ personal rights and interests: Misuse of the personal data by a third party, resulting in damage to data subject’s privacy and personal dignity or suffering damages to bodily or property safety in case of accidental leakage of such sensitive personal data.

The processing method of your personal data (including sensitive personal data) includes collection, storage, usage, transmission, provision, and deletion.

Our use of your personal data enables and supports you for its part in fulfilling your employment duties related to business transactions between us and the company you represent.

You have always the right to:

• Object the processing of your personal data on the grounds of our legitimate interest; and
  • "HOWEVER, AS REQUIRED BY MANDATORY DATA PROTECTION LAWS, KONECRANES HAS ALREADY IN ADVANCE COMPLETED A THOROUGH BALANCE TEST ASSESSING YOUR RIGHTS AND KONECRANES BENEFITS THUS TAKING DULY INTO ACCOUNT AND SECURING YOUR RIGHTS AND FREEDOMS IN PERSONAL DATA PROCESSING."
• Opt-out from receiving any of our direct marketing messages and materials

At any time, you have also the right to:

• Verify the accuracy of your personal data;
• At your request, have your incomplete, inaccurate or outdated personal data amended, modified or erased; and
• Under certain circumstances, restrict the processing of your personal data;
• Under certain circumstances, be forgotten by us; and
• Lodge a complaint with a supervisory authority.

You can exercise these rights by sending us email to data.protection(a)konecranes.com or by filling out the form in

For Chinese vendor contacts, the data subjects also have the below legal rights under China data protection laws:

As required by mandatory data protection laws, we have completed a thorough analysis concerning the risks potentially caused by our Vendor Contact Data processing to your rights and freedoms.

As with any data processing, certain risks are possible also in ours relating mainly to

• the level of  confidentiality of your personal data;
• general data security matters; and
• your inability to access our systems and services.

However, levels of these risks have been recognized to be low and having a remote possibility only. Moreover, we mitigate these risks actively i.a.by:

• continuously training our personnel,
• providing and developing detailed instructions; and
• implementing and enhancing our data security practices.

We collect your personal data:

• directly from you e.g. when you register to our digital services or participate in a sales meeting or have a phone call with us;
• from your superiors or colleagues;
• from our own employees or business partners; and
• to a limited extend by observing your behaviour in our digital services.

Yes, depending on the case we may transmit your personal data outside EU/EEA:

• In doing so we rely either on EU Commission adequacy decisions or EU Commission standard contractual clauses (of type controller to processor, EU Commission decision 2010/87/EU) as appropriate or suitable safeguards for such international data transfers.

• inside our group of companies but also to our external business partners who provide services to us.

Your personal data may be transferred to following countries for processing:

• Australia
• Austria
• Bangladesh
• Belgium
• Brazil
• Canada
• Chile
• China
• Czech Republic
• Denmark
• Estonia
• Finland
• France
• Germany
• Greece
• Hungary
• India
• Indonesia
• Italy
• Japan
• Korea
• Latvia
• Lithuania
• Malaysia
• Mexico
• Morocco
• Netherlands
• New Zealand
• Norway
• Peru
• Philippines
• Poland
• Portugal
• Qatar
• Romania
• Russia
• Saudi Arabia
• Singapore
• Slovakia
• Slovenia
• South Africa
• Spain
• Sweden
• Switzerland
• Thailand
• Turkey
• Ukraine
• United Kingdom
• United Arab Emirates
• United States of America
• Vietnam

We use reliable subcontractors to provide us e.g. with IT services enabling our personal data processing - these services include, without limitation, provision of different infrastructure, software and applications utilized routinely in contact data processing within global groups of companies.

• Following mandatory data protection legislation, we always require our personal data service providers to enter into binding data processing agreements (e.g. as required by the EU GDPR) with us.

As a rule, we do not disclose your data out of our effective control except if so required by the law in case a court or the police or other law enforcement agency has asked us for it.

Additionally, your data may be disclosed in a limited manner to our trusted business partners.

Your personal data is protected by technical and organizational measures against accidental and/or unlawful access, alteration, destruction or other processing including unauthorized disclosure and transfer of your personal data.

Such measures include but are not necessarily limited to proper firewall arrangements, appropriate encryption of telecommunication and messages as well as use of secure and monitored equipment and server rooms. Data security is of special concern when third parties (e.g. data processing subcontractors) providing and implementing IT systems and services are retained.

Data security requirements are duly observed in IT system access management and monitoring of access to IT systems. Personnel processing your personal data as part of their tasks is trained and properly instructed in data protection and data security matters.

At most ten (10) years after the last business activity where you have been involved.

Additionally, as the case may require, we may have to extend your personal data retention on the grounds of establishment, exercise or defence of legal claims or execution of our internal investigations.

For China vendor contacts –

It is not statutory to provide your personal data, but certain personal data is required to execute or enter into a business activity (such as business contract) with us.