Integrity Policy

This integrity policy is effective from 25 May 2018 and was last updated 19 May 2023.

OX2 Group and all of our subsidiaries work to ensure that your privacy and integrity are protected when you use our products and services. Our goal is to help you feel confident that your personal privacy is respected and that your personal information is processed correctly. We take responsibility for ensuring that personal data processed by OX2 Group is used only for its initial purposes and is protected against accidental or unlawful destruction, loss, use, or alteration and against unauthorized disclosure or access.

All processing of personal data by the OX2 Group and our subsidiaries is carried out in accordance with applicable privacy legislation: since 25 May 2018, the General Data Protection Regulation (GDPR, EU 2016/679).

Who is responsible for your personal information?

OX2 Group is the main data controller. In addition, subsidiaries of OX2 Group can also be data controllers (including as “joint-controllers”) and process personal data as described in this privacy policy. Your relationship with OX2 will determine which of our group companies have access to and process your personal data, and which of our group companies are the data controller(s) responsible for the personal information.

How and when do we process your personal information?

1. Supplier and stakeholder relationship management

To administer our supplier or stakeholder relationship in order to fulfil our contract with you.

Description of the processing activities
Collection, recording, structuring, storage, use, disclosure by transmission, erasure or destruction.

Categories of personal data obtained
Name, contact details (such as address, e-mail address, phone number)

Lawful basis of the processing
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (article 6.1 b GDPR).

Automated decision-making, including profiling (if applicable): No

Categories of recipients:
OX2 AB (org.nr 556675-7497)
OX2 AB Finland (org.nr 2530053-6)
OX2 AB Branch Italy (org.nr 11843050961)
OX2 AB Stockholm (org.nr RO44426220)
OX2 AB Denmark (org.nr 43311158)
OX2 Construction AB (org.nr 556807-5252)
OX2 Construction AB Finland (org.nr 2520214-5)
OX2 Construction AB Norway (org.nr 917088403)
OX2 Construction AB Prywatna Poland (org.nr KRS0000815065)
OX2 Construction AB Italy (org.nr 12602080967)

The retention periods
We will save your personal data as long as it is necessary for the performance of a contract to which the data subject is party (article 6.1 b GDPR).

2. Business relationships

In the context of the business relationship with us, we process personal data for the following purposes:

  • Communicating with Business partners about our products and services (e.g., responding to inquiries or requests, or providing you with information).
  • Planning, performing and managing the contractual relationship with you as Business partner.
  • Maintaining and protecting the security of our products and services, preventing and detecting security threats, fraud or other criminal activities.
  • Ensuring compliance with legal obligations (such as record keeping obligations, compliance background checks) and our policies or industry standards.
  • Solving disputes, enforcing our contractual agreements and establishing, exercising or defending legal claims.

Description of the processing activities
Collection, recording, structuring, storage, use, disclosure by transmission, erasure or destruction.

Categories of personal data obtained
In the context of the business relationship with us, we may process the following categories of personal data of customers and contact persons at (prospective) customers, suppliers, vendors and partners (each a “Business partner”):

  • Contact information such as full name, contact information.
  • Organisational information including job position and company name.
  • Contractual data such as data necessary for processing fraud prevention.
  • Further information necessarily processed in a project or contractual relationship with us provided by the Business partner, such as personal data relating to orders placed, payments made, requests and project milestones.
  • Personal data collected from publicly available resources, credit agencies and information that is legally required for Business partner compliance screenings such as date of birth, nationality, place of residence, ID-numbers, identity cards and information about relevant and significant litigation or other legal proceedings against Business partners.

Lawful basis of the processing
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (article 6.1 b GDPR) and for the purposes of the legitimate interest pursued by us as data controller (article 6.1 f GDPR).

More specifically:

  • To provide our products and services: Contract performance (article 6.1 b GDPR).
  • Payments: Contract performance (article 6.1 b GDPR).
  • To verify your identity and necessary screenings: Contract performance (article 6.1 b GDPR); Legal obligation.
  • To fulfil your requests or instructions: Contract performance (article 6.1 b GDPR); Legitimate interest (article 6.1 f GDPR).
  • When necessary to enforce the contractual agreement, to establish and preserve legal claims or defense, to prevent fraud or other criminal activities: Compliance with legal obligations (article 6.1 c GDPR); Legitimate interest (article 6.1 f GDPR).

Automated decision-making, including profiling (if applicable): No

Categories of recipients:
OX2 AB (org.nr 556675-7497)
OX2 AB Finland (org.nr 2530053-6)
OX2 AB Branch Italy (org.nr 11843050961)
OX2 AB Stockholm (org.nr RO44426220)
OX2 AB Denmark (org.nr 43311158)
OX2 Construction AB (org.nr 556807-5252)
OX2 Construction AB Finland (org.nr 2520214-5)
OX2 Construction AB Norway (org.nr 917088403)
OX2 Construction AB Prywatna Poland (org.nr KRS0000815065)
OX2 Construction AB Italy (org.nr 12602080967)

The retention periods
We will save your personal data as long as it is necessary in compliance with the initial purpose and applicable legal obligations.

3. Billing

To handle payment transactions for our products and services.

Description of the processing activities
Collection, recording, structuring, storage, use, disclosure by transmission, erasure or destruction

Categories of personal data obtained
Billing information (such as name, address, purchased product or service), transaction history.

Lawful basis of the processing
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (article 6.1 b GDPR).

Automated decision-making, including profiling (if applicable): No

Categories of recipients:
OX2 AB (org.nr 556675-7497)
OX2 AB Finland (org.nr 2530053-6)
OX2 AB Branch Italy (org.nr 11843050961)
OX2 AB Stockholm (org.nr RO44426220)
OX2 AB Denmark (org.nr 43311158)
OX2 Construction AB (org.nr 556807-5252)
OX2 Construction AB Finland (org.nr 2520214-5)
OX2 Construction AB Norway (org.nr 917088403)
OX2 Construction AB Prywatna Poland (org.nr KRS0000815065)
OX2 Construction AB Italy (org.nr 12602080967)

The retention periods
We will save your personal data as long as it is necessary in compliance with applicable legal obligations.

4. Cookies and online identifiers or other tracking technologies

We have an interest in making our websites operate efficiently, providing account-related functionalities, and understanding how you interact with our websites and what service you are interested in.

Description of the processing activities
Collection, recording, structuring, storage, use, disclosure by transmission, erasure or destruction

Categories of personal data obtained
We use cookies or other tracking technologies to monitor how you interact with our websites.

Lawful basis of the processing
The data subject has given consent to the processing of his or her personal data for one or more specific purposes (article 6.1 a GDPR).

Automated decision-making, including profiling (if applicable): No

Categories of recipients:
OX2 AB (org.nr 556675-7497)
OX2 AB Finland (org.nr 2530053-6)
OX2 AB Branch Italy (org.nr 11843050961)
OX2 AB Stockholm (org.nr RO44426220)
OX2 AB Denmark (org.nr 43311158)
OX2 Construction AB (org.nr 556807-5252)
OX2 Construction AB Finland (org.nr 2520214-5)
OX2 Construction AB Norway (org.nr 917088403)
OX2 Construction AB Prywatna Poland (org.nr KRS0000815065)
OX2 Construction AB Italy (org.nr 12602080967)

The retention periods
We will save your personal data as long as it is necessary for the initial purpose. You can control and/or delete cookies as you wish – for details, see our cookie policy.

5. Advertisement and marketing

We disclose information about our products and services for the purpose of marketing our products and services to individuals who consent to receive such information.

Description of the processing activities
Collection, storage, use, disclosure by transmission, erasure or destruction

Categories of personal data obtained
E-mail address

Lawful basis of the processing
The data subject has given consent to the processing of his or her personal data for one or more specific purposes (article 6.1 a GDPR). You can withdraw your consent to our marketing at any time by contacting us.

Automated decision-making, including profiling (if applicable): No

Categories of recipients:
OX2 AB (org.nr 556675-7497)
OX2 AB Finland (org.nr 2530053-6)
OX2 AB Branch Italy (org.nr 11843050961)
OX2 AB Stockholm (org.nr RO44426220)
OX2 AB Denmark (org.nr 43311158)
OX2 Construction AB (org.nr 556807-5252)
OX2 Construction AB Finland (org.nr 2520214-5)
OX2 Construction AB Norway (org.nr 917088403)
OX2 Construction AB Prywatna Poland (org.nr KRS0000815065)
OX2 Construction AB Italy (org.nr 12602080967)

The retention periods
As long as we have your consent to provide you with information and marketing.

6. Survey

Processing of your contact information to carry out surveys (e.g., community surveys)

Description of the processing activities
Collection, storage, use, structuring, erasure or destruction.

Categories of personal data obtained
E-mail address

Lawful basis of the processing
The data subject has given consent to the processing of his or her personal data for one or more specific purposes (article 6.1 a GDPR). You can withdraw your consent to our marketing at any time by contacting us.

Automated decision-making, including profiling (if applicable): No

Categories of recipients:
OX2 AB (org.nr 556675-7497)
OX2 AB Finland (org.nr 2530053-6)
OX2 AB Branch Italy (org.nr 11843050961)
OX2 AB Stockholm (org.nr RO44426220)
OX2 AB Denmark (org.nr 43311158)
OX2 Construction AB (org.nr 556807-5252)
OX2 Construction AB Finland (org.nr 2520214-5)
OX2 Construction AB Norway (org.nr 917088403)
OX2 Construction AB Prywatna Poland (org.nr KRS0000815065)
OX2 Construction AB Italy (org.nr 12602080967)

The retention periods
As long as we have your consent to provide you with information.

Security

To protect your personal data against accidental or unlawful destruction, loss, use, or alteration and against unauthorized disclosure or access, we use adequate physical, technical (e.g. encryption and pseudonymization) and organizational (e.g. access control, standard procedures, data processing agreements, data protection impact assessment) security measures. For example, we ensure that your personal data is only processed by our personal data assistants, who carry out tasks on behalf of the OX2 companies. In addition, disclosure of information is always in accordance with legal obligations, practices and standard procedures.

International data transfers

In the event that we transfer your personal data outside the European Economic Area (EEA), we ensure that your data is protected in a manner which is consistent with the GDPR (EU 2016/679). Therefore, and if required by applicable law, we take the following measures:

  • We share your personal data with affiliated companies outside the European Economic Area only if they have implemented our Binding Corporate Rules (“BCR”) for the protection of personal data.
  • We transfer personal data to external recipients outside the European Economic Area (EEA) only if the recipient has (i) entered into EU Standard Contractual Clauses with us, or (ii) implemented Binding Corporate Rules in its organization. You may request further information about the safeguards implemented in relation to specific transfers by contacting us.

Your rights

The General Data Protection Regulation (GDPR) grants you as an individual specific rights in relation to your personal data. In particular, and subject to the legal requirements, you may be entitled to

  • Obtain from us confirmation as to whether or not personal data concerning you are being processed, and where that is the case, access to the personal data;
  • Obtain from us the correction of inaccurate personal data concerning you;
  • Obtain from us the erasure of your personal data;
  • Obtain from us restriction of processing regarding your personal data;
  • Data portability concerning personal data, which you actively provided;
  • Object, on grounds relating to your particular situation, to further processing of personal data concerning you; and
  • Withdraw your consent to our processing of your personal data

Further information for OX2 Group's employees

Further OX2 Group privacy notices are available on the OX2 intranet (OX2 intranet access is required).

Data privacy contact

If you have any questions concerning how we process your personal data, want to contact us for any other reason relating to your personal data, have concerns or complaints, or wish to exercise any of your data privacy related rights, please contact our data privacy organization at privacy@ox2.com. The data privacy organization will always use reasonable efforts to address and settle any requests or complaints you bring to its attention.

Your Competent Data Protection Authority

Besides contacting our Data Privacy Organization, you always have the right to approach the competent Data Protection Authority with your request or complaint: