Hiab Group
Privacy Statement - Customers, Partners and Vendors

Privacy Statement - Customers, Partners and Vendors

Last updated on 01/04/2025

Hiab Corporation (“we” or “Hiab”) recognizes the importance of protecting individuals’ privacy and processing personal data in accordance with the applicable privacy laws. The purpose of this Privacy Statement (“Statement”) is to communicate the ways we process personal data in connection with managing our customer, partner and vendor relationships. Such personal data may concern the personnel, contractual partners or shareholders of our customers, partners or vendors. With respect to dispute resolution, the personal data may also concern other persons that are on the opposing party or otherwise involved in the matter.

We comply with the European Union (EU) General Data Protection Regulation 2016/679 (GDPR) as well as with any other applicable data protection legislation. Should any applicable mandatory laws or regulations be in conflict with this Statement, we will respect such laws and regulations over any conflicting parts in this Statement. 

Contact information of the data controller

Data controller, and therefore the legal entity responsible for collection and use of personal data under this privacy policy is Hiab Corporation. The contact information of the data controller is the following:

Hiab Corporation 

Business ID: 1927402-8

Address: Itämerenkatu 25, 00180 Helsinki, Finland

Please contact us at privacy@hiab.com if you have any questions in regards to the protection of your personal data or if you wish to exercise your legal rights.

In regards to detailed data processing activities, individual Hiab affiliate companies may also operate as data controllers, either independently or jointly with Hiab. The contact information of the individual Hiab affiliate companies is available upon request. 

Purposes of processing personal data 

We collect the personal data for the following purposes:

  • To provide our products and services to our customers, including providing related maintenance, support, and customer service;
  • To manage our customer, vendor and partner relationships, including managing contracts, accounts and licenses with us, processing feedback, and providing communications to you;
  • To provide and manage warranties, and ensure product safety, including notifying customers of product recalls and potential safety issues concerning our products;
  • To manage invoices and transactions;
  • To comply with our contractual obligations and enforce our contractual rights;
  • To execute the legal obligation to prevent, detect and investigate bribery, corruption, money laundering and financing of terrorism and to bring money laundering, terrorist financing and the crime by which the property or criminal benefit that is the subject of money laundering or terrorist financing has been obtained, under investigation (hereinafter “KYC/KYP process”);
  • To execute obligations related to sanctions;
  • To prevent abuses and unauthorized use of our products and services;
  • To comply with other applicable legal or regulatory requirements and internal policies, documentation and requirements;
  • To handle inquiries, complaints and claims from third parties;
  • If necessary, to bring legal claims and/or respond to and defend against legal claims; and
  • To handle inspections and inquiries of supervisory authorities and for the purposes of external audits. 

Categories of personal data 

We may collect and process the following categories of personal data:

  • Name;
  • Business contact information, such as email address, postal address and phone number;
  • Title and role in the company;
  • Login information to our services, such as your username and password;
  • Information relating to contracts, transactions and deliveries with us;
  • Information relating invoices; 
  • Information relating to vendor personnel and contractors working with us, such as personal identification number, CVs and competency related information;
  • Feedback and communications, including information received in connection with or needed to resolve a support request; and
  • Information relating to audits conducted to verify compliance with applicable laws and Hiab’s ethical principles.

Furthermore, for the purposes of KYC/KYP process, we may collect and process additionally the following categories of personal data:

  • Social security number;
  • Nationality;
  • Information on why the individual is a beneficial owner;
  • Date of birth;
  • Gender; 
  • Personal contact details, such as home address, email address and phone number;
  • Country of residence;
  • Photo; 
  • Employment and education history; 
  • Criminal and regulatory history; 
  • Ownership of shares; and 
  • Any status as or relation to a politically exposed person.

We always screen companies and contact persons against the European Union (EU), Office of Foreign Assets Control (OFAC), and the United Nations (UN) sanctions lists. 

Sources from which we gather your personal data 

We collect the personal data either directly from you, through your employer company or the company to which you are otherwise related to, such as the dealer company you purchased Hiab products or services from, or through publicly available resources such as social media channels. We may also collect your personal data from public authorities, Hiab affiliate companies and other third party relations, depending on the type of the services provided. Examples of third party sources include:

  • Registers held by governmental agencies
  • Financial sanction lists 
  • Registers held by credit-rating agencies and other commercial information providers providing information on e.g. beneficial owners and politically exposed persons.

Legal basis of processing personal data 

We collect and process your personal data based on one or more of the following legal bases:

1. On the basis of a contract

We process your personal data to collect and verify the data prior to entering into a contractual relationship with the customer, partner or vendor. We also process personal data to document and complete tasks to fulfil contractual obligations, such as to provide our products and services to the customer.

2. On the basis of a legal obligation to which Hiab is subject 

Processing of personal data also takes place to fulfil our obligations under applicable legislation, other regulations or authority decisions. Examples of legal obligations include: KYC/KYP processes, prevention of money laundering and terrorist financing, bookkeeping regulations, reporting to tax authorities and supervisory authorities, and other obligations related to service or product specific legislations.

3. On the basis of the consent of a data subject

We may collect and process your personal data on the basis of your consent. Examples of such situations include processing of special categories of personal data. Information about the purpose, processing activity, categories of personal data and your right to withdraw your consent will be provided when you are asked to give us your consent. Please note that in case you have provided your consent to the processing of your personal data, you can always withdraw the consent at any given time.

4. On the basis of the legitimate interests of Hiab

We also collect and process your personal data when necessary to advance our legitimate interests provided that those legitimate interests are not overridden by your interests or fundamental rights and freedoms. The legitimate interests pursued by Hiab include the following: 

  • Taking care of business risks;
  • Ensuring effective delivery of our products and services to you; 
  • Managing the customer, partner or vendor relationship;
  • Managing invoices and transactions;
  • Ensuring effective delivery of services from our vendors for the purposes specified above in section “Purposes of Processing”; 
  • Preventing abuses and unauthorized use of our products and services; and
  • Compliance with internal policies and documentation requirements and establishment, exercise and defence of legal claims. 

These purposes are necessary for the operation of our business in an efficient manner and therefore require the collection and processing of your personal data. We note that the rights of individuals may sometimes override the legitimate interests of a data controller. However, we have made sure that a fair balance is made between the rights of data subjects and the legitimate interests of individuals.

Disclosures of personal data 

We may share your personal data with service providers and business partners that operate and process personal data as data processors on our behalf. These data processors may include IT and technology providers hosting and maintaining our data. We may share your personal data with our affiliate companies for any of the legitimate purposes described in this Statement. We may share your personal data with authorized third parties, such as insurance companies and our resellers. 

Your personal data may be also shared where required under any applicable law or regulation or by the order of a court or public authority, to protect or exercise our or your rights, or to prepare or carry out a merger, asset sale, acquisition or other similar arrangement.

We are committed to applying adequate measures to make sure your personal data is secured reasonably and effectively in all instances, including granting access to personal data only to persons who have a reasonable requirement to access the data to be able to perform tasks they are required to do.

Third country transfers 

We may transfer your personal data outside the European Union and/or the European Economic Area. In order to ensure adequate protection of any such transferred data, we will ensure that the following conditions apply:

  • The EU Commission has decided that there is an adequate level of protection in the country in question;
  • other appropriate safeguards have been taken, for example the use of the Standard Contractual Clauses approved by the EU Commission or the data processor has valid Binding Corporate Rules (BCR) in place; or
  • there are exceptions in special situations, such as to fulfil a contract with you or your consent to the specific transfer.

In any case, we will always ensure that your personal data is adequately protected as required by applicable laws and regulations. To receive more information on the recipients outside the European Union and/or the European Economic Area and applicable legal transfer mechanism, please contact us at privacy@hiab.com

Retention of personal data

We retain the personal data for only as long as that data is necessary for the purposes we have collected it, or if we are required to retain that data for longer periods in order to comply with applicable laws. Therefore, we will retain your personal data for as long as it is necessary for the performance of a contract, or as long as required by retention requirements in applicable laws and regulations. 

Please note that the data retention obligations will differ within Hiab due to differences in local laws. In general, Hiab will store customer, vendor and partner data for ten years after the end of the respective relationship to establish, exercise and defend against legal claims and to demonstrate compliance with legal and regulatory obligations upon request by authorities. The retention period applied to the personal data in a specific case will, however, depend on the purpose of processing. Examples of different purposes together with applicable retention periods are listed below:

  • Information stored for KYC/KYP processes are retained for a minimum of five years after termination of the business relationships or the performance of the individual transaction
  • Information stored for bookkeeping purposes is stored due to legal requirement for up to ten years

We will delete or upon notice correct any incorrect or inaccurate data. We are committed to applying our internal data retention policies, as they are in force from time to time. 

Please contact us at privacy@hiab.com for more detailed information on our data retention policies.

Our information security practices 

Personal data may be stored either in hardcopy or electronic form. We recognise our obligation to safeguard the sensitive nature of all personal data. We are, therefore, committed to applying protective measures to secure against the unauthorized access, modification, collection, copying, use, and disclosure of any personal data. These measures include: (i) limiting the access and uses of information to those Hiab personnel, contractors and suppliers and other persons who, for in order to be able to perform their relevant tasks need to have, on a fair and lawful basis, access to the personal data; (ii) use of physical and electronic access codes and passwords to control and restrict access; (iii) training and raising awareness on relevant employees and other personnel about data protection and privacy; (iv) applying updates and at-minimum-industry standard technical security measures.

Rights of the data subjects 

As a data subject you have the right to ask us to tell you what personal data we at any given time store about it. Subject to local applicable laws you also have the right to:

  1. Request to access your personal data we are keeping about you;
  2. Request correction of incorrect or incomplete personal data;
  3. Request us to erase your personal data if you deem that it should be erased, subject to applicable laws and our retention criteria;
  4. Request us to restrict the use of your personal data;
  5. Object the processing of your personal data if we process your personal data based on a legitimate interest;
  6. Request us to transfer your personal data over to you or to another data controller in accordance with the applicable law;
  7. If we have requested and you have given us your consent to process your personal data, you have the right to withdraw that consent in accordance with applicable laws; and
  8. Lodge a complaint with a relevant data protection authority if you deem that we have processed your personal data in violation of the applicable data protection laws. Contact details of data protection authorities in EU Member States can be found in the directory maintained by the European Data Protection Board.

We will review such requests and execute them to the fullest extent possible in accordance with applicable laws. If you want to review or verify personal data about you, or to have it corrected or request its erasure, or to restrict or object to the processing of your personal data, or to request a copy of such data, you may exercise your rights by contacting us at privacy@hiab.com

You will not have to pay a fee to access your personal data or to exercise any of your other rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the data or to exercise any of your other rights. This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Changes to this Statement

We reserve the right to update this Statement at any time and encourage you to review this Statement from time to time for any amendments.

See also: 

Cookie Policy

Privacy Statement – Website and Marketing 

Legal Notice

 

Supplemental Privacy Provisions Concerning California

If you are a California resident, you have rights under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Acts of 2020 (CPRA), from hereon referred to as “CCPA”. This supplement to the Privacy Statement - Website and Marketing is an overview of the information that is required by the CCPA, and provides instructions for how to exercise the rights granted by the CCPA. “Personal Information” has the meaning given in the CCPA.

Personal Information collected during the preceding 12 months

As set out in the ‘Categories of personal data’, above.

Purposes of processing Personal Information within the past 12 months

As set out in ‘Purposes of processing personal data’, above.

Sources

As set out in the ‘Sources from which we gather your personal data’, above.

Personal Information disclosed for a business purpose during the preceding 12 months

As set out in the ‘Disclosures of personal data’, above.

Sale and share

We do not sell and have not sold Personal Information for the purposes of the CCPA in the last 12 months.

Rights relating to your Personal Information

As a California resident, you have the right to:

  • Know your Personal Information: You can request specific pieces of Personal Information, or information about the categories, purposes of use, sources or disclosures of Personal Information that we hold about you by sending an email to privacy@hiab.com or by calling (toll free) (800) 837-2351.
  • Request Deletion or Rectify your Personal Information: You can request the deletion of or seek to rectify (correct, update or modify) the Personal Information that we hold about you by sending an email to privacy@hiab.com or by calling (toll free) (800) 837-2351.
  • Limit the Use or Disclosure of Sensitive Personal Information
    • We do not collect Sensitive Personal Information. 

The verifiable consumer request must: (1) provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information, and (2) describe your request with sufficient detail to enable us to properly understand and respond to it.

You have the right to make a free request two times in any 12-month period. We will make the disclosure within 45 days of receiving your request, unless we request an extension. In the event that we reasonably need a 45-day extension, we will notify you of the extension within the initial 45-day period.

Authorized agent

If you want to make a request to know or a request to delete as an authorized agent on behalf of a California resident, you may use the submission methods noted above. As part of our verification process, we may additionally request that you provide proof concerning your status as an authorized agent. 

Non-discrimination

You have the right to be free from unlawful discriminatory treatment for exercising your rights under the CCPA.

Children’s information

We do not knowingly sell or share the personal data of children under the age of 16.

How to contact us

Questions about this supplement or about our handling of your Personal Information may be submitted by sending an email to privacy@hiab.com or by calling (toll free) (800) 837-2351.

For more information on our privacy practices that apply to the Personal Information we collect, use and share, see the Privacy Statement - Customers, Partners and Vendors.