This Privacy Policy applies to general data processing activities of the Hydro Group companies ("Hydro") in relation to personal data related to individuals outside our organization (external/third parties).
Effective date: June 13th, 2018
Hydro respects your privacy and will process any personal data according to the EU General Data Protection Regulation (GDPR). This Privacy Policy is intended to help you understand what data we collect, why we collect it, and what we do with it, as well as your choices regarding use, access and correction of personal information.
Each Hydro Group company is the Controller for their respective processing of personal data. The general data processing activities are described in this Privacy Policy. The companies may have more specific privacy policy describing their particular activities or services.
1 Hydro's Data Protection Procedure (the Hydro Binding Corporate Rules – BCR)
The Hydro Group companies have committed themselves to a general principle of the protection of personal data through the Hydro Code of Conduct. To implement such protection, Hydro has adopted a Data Protection Procedure.
The Data Protection Procedure ensures consistent and uniform data protection principles in Hydro. In addition, the Data Protection Procedure is approved by European Data Protection Authorities as a basis for transferring personal data from Hydro companies established within the European Economic Area ("EEA") to Hydro companies established outside the EEA.
A public version of the Data Protection Procedure is available here. The public version explains the Hydro Binding Corporate Rules (BCR) for processing of personal data, the legal basis for transfer of personal data to third countries and affected data subject’s rights pursuant to these rules.
2 How and why we collect and use personal data
2.1 Our website
We collect and use personal data through our websites. This includes data collected by cookies and it also includes for example if you contact us via contact forms, if you apply for a position through our recruitment portal or if we conduct online surveys where you freely give us your personal data. These activities and the data processing is described in further detail in the privacy policy available in the footer of each respective website
2.2 Marketing
You will receive marketing communications (including newsletters) if you have requested such information from us, or purchased goods or services from us, or if you provided us with your details when you entered a contact form and have given your consent to receive marketing communications from us.
If you subscribe to receive newsletters, press releases or other marketing communication, we will collect and store your name and your email address to be able to send you the materials requested. You can also follow us on social media, in which case each individual social media channel provider will store your personal data as per information in their respective privacy policy.
2.3 Recruitment
We process personal data concerning you if you apply for a position with us. We will collect and use the personal data you provide us with, which typically includes your name, your email address and telephone number, information on your CV and other information in your application.
The purpose of such processing is to handle your application, and the legal basis for the processing is your consent. You can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of the processing based on the consent prior to you withdrawing it. You can find more information about data processing relating to our recruitment portal on-line.
For some positions, we also conduct background checks of candidates as part of our recruitment process. The purpose is to verify the candidate's identity, education, employment history, certificates and other aspects relevant for the position. Such processing can include personal data about the person's name, age, references, financial history and criminal records, in addition to information that is publicly available.
Where appropriate or required by applicable law, the legal basis for processing of personal data relating to background checks is your consent. You may withdraw you consent at any time. Please be aware that withdrawing your consent will not affect the lawfulness of processing based on the consent prior to the withdrawal. If background checks are required by applicable law, the relevant law is the legal basis for the processing. In other instances, the legal basis for the processing is our legitimate interests in safeguarding our business.
2.4 Security
Hydro companies have implemented various security measures that requires processing of personal data. This is to safeguard against illegal or unauthorized access to areas, buildings, rooms, systems, processes or equipment. For example, Hydro premises can have activity logs, camera surveillance, controls of delivery vehicles and the drivers and visitor and employee access control. Which personal data we collect and use, depend on the security measures in question, and includes images and videos of you, your name, telephone number and place of employment, date and time you access premises and information about the vehicle you are driving.
The legal bases for such processing of personal data are our legitimate interests in safeguarding of our business and any applicable legal requirements relating to this.
2.5 Business relations purposes
We process personal data to support and manage customer, supplier and partner relationships mainly for contract initiation and contract execution
We process personal data for such business relations purposes based on your consent and our legitimate interests in promoting our relationship with, and ensuring good management of and support for our customers, suppliers and partners. For processing based on your consent, you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of the processing based on the consent prior to you withdrawing it.
2.6 Social events
Hydro may handle the registration for a social event in which Hydro is the organiser or sponsor. In such cases, Hydro processes personal data about the people invited to the event and people registering for the event. This processing is limited to the information needed for the purpose of organizing the social event, and includes personal data such as name, email address and telephone number, place of employment and position and any special needs. We process personal data for such purposes, based on your registration and your consent provided in doing so. The personal data will be deleted once the purposes have been met. You may withdraw your consent at any time, by un-registering from the event. Withdrawing your consent will not affect the lawfulness of the processing based on the consent prior to you withdrawing it.
2.7 Integrity Due Diligence
As part of our Integrity Due Diligence process we collect information about our suppliers and business partners in order to ensure compliance with inter alia anti-corruption laws and export controls. This process may include collection of personal data of persons associated with such suppliers and business partners. The legal bases for Integrity Due Diligence processing are legal obligations and our legitimate interests in safeguarding our business.
2.8 Legal obligations and legal proceedings
Hydro companies have various legal obligations that necessitate processing of personal data. These legal obligations vary from country to country and from company to company, and typically include obligations relating to tax and accounting. These legal obligations are the basis for such processing of personal data.
Hydro also processes personal data in relation to legal proceedings. The purpose and legal basis for such processing is Hydro's legitimate interests in establishing, exercising or defending legal claims.
3 Who we share personal data with
Hydro only shares personal data in accordance with our Data Protection Procedure (the Hydro Binding Corporate Rules) and applicable data protection law.
We share personal data with:
- Other companies in the Hydro Group
- Our third-party service providers
- Public authorities and private entities (e.g. financial institutions), as mandated by law
In cases where we sell or buy businesses or assets, we may disclose your personal data to prospective buyers or sellers.
If the sharing of personal data involves transfers of personal data to a recipient that is established outside the EU/EEA, the transfers will follow the procedures set out in our Data Protection Procedure (the Hydro Binding Corporate Rules).
4 Information security
Hydro protects your personal data through technical and organizational security measures.
5 Your rights
You are entitled to be informed upon request of what personal data, if any, Hydro processes about you. You may also request that any excessive personal data we may happen to process is deleted or blocked, and request rectification of any wrongful personal data that we may process. You can also contact your national Data Protection Authority to lodge a complaint, see more information below.
If you want more information than provided in this policy for example on how your information is used, how we maintain the security of your information, and your rights to access information we hold on you, please contact us by using the contact form provided on www.hydro.com (choose topic: “Data Privacy”) or contact us by telephone: +47 22 53 81 00.
6 Complaints
6.1 Complaints to Hydro
If you are unhappy with how personal data concerning you are processed, you may file a complaint to Hydro. To file the complaint, please use Hydro's contact scheme on www.hydro.com, and choose the topic "Data Privacy".
Generally, you will receive a written response from us within four (4) weeks after we receive your complaint. If, due to the complexity of the complaint, we cannot provide you with a response within the four (4) weeks, we will inform you and provide you with a reasonable estimate of when you can expect a response. The time limit will not exceed three (3) months from the time we received the complaint.
6.2 Complaints to a Data Protection Authority
You can bring your complaint to a Data Protection Authority. You can choose whether to make the complaint to the Data Protection Authority where you live, where you work or where you claim the infringement of your rights has taken place.
We ask that you consider making a complaint directly to Hydro before contacting the Data Protection Authority.
7 Contact details
If you have any questions or concerns regarding your privacy or you want to exercise your rights, you can contact us by using the contact form on www.hydro.com (choose topic: “Data Privacy”), contact us by telephone: +47 22 53 81 00 or approach our local Data Privacy Officers.
8 Changes to this privacy policy
We keep our Privacy Policy under regular review. The Privacy Policy was last updated on June 13th, 2018. New versions will be posted on the website and notified to you in due course.
Updated: April 04, 2019