Privacy Statements

This Privacy Statement describes how Nokian Tyres in the context of its business process the personal data of consumers and corporate business contacts (“customer”). Protection of customer’s privacy is important to us. Nokian Tyres is committed to processing personal data transparently and in compliance with applicable data protection laws. 

CONTROLLER AND CONTACT INFORMATION 

Nokian Tyres plc is the controller of our customers’ personal data. Any questions regarding our customers’ privacy can be directed to us: 

Nokian Tyres plc 
Privacy 
Pirkkalaistie 7 
37100, Nokia, FINLAND 
[email protected] 

PURPOSES OF PROCESSING, CATEGORIES OF PERSONAL DATA & LEGAL BASIS 

CUSTOMER – CORPORATE BUSINESS CONTACT 

Personal data is primarily obtained in situations where a corporate customer has acquired products or services from Nokian Tyres or when a corporate business contact has registered into our digital services. Personal data is processed for the following purposes:  

• To deliver products and services for our corporate customers.   

Personal data processed for this purpose includes contact information, billing information and other information that customer or employee of a customer has provided us during the provision of our products. 

• To maintain business relationship with our corporate customers in context of customer service and communication, managing customer meetings and leads.  

Personal data processed for this purpose includes information related to customer service such as contact information, information submitted via surveys and feedback forms, information about participation to events and campaigns, newsletter subscriptions or other data provided to us in the context of customer service requests. Phone calls to customer service are recorded in order to ensure the quality of customer service.  

• To develop our products and services in context of customer surveys and reviews, and website analytics.  

Personal data processed for this purpose includes contact information, terminal equipment identifiers, online identifiers, data related to our customers online activity and preferences, and data that might be inferred. Usually, the personal data will be aggregated, or other ways anonymised for compiling statistics and reports for business and product development. More information about our practice regarding cookies is available here.  

• To sell and market our products and services such as online and postal advertisement. 

Personal data processed for this purpose includes contact information, behavioural information, terminal equipment identifiers, online identifiers and purchase information. Collected personal data is further processed in order to create target audiences and offer targeted content. Targeted content is always based on segments or audiences and not on our customers individual behaviour.  

• To provide Nokian Tyres Dealer Services for our corporate customers. 

Personal data processed for this purpose includes contact information, terminal equipment identifiers, online identifiers and information related to identity management such as authorization information.  

• To organize and manage customer events such as trade fairs and Nokian Tyres product launches.  

Personal data processed for this purpose includes contact information and travel and accommodation information.  

• Fulfilling statutory obligations and any other official rules and regulations 

Personal data processed for this purpose includes any information relevant regarding a statutory requirement.  

Legal basis for processing our corporate customer’s personal data is always one of the following:  

• Consent 

With regards to newsletter subscription, we process personal data only if a customer has given consent for it. Customers can withdraw their consent for direct electronic marketing purposes by using “unsubscribe link” at the end of the received email message.  

• Contract 

We process our corporate customer’s personal data on a contractual basis when providing our Marketing Toolbox -service.  

• Legal Obligation 

In relation to fulfilling our statutory obligations the legal basis of processing is our legal obligation.  

• Legitimate interest 

We process personal data based on our legitimate interest in the context of developing, selling, marketing, delivering and providing our products and services, to maintain business relationship with our customers, and to organize and manage customer events. 

To ensure that a significant and pertinent relationship exists between Nokian Tyres and a customer, and to demonstrate that our legitimate interest does not cause any significant intrusion of our customers’ privacy, or any other undue impact on interests and rights, we assess the processing with balancing tests. More information on the balancing test can be requested by contacting [email protected]. 

PURPOSES OF PROCESSING, TYPES OF PERSONAL DATA & LEGAL BASIS 

CONSUMER CUSTOMER 

Personal data is primarily obtained during the sign-up for our services, when ordering our publications such as newsletters, or in connection with our surveys and competitions. In addition, personal data may also be obtained and derived from service use. We process personal data for the following purposes:  

• To deliver newsletter and other publications to recipients who have subscribed to receiving these. 

Personal data processed for this purpose includes contact information such as contact information, terminal equipment identifiers and behavioural information.   

• To provide customer service for our consumer customers 

Personal data processed for this purpose includes information related to customer service such as contact information, information submitted via feedback forms or other data provided to us in the context of customer service requests. Phone calls to customer service are recorded in order to ensure the quality of customer service.  

• To market and advertise our products and services such as online and postal advertisement.   

Personal data processed for this purpose includes contact information, terminal equipment identifiers, online identifiers, behavioural data, data related to our customers online activity and preferences, and data that might be inferred from other data we collect. Collected personal data is further processed in order to create target audiences and offer targeted content. Targeted content is always based on segments or audiences and not on our consumer customers’ individual behaviour. More information about our practice regarding cookies is available here.  

• To offer our services such as Aramid guarantee or Nokian Tyres’ Satisfaction Promise.  

Personal data processed for this purpose includes contact information, vehicle and tire information and purchase information.  

• To organize competitions and draws for our consumer customers. 

Personal data processed for this purpose includes contact information and possible competition specific information. 

• To develop our products and services based on our customers feedback, product reviews and online activity. 

Personal data processed for this purpose includes contact information, terminal equipment identifiers, online identifiers, behavioural data, customer feedback and product reviews. More information about our practice regarding cookies is available here.  

• Fulfilling statutory obligations and any other official rules and regulations 

Personal data processed for this purpose includes any information relevant regarding a given statutory requirement.  

Legal basis for processing our consumer customer’s personal data is always one of the following:  

• Consent 

With regards to newsletter subscription, we process personal data only if a customer has given consent for it. Customers can withdraw their consent for direct electronic marketing purposes by using “unsubscribe link” at the end of the received email message.  

• Contract 

Legal basis for processing is contract when we process personal data for the purpose of organizing competitions or draws, or with regards to product guarantees where processing is necessary for a contractual relationship and enforcing the service contract.   

• Legal Obligation 

In relation to fulfilling our statutory obligations the legal basis of processing is our legal obligation.  

• Legitimate interest 

We process personal data based on our legitimate interest to develop our products and services, to provide customer service, and to market and advertise our products and services.  

To demonstrate that our legitimate interest does not cause any significant intrusion into our customer’s privacy, or any other undue impact on interests and rights, we assess the processing with balancing tests. More information on the balancing test can be requested by contacting [email protected].  

PERSONAL DATA TRANSFERS AND DISCLOSURES 

Personal Data Transfers 

As a global company, Nokian Tyres uses subcontractors and service providers to operate our business efficiently. For example, we use subcontractors to carry out campaigns and direct marketing or service providers for payment and billing management.  

The processing of personal data in relation to our subcontractors is always commissioned by Nokian Tyres and the other parties will act only on our behalf as personal data processors. Such processing is always protected with contractual arrangements to ensure that our service providers and partners process our customers’ personal data in accordance with the laws and good data processing practices.  

In a case our subcontractor or service providers is located outside the European Union (EU) or the European Economic Area (EEA) we ensure the adequate level of protection of our customers’ personal data with appropriate safeguards by using standard contractual model clauses approved by the European Commission or another valid mechanism provided under applicable legislation.

Personal Data Disclosures  

We only disclose personal data that is strictly necessary for complying with the statutory requirement. Example, when we give assistance in investigations of accidents, we need to disclose relevant information to support the investigative authorities.  

We might disclose personal data to other companies within Nokian Tyres group. This usually happens for the purposes of customer service, customer relationship management and marketing.  

In a case we sell, merge or otherwise re-arrange our business operations or assets, we need to disclose personal data to purchaser or prospective seller or buyer of such business or assets in compliance with applicable laws. In such a case we process personal data based on our legitimate interest to ensure our business continuity. In case a customer objects to such processing, the purchaser of our business may not be able to provide services anymore.  

SECURITY OF PERSONAL DATA  

We use technical and organisational measures to ensure the security of personal data from loss, misuse or other similar unlawful access. Such methods include the use of firewalls, encryption technologies and safe server premises. Access to personal data is limited on “need-to-know” basis and controlled by system access rights, as well as through granting and controlling access rights.  

In the event of a personal data breach, we will notify local supervisory authorities and everyone whose personal data may have been endangered in accordance with applicable legislation.  

DATA SUBJECT RIGHTS  

As a responsible company we want to be open and transparent on the processing of our customers’ personal data. This means we give our customers the opportunity to control the processing of personal data.  

Right of Access. Customers have the right to receive a confirmation whether we are processing their personal data, what personal data we process about them and to receive a copy of their personal data.  

Right to Rectification. In case personal data of our customers is inaccurate or incomplete, customers have the right to request rectification or completion of their data.  

Right to Restrict Processing. Customers have the right to request restriction by contesting the accuracy of their personal data. In such a situation, the processing activities are restricted for the period of time taken to verify the accuracy of personal data.  

Right to Object. Customers have the right to object to the processing of their personal data. Our customers have the right to object the processing of their personal data for the purposes of direct marketing at any time.  

Right to be Forgotten. Customers have the right to request their personal data to be erased. In some cases, there may still be an overriding purpose for processing and retaining personal data e.g. in order to fulfil legal obligations or for the warranty needs.  

Right to Data Portability. Customers have the right to request their personal data in machine-readable format in situations where we process personal data based on contract or consent. This only applies to personal data customers have provided us with.  

Right to Withdraw a Consent. Customers have the right to withdraw their consent at any time. Customers can withdraw their consent for direct electronic marketing purposes by using “unsubscribe link” at the end of the received email message.  

If customers consider that the processing of personal data infringes their rights, customers may contact the supervisory authority and lodge a complaint about our processing of personal data.  

Any questions or requests regarding above mentioned rights can be sent via email to [email protected].  

RETENTION PERIODS 

Personal data is retained as long as is necessary for the purpose they were collected for, or until we receive a request for erasure – unless we have a legal obligation to retain it for a longer period. The retention period of personal data is determined by the following criteria: 

• If a customer has a Dealer Service account with us, we will retain personal data while your account is active or for as long as needed to provide services to customer.  

• For guarantees and other product related programmes we need to retain personal data for the duration of the validity of the guarantee or programme in each specific case and in any case until any possible claims towards Nokian Tyres have expired. 
• For purposes of organizing competitions or draws, personal data will be retained until the competition has ended and all the following measures has been carried out. More information on retention periods is always provided in the competition terms. 
• When a customer has subscribed into receiving electronic direct marketing communications, we process personal data for those purposes as long as their subscription remains in force. In case a customer withdraws their consent, we will discontinue the processing of personal data and erase personal data if there is no other valid purpose for processing. 

Any questions regarding retention periods of our customers’ personal data can be sent via email to [email protected].  

REVISIONS TO THIS PRIVACY STATEMENT  

We are continuously developing our services and this privacy statement is subject to changes. Changes may also be based on changes in legislation. We recommend our customers to visit this privacy statement in regular basis in order to keep track of possible changes. 

INTRODUCTION

Nokian Tyres Oyj (“Nokian Tyres” or “we”) acts as the controller for personal data processed in connection with the INTUITU™ service (hereinafter “Intuitu”). We process personal data transparently and in accordance with applicable data protection laws. In this privacy statement, we explain how and for what purposes we process the personal data in connection with the Intuitu service.

The Intuitu service is an active tire condition monitoring system, which consists of a sensor system that is physically connected to the tire and an Intuitu application that presents tire data. The Intuitu service can be used in two ways. If a user has smart tires with sensors, they can register as a user of the Intuitu application, in which case tire data is automatically collected in the application from the tire sensors. The Intuitu service can also be used without a sensor mounted on the smart tire. In this case, the user can download the application and enter the information related to their tires into the application manually.

CONTROLLER AND CONTACT INFORMATION

 

PURPOSES OF PROCESSING & LEGAL BASIS

For the implementation and development of the Intuitu service, the personal data of both private and business customers (service user) are processed for the following purposes:

• To provide Intuitu service to customers

Nokian Tyres processes the personal data of Intuitu users in order to provide the Intuitu service. Personal data is used to analyze the condition and use of the tires of the vehicle registered on the service, to handle possible claims regarding Nokian Tyres' products and services, to communicate with customers and to personalize the user experience.

At the time of product registration, vehicle information is collected so that we can determine the correct tire settings during the registration phase and instruct on their optimal use. Vehicle data is also collected to provide additional benefits or services to the purchaser of our products. If the application is not connected to a smart tire, the application provides users with information about the products and related operating instructions.

With user´s consent, location data is processed in the background of the application for the purpose of technically enabling the Bluetooth connection between the sensor and the application. In addition, the speed of the vehicle is stored and processed to provide information about the safe use of tires to users.

• Development of the Intuitu service and other Nokian Tyres services

We utilize the data collected through the Intuitu service both in the implementation and further development of the Intuitu application and service, and more generally in the implementation of Nokian Tyres' product and service development, for example by combining personal data from different Nokian Tyres services.

• Marketing and advertising

We process user information related to the Intuitu service to market and advertise our products. Marketing and advertising is either traditional printed advertising, or electronic direct marketing for which we always ask a separate consent from the user. The Intuitu service includes simple profiling of users so that the tire data collected can be used to derive vehicle-specific and driver-specific analyses (tire use and driving behaviour) used to generate Intuitu hint texts and other announcements, user segmentation and ad targeting.

• Warranty issues

By registering tires on Nokian Tyres' Intuitu application, Nokian Tyres can offer its users an additional guarantee for the normal tire warranty, as well as a direct communication channel with Nokian Tyres. The additional warranty is valid under the warranty terms applicable in each case. In the event of warranty and claims, it can be verified on the basis of the data collected from the tires if the usage of tires has been in accordance with the instructions.

The legal basis for the processing of personal data is always one of the following:

• Contract

With regard to the providing the service, the processing of personal data is based on a service agreement between the registered user and Nokian Tyres. Verification of the use of the tire in accordance with the instructions in the warranty cases on the basis of the tires-related data collected in the application is based on the terms of use approved by the service user.

 

• Legitimate interest

The processing of personal data is based on the legitimate interest of Nokian Tyres when we develop or market our products, services or business and when we provide customer service.

With regard to advertising and marketing, user segmentation and the production of hint texts and announcements based on it are based on Nokian Tyres' legitimate interest in providing additional services that it deems useful to its customers.

We have assessed the processing of personal data based on our legitimate interests through balancing tests to ensure that there is a relevant and appropriate relationship between Nokian Tyres and the service user and to demonstrate that our legitimate interest does not significantly interfere with or override our users' privacy or rights.

• Consent

Location data is processed only with the consent of the service user. Location data is processed in the background of the application for the purpose of technically enabling the Bluetooth connection between the sensor and the application. Location data is not stored by the service. The speed of the vehicle is stored and processed to provide information about the safe use of tires to users. Users of the service may at any time revoke their consent to the processing of location data through the settings of operating system. If the user withdraws consent, the tires cannot be connected to the sensors.

With regards to electronic direct marketing, such as newsletters, we process personal data only if service user has given consent for it. Service users can withdraw their consent for direct electronic marketing purposes by using “unsubscribe link” at the end of the received email message.

CATEGORIES OF PERSONAL DATAAND SOURCES TO BE PROCESSED

We collect data primarily through the Intuitu sensor solution, from the mobile device, and from the users of the service themselves. In addition, the system generates technical information to enable analysis. Data that can be linked to users is also derived from raw data using analytics.

In connection with the Intuitu service, we collect personal data from the following data sources:

• service users
• service measurement electronics (sensors attached to the tires)
• mobile application of the service
• mobile device (speed information, device model, device type)
• other registers of Nokian Tyres Group companies

The Intuitu application starts processing data after the application is activated and the user registers for the service. If a registered user adds a vehicle to the Intuitu service that includes tires with an Intuitu sensor, the data generated during the use of the service is automatically collected in the application by using a Bluetooth connection, provided that consent for location processing has been given by the user. The speed of the vehicle is stored and processed to provide information about the safe use of tires to users. The Intuitu application allows the user to view relevant information about the use of their tires derived from the data thus collected. The application periodically sends the collected data to the system's cloud service, where the application's information is stored.

The following categories of personal data are processed in connection with the Intuitu service:

• User information about Intuitu service registered users (name, login information, contact information, company contact information) and unregistered users (e-mail address, recipient of the invitation, sender of the invitation, status of the invitation). When the service is used as a member of a corporate customer company, the user data can be combined with both company data and data of other registered users of the same company. Service users in the same organization can see the names and email addresses of other service users of the organization. In addition, the Intuitu service can process the e-mail addresses of non-logged-in persons to send service activation invitations.
• Vehicle information, such as the vehicle model and the vehicle description and registration number provided by the service user. Each user of the service can be linked to at least one vehicle in the user account information of the application. If the service user does not have a smart tire with sensors, the serial number of the tires and their location in the vehicle can be manually entered into the application.
• Vehicle tire measurement results such as tire pressure, wear, temperature, and the exact time and place of the measurement. Tire measurement data can be linked to an individual service user using technical identifiers.
• The speed of the vehicle. With the user´s consent, the location information is processed in the background for the purpose of technically enabling the Bluetooth connection between the sensor and the application. In addition, the driving speed is stored. Real-time information about whether a vehicle is in active mode (vehicle is moving) is visible to all users that are members of a same organization. No history data regarding the vehicle status and no vehicle location data is disclosed to organizations’ users. By stopping the application from collecting data either by logging out from the application, or turning off Bluetooth, user can stop sharing the vehicle status to other users.
• Behavioral information, such as how often the application is used and for how long, and on what type of device the application is used. With the help of analytics, we create statistics and other aggregation-based reports on the usage habits of service users, from which an individual service user cannot be identified.
• Information for handling customer feedback and customer support requests , such as the customer's contact information for fulfilling the request and responding to the feedback, and the content of such request or feedback.
• Technical identifiers and other technical information that can be used to identify service users, tires, mobile devices and vehicles. Such information includes e.g. technical data for establishing connections (IP address and MAC address of the device) and technical data resulting from data modification, deletion and error situations.

Cookies

Nokian Tyres uses cookies and other standard automated data processing methods and tools on the Intuitu website and in newsletters. Cookies and technical features make it possible to monitor the effectiveness of online and other advertising, and some of them are necessary for the functionality of the website and/or the flexible usability of the service. Please find more information about our use of cookies from our www.nokiantyres.com/privacy-statement/

PERSONAL DATA TRANSFERS AND DISCLOSURES

Personal Data Transfers

As a global company, Nokian Tyres uses subcontractors and service providers to operate our business efficiently. We use partners, for example, in the technical maintenance and development of the Intuitu service. We use service providers also for commonly used support functions indirectly related to the Intuitu service, such as data and analytics services, and advertising and marketing services to perform certain tasks involving the processing of personal data on our behalf.

The processing of personal data in relation to our subcontractors is always commissioned by Nokian Tyres and the other parties will act only on our behalf as personal data processors. Such processing is always protected with contractual arrangements to ensure that our service providers and partners process our customers’ personal data in accordance with the laws and good data processing practices.

In case our subcontractor or service providers is located outside the European Union (EU) or the European Economic Area (EEA) we ensure the adequate level of protection of our customers’ personal data with appropriate safeguards by using standard contractual clauses approved by the European Commission or another valid mechanism provided under applicable legislation.

Personal data disclosures

We only disclose personal data that is strictly necessary for complying with the statutory requirement.

We disclose personal data to other companies within Nokian Tyres group. This usually happens for the purposes of customer relationship management and marketing.

In a case we sell, merge or otherwise re-arrange our business operations or assets, we need to disclose personal data to purchaser or prospective seller or buyer of such business or assets in compliance with applicable laws. In such a case, we process personal data based on our legitimate interest to ensure our business continuity. If the Nokia Tyres’ customer or Intuitu’s service user objects to such processing, the purchaser of our business may no longer be able to provide the services.

SECURITY OF PERSONAL DATA

 

We use technical and organisational measures to ensure the security of personal data from loss, misuse or other similar unlawful access. Such methods include the use of firewalls, encryption technologies and safe server premises. All employees handling personal information are committed to confidentiality. Access to personal data is limited on “need-to-know” basis and controlled by system access rights, as well as through granting and controlling access rights. We regularly train our employees to ensure that your personal data is processed lawfully and according to best practices.

In the event of a personal data breach, we will notify local supervisory authorities and everyone whose personal data may have been endangered in accordance with applicable legislation.

DATA SUBJECT RIGHTS

As a responsible company we want to be open and transparent on the processing of our customers’ personal data. This means we give our customers the opportunity to control the processing of personal data.

Right of Access. Users of the service have the right to receive a confirmation whether we are processing their personal data, what personal data we process about them and to receive a copy of their personal data.

Right to Rectification. In case personal data we process is incorrect or incomplete, the user of the service has the right to request the rectification or completion of the personal data.

Right to Restrict Processing. In certain situations, the service user has the right to request for a restriction on the processing of personal data. This may be the case, for example, if the data subject disputes the accuracy of his or her personal data. In such a situation, the processing activities are restricted for the period of time taken to verify the accuracy of personal data.

Right to Object. Users of the service have the right to object the processing of their personal data for the purposes of direct marketing at any time. The user of the service also has the right to object to the processing of personal data for reasons related to a specific personal situation when we process personal data on the basis of our legitimate interests.

Right to be Forgotten. Users of the service have the right to request for the deletion of their personal data. In some cases, there may still be an overriding purpose for processing and retaining personal data e.g. in order to fulfil legal obligations or for the warranty needs.

Right to Data Portability. Users of the service have the right to request their personal data in machine-readable format in situations where we process personal data based on contract or consent. This only applies to personal service users have provided us with.

Right to Withdraw a Consent. If the basis for processing personal data is consent, the service user has the right to withdraw the consent at any time. Consent to electronic direct marketing can be revoked by using “unsubscribe link” at the end of the received email message.

****

Please note that as a registered user, you can edit and delete your information directly in the application. You can also manage your consents in the application settings. Questions and requests regarding the rights of the data subject can be sent by e-mail to [email protected] .

If the data subject feels that his or her personal data are not being processed properly, he or she has the right to lodge a complaint with the supervisory authority. Up-to-date contact information and procedural instructions of the Data Protection Supervisor can be found on the Data Protection Supervisor's website https://tietosuoja.fi .

PERSONAL DATA RETENTION PERIODS

We have defined retention periods for personal data based on the processing purpose and applicable law. Unless otherwise required by law, Nokian Tyres will retain the personal data of Intuitu service users only for as long as is necessary to fulfill the purposes defined in this privacy statement:

• The identification data that can be linked to the user will be deleted or anonymised after the end of the customer relationship with the service and no later than five (5) years after the user’s last logged in to the service, unless required by applicable law to keep the user data longer. The customer relationship is considered terminated when the user submits a request to Nokia Tyres to delete their data.
• In connection with electronic direct marketing communications, we process personal data for as long as the consent given is valid. If the consent is revoked, we will suspend the processing of personal data for electronic direct marketing and delete the personal data if there is no other purpose for its processing.
• The Service does not contain any personal data of non-registered user, except for service activation invitations. Invitations are retained for 30 days.
• Vehicle data connected to the service will be erased after the service user removes the vehicle from the service. Where the user account belongs to an organization, vehicle data will be erased after the administrator user removes the vehicle from the service.

Any questions regarding retention periods of personal data can be sent via email to [email protected] .

REVISIONS TO THIS PRIVACY STATEMENT

We are constantly developing our services and this privacy statement is subject to changes. Changes may also be based on changes in legislation. We recommend our customers to visit this privacy statement on a regular basis in order to keep track of possible changes. Yet, if anything materially changes in our processing of personal information, we strive to openly notify customers of the changes. Information about material changes will be provided to registered users of the Intuitu service by e-mail to the address provided by the user to us upon registration or in the Intuitu application.

In this privacy statement for Nokian Tyres’ whistleblowing channel, we describe the personal data that Nokian Tyres Group companies (hereinafter “Nokian Tyres” or “we”) may process in the whistleblowing channel, for what purposes we process the personal data, to whom we may disclose this information, as well as your rights regarding personal data that is processed in the whistleblowing channel.  

Nokian Tyres has a defined whistleblowing process for investigating reports made to its whistleblowing channel. Personal data of various data subjects may be processed during the investigation. Data subjects usually involve the person making a report (“the whistleblower”) and the person mentioned in a report (“the alleged wrongdoer”). Depending on the case under investigation, personal data of the investigator and witnesses may also be processed.

We are continuously developing our operations, and this privacy statement is subject to changes. Changes may also be based on changes in legislation. We recommend our data subjects to visit this privacy statement in regular basis in order to keep track of possible changes.

Protection of data subjects’ privacy is important to us. Nokian Tyres is committed to processing personal data transparently and in com­pliance with applicable da­ta pro­tec­tion laws.

 

Controller and Contact Information

The whistleblowing channel is used in all Nokian Tyres group companies. The controller for whistleblowing reports submitted in the group level channel is Nokian Tyres plc. The whistleblower may also choose to submit the report to certain local companies defined in the whistleblowing channel, instead using the group level channel. In such case the controller is the local company to whom the report is submitted.

 

Any questions regarding our privacy practices can be directed to us at:

 

Controller for group channel:

Nokian Tyres plc

Privacy

Pirkkalaistie 7

37100, Nokia, FINLAND

[email protected]

 

Controllers for country-specific channels:

Nokian Heavy Tyres Ltd

Privacy

Pirkkalaistie 7

37100, Nokia, FINLAND

[email protected]

 

 

Nokian Tyres Europe Operations S.R.L

c/o Nokian Tyres

Privacy

Pirkkalaistie 7

37100, Nokia, FINLAND

[email protected]

 

Nokian Tyres s.r.o.

c/o Nokian Tyres

Privacy

Pirkkalaistie 7

37100, Nokia, FINLAND

[email protected]

 

Vianor Oy

c/o Nokian Tyres

Privacy

Pirkkalaistie 7

37100, Nokia, FINLAND

[email protected]

 

Vianor AB

c/o Nokian Tyres

Privacy

Pirkkalaistie 7

37100, Nokia, FINLAND

[email protected]

 

Purposes of Processing & Legal Basis

The purpose of the whistleblowing channel is to allow employees and external stakeholders to report concerns about a misconduct at Nokian Tyres, including violations of our Code of Conduct or other policies, without the risk of retaliation.

Purposes of processing personal data:

• Investigating reports made to the whistleblowing channel
• Preventing, identifying and   investigating   suspected criminal offences, irregularities and violations or other actions in breach of EU or national laws, or our internal policies, within a work-related context.

We will process your personal data based on the following legal grounds:

• If the subject of the whistleblowing report is a suspected violation that falls within the scope of EU Whistleblower Directive^[1] (“Directive”), the legal basis for processing is legal obligation.
• If the subject of the whistleblowing report is a suspected violation that falls out of the scope of the Directive, the legal basis for processing is our legitimate interest to monitor compliance with applicable laws and Nokian Tyres’ Code of Conduct and other guidelines. In this respect, we will always determine case by case whether our interests are not overridden by the interests, fundamental rights and freedoms of the data subjects involved.
• As a general rule, no special categories of personal data are processed in the whistleblowing channel. However, if under exceptional circumstances, the report and investigation relate to special categories of personal data, the legal basis for such processing is that it is necessary for the purposes of carrying out the obligations and exercising the specific rights of Nokian Tyres, or that the processing is necessary for the establishment, exercise or defence of legal claims.

 

Sources & Categories of Personal Data

Initially personal data is primarily obtained through the whistleblowing channel (via a specific whistleblowing service). Depending on the case under investigation, the whistleblowing team may request information and expertise from other individuals or authorities within or outside Nokian Tyres.

In most cases the personal data processed in connection to the whistleblowing channel includes:

• Data received via whistleblowing report such as name and contact details of the whistleblower (unless report is made anonymously) and the alleged wrongdoer, and a description of the suspected misconduct. Due to the nature of the whistleblowing channel and varying case contexts, the received data can vary significantly on each case. Depending on the received report, processed personal data can also include special categories of personal data.
• Data obtained through investigative measures such as employment information, records of working hours, witness testimonies and case relevant information from public registers or other public or internal information.

The whistleblowers are instructed to not include any non-relevant personal data in the report, such as health status, political or religious beliefs or sexual orientation.

 

Personal Data Transfers and Disclosures

 

Personal data transfers

The whistleblowing service we use for our whistleblowing channel is managed by our external subcontractor Navex WhistleB, which processes personal data on behalf of Nokian Tyres to the extent necessary to provide the service related to the whistleblowing channel. In this case, the data processing activities apply to the personal data that emerges in connection with the whistleblowing report and any related clarifications and communication.

The investigation of a report made is primarily outsourced to the group parent company and the whistleblowing team. Depending on the case and provided that it is necessary to conduct the investigation, we may also involve other expert individuals from within or outside the group companies to whom the  identity of the whistleblower (if the report has not been made anonymously) or other persons referred to in the report may be provided (subject to local laws). Such expert individual is also bound to confidentiality.

The processing by subcontractors is protected with contractual arrangements to ensure that our subcontractors process personal data in accordance with the laws and good data processing practices to maintain high integrity of the investigation.

Personal data processed in connection with the whistleblowing channel is not, in principle, transferred outside the European Union or the European Economic Area. If a data transfer is necessary, for example in connection with an investigation related to a whistleblowing report or other follow-up measures, it will only be carried out if the conditions for data transfer set by data protection regulations are met.

 

Personal Data Disclosures

In principle, personal data related to the whistleblowing channel is not disclosed by Nokian Tyres to third parties, except when the processing, clarification or bringing under investigation of the whistleblowing report or, for example, a request for information from an authority necessarily requires it.

In these cases, the data may be disclosed, within the limits permitted by law, to the preliminary investigation or other competent authorities insofar as is justifiably necessary. Before disclosing data, we make sure that there is a legal basis for the disclosure, and that the disclosure takes place in compliance with the applicable regulatory obligations. 

In a case we sell, merge or otherwise re-arrange our business operations or assets, we need to disclose personal data to purchaser or prospective seller or buyer of such business or assets in compliance with applicable laws. In such a case we process personal data based on our legitimate interest to ensure our business continuity.

 

Security of Personal Data

Nokian Tyres´ whistleblowing channel is based on a secure and encrypted platform managed by an external service provider, Navex WhistleB, which ensures the appropriate data protection and information security of the whistleblowing channel.

To ensure the anonymity of the whistleblower sending the message, the service provider deletes all meta data, including IP addresses. The whistleblower also remains anonymous in the subsequent dialogue with responsible receivers of the report.

Access to messages received through our whistleblowing channel is restricted to members of the whistleblowing team with the authority to handle whistleblowing cases. Members of the whistleblowing team are appointed by the President and CEO. The user rights for accessing systems that contain personal data are personal, and the use of the rights is monitored. Individuals that process personal data are bound by, in addition to the statutory obligation of secrecy, a separate non-disclosure agreement. Their actions are logged in the whistleblowing channel.  

In the event of a personal data breach, we will notify local supervisory authorities and everyone whose personal data may have been endangered in accordance with applicable legislation.

 

Data Subject Rights

As a responsible company we want to be open and transparent on the processing of personal data. This means we give our data subjects the opportunity to control the processing of personal data. However, because of the nature of the processing in whistleblowing investigations, we have the right to derogate from exercising the data subjects’ rights in certain situations based on legal grounds.

 

Right of Access. Data subjects have the right to receive a confirmation whether we are processing their personal data, what personal data we process about them and to receive a copy of their personal data. Legislation, the rights and freedoms of other individuals and other special grounds my limit your right to access some of your personal data. The right to access the personal data can be partially or completely restricted if and to the extent that is necessary and proportionate to ensure the accuracy of the report or to protect the identity of the whistleblower, or if providing the information could hinder the investigation. 

Right to Rectification. In case personal data of our data subjects regarding the whistleblowing process is inaccurate or incomplete, data subjects have the right to request rectification or completion of their data.

Right to Restrict Processing. Data subjects have the right to request restriction by contesting the accuracy or lawfulness of their personal data. In such a situation, the processing activities are restricted for the period of time taken to verify the accuracy of personal data. The right to restriction of processing is assessed on a case-by-case basis. In cases which are likely to have legal effects on the data subject, the data may still be processed, subject to the establishment, exercise or defense of legal cases, compliance with laws or for the protection of the rights of another natural or legal person or, despite the request for restriction of the data subject.

Right to Object. Data subjects have the right to object to the processing of their personal data, when the processing is based on our legitimate interest. The objections are assessed on case-by-case basis and we may restrict the data subjects’ right to object the personal data processing, for instance, for the establishment, exercise or defence of legal claims.

Right to be Forgotten. Data subjects have the right to request their personal data to be erased. In some cases, there may still be an overriding purpose for processing and retaining personal data e.g. to fulfil legal obligations or for another legal basis, such as the establishment, exercise or defence of legal claims.

If data subjects consider that the processing of personal data infringes their rights, they may contact the supervisory authority and lodge a complaint about our processing of personal data.

 

Any questions or requests regarding above mentioned rights can be sent via email to [email protected].

 

Retention Periods

Personal data is retained as long as is necessary for the purpose they were collected for, or until we receive a request for erasure – unless we have a legal obligation or legitimate interest to retain it for a longer period. We erase or anonymize the data when their retention period expires.   

The personal data will be processed and retained as long as necessary to process and investigate the whistleblowing report, or, if applicable, as long as necessary to initiate sanctions or to meet any legal or financial requirement or to exercise or defence of legal claims. In any case, if judicial or disciplinary proceedings are initiated, the personal data provided will be kept until those proceedings are definitively closed. If not otherwise determined in local applicable laws, Nokian Tyres retains all received whistleblowing reports and their related material, which have been seen as significant for the investigation or conclusion of investigation, including any possible summaries or document listings, for five years from the date on which the case has been resolved or deemed not to require further investigative measures.

 

Any questions regarding retention periods of our data subjects’ personal data can be sent via email to [email protected].

 

 

[1] Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law