Privacy notices

  • In relationships with our main stakeholders, we need to collect and process personal data for several purposes and ways. We do it only for specified, explicit and legitimate purposes and only when valid legal grounds exist.

    Gren Group, including its subsidiaries, is committed to respecting privacy and complying with applicable
    data privacy laws.

    We care about the privacy of our customers, employees and job applicants, consultants and vendors and here you can learn more about how we do it:

     

  • For customers

    This privacy notice describes how we process our customers’ personal data. The notice applies when you use our products and services or otherwise interact with us. This notice also applies if you are a business customer.

    We may also provide you with additional product or service specific privacy information in the service or product specific terms, privacy supplement or other notices you may see while using our product or service.

    • Gren collects and processes various types of personal data, where applicable, such as:

      • Personal details – including your contact details (such as your name, address, phone number, and email address), demographic data (such as your gender, age, language, nationality, professional details, and additional details such as your interests or a segment group), and your national identity number when required for verifying your identity.
      • Agreement & transaction data – such as information about your agreements, orders, purchases, payment status, and invoices; recorded and transcribed phone calls; subscriptions and opt-outs; and your other  transactions with us such as service requests and messaging with our customer service.
      • Payment & credit data – such as your payment card information and bank account information that are needed for verifying purchases or returning funds, credit worthiness.
      • Online data & identifiers – data that is collected with cookies or similar technologies about your use of our services, such as your browsing activities and segments, your IP address, cookie ID, mobile device ID, details about browser and device, and location.
      • Security data – data that is used for securing the use of our services and our premises, such as your password and login details, security logs, and camera surveillance recordings.
      • Technical and consumption data – such as data related to the operation of a device or application, including the measurement of consumption and production of heat and other utilities, and data from smart devices, including data from any sensors (e.g. temperature).
    • The personal data which we process about you comes from different sources:

      • You – when you order or use our services, when you fill in a form of interest, participate in a survey or competition, create an account, browse our website, or otherwise interact with us.
      • Third parties – such as public address registers, credit reference agencies, debt collection agencies, installation partners, marketing partners, and other data providers.
      • Gren Group companies – which share information for purposes mentioned below in section 6.
    • We will use your personal data for predefined purposes based on contract, consent, legal obligation and legitimate interest. We will use your personal data for the following purposes:

      3.1. Service delivery & customer service

      We collect and use personal data about you to process orders, deliver products and services, provide customer service, and manage payments, contracts and transactions.

      The data needed for delivering services vary depending on the product or service in question. For example, online services may require the user to authenticate, whereas heating contracts require us to measure the consumption. Our customer service handles your requests and messages to serve you. Customer service may also offer you the optimal contract type that we calculate for you. We may communicate with you on contract-related matters via phone, mail, email, SMS, chat, automated calls, and other digital channels including social media.

      The basis for processing your data for service delivery and customer service is typically the contract. When
      required by law, we may ask for your consent to deliver certain services, for example, location-based services.

    • 3.2. Sales, marketing, and stakeholder communications

      We may contact you through marketing even if you are not our customer. We will ask for your consent to contact you when required by law, otherwise, our contact is based on legitimate interest. Without consent, we can send automated electronic marketing messages that relate to your customer or professional
      relationship with us, and use traditional marketing channels (e.g. post, telephone, door-to-door), when
      allowed by local law. We also conduct lotteries and contests.

      3.2.1. Customer marketing
      Customer marketing is electronic automated marketing that is sent without consent to existing
      customers and business customers in those countries where such practice is allowed.

      To our consumer customers, who are currently ordering our products and services, we send regular
      offers and information about products and services that are relevant for the customer relationship.
      We send these communications to the contact address (phone or email) that you have given in
      connection with your relationship.

      To our business customers (employees of our current and prospective client companies and business
      partners, other stakeholders) we send offers and information about products, services, promotional
      events and services that are relevant to their professional role. We send these communications to
      the work contact address which we have received from the customer, their company, or a public
      source.

      3.2.2. Consent based marketing
      We send you automated electronic marketing and newsletters if you have agreed to subscribe to
      them. This marketing can contain information about any Gren group company products and services
      or about partner products and services. We may also collect marketing consent on behalf of our
      partners.

      3.2.3. Traditional marketing channels
      We may use traditional marketing channels (post, telephone, door-to-door) to contact you about our
      products or services and our partners’ products or services, unless you have blocked the use of your contact details.

      3.2.4. Stakeholder relations
      We manage stakeholder relationships by communicating about relevant topics and promoting events which we arrange. Communications are sent directly by email to the contact addresses received from the stakeholders or their companies.

    • 3.3. Product and service development

      We process personal data to improve and develop better services for our customers, support our business decision-making, and consider our customers’ feedback and needs. The basis for processing data for product and service development is a legitimate interest. This is done, for example, by collecting feedback directly from users using surveys, test panels, interviews, questionnaires, and other forms of market research; by utilizing the data generated from the use of our services in analytics; by using recorded or transcribed phone calls for training and service quality improvement; and by testing system functionality with temporary sample data that is collected during normal service use. Data processing for our product and service development generally happens with de-identified data to the
      extent possible. In the case that the customer’s real contact details are collected in connection to the survey, or if we conduct interviews personally with the customer, we may inform you specifically about the use of the contact details in connection to the survey or interview. We may occasionally use samples of real data, for example, to test the functioning of our systems.

      3.4. Legal obligations

      We process personal data to comply with our legal requirements, for example, accounting and tax laws,
      and anti-money laundering laws.

      3.5. Defense of legal rights & ensuring the security of our services and customers

      We use personal data to defend and secure our own rights and our customers’ rights. The basis for processing data for the defense of legal claims, debt collection, credit checking, information security, and prevention of fraud and misconduct is typically legitimate interest. Personal data is used for ensuring the security of our products and services, for example, by keeping access logs and system backups, authenticating users, and preventing attacks.

    • If we use automated decision-making with legal or similarly significant effects on you, we will inform you in advance. If such automated decision-making is not authorized by legislation, not necessary for the performance or entering into a contract with us, we will ask for your consent.

      You can always express your opinion or contest a decision based solely on automated processing, as well as to request a manual decision-making process by contacting us.

    • Gren deletes or de-identifies personal data when it is no longer necessary for the purposes it was collected
      for. For information on how long we hold your personal data for, please contact us.

    • Where applicable, we may share your personal data with:

      • Gren Group companies – our Group companies may use your personal data for the purposes defined in this notice, based on legitimate interest to the extent permitted by applicable law, including for marketing their products and services to you.
      • Consent, contract or request. We may share your personal data if we have your consent to do so. Some of our products and services allow you to share your personal data with others. We may also share your personal data with a third party when this is required to fulfill our obligations under contract with you or to fulfill a request by you. As an example, we will disclose your address to the postal, courier or installation service to be able to deliver a product or service which you have ordered.
      • Our subcontractors – we use subcontractors to provide services. Such subcontractors may have access to your personal information and are processing it on our behalf but they are not allowed to use the personal data for any other purpose than to provide the service agreed with us. We ensure through appropriate contractual arrangements that the processing of personal data is in accordance with this notice. Typical
        service providers that process personal data include for example network construction partners, payment and invoicing partners, and IT software & service providers.
      • Acquisitions and divestments – if we decide to acquire, sell, merge or otherwise reorganize its businesses, this may involve disclosing personal data to prospective or actual purchasers and their advisers.
      • Authorities, legal proceedings and law – we will disclose your data to competent authorities, such as the police, to the extent required by law. We may also disclose your personal data in relation to legal proceedings
        or at the request of an authority on the basis of applicable law, or court order or in connection with a trial or authority process, or as otherwise required or permitted by law.
    • Some of our service providers and group companies operate internationally, which means that data
      occasionally could be located or transferred to the other country, including outside of the European
      Economic Area. When personal data is transferred outside the EU or the EEA, Gren uses appropriate
      safeguards, such as the standard contractual clauses provided by the European Commission.

    • When you use our services or visit our websites, Gren can collect data about your devices using cookies and
      other similar technologies. You can get more information about how to manage cookies and online data use by reading our cookie policy.

    • Below, you can see your rights regarding personal data that Gren processes about you. Please note that
      some of the rights may not be applicable, for example, if the data cannot be connected to you:

      • Right to access personal data – you have the right to be informed about the processing that we do and to request a copy of your personal data.
      • Right to correct personal data – you can ask for the information about you to be corrected, if it is not accurate or if it needs to be updated.
      • Right to data portability – you are able to obtain and reuse the personal data you have provided us. We can provide a selected set of the data delivered in a machine-readable format, where the basis of processing has been either contract or consent.
      • Right to deletion – we will delete the data at your request if it is no longer legitimately needed.
      • Right to withdraw your consent – if you have given consent for data processing, you are always entitled to withdraw your consent.
      • Right to object to the processing – you have the right to object to the processing of your personal data on Gren legitimate interests, such as developing our products and services, and other purposes explained above in sections 3 and 6 above. Gren may reject your request if there is a compelling reason for continuing the processing.
      • Right to restrict the processing – in certain circumstances, you have the right to have the processing restricted.
      • To opt out from electronic marketing communications and customer surveys – if you no longer want to receive marketing messages from Gren, you can choose to opt out at any time. The easiest way is to click the link at the end of the marketing message.
      • To opt out from telephone and postal marketing – if you no longer want to receive marketing calls or postal marketing from Gren, you can contact our privacy team by informing the customer service representatives during the marketing call.Please note that you may still receive marketing messages for a short period after opting out while we update our systems.
    • Gren reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be
      notified about on our website, or by communicating directly to you.

    • Gren Group and its subsidiaries are the controllers of your personal data. If you want to exercise your rights or have any queries about the processing of your personal data, contact us by using our privacy request form.

      Further questions and comments regarding your privacy can be addressed to:

      • Gren Eesti
        Niidu 24
        80047 Pärnu
        Estonia
      • Gren Tartu
        Sõrba 54/1
        50106 Tartu
        Estonia
      • Gren Latvija
        Pasta 47
        Jelgava, LV-3001
        Latvia
      • Gren Lietuva
        J. Jasinskio g. 16B,
        LT-03163
        Lithuania
  • For employees

    This privacy notice describes how Gren process our employees’ personal data. This notice applies to the processing of personal data in the employment context.

    We may also provide additional privacy information in supplements or other notices regarding the particular system, product, or service.

    • Gren collects and processes various types of personal data, where applicable, such as:

      • Personal details – including your contact details (e.g. your name, address, phone number, and email address), demographic data (e.g. your gender, age, language, nationality, professional details, and your identification related information where needed (e.g. national ID number, passport number) but also contact information of others that you provide (e.g. emergency contact, details of your dependents, children and other similar information).
      • Recruitment information – such as your resumé, previous employments, references from previous employers and other third-party references, information about your competences, qualifications, skills, work experience, and education, and where applicable, the results of background checks and assessments, as well as credit information.
      • Employment administration information – such as employment, work and career history, photographs, absence and leave records, accident records, time and attendance management records, skills and competencies records, any disciplinary and grievance records, career development, occupational health-related data allowed by local law; and information about work-related equipment and services that you use in connection with work, including, e.g. recorded and transcribed phone calls, recordings of trainings, messaging, and information you publish about yourself in internal and external channels.
      • Financial data – such as your bank account information, company credit card information, details of your compensation, benefits and pension arrangements, tax codes, insurance information, travel expenses, company car arrangements, trade union deductions information.
      • Online data & identifiers – data that is collected with cookies or similar technologies about your use of our internal services, your IP address, cookie ID, mobile device ID, details about browser and device, and location.
      • Security data – data that is used for securing the use of our services and our premises, such as your password and login details, employee ID, security logs, facility entry logs, and CCTV camera recordings.
    • The personal data which we process about you comes from different sources:

      • You – we receive information directly from you, during the recruitment process and during your employment at Gren.
      • Third parties – we may receive information from third parties, such as national authorities (e.g. tax, police, and other enforcement agencies).
      • Gren Group companies – which share information for purposes mentioned below in section 6.
    • We will use your personal data for predefined purposes based on contract, consent, legal obligation and
      legitimate interest. Typically, the legal basis for data processing in the employment context are employment
      contracts, employment-related laws, or our legitimate interest as an employer to administer employee
      information in order to enable employment-related processes and practicalities. In addition, we have certain other legal obligations that require us to process employee data. Consent may be used in certain specific
      situations.

    • We will use your personal data for the following purposes:

      • Employee recruitment and onboarding – we process personal data to manage a professional recruitment process and onboarding with our employees. We review the personal data which you share with us, such as CV and references; we also assess and select applicants in the process. Furthermore, as allowed by local law, we may conduct health tests, drug tests, and background clearances. Read more about privacy in the recruitment process in our Privacy notice for Job applicants.
      • Employment contract management and general administration – we process personal data to manage the relationship with our employees, including management of contracts with employees. This includes, for example, providing you with work related tools, trainings and services, and management of travel and expense claims, working hours, performance evaluation, international assignments, promotions and other development, working orders, payroll, incentives, pension, insurances, and payments, and complaints and grievances.
      • Service development & reporting – we process personal data to improve and develop HR and other internal services. Service development is done, for example, by collecting feedback directly from you in surveys and questionnaires; by utilizing the data generated from the use of our services in analytics; and by using recorded or transcribed sales and customer care phone calls for training and service quality improvement. We also have internal reporting processes that utilize employee data.
      • Legal obligations – we process personal data to comply with our legal obligations, for example, to comply with tax, accounting, securities, employment, anti-bribery, anti-money laundering, health and safety rules and other legal obligation placed on Gren.
      • Ensuring security, safety and legal rights – we use personal data to ensure the security and safety of our information, facilities, products, services, and personnel. This is done subject to local law, for example by keeping access logs and system backups, preventing attacks, monitoring system use, identifying and authenticating individuals, and monitoring access and facilities (including CCTV) and locating individuals in emergency situations. We also process personal data for defending legal rights, including preventing and investigating fraud, industrial espionage and other crime.
    • If we use automated decision-making with legal or similarly significant effects on you, we will inform you
      about it in advance. If such automated decision-making is not authorized by legislation, not necessary for the
      performance or entering into a contract with us, we will ask for your consent. You may always express your opinion or contest a decision based solely on automated processing, as well as request a manual decision making by contacting us.

    • Gren deletes or de-identifies personal data when it is no longer necessary for the purposes it was collected
      for. For information on how long we hold your personal data for, please contact us.

    • Where applicable, we may share your personal data with:

      • Gren Group companies – our Group companies may use your personal data for the purposes defined in this notice based on a legitimate interest to the extent permitted by applicable law.
      • Authorized third parties – we may share your personal data with authorized third parties, based on our legitimate interest, to the extent permitted by applicable law. In such cases Gren will ensure there is a genuine need to share your personal data. Authorized third parties include, for example, travel agencies, banks, telecom operators, benefit, salary surveys, insurance providers, auditors, professional advisors, external legal counsels, actuaries, medical practitioners, trustees or other third-party suppliers.
      • Our subcontractors – we use subcontractors to provide us services. Such subcontractors may have access to your personal information and process it on our behalf, but they are not allowed to use the personal data for any other purpose than to provide the service agreed with us. We ensure that the processing of personal data by our subcontractors is done in accordance with this notice through appropriate contractual arrangements. Typical service providers that process personal data include for example payroll and IT software and service providers.
      • Acquisitions and divestments – if we decide to acquire, sell or merge or otherwise reorganize its businesses, this may involve disclosing personal data to prospective or actual purchasers and their advisers.
      • Authorities, legal proceedings and law – we will disclose your data to certain competent authorities, such as government agencies responsible for tax collection, statistical information or to the police, other law enforcement agencies, to the extent required under mandatory law. We may also disclose your personal data in relation to legal proceedings or at the request of an authority on the basis of applicable law, or court order or in connection with a trial or authority process, or as otherwise required or permitted by law.
    • Gren is a global company that has affiliates, business processes, management structures and technical
      systems that cross national borders. This means that your data is transferred to countries other than the one
      where you are employed by Gren, including also outside of the European Economic Area. When personal
      data is transferred outside the EU or the EEA, Gren uses appropriate safeguards, such as the standard
      contractual clauses provided by the European Commission. You can obtain more information about the transfers by contacting us.

    • Gren employs appropriate organizational and technical security measures to protect your data from loss or misuse. We have a cybersecurity governance model which describes roles and responsibilities on the group level, and our instructions give detailed information on how personal data must be handled within Gren. By conducting awareness programs, we engage Gren employees in privacy and security considerations. Where we contract with third-party suppliers to provide services that may enable them to access your personal data, we require them by contract to have similar security controls in place.

    • When you use our services or visit our websites, Gren can collect data about your devices using cookies and
      other similar technologies. You can get more information about how to manage cookies and online data use by reading our cookie policy.

    • Below you can see the list of your rights regarding personal data that Gren process about you. Please note that some of the rights may not be applicable, for example, if the data cannot be connected
      to you.

      • Right to access personal data – you have the right to be informed about the processing that we do and to request a copy of your personal data.
      • Right to correct personal data – you can ask for the information about you to be corrected if it is not accurate or if it needs to be updated.
      • Right to data portability – you are able to obtain and reuse the personal data you have once provided us. We can provide a selected set of the data delivered in a machine-readable format, where the basis of processing has been either a contract or consent.
      • Right to deletion – we will delete the data at your request, if it is no longer legitimately needed.
      • Right to withdraw your consent – if you have given a consent for data processing, you are always entitled to withdraw your consent.
      • Right to object to the processing – you have the right to object to the processing of your personal data based on Gren legitimate interests, such as developing our products and services, and other purposes explained in sections 3 and 6 above. Gren may reject your request if there is a compelling reason for us to continue the processing.
      • Right to restrict the processing – in certain circumstances you have the right to have the processing restricted.
    • Gren reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be
      notified on this site, or by communicating directly to you.

    • Gren Group and its subsidiaries are the controllers of your personal data. If you want to exercise your rights or have any queries about the processing of your personal data, contact us by using our privacy request form.

      Further questions and comments regarding your privacy can be addressed to:

      • Gren Eesti
        Niidu 24
        80047 Pärnu
        Estonia
      • Gren Tartu
        Sõrba 54/1
        50106 Tartu
        Estonia
      • Gren Latvija
        Pasta 47
        Jelgava, LV-3001
        Latvia
      • Gren Lietuva
        J. Jasinskio g. 16B,
        LT-03163
        Lithuania
  • For job applicants

    This privacy notice informs you about how we process our job applicants’ personal data. This notice applies to the
    processing of personal data in the context of recruitment and resourcing activities.

    We may also provide additional privacy information in supplements or other notices regarding particular system, product or service.

    • Gren collects and processes various types of personal data, including:

      • Personal details – including your contact details (such as your name, address, phone number, and email address), demographic data (such as your gender, age, language and nationality).
      • Recruitment information – such as your application and resume, interview information, video interviews, references from previous employers and other third-party references, information about your competencies, qualifications, skills, work experience, and education. As we take steps prior to entering into a possible employment contract, we may also collect results of the necessary health, drug, background (including security check), psychometric, and aptitude tests and depending on the position for which you are applying, and where necessary for the recruitment activities.
      • Identification information – such as proof of identity and your national identity number.
      • Online data & identifiers – data that is collected with cookies or similar technologies about your use of services, including your IP address, cookie ID and mobile device ID.
    • The personal data which we process about you comes from different sources:

      • You – when you submit us your data including application or resume or when you otherwise interact with us.
      • Third parties – such as recruitment agencies, your references and previous employers, medical or health check providers and authorities or other parties providing background checks. We will obtain your consent for such collection when required by applicable law.
      • Gren Group companies – which share information for purposes mentioned below in section 6.
    • We will use your personal data for predefined purposes based on legitimate interest and legal obligation. Also, we may use your personal data based on your consent in addition to reliance on legitimate interest (this especially if additional consents are needed under applicable law).

      The main purposes for which we process personal data are listed below:

      • Recruitment and resourcing – we use your personal data to contact you, for instance, to inform you about the status of your application or to obtain additional information. We also use your personal data to set up and conduct interviews and assessments, evaluations, references, background checks as permitted by applicable law.
      • Creating an employee record – if Gren hires you, the personal data you have given during the application process may become part of your employee record and be used to manage your career at Gren.
      • Service development and analytics – we may use your personal data to improve and develop our recruitment processes and other related services, and to create analytics. We endeavor to use de-identified data when possible.
      • Security of our services and others – personal data is used for ensuring the information security of our services and systems.
      • Legal obligations – we process personal data to comply with our legal obligations.
    • If we use automated decision-making with legal or similarly significant effects on you, we will inform you in advance. If such automated decision-making is not authorized by legislation, not necessary for performance or entering into a contract, we will ask for your consent.

    • Gren deletes or de-identifies personal data when it is no longer necessary for the purposes it was collected
      for. If Gren hires you, your personal data may become part of your employee record. For information on how
      long we hold your personal data, please contact us.

    • Where applicable, we may share your personal data with:

      • Gren Group companies – our Group companies may use your personal data for the purposes defined in this notice based on legitimate interest to the extent permitted by applicable law.
      • Third parties – Gren may share your personal data with authorized third parties who process personal data for Gren for the purposes described in this Statement. These may include recruitment consultants or agencies, test providers, IT software & service providers, and others who help us fill vacancies and assess the suitability of job applicants. These authorized third parties are not  permitted to use your personal data for any other purposes. We require them to act consistently with this Statement and to use appropriate measures to protect your personal data.
      • Acquisitions and divestments – if we decide to acquire, sell, merge or otherwise reorganize its businesses, this may involve disclosing personal data to prospective or actual  purchasers and their advisers.
      • Authorities, legal proceedings and law – we will disclose your data to competent authorities, such as the police, to the extent required by law. We may also disclose your personal data in relation legal proceedings or at the request of an authority on the basis of applicable law or court order or in connection with a trial or authority process or as otherwise required or permitted by law.
    • Some of our service providers and group companies operate internationally, which means that data occasionally could be located or transferred to the other country, including outside of the European Economic Area. When personal data is transferred outside the EU or the EEA, Gren uses appropriate safeguards, such as the standard contractual clauses provided by the European Commission. You can obtain more information about the transfers by contacting us.

    • Gren employs appropriate organizational and technical security measures to protect your data from loss or misuse. We have a cybersecurity governance model which describes roles and responsibilities on the group level, and our instructions give detailed information on how personal data must be handled within Gren. By conducting awareness programs, we engage Gren employees in privacy and security considerations. Where we contract with third-party suppliers to provide services that may enable them to access your personal data, we require them by contract to have similar security controls in place.

    • When you use our services or visit our websites, Gren can collect data about your devices using cookies and
      other similar techniques. You can get more information about how to manage cookies and online data use by reading our
      cookie policy.

    • Below you can see the list of your rights regarding personal data that Gren process about you. . Please note that some of the rights may not be applicable, for example, if the data cannot be connected to you.

      • Right to access personal data – you have the right to be informed about the processing that we do and to request a copy of your personal data.
      • Right to correct personal data – you can ask information about you to be corrected if it is not accurate or needs to be updated.
      • Right to data portability – you are able to obtain and reuse the personal data you provided to us. We can provide a selected set of the data delivered in a machine-readable format, where the basis of processing has been consent.
      • Right to deletion – we will delete the data at your request if it is no longer legitimately needed.
      • Right to withdraw your consent – if you have given a consent for data processing, you are always entitled to withdraw your consent.
      • Right to object to the processing – you have the right to object to the processing of your personal data on Gren legitimate interests such as developing of our recruitment process.
      • Right to restrict the processing – in certain circumstances you have the right to have the processing restricted. 
    • Gren reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be
      notified about on our website, or by communicating directly to you.

    • Gren Group and its subsidiaries are the controllers of your personal data. If you want to exercise your rights or have any queries about the processing of your personal data, contact us by using our privacy request form.

      Further questions and comments regarding your privacy can be addressed to:

      • Gren Eesti
        Niidu 24
        80047 Pärnu
        Estonia
      • Gren Tartu
        Sõrba 54/1
        50106 Tartu
        Estonia
      • Gren Latvija
        Pasta 47
        Jelgava, LV-3001
        Latvia
      • Gren Lietuva
        J. Jasinskio g. 16B,
        LT-03163
        Lithuania
  • For consultants and vendors

    This privacy notice describes how Gren Group and its subsidiaries process the personal data of our consultants and vendors.

    We may also provide additional privacy information in supplements or other notices regarding particular system, product or service.

    • Gren collects and processes various types of personal data, where applicable, such as:

      • Personal details – including your contact details (such as your name, address, phone number, and email address), demographic data (such as your gender, age, language, nationality, professional details) and your identification-related information where needed (e.g. national ID number, passport number).
      • Administrative information – such as your resumé and competencies, information about previous assignments or projects where you have been involved, where applicable, the results of background checks, credit information, photographs, accident records, project time and attendance management and information about work-related equipment and services that you use in connection with working with us, including, e.g. recorded and transcribed phone calls, recordings of trainings, messaging, and information you publish about yourself in internal and external channels.
      • Financial data – such as your bank account information, travel and other expenses, insurance information, tax numbers.
      • Online data & identifiers – data that is collected with cookies or similar technologies about your use of our internal services, your IP address, cookie ID, mobile device ID, details about browser and device, and location.
      • Security data – data that is used for securing the use of our services and our premises, such as your password and login details, employee ID, security logs, facility entry logs, and CCTV camera recordings.
    • The personal data which we process about you comes from different sources:

      • You and your employer – we receive information directly from you and the company with which you are working.
      • Third parties – we may receive information from third parties, such as national authorities (e.g. police and other enforcement agencies).
      • Gren Group companies – which share information for purposes mentioned below in section 6.
    • We will use your personal data for predefined purposes based on contract, consent, legal obligation and legitimate interest. Typically, the legal basis for data processing in the supplier relationship context is our legitimate interest to administer our contact persons’, project workers’ or consultants’ information for work-related matters. In addition, we have certain legal and contractual obligations that require us to process personal data. Consent may be used in certain specific situations.

      We will use your personal data for the following purposes:

      • Supplier & consultant relationship management – we process personal data to manage a professional relationship with our business partners. This involves contacting our stakeholders and arranging events.
      • Managing work orders and assignments, evaluation, and general administration – we process personal data of consultants in order to administer their work and assignments. We provide consultants with work-related tools, training and services, manage travel and expense claims and project hours, conduct contract performance evaluation, and manage insurances and payments. Personal data is also processed in supplier contract management, for example when signing non-disclosure agreements.
      • Service development & reporting – we process personal data to improve and develop our internal services. Service development is done, for example, by collecting feedback directly from you in surveys and questionnaires; by utilizing the data generated from the use of our services in analytics; and by using recorded or transcribed phone calls in certain operations for training and service quality improvement. We also have internal reporting processes that utilize personal data.
      • Legal obligations – we process personal data to comply with our legal obligations, for example, to comply with tax, accounting, securities, anti-bribery, anti-money laundering, health and safety rules and other legal obligation placed on Gren.
      • Ensuring security, safety and legal rights – we use personal data to ensure the security and safety of our information, facilities, products, services, and personnel. This is done subject to local law, for example by keeping access logs and system backups, preventing attacks, monitoring system use, identifying and authenticating individuals, and monitoring access and facilities (including CCTV) and locating individuals in emergency situations. We also process personal data for defending legal rights, including preventing and investigating fraud, industrial espionage and other crime.
    • If we use automated decision-making with legal or similarly significant effects on you, we will inform you
      about it in advance. If such automated decision-making is not authorized by legislation, not necessary for the
      performance or entering into a contract with us, we will ask for your consent.

    • Gren deletes or de-identifies personal data when it is no longer necessary for the purposes it was collected
      for. For information on how long we hold your personal data for, please contact us.

    • Where applicable, we may share your personal data with:

      • Gren Group companies – our Group companies may use your personal data for the purposes defined in this notice, based on legitimate interest to the extent permitted by applicable law.
      • Your employer – we may share your personal data for the purposes defined in this notice with the company with which you are legally employed by, based on our legitimate interest, to the extent permitted by applicable law.
      • Authorized third parties – we may share your personal data with authorized third parties, based on our legitimate interest, to the extent permitted by applicable law. In such cases, Gren will ensure there is a genuine need to share your personal data. Authorized third parties include, for example, Gren’s customers, travel agencies, banks, telecom operators, insurance scheme providers, auditors, professional advisors, external legal counsels, actuaries, medical practitioners, trustees or other third-party suppliers.
      • Our subcontractors – we use subcontractors to provide services to us. Such subcontractors may have access to your personal information and process it on our behalf, but they are not allowed to use the personal data for any other purpose than to provide the service agreed with us. We ensure that the processing of personal data by our subcontractors is done in accordance with this notice through appropriate contractual arrangements. Typical service providers that process personal data include for example IT software and service providers.
      • Acquisitions and divestments – if we decide to acquire, sell, merge or otherwise reorganize its businesses, this may involve disclosing personal data to prospective or actual purchasers and their advisers.
      • Authorities, legal proceedings and law – we will disclose your data to certain competent authorities, such as government agencies responsible for tax collection, statistical information or to the police, other law enforcement agencies, to the extent required under mandatory law. We may also disclose your personal data in relation to legal proceedings or at the request of an authority on the basis of applicable law, or court order or in connection with a trial or authority process, or as otherwise required or permitted by law.
    • Some of our service providers and group companies operate internationally, which means that data
      occasionally could be located or transferred to the other country, including outside of the European
      Economic Area. When personal data is transferred outside the EU or the EEA, Gren uses appropriate
      safeguards, such as the standard contractual clauses provided by the European Commission. You can obtain
      more information about the transfers by contacting us.

    • Gren employs appropriate organizational and technical security measures to protect your data from loss or misuse. We have a cybersecurity governance model which describes roles and responsibilities on the group level, and our instructions give detailed information on how personal data must be handled within Gren. By conducting awareness programs, we engage Gren employees in privacy and security considerations. Where we contract with third-party suppliers to provide services that may enable them to access your personal data, we require them by contract to have similar security controls in place.

    • When you use our services or visit our websites, Gren can collect data about your devices using cookies and
      other similar technologies. You can get more information about how to manage cookies and online data use by reading our cookie policy.

    • Below, you can see your rights regarding personal data that Gren processes about you. Please note that
      some of the rights may not be applicable, for example, if the data cannot be connected to you.

      • Right to access personal data – you have the right to be informed about the processing that we do and to request a copy of your personal data.
      • Right to correct personal data – you can ask for the information about you to be corrected, if it is not accurate or if it needs to be updated.
      • Right to data portability – you are able to obtain and reuse the personal data you have provided us. We can provide a selected set of the data delivered in a machine-readable format, where the basis of processing has been either contract or consent.
      • Right to deletion – we will delete the data at your request if it is no longer legitimately needed.
      • Right to withdraw your consent – if you have given a consent for data processing, you are always entitled to withdraw your consent.
      • Right to object to the processing – you have the right to object to the processing of your personal data on Gren legitimate interests, such as developing our products and services, and other purposes explained above in sections 3 and 6 above. Gren may reject your request if there is a compelling reason for continuing the processing.
      • Right to restrict the processing – in certain circumstances you have the right to have the processing restricted.
    • Gren reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be
      notified about on our website, or by communicating directly to you.

    • Gren Group and its subsidiaries are the controllers of your personal data. If you want to exercise your rights or have any queries about the processing of your personal data, contact us by using our privacy request form.

      Further questions and comments regarding your privacy can be addressed to:

      • Gren Eesti
        Niidu 24
        80047 Pärnu
        Estonia
      • Gren Tartu
        Sõrba 54/1
        50106 Tartu
        Estonia
      • Gren Latvija
        Pasta 47
        Jelgava, LV-3001
        Latvia
      • Gren Lietuva
        J. Jasinskio g. 16B,
        LT-03163
        Lithuania