Privacy notice

Epiroc AB, reg. no. 556041-2149, and its subsidiaries (collectively referred to as “Epiroc,” “we,” “us” and “our”) care about your privacy and are committed to protecting your personal data in accordance with fair information practices and applicable data privacy laws. Regardless of in which capacity you share information with us, e.g. as a customer, supplier, shareholder etc., it is important to us that you feel safe about how we treat your personal data.

The Controller of your data is the company that initially collected your data and decided the purposes and means for using your data. This Privacy Notice applies to situations where Epiroc and, or its subsidiaries act solely or collectively as data controllers/joint controllers or equivalent local law concept.

Additional data privacy information may be provided for our websites, events, products, services and any other tools, offerings or platforms that may involve processing of personal data by us. Our privacy practices may vary in connection with different products, services, and solutions as well as in different locations in which we operate. We encourage you to read the Privacy Notice of each legal entity and website, app, service, or solution you visit, review, use or otherwise interact with, where available.

This Privacy Notice explains how we collect, use and share personal data that you provide to us, or that we may otherwise obtain or generate, which relates to you (“personal data”). Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This Privacy Notice applies to the personal data we obtain through our normal business activities, both online and offline, i.e. collection in connection with sales and marketing, partner and supplier engagement and investor relations. As this Privacy Notice is intended to cover a variety of situations, there may be information contained in the Privacy Notice that does not apply to you.

Epiroc will always abide local laws and regulations and will refrain from the collection or use or personal data in a location where it is prohibited by law. If Country specifics items exists, they can be found at the bottom of this page.

In summary, Epiroc may process your personal data for the following purposes:

• to fulfil agreements entered into with customers, suppliers, consultants and other contracting parties;
• to provide and administrate support and customer services;
• to provide efficient marketing;
• to provide information to Epiroc’s shareholders;
• to register and administrate your user account;
• to mitigate cyber security threats and to provide secure information technology environments;
• to provide, improve and develop this website, our business or new services and products by analyzing your use of this website, our products and other analytics/statistics;
• to assess your abilities and suitability for current or future roles within the company as a job applicant;
• to comply with any legal or regulatory obligations, requirements or requests;
• to protect, defend or enforce our legal rights, or those of others; or
• to enable mergers, divestitures, restricting, reorganization, dissolution and other sale or transfers of Epiroc’s assets.

Below, you are provided with more information about e.g. why we process your personal data, which personal data we keep in order to achieve the purposes of the processing and for how long we keep your personal data. 

The personal data that we process about you is data that you have provided us with or that we have otherwise acquired as part of the provision of our services. We collect personal data:

• when you create an account to use our services or create a new user for that account;
• when you submit user-interaction data via our products or to our services;
• when you complete transactions through this website, such as fulfilling an order for our services and products;
• when you contact our support or customer service;
• when you apply for a position at Epiroc;
• through forms or other paper interaction with us;
• through submittal of written documentation and emails sent to and from Epiroc; and
• when you share information with us through other means, such as meetings, collaboration tools, conversations, social media, online forms or otherwise through our websites;

We retain your personal data for as long as necessary for the purposes for which we originally collected the data in accordance with this Privacy Notice. When we no longer need to save your data, we will remove it from our systems, databases, and backups. In the tables above under section 2, you will find more information about how long we keep your personal data for different purposes.

We may be required to keep your personal data for other reasons, such as to comply with legal obligations or to safeguard our legal interest, or for any other important public interest.

We may share personal data with third parties that are trusted recipients and with whom we have an agreement ensuring that your personal data is processed in accordance with this Privacy Notice. We may share data with:

• our subsidiaries and affiliates;
• third party service providers;
• a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Epiroc’s assets; and
• suppliers in the event of need for sub suppliers on particular components.

In certain circumstances, we may also need to disclose personal data upon the request from authorities or to third parties in connection with court proceedings or business acquisition or combination processes, or other similar processes.

We will not sell your personal data.

Because Epiroc is a global company with locations in many different countries, we may transfer your personal data to countries that are both in and outside the EU/EEA when transferring from one affiliated company to another in order to accomplish the purposes listed above.

When transferring personal data outside the EU/EEA, we will ensure that there is a legal basis for the transfer and that the level of protection is equivalent to that applicable within the EU/EEA, either by ensuring that the country has an adequate level of protection, that we have taken adequate protective measures such as the European Commission’s standard contractual clauses, that the data subjects have given their explicit consent or that the transfer is necessary with regards to the purposes set out in article 49 of the GDPR.

In the capacity of data controller, we are responsible for ensuring that your personal data is processed in compliance with applicable laws. In relation to applicable data protection laws, you as a data subject may have the following rights in relation to your personal data. To exercise these rights, you may contact us at provided contact details in the end of this Privacy Notice.

For specific data privacy rights of data subjects, see country specific privacy notices in the end of this Privacy Notice.

Where GDPR are applicable we have an obligation to respond to your requests to exercise your rights within one month of receiving your request. If your request is complex or if we have received many requests, we have the right to extend this deadline to two months. If we are unable to take the action you request within one month, we will inform you of the reason for the delay and of your right to lodge a complaint with a supervisory authority and to seek judicial remedy. You will not be charged for requesting information, for communication or measures that we carry out. However, if your request is manifestly unfounded or excessive, we may charge an administrative fee for providing the information or taking the action requested or refuse to act on your request altogether.

Right to access to your personal data. You have the right to obtain confirmation on whether we process personal data about you and receive a copy of such data as well as information on how we process your personal data.

Right to request a copy of the European Commission’s standard contractual clauses and its appendices that we use with any third parties, as mentioned in section 7.

Right to rectification. You have the right to rectify any inaccurate personal data we process about you or have any incomplete personal data about you completed.

Right to erasure of your personal data. You have the right to request that we delete your personal data if there is no compelling reason for us to continue processing the data. Personal data should therefore be erased if:

• it is no longer needed for the purpose for which we collected it;
• we process your personal data based on consent provided by you and you withdraw your consent;
• you object to us processing your data based on a legitimate interest assessment and we have no compelling interest that overrides your interests and rights;
• we have processed the personal data unlawfully; or
• we have a legal obligation to erase the personal data.

However, there may be legal requirements or other compelling reasons that prevent us from immediately erasing your personal data. We will then stop processing your personal data for purposes other than in compliance with the law or where there are no compelling legitimate grounds for doing so.

Restriction of processing. This means that we temporarily restrict the processing of your data. You may have the right to request restriction when:

• you consider your data to be inaccurate and you have requested rectification as defined above, while we establish the accuracy of the data;
• the processing is unlawful, and you do not want the data to be erased;
• as the personal data controller, we no longer need the personal data for our processing purposes, but you need them to be able to establish, exercise or defend a legal claim; or
• you have objected to the processing as defined below, while waiting for us to consider whether our legitimate interests override yours.

We will take all reasonable measures possible to notify everyone who has received personal data as stated in section 6 above if we have rectified, erased or restricted access to your personal data after you have requested us to do so. If you request information on recipients of your personal data, we will inform you about the recipients.

Right to object to processing. You have the right to object to the processing of your personal data if our processing is based upon legitimate interests. If you object to such processing, we will cease processing of your personal data, unless we can demonstrate compelling legitimate grounds for the processing overriding your interests, or if the data is needed for the establishment, exercise, or defense of legal claims. You always have the right to opt out of receiving direct marketing from us.

Right to information. You have the right to receive transparent information about how we process your personal data.

Right to withdraw your consent. When we need your consent in order to process your personal data, you always have the right to withdraw such consent at any time by contacting us. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

This applies where the GDPR is applicable. If consent is used as a legal basis based on other countries' Data Privacy legislation (outside the EU/EEA), the rules for the respective country's interpretation of consent will apply. We aim to, to the extent possible, handle consent based on EU/EEA interpretation also for processing’s based on consent as legal base for processing from other countries' Data Privacy legislation, where the GDPR is not applicable.

Right to data portability. You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, and you may have that data ported directly to another controller, where such personal data is processed based on your consent or to perform a contract with you.

Right to complain. If you are not satisfied with our processing of your personal data, do not hesitate to contact us at the email-address under section 12, and label the email “Privacy Complaint”. You also have the right to lodge a complaint with the supervisory authority if you are not satisfied with our processing of your personal data. For EU and EEA countries, you can find your local supervisory authority here.

Please note that a number of these rights only apply in certain circumstances, and all these rights may be limited by law. If you wish to exercise your rights or have any questions regarding the processing of your personal data, please contact us using the contact details set out in section 12.

We always want you to feel confident about providing us with your personal data. We have therefore taken appropriate security measures to protect your personal data against unauthorized access, alteration and erasure.

Even though we work hard to protect your data, no security measures are perfect or impenetrable. Should a security breach occur that may materially impact you or your personal data, e.g. risk of fraud or identity theft, we will contact you to explain what action you can take to mitigate potential adverse effects of the breach.

We strongly advise you to be cautious and to protect your own personal data. You are responsible for keeping your passwords confidential and to avoid others from observing your personal data when using our services in public spaces. 

We may, from time to time, make changes to this Privacy Notice to reflect any changes in our data processing practices. We recommend that you visit this Privacy Notice on occasion to learn about new privacy practices or changes.  If we make material changes to the way in which we use information we collect, we will use reasonable efforts to notify you by means consistent with applicable law and will take additional steps as required by applicable law.

This Privacy Notice was last updated:  May 22nd, 2024.

Do not hesitate to contact us if you have any questions about this Privacy Notice or our processing of your personal data at:

Epiroc AB, reg. no. 556041-2149. Email: dataprivacy@epiroc.com. If you wish to exercise your rights, please contact the Epiroc IT Service Desk at: service.desk.it@support.epiroc.com, and label the email “Data Subject Right Request” or “Data privacy breach”.