Version updated: 29.4.2025
As data controllers, Assemblin Caverion Group (the “Company” or “We”) companies are required to protect your personal information, and our aim is to make you feel secure when we process your personal data. We protect your privacy in compliance with the EU General Data Protection Regulation as well as all other applicable laws.
We encourage you to read this privacy notice thoroughly.
When we refer to Assemblin Caverion Group in this privacy notice, we mean Assemblin Caverion Group AB and its affiliates.
Group contact information:
Assemblin Caverion Group AB
Legal & Compliance function
Västberga Allé 1, SE 126 30 Hägersten, Sweden
Email: privacy@caverion.com
Organisation number: 559427-2006
We take privacy and security of your personal data seriously. All personal data you provide to the Company is being stored on secure servers and only employees and third parties who need to access to this information shall have access to your personal data. Those individuals who have access to the personal data are required to maintain the confidentiality of such information. The Company and our service providers will always take all reasonable measures to make sure your personal data is being protected.
We use appropriate technical, administrative, and organisational security measures to protect personal data against unauthorised access, disclosure, destruction, or other unauthorised processing. The servers are located in the EU, or they are GDPR compliant by separate agreements. Network services are protected by a HTTPS connection, which encrypts communications.
We will only collect such personal information that is relevant for the purposes described in this privacy notice. We collect information that is (a) provided by you but also (b) information collected automatically or (c) obtained through other external sources. We describe here how we handle personal data of different data subject groups. Note that we sometimes combine information we receive from you, information collected online, information collected offline, and information collected from third party sources, always in compliance with applicable laws and regulations pertaining to processing of personal data.
We will use your personal data only for the purposes stated in this privacy notice, unless we receive your consent for other purposes.
Information collected of you when you are browsing on our website typically includes:
Purposes of collecting data:
Website users’ (who may also be customers, potential customers, candidates or other) personal data is collected to personalise your experience on our website or display advertising on third party sites or otherwise market our services. Some of our third-party partners use cookies or similar technologies to provide you advertising based on your browsing activities and interests. Personal data is also collected to optimise the functionalities of Assemblin Caverion Group companies’ webpages. More information about the details of processing is provided in https://www.caverion.com/about-us/cookie-notice/. This data is processed based on legitimate interest. Legitimate interest is used to process website users’ data since the Company has an interest to market its services in order to continue its business. The collected data about individuals is very limited and does not include sensitive personal data.
We need information for various purposes if you are our customer. Most of the information is provided by you, but we collect some information also from other sources. Your personal details can also be provided also by a contact in your company/organisation, like your manager or a colleague, and we will update the data accordingly to our customer database.
The information which we collect about customers typically includes:
Purposes of collecting personal data:
Customer data is processed to provide services to customers and to manage customer relationship. We may also process customer data for e.g. for surveys, competitions or event management. This data is processed based on contractual necessity or legitimate interest. No sensitive data about individuals is processed except for temporary situations like dietary requirements for event organisation.
Information collected of you typically includes:
Purposes of collecting data:
Potential customers’ data is processed for creating new customer relationship, for advertisement purposes and understanding the market. This data is processed based on legitimate interest. Legitimate interest is used to process potential customers’ data since the Company has an interest to market its services in order to run its business. The collected data about individuals is limited and does not include sensitive personal data.
When you apply for a job at any Assemblin Caverion Group company, we need specific personal information from you. Based on your application and your given data, we will collect and use your personal data to check your suitability for the jobs within the recruitment process. Sensitive data is collected only if you voluntarily provide this information in your application.
Information collected of you typically includes:
We do not collect sensitive personal data unless you have voluntarily submitted it as part of application, given consent or alternative legitimate basis for processing exists.
Purposes of collecting personal data
Candidate data is processed for recruitment purposes and to ensure the Company hires such persons who can comply with its policies and legal obligations. This data is processed based on legitimate interest of the Company.
Candidate data can be processed based on legitimate interest. The Company has a need to process candidate data because otherwise it would not be able offer job to new people or ensure compliance with its policies and applicable laws. The data is not shared with parties who should not access it and stored in accordance with the GDPR and internal guidelines of the Company.
We are using your personal data while you are working for the Company as an external workforce. We will only collect such personal information that is relevant for the purposes described in this privacy notice. The Company will, when permitted or required by law, collect and maintain for example the following external workforce’s personal data:
Information collected of you typically includes:
We do not collect sensitive personal data unless you have voluntarily submitted it as part of application, given consent or alternative legitimate basis for processing exists.
Purposes of collecting personal data:
Personal data of external workforce is processed to organise their work in customer assignments, manage the contractual obligations with them and ensuring sufficient training and compliance with applicable laws. The personal data of external workforce is managed based on contractual necessity, legal obligations and legitimate interest. Legitimate interest is used where the Company has a need to process the personal data because otherwise it would not be able to provide services to its customers and, thus, not be able to offer job to its external workforce. The data is not shared with parties who should not access it, and it is stored in accordance with the GDPR and internal guidelines of the Company.
We are using your personal data while you are a vendor of the Company. We will only collect such personal information that is relevant for the purposes described in this privacy notice. The Company will, when permitted or required by law, collect and maintain vendor’s personal data for example in these cases:
Information collected of you typically includes:
Purposes of collecting personal data:
Service providers’, business partners’ and other stakeholders’ employees’ data is processed to buy services from these companies or to otherwise co-operate with them in relation to our business. We may also process their data for surveys, competitions or event management. This data is processed based on contractual necessity or legitimate interest. Service providers’, business partners’ and other stakeholders' personal data can be processed since the Company cannot do any business if it does not first market its services to potential customers. No sensitive data about individuals is processed.
When you visit our facilities, we will collect certain personal information about you. This typically includes:
Purposes of collecting personal data:
Building visitors data is processed to ensure security of our working facilities. This data is processed based on legitimate interest. Legitimate interest is used to process building visitors' data since the Company has a strong interest to ensure the safety of its facilities and persons working or visiting the facilities. The collected data about individuals does not include sensitive personal data.
The Company transfers personal data only to persons and companies who need it to perform their duties. We ensure that the parties we transfer personal information to, are properly informed of the purpose of the processing, and we ensure the lawful processing of the personal data through contractual arrangements. We also ensure that the recipients of personal data commit to comply with the restriction on use of that personal data, including keeping the personal information confidential.
In case personal data is transferred outside EU/EEA, such transfers are either made to a country that is deemed to provide a sufficient level of privacy protection by the European Commission or transfers are carried out by using appropriate safeguards such as EU commissions standard contractual clauses and identifying needs for supplementary measures.
Due to our common IT infrastructure and knowledge sharing within the group, your personal data will be accessible by companies of Assemblin Caverion Group for the purposes listed in this privacy notice.
We are using external service providers for certain parts of business operations, e.g. IT system maintenance.
We will share the data with other partners or stakeholders when necessary for our business. When third parties are used, we will ensure they follow our privacy guidelines. We also use cookies and web beacons on our websites and therefore share information with third parties collecting the data, e.g. social media platforms. Read our Cookie Notice: Cookie notice - Caverion.
You, as a data subject, have certain rights concerning your personal data as indicated below.
You can contact us and we will inform what personal data we have collected and processed regarding you and the purposes such data are used for. You have the right to ask to correct any incorrect or incomplete, personal data stored about you by contacting us. You can object to use of certain personal data, including direct marketing, if such data is processed for other purposes than purposes necessary for the performance of our services or for compliance with a legal obligation. You can also object any further processing of personal data after prior given consent. If you object to the further processing of personal data, this may lead to fewer possibilities to use our services.
You can also ask us to delete your personal data from our systems. We will comply with such request unless we have a legitimate ground not to delete the data. After the data has been deleted, we may not be able to delete immediately all residual copies from our active servers and backup systems. Such copies shall be deleted as soon as reasonably possible. Even though you can request us to restrict processing of certain personal data; this may however lead to fewer possibilities to use our website and other services.
You have the right to receive personal data provided by you to us in a structured, commonly used and machine-readable format when the data is processed automatically and is processed based on consent or fulfilment of contract or steps preparatory to a contract.
These rights (5.1.-5.3.) can be exercised by using the Data Subject Request form. We can reject requests that are unreasonably repetitive, excessive or manifestly unfounded or when the applicable law does not require us to comply with the request.
If the personal data you have given us is based on your consent, you have the right to withdraw that consent at any time. You can opt-out your digital marketing consent here.
If you have given consent for visual materials (images, videos) or contents (blog posts, articles), you can withdraw your consent here. Note that processing your personal data is necessary for us to provide you our products and services. Withdrawing your consent may lead to a situation where we cannot necessarily provide our services to you.
If you are not satisfied with the decision or actions of the Company, you have always right to lodge a complaint to local data protection authority.
We use cookies and beacons on our websites. Please see our Cookie notice: Cookie notice - Caverion.
We have the right to store your personal data as long as needed for legitimate purpose or as long as required by law. The criteria used to determine the period of storage of personal data is the respective statutory retention period and legitimate purpose. The information and the length of the storage time vary depending on the data in question and applicable law. The general retention times are stated below per user group. We continuously erase and/or anonymise your personal data when it is no longer relevant for the purposes for which we are processing it.
Most of the potential customers’ personal data is deleted 5 years from the latest interaction with the Company. Interaction can include any activity recorded to your related company during these years.
Most of the customers’ personal data is deleted 10 years after the latest interaction with the customer company (i.e. their employer). Interaction can include any activity recorded to your related company during these years (e.g. logged meeting, email)
Most of the candidate's personal data is deleted in accordance with the relevant country legislation. Typical retention time is 3 years after the recruitment process has ended.
Most of the external workforce’s personal data is deleted 10 years after the latest agreement with the external workforce (or their employer) has ended.
Most of the vendors’ personal data is deleted 10 years after the latest agreement with the vendor (i.e. their employer) has ended.
Most of the building visitors’ personal data is deleted 2 years after the visit at any of the Company premises.
We reserve the right to review, modify and update this privacy notice from time to time. If we make such changes, we will record the date of the amendment or modification to this privacy notice. Please review this privacy notice regularly and especially before submitting any personal data to us. We will not alert our users of all the updates but if there are really important changes to the privacy notice or how we use your information, we will utilise commercially reasonable efforts to provide appropriate notification to you.