Privacy Notice

Privacy Notice for Business Partners and Website Users

Please read this Privacy Notice carefully. It explains why and how Sappi collects personal data about you, or receives personal data from you, when you access the www.sappi.com, www.sappiandyou.sappi.com, www.ecommerce.sappi.com, www.octoboost.com, www.rockwellsolutions.com and www.cham-group.com websites. It also sets out how we protect your personal data and for how long we will retain it. Sappi keeps your personal data as safe and secure as reasonably possible. We protect it against loss and unauthorised disclosure or access. We will handle your personal data in strict compliance with applicable data protection laws, in particular the General Data Protection Regulation 2016/679 of 27 April 2016 (‘GDPR’). This Privacy Notice is applicable for citizens of the European Union (EU) [1].

This Privacy Notice has been set up as a Q&A list. It applies to all individual contact persons representing our (potential) business partners such as customers, also using our digital products (OctoBoost), suppliers or partner companies (‘Business Partners’). It also applies to all visitors of our premises (‘Visitors’) and users of our website (‘Website Users’). Each Business Partner can find the individual details of its personal data processing in specific sections in this Privacy Notice.

In this Privacy Policy, references to ‘we’, ‘us’ or ‘our’ mean Sappi. References to ‘you’ and ‘your’ are to our Business Partners. Our Privacy Policy must be read together with any other legal notices or terms and conditions available on other pages of our Website.

1    Who will process my personal data? 

The so-called ‘Controllers’ of your personal data are the following legal entities, either acting separately or jointly with associated companies of the Sappi group (‘Sappi’):

 

Sappi Europe SA
Head office of Sappi Europe
Chaussée de la Hulpe/Terhulpsesteenweg 166
1170 Brussels
Belgium
Company number: 0449.887.582

Sappi Papier Holding GmbH
Brucker Strasse 21
8101 Gratkorn
Austria
Company number: FN 167931h

www.sappi.com 

Sappi is a leading global provider of sustainable woodfibre products and solutions. All associated Sappi entities can be found at www.sappi.com/locations or are available upon request from your Sappi contact (see Section 10). This list may be updated periodically.

2    What is the purpose for processing my personal data?

Sappi will only collect, use and otherwise handle your personal data which are required for conducting its ordinary course of business or in connection with operating its Websites, including e-commerce platforms and digital products. Sappi’s legitimate business reasons are specified below:

A.    Visitors

Access control to a certain Sappi location (check-in) including safety briefings and tests at some Sappi locations required for your health and safety during your stay at Sappi’s premises and when leaving (check-out).

B.    Website Users

Dealing with your enquiries and requests; providing technical support if required;

Information about our products and services;

Direct marketing including customised offers, local promotions and sales support;

Provision of an e-commerce platform including financial reports and product availability;

Hosting and maintaining our Website; ensuring network and information security;

Statistics and analysis of visits to our Website to measure behaviour and interest in the various content hosted on our Websites. Please refer also to our separate Cookie Policy which can be found in our legal notices.

C.    (potential) Customers

Dealing with your enquiries and requests;

Provision of information about Sappi’s products, services and technical-commercial information;

Direct marketing including customised offers, local promotions and sales support;

Central customer relationship management and administration of our Customer Relationship Management system (CRM);

Conducting Customer satisfaction surveys;

Order and supply management including logistics and transport services;

Evaluation of Customer credit worthiness and risk, establishing sales terms and credit policies, and designing an appropriate collection process (Account Receivable Management);

Contract negotiation; claim and dispute management. 

For Sappi’s digital products (OctoBoost): processing and hosting your customer’s print orders through e-commerce and print efficiency digital solutions.

D.    (potential) Suppliers

Evaluation and negotiation of the purchase of goods and services required in our business including logistics and transport, consulting, etc.;

Order management; Receipt of goods and services;

Management of our billing process and trade credit purchases (Account Payables Management);

Contract negotiation; claim and dispute management.

3    What are the legal grounds for processing your personal data? 

Your personal data are processed on the following legal grounds: 

1.    Entering into and the performance of a contract with you: for example, sales, supply, distribution, agency, transport, cooperation contract, etc. Processing your data is inevitable in order to allow adequate order and supply management or to meet billing commitments;

2.    Complying with legal obligations applicable to Sappi: for example, in the field of health and safety, tax and fiscal matters, etc.;

3.    Sappi’s legitimate interests: for example, properly managing and growing our business, providing correct billing information, secure operation of our Website or careful and reliable Customer and Supplier management and network and information security. We only process data in a professional context, in a transparent and secure manner, strictly limited to the minimum required, for legitimate purposes in a business-to-business environment. Therefore our legitimate interests do not conflict with your fundamental right to privacy.

4.    Your explicit consent for most of our data processing activities is not required. Exceptionally, for certain processing activities we will seek your approval.

4    Which categories of your personal data will be processed? 

Personal data is all information relating to you or on the basis of which you may be identified. Sappi only processes personal data of individuals in their professional capacity or if it is required for the above purposes. We are not interested in and do not process private e-mail addresses or any other non-professional information unless specially provided by yourself.

Categories of personal data will include the following:

A.    Visitors

Personal identification data such as name, surname, title/position, business contact data such as email address, phone number, mobile, fax, address;

Your number plate in case of entering our premises by car.

B.    Website Users

When filling in contact forms: Personal identification data such as name, surname, title/position, business contact data such as email address, phone number, mobile, fax, address;

Electronic identification data such as username, login data, IP addresses, cookie identifiers, logged data.

C.    (potential) Customers

Personal identification data such as name, surname, title/position, business contact data such as email address, phone number, mobile, fax, address;

Electronic identification data such as username, login data, IP addresses, cookie identifiers, logged data;

Professional activity (data on professional activities of the person in the file);

If you explicitly ask Sappi to make travel arrangements on your behalf, we are obliged to process data as required by the travel agency, airline, train, hotel, transfer provider etc. including financial identification data (bank account numbers, credit or debit card details) or a copy of your identity card;

In case of certain small businesses or sole proprietorship standard corporate data may turn out to be your personal data such as VAT or bank account numbers, creditworthiness and financial means (data on income, possessions, investments, financial position);

Optional: Personal characteristics and specifics (gender, date of birth, civil status, nationality, hobbies, lifestyle, etc.);

OctoBoost: If you wish to use Sappi’s OctoBoost, Sappi becomes a ‘processor’ and processes the above-mentioned data from your customers on your behalf. As required by Article 28 GDPR, we have entered into a respective processor contract with you.

D.    (potential) Suppliers

Personal identification data such as name, surname, title/position, business contact data such as email address, phone number, mobile, fax, address;

Professional activity (data on professional activities of the person in the file);

If you explicitly ask Sappi to make travel arrangements on your behalf, we are obliged to process data as required by the travel agency, airline, train, hotel, transfer provider etc. including financial identification data (bank account numbers, credit or debit card details) or a copy of your identity card;

Optional: Personal characteristics and specifics (gender, date of birth, civil status, nationality, hobbies, lifestyle, etc.).

Sappi may occasionally be granted access by Business Partners to certain special categories of data, for example individual health data, so as to enable you safe access to our premises or to accommodate special culinary requirements. We will not process this data unless you give us your consent.

5    Where do your personal data come from and how do we use your data?

The personal data that we process as described in this Privacy Notice mainly come from you. However, regarding potential Customers we also use publicly accessible information from the Internet, e.g. your company’s website or social media site.

We use your personal data as follows:

1.    Contact Forms: Sappi may collect the personal data which you choose to provide when you fill in forms, either at the reception of a specific Sappi location or on our Website.

2.    Business cards

3.    Events: if you register for one of our events, we will share your name, position and company and possibly your professional contact details with the other people that are attending the same event.

4.    For (potential) Customers and Website Users: If you have given us your contact details, we may contact you by phone or by post for marketing purposes, unless you let us know that you do not want to receive this type of marketing information. We may also contact you for direct marketing purposes by electronic means such as email. At any time you are entitled to opt-out from receiving our marketing communication. You can opt-out free of charge by using the contact details provided in this Privacy Policy (see Section 10). Alternatively use the ‘unsubscribe’ option included in any marketing email or other marketing material received from us.

If you choose not to provide personal data requested by us, we may not be able to provide you with the information and/or services you have requested or otherwise fulfil the purpose(s) for which we have asked for your personal data. Aside from this, your visit to the Website will remain unaffected.

6    Who will have access to your personal data? 

Internal use

A.    Visitors

The receptionist at the respective Sappi location. See also below under ‘external use’.

B.    Website Users

IT department; Corporate Communications; Sales and Marketing.

C.    (potential) Customers

Sales and Marketing; Technical and Customer Service; Logistics and Supply Chain; Research and Development; Manufacturing; Finance; In-house counsels in case of contract negotiations, claim and dispute management.

D.    (potential) Suppliers

Purchase department; any department requiring goods or services; Finance; In-house counsels in case of contract negotiations, claim and dispute management.

External use

A.    Visitors

Contractors such as security companies and gatekeepers.

B.    Website Users

Web analytics providers such as IBM Coremetrics or Google Analytics.

C.    (potential) Customers

IT service providers for Customer software programs such as SAP, cloud processors for data archived in the cloud; specialised service providers for various business services such as software development, conducting customer surveys, evaluating Customer credit worthiness and risk, marketing and design agencies running (electronic or postal) marketing campaigns, distribution centers for delivering samples and other promotional material, transport and logistics providers, etc.

D.    (potential) Suppliers

IT service providers for Supplier software programs such as SAP, SAP Ariba, cloud processors for data archived in the cloud, etc.

The employees, managers and/or representatives of the above-mentioned external users are obliged to respect the confidential nature of these data and may only use these data in line with Sappi’s instructions. To this end, Sappi has entered into the required contracts with them.

7    Will your personal data be transferred outside the European Union?

For the purposes of administration of Sappi’s global Customer and Supplier Relationship Management (CRM and SRM) tools and databases and the global management of our Website, it is inevitable that Sappi affiliates located outside the European Union [2], such as Sappi’s group headquarters in South Africa and our group companies in North and South America and Asia, have access to your personal data or store these personal data. To transfer your personal data in full compliance with the data protection principles, Sappi has implemented appropriate safeguards in line with the GDPR [3]. A copy of these standard data protection clauses is available upon request from your Sappi contact (see Section 10).

8    Will Sappi make use of automated decision-making?

No, your personal data will not be used for automated decision-making.

9    How long will your personal data be retained? 

Your personal data will be retained no longer than necessary for the purposes described above. In principle, we process and store your data for the duration of our contractual relationship including the negotiation and initiation of the relevant contract. Additionally, we are subject to various retention obligations, which result, amongst others, from civil or fiscal law. Further, specific legal requirements may require longer retention periods, e.g. obligation to safeguard evidence in case of claims.

Please note that each Member State of the EU in which a Sappi Europe group company is located applies its own set of statutory retention and limitation periods. Consequently, Sappi is subject to a wide-ranging diversity of these periods which can vary between six months up to thirty years upon the end of our business relationship. To ensure compliance with the GDPR principle of storage limitation, Sappi regularly reviews its files and deletes personal data that is no longer required on a case-by-case basis.

 

10    What are your rights with regard to the processing of your personal data by Sappi and who can you contact?

You have at any time the right to contact Sappi if you want to:

−    Access your personal data. This includes the right to ask for a copy;
−    Rectify your personal data including supplementing incomplete data should the data not be kept accurately;
−    Erase your personal data if there is no (longer a) lawful ground to process it;
−    Restrict your personal data if you were to object to the processing or to the accuracy of the processed data or if you wish to retain certain personal data in the context of a possible claim while Sappi no longer needs the data in the light of the purposes mentioned under Section 3. 

You have at any time the right to object to the processing for which Sappi based itself in Section 3 on the legitimate interest. Sappi will then cease the processing unless there are compelling legitimate grounds.

Additionally, you also have the right - if you feel that Sappi did not act in line with data protection legislation - to lodge a complaint with the supervisory authority of your habitual residence, of your place of work or of the place of the alleged infringement.

Your contact at Sappi for any further information about these rights can be reached at gdpr@sappi.com. In your email please indicate your primary Sappi contact, if any, whom we may need to involve in dealing with your request.

11    Changes 

We may amend this Privacy Notice from time to time, within the limitation set out by GDPR and any relevant national data protection laws.


1. or of the European Economic Area (i.e. the European Union plus Norway, Iceland and Liechtenstein, EEA).
2. or outside the EEA
3. under the form of the standard data protection clauses for the transfer of personal data from the Community to third countries (controller to controller transfers), Commission Decision C(2004)5721.
