Privacy Notice

Quick links: 1. Introduction | 2. Employees | 3. Customer contacts | 4. Partners | 5. Employee candidates | 6. Suppliers including business partners | 7. Shareholders and shareholder representatives | 8. Visitors to our website and digital channels | 9. Disclosure of personal data | 10. Where we process your personal data | 11. Your rights | 12. Contact information

Privacy Policy Version 3.0 updated November 13, 2025

1 Introduction

[back to top]

This privacy notice provides information regarding how AFRY Group (“AFRY”, “we”, “us” or “our”) collects, processes, stores, and shares your personal data.

Throughout this privacy notice, the term “processing” refers to activities involving your personal data, such as collecting, handling, storing, sharing, accessing, using, transferring, and disposing of it. The term “personal data” refers to any information relating to an identified or identifiable natural person.

The personal data we collect, how we process it, our legal basis, retention period, and which group company acts as the data controller depend on the nature of your relationship to AFRY. To make the information more relevant to you, we have divided the privacy notice into sections that provide specific details based on the different roles you might have when we process your personal data (e.g., employee, customer contact, website visitor, etc.). Please refer to the sections relevant to you in 2-8 below.

We may update this privacy notice at our discretion at any time (the last update date is noted above). If significant changes are made, we will provide notice on our website before the changes take effect.

2 Employees

[back to top]

2.1 Who is the data controller for the processing?

Each entity of AFRY Group processes personal data of their own employees as a data controller in the context of the employment relationship. Further, each company of AFRY Group processes personal data of all AFRY employees as a separate data controller in the context of client assignments and other common projects between the group companies.

2.2 From where do we collect your personal data?

We collect your personal data from:

• Yourself, which you submit to us so that we e.g. can pay salaries and other benefits, direct and distribute work as well as enabling you to communicate through our IT resources.
• Emergency contacts, in the event of an accident or other emergency situations.
• Public authorities, such as tax authorities, e.g. for the purposes of managing your salary and employment benefits, directing and distributing work and fulfilling legal obligations.
• Banks, insurance companies, as well as pensions and insurance administrators/advisers, for the purpose of managing your salary and employment benefits and to establish, exercise and defend legal claims.
• Trade unions and other parties, e.g. to fulfil legal obligations in connection with business changes or to establish, exercise and defend legal claims.

2.3 Purposes of the processing of your personal data

2.3.1 General administration of employment relationship

AFRY processes your personal data within the scope of the general administration of the employment, e.g. to enter into the employment agreement with you, to be able to contact you, store basic information about you such as name, position, etc., and handling changes of position. The needed information will slightly vary in different countries based on the local legislation.

2.3.2 Payment of salary and benefits and expense reimbursement

AFRY processes your personal data for the purpose of administrating the payment of your salary and benefits. This includes calculating and paying salary, managing of compensation and incentives as well as handling salary adjustments and sending pay slips. We will also process your personal data for purposes relating to administration of annual leave, pensions and insurance premiums, benefits and business expenses.

2.3.3 Managing day-to-day operations, including IT administration

AFRY processes your personal data for the purpose of managing the day-to-day operations within the scope of your employment, such as managing work tools and access to IT systems, business planning, following up on the business, handling offboarding process, and any other activities within the scope of your employment.

2.3.4 General workforce planning, including mobility and customer invoicing

AFRY will process your personal data for the purpose of general workforce planning, which includes allocating resources to client project and assessing mobility and relocation preferences and needs across AFRY, as well as to handle customer invoicing.

Additionally, workforce planning will leverage AI to optimise resource allocation, enhance project management, and streamline employee mobility and relocation processes within AFRY.

2.3.5 Performance review and documentation of competence, including salary review

AFRY will process your personal data to review and evaluate your performance at AFRY, such as through performance appraisals. This also involves maintaining information about your competence, skills, and goals. Additionally, we will process your personal data to assign you to duties relevant to your profile and competence, including for succession planning and promotion purposes. In conjunction with this, AFRY will carry out salary reviews, documenting your achieved goals and overall performance, and communicating the new salary to you.

2.3.6 Administration of your participation in trainings, events and meetings

AFRY will process personal data about you for the purpose of administrating your participation in trainings, events and meetings. This includes, inter alia, managing of relevant invitations, carrying out trainings and seminars, storage of and following up on training results and handling room bookings and food orders.

2.3.7 Management of business travels

AFRY will process your personal data to plan and administer business travels and accommodation in connection with such travels, including for safety and incident management. We will also process your personal data to produce statistics for business planning and to work out favourable agreements with hotels and airlines.

2.3.8 Conducting internal investigations, including preventing and counteracting criminal activities and other violations

AFRY will process your personal data for the purpose of conducting internal investigations at AFRY in case of suspected disloyalty, policy breach, breach of law, etc. Such internal investigations may include scanning/monitoring of e-mail correspondence, user activity and content on your work equipment to make sure our policies are followed, and to take actions in case of non-compliance. Note that AFRY only may access private correspondence/documents/activities (on your work equipment) in cases where a concrete suspicion of a serious crime or disloyal behaviour exists. When you use our whistleblowing service, AFRY Listen Up, personal data will be processed that is included in the report, as well as any supplementary data that may be collected to investigate the allegations. We may share your personal data to support disciplinary actions or legal proceedings or to submit a report to relevant authorities.

2.3.9 Facilitating internal and external communication, including with emergency contacts

Your personal data will be processed to develop the brand of AFRY, e.g. by presenting certain staff on our digital channels, facilitate communication internally (between employees) and externally (between employees and external parties), including to communicate about business activities and changes as well as making offers to clients.

In the event of an accident or other emergency situation we may also collect information from your next of kin or other related persons with whom we communicate.

2.3.10 Document the business and its activities

Your personal data may be processed when we manage and keep our business-related documentation, such as board meeting minutes, notes, annual reports and supporting documents for decisions.

2.3.11 Ensuring the safety at AFRY's premises including camera surveillance in connection with our premise(s)

AFRY processes your personal data to ensure the safety at AFRY's premises through access and facility control. We may use camera surveillance in connection with our premise(s). Where camera surveillance is used, you will be informed about that by signs inside and/or outside the premises. AFRY uses camera surveillance to increase the security and to collect evidence in case of a security breach or crime committed in connection with our office premises.

2.3.12 Ensuring the smooth and data secure operation of AFRY’s business

To manage and protect our services and related IT systems, maintain the secure and efficient use of internal information, and ensure the safety of business-critical information and other assets, we process your personal data as necessary. This includes, inter alia, activities such as logging, troubleshooting, backup, change and problem management in systems, and handling potential IT incidents.

2.3.13 Fulfil legal obligations

We will process your personal data to fulfil various legal obligations of AFRY within the field of employment. These obligations include areas such as anti-discrimination, work environment, employee well-being, rehabilitation, right to work, and trade union negotiations. Additionally, we will manage and administer your sick leave and other statutory leave of absence (such as parental leave), including the allocation of work during your absence. Moreover, we will process your personal data to disburse payments and compensations following your leave of absence, as well as to take necessary rehabilitation measures.

Beyond these employment-related obligations, AFRY will also process your personal data to fulfil legal requirements in areas such as book-keeping, taxation, and compliance with applicable data protection laws.

2.3.14 Establish, exercise and defend legal claims

For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.

2.4 Routines for storage and erasure

AFRY will retain the personal data as long as necessary to:

• fulfil the agreement which we have with you, e.g. to pay your salary and the related social security costs during and shortly after your employment;
• fulfil the purpose for which the data was initially collected, e.g. in case of international travelling to ensure we can correctly allocate the related costs shortly after the travel;
• by applicable laws, e.g. for the payment of pensions, holiday pay, the issuance of work certificates, service certificates and references to other employers and for accounting purposes;
• to be able to efficiently respond to possible claims from clients, business partners or similar which may arise during your employment and the applicable statutory period after the assignments where you have worked with us have been completed;
• by our internal policies e.g. regarding data security, ethics and compliance and data management; e.g. in case of access and facility control only for a very limited amount of time needed to ensure the security of our premises.

Please note that some basic employment data may be stored for an indefinite period of time by virtue of our legal obligations related to pension administration.

Quick links: Where we process your personal data | Your rights | Contact info

3 Customer contacts

[back to top]

3.1 Who is the data controller for the processing?

Each company of AFRY Group processes personal data of all AFRY’s customers as a separate data controller.

3.2 From where do we collect your personal data?

We collect your personal data from:

• Yourself, which you submit to us in your response to AFRY's marketing and via web forms.
• Your Employer, when you are designated as a contact person, communicate with us or is the reference person on an invoice.

3.3 Purposes of the processing of your personal data

3.3.1 Administration of customer relationship

Your personal data will be processed because we have a legitimate interest of administering the relationship with our customers and to be able to manage the overall cooperation and dayto-day activities, e.g. within the scope of delivering professional services when performing project management, planning of work, allocation of resources and business planning. This also includes processing within the scope of the execution of our commercial agreements.

3.3.2 Handle customer invoicing

Your personal data will be processed because we have a legitimate interest to issue and process invoices and payments.

3.3.3 Communicating with you

AFRY will process your personal data for the purpose of communicating with you e.g. when responding to questions or requests sent to us, e.g. via e-mail or phone.

3.3.4 Conduct marketing activities

AFRY processes your personal data within the scope of conducting marketing activities, such as, sending you newsletters or inviting you to events (e.g. webinars or trainings).

3.3.5 Ensuring the safety at AFRY's premises including camera surveillance in connection with our premise(s)

AFRY processes your personal data to ensure the safety at AFRY's premises through access and facility control. We may use camera surveillance in connection with our premise(s). Where camera surveillance is used, you will be informed about that by signs inside and/or outside the premises. AFRY uses camera surveillance to increase the security and to collect evidence in case of a security breach or crime committed in connection with our office premises.

3.3.6 Ensuring the smooth and data secure operation of AFRY’s business

To manage and protect our services and related IT systems, maintain the secure and efficient use of internal information, and ensure the safety of business-critical information and other assets, we process your personal data as necessary. This includes, inter alia, activities such as logging, troubleshooting, backup, change and problem management in systems, and handling potential IT incidents.

3.3.7 Fulfil legal obligations

We will process your personal data where necessary in order to comply with legal obligations, e.g. accounting obligations.

3.3.8 Fulfil legal obligations We will process your personal data where necessary in order to comply with legal obligations, e.g. accounting obligations.

Fulfil legal obligations We will process your personal data where necessary in order to comply with legal obligations, e.g. accounting obligations.

3.4 Routines for storage and erasure

AFRY will store the personal data as long as required:

• to fulfil the agreement which we have with you or your employer during the agreement period and shortly thereafter;
• to ensure that all fees, tasks and resources are correctly allocated;
• to fulfil the purpose for which the data was initially collected, e.g. marketing related material will be deleted when we no longer consider you as a potential customer;
• by applicable laws, e.g. for accounting purposes;
• to be able to efficiently respond to possible claims from clients, business partners or similar which may arise during the contractual relationship and the applicable statutory period after the assignments where you have worked have been completed;
• by our internal policies e.g. regarding data security, ethics and compliance and data management e.g. in case of access and facility control only for a very limited amount of time needed to ensure the security of our premises.

Quick links: Where we process your personal data | Your rights | Contact info

4 Partners and subconsultants

[back to top]

4.1 Who is the data controller for the processing?

Each company of AFRY Group processes personal data of their own partners and subconsultants as a data controller in context of the co-operation agreements. Further, each company of AFRY Group processes personal data of all AFRY partners’ and subconsultants’ as a separate data controller in context of client assignments and other common projects between group companies.

4.2 From where do we collect your personal data?

We collect your personal data from:

• Yourself, which you submit to us by becoming a partner or entering a consultant agreement with AFRY.
• Employees at AFRY, if they recommend you as a partner or subconsultant.

4.3 Purposes of the processing of your personal data

4.3.1 General administration of partner and subconsultant relationship

AFRY processes your personal data within the scope of the general administration of the partner and subconsultant relationship, e.g. in order to enter into a partner or subconsultant agreement with you, to be able to contact you, store basic information about you such as name, contact data, etc., manage work tools and access to IT-systems, handling changes of position and drafting written references.

4.3.2 Managing day-to-day operations

We process your personal data for the purpose of managing the day-to-day operations within the scope of your consultancy assignment, such as expense reimbursement, managing of relevant invitations, carrying out trainings and seminars, following up on the business, handling offboarding process, and any other activities within the scope of your assignment.

4.3.3 General workforce planning, including mobility and customer invoicing

AFRY will process your personal data for the purpose of general workforce planning, which includes allocating resources to client projects and assessing mobility and relocation preferences and needs across AFRY, as well as to handle customer invoicing.

Additionally, workforce planning will leverage AI to optimise resource allocation, enhance project management, and streamline partner and subconsultant mobility and relocation processes within AFRY.

4.3.4 Management of business travels

AFRY will process your personal data to plan and administer business travels and accommodation in connection with such travels, including for safety and incident management. We will also process your personal data to produce statistics for business planning and to work out favourable agreements with hotels and airlines.

4.3.5 Partner and consultant database

If you do not have an active relationship with AFRY, AFRY still has an interest in keeping your personal data to contact you in the event of future assignments that suit your profile. You can also sign up for the database without applying for an assignment with AFRY.

4.3.6 Conducting internal investigations, including preventing and counteracting criminal activities and other violations

We will process your personal data for the purpose of conducting internal investigations at AFRY in case of suspected disloyalty, policy breach, breach of law, etc. Such internal investigations may include scanning/monitoring of e-mail correspondence, user activity and content on your work equipment to make sure our policies are followed, and to take actions in case of noncompliance. Note that we may only access private correspondence/documents/activities (on your work equipment) in cases where a concrete suspicion of a serious crime or disloyal behaviour exists. When you use our whistleblowing service, AFRY Listen Up, personal data will be processed that is included in the report, as well as any supplementary data that may be collected to investigate the allegations. We may share your personal data to support disciplinary actions or legal proceedings or to submit a report to relevant authorities.

4.3.7 Ensuring the safety at AFRY's premises including camera surveillance in connection with our premise(s)

AFRY process your personal data to ensure the safety at AFRY's premises through access and facility control. We may use camera surveillance in connection with our premise(s). Where camera surveillance is used, you will be informed about that by signs inside and/or outside the premises. AFRY uses camera surveillance to increase the security and to collect evidence in case of a security breach or crime committed in connection with our office premises

4.3.8 Ensuring the smooth and data secure operation of AFRY’s business

To manage and protect our services and related IT systems, maintain the secure and efficient use of internal information, and ensure the safety of business-critical information and other assets, we process your personal data as necessary. This includes, inter alia, activities such as logging, troubleshooting, backup, change and problem management in systems, and handling potential IT incidents.

4.3.9 Fulfil legal obligations

We will process your personal data where necessary in order to comply with legal obligations, e.g. accounting obligations.

4.3.10 Establish, exercise and defend legal claims

For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process, we may process your personal data.

4.4 Routines for storage and erasure

AFRY will store the personal data as long as required:

• to fulfil the agreement which we have with you or your employer during the agreement period and shortly thereafter e.g. to ensure that all fees, tasks and resources are correctly allocated;
• to fulfil the purpose for which the data was initially collected, e.g. in case of international travelling to ensure we can correctly allocate the related costs shortly after the travel;
• by applicable laws, e.g. related to accounting;
• to be able to efficiently respond to possible claims from clients, business partners or similar which may arise during the contractual relationship and the applicable statutory period after the assignments where you have worked have been completed;
• by our internal policies e.g. regarding data security, ethics and compliance and data management e.g. in case of access and facility control only for a very limited amount of time needed to ensure the security of our premises.

Quick links: Where we process your personal data | Your rights | Contact info

5 Employee candidates

[back to top]

5.1 Who is the data controller for the processing?

Each company within the AFRY Group processes personal data of their own candidates as a data controller in context of the employment relationship. Further, other companies in the AFRY Group process personal data of candidates where relevant for the recruitment, e.g. when applying to international positions.

Candidates from Austria and Germany can also review details of local AFRY candidate policies on the respective country pages.

5.2 From where do we collect your personal data?

We collect your personal data from:

• Yourself, which you submit to us when you apply for the position at AFRY, (e.g. your CV and cover letter).
• Publicly available sources, e.g. when collecting information that you have published on professional network platforms such as LinkedIn.
• Referees, when the referee provides us with information about your suitability for the position that you have applied for with AFRY.
• Employees at AFRY, when the employee provides us with information about your suitability for a position at AFRY.
• External recruiters, that have been involved in the recruitment process and that have provided information about you to AFRY.

5.3 Purposes of the processing of your personal data

5.3.1 Managing the recruitment process

Your personal data will be processed by AFRY within the scope of the general management of the recruitment process. Processing activities included in this process are e.g. collection of your personal data, review of CVs and cover letters, conducting interviews, evaluating you as a candidate and communicating with you within the scope of the recruitment process.

5.3.2 Job candidate vetting process

Within the scope of the recruitment, AFRY carries out vetting of potential employees. This includes obtaining references and verifying your experience and qualifications. Where permitted under national legislation, additional background checks may include credit and compliance checks, criminal background check and scanning of media reports, social media activity and other footprints on the internet.

5.3.3 Concluding the employment agreement

AFRY will process your personal data in conjunction with the signing of the employment agreement with you e.g. when collecting references. Your personal data will also be processed in connection with the employment agreement and upon the initiation of the onboarding process.

5.3.4 Managing the candidate database and talent pool

To find suitable candidates for roles within our company, we process personal data about you as a previous candidate who has applied for other positions with us (if you have consented to this) or as a talent whose information we have obtained from you or from publicly available sources such as LinkedIn.

5.3.5 Evaluate and follow-up the recruitment process

AFRY processes personal data to create reports and statistics of e.g. the number of applications per position and which job boards are most effective etc.

5.3.6 Ensuring the safety at AFRY's premises including camera surveillance in connection with our premise(s)

AFRY process your personal data to ensure the safety at AFRY's premises through access and facility control. We may use camera surveillance in connection with our premise(s). Where camera surveillance is used, you will be informed about that by signs inside and/or outside the premises. AFRY uses camera surveillance to increase the security and to collect evidence in case of a security breach or crime committed in connection with our office premises.

5.3.7 Ensuring the smooth and data secure operation of AFRY’s business

To manage and protect our services and related IT systems, maintain the secure and efficient use of internal information, and ensure the safety of business-critical information and other assets, we process your personal data as necessary. This includes, inter alia, activities such as logging, troubleshooting, backup, change and problem management in systems, and handling potential IT incidents.

5.3.8 Fulfil legal obligations

Besides legal obligations within the field of employment, AFRY will process your personal data for the purposes of fulfilling legal obligations related to work permit checks, including storage of related documentation.

5.3.9 Establish, exercise and defend legal claims

For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.

5.4 Routines for storage and erasure

AFRY will store the personal data as long as required:

• to comply with your consent regarding storing your data to be taken into account for possible future open vacancies;
• to fulfil the purpose for which the data was initially collected, i.e. during the recruitment process; • by applicable laws, e.g. regarding discrimination in recruitment process;
• to be able to efficiently respond to possible claims from clients, business partners or similar which may arise during the contractual relationship and the applicable statutory period after the assignments where you have worked have been completed;
• by our internal policies e.g. regarding data security, ethics and compliance and data management e.g. in case of access and facility control only for a very limited amount of time needed to ensure the security of our premises.

Quick links: Where we process your personal data | Your rights | Contact info

6 Suppliers including business partners

[back to top]

6.1 Who is the data controller for the processing?

Each company of AFRY Group processes personal data of their own suppliers, including subconsultants, service providers and business partners as a data controller in context of the co-operation agreements. Further, each company of AFRY Group processes personal data of all AFRY suppliers, including subconsultants, service providers’ and other business partners, as a separate data controller when co-operation with the said company is needed.

6.2 From where do we collect your personal data?

We collect your personal data from:

• Yourself, which you submit to us by entering agreements with AFRY or otherwise provide services to us.
• Publicly available sources, e.g. information that you have published on professional network platforms such as LinkedIn or that is published at your AFRY's website.
• Your employer, e.g. when your information is provided to us as a contact person or representative of your employer.

6.3 Purposes of the processing of your personal data

6.3.1 Administration of contractual relationship

Your personal data will be processed because we have a legitimate interest of administering the relationship with our service providers and similar business partners and to be able to manage the overall cooperation and day-to-day activities. This also includes processing within the scope of the execution of our commercial agreements.

6.3.2 Communicating with you

AFRY will process your personal data for the purpose of responding to questions or requests sent to us, e.g. via e-mail or phone.

6.3.3 Invoice administration

AFRY will process your contact information for reference purposes when we are either issuing invoices to or receiving invoices from the company that you represent.

6.3.4 Business planning and development, strategical reviews and statistical evaluation

AFRY processes your personal data in order to conduct business planning and development, strategical reviews and statistical evaluation.

6.3.5 Ensuring the safety at AFRY's premises including camera surveillance in connection with our premise(s)

AFRY processes your personal data to ensure the safety at AFRY's premises through access and facility control. We may use camera surveillance in connection with our premise(s). Where camera surveillance is used, you will be informed about that by signs inside and/or outside the premises. AFRY uses camera surveillance to increase the security and to collect evidence in case of a security breach or crime committed in connection with our office premises.

6.3.6 Ensuring the smooth and data secure operation of AFRY’s business

To manage and protect our services and related IT systems, maintain the secure and efficient use of internal information, and ensure the safety of business-critical information and other assets, we process your personal data as necessary. This includes, inter alia, activities such as logging, troubleshooting, backup, change and problem management in systems, and handling potential IT incidents.

6.3.7 Fulfil legal obligations

We will process your personal data where necessary in order to comply with legal obligations, e.g. accounting obligations.

6.3.8 Establish, exercise and defend legal claims

For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process or when investigating and preventing fraud, misconduct, infringements or other violations of legal rights and obligations), we may process your personal data.

6.4 Routines for storage and erasure

AFRY will store the personal data as long as required:

• to fulfil the agreement which we have with you or your employer during the agreement period and shortly thereafter e.g. to ensure that all fees, tasks and resources are correctly allocated;
• to fulfil the purpose for which the data was initially collected, e.g. to ensure that we buy sufficient type and number of services all the time;
• by applicable laws, e.g. regarding accounting;
• to be able to efficiently respond to possible claims from clients, business partners or similar which may arise during the contractual relationship and the applicable statutory period after the assignments where you have worked have been completed;
• by our internal policies e.g. regarding data security, ethics and compliance and data management e.g. in case of access and facility control only for a very limited amount of time needed to ensure the security of our premises.

Quick links: Where we process your personal data | Your rights | Contact info

7 Shareholders and shareholders representatives

[back to top]

7.1 Who is the data controller for the processing?

AFRY AB is always the data controller regarding shareholder data.

7.2 From where do we collect your personal data?

• Yourself, which you submit to us e.g. when communicating with us.
• AFRY share register, we collect your personal data from AFRY share register when you are an owner of AFRY shares.

7.3 Purposes of the processing of your personal data

Communication and administration in relation to shareholders

We will process your personal data to communicate relevant shareholder information to you, such as updates on dividend payouts, shareholder resolutions and meeting invitations, (e.g. to the Annual General Meeting), and to administer these activities, as well as to answer questions from you.

7.3.1 Fulfil legal obligations

We will process your personal data where necessary in order to comply with legal obligations, e.g. provide authorities or stock exchange with the information they require and to keep our share register.

7.3.2 Establish, exercise and defend legal claims

For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.

7.3.3 Ensuring the safety at AFRY's premises including camera surveillance in connection with our premise(s)

AFRY processes your personal data to ensure the safety at AFRY's premises through access and facility control. We may use camera surveillance in connection with our premise(s). Where camera surveillance is used, you will be informed about that by signs inside and/or outside the premises. AFRY uses camera surveillance to increase the security and to collect evidence in case of a security breach or crime committed in connection with our office premises.

7.3.4 Ensuring the smooth and data secure operation of AFRY’s business

To manage and protect our services and related IT systems, maintain the secure and efficient use of internal information, and ensure the safety of business-critical information and other assets, we process your personal data as necessary. This includes, inter alia, activities such as logging, troubleshooting, backup, change and problem management in systems, and handling potential IT incidents.

7.4 Routines for storage and erasure

The shareholder data is stored as long as AFRY has a legal requirement to store it.

Quick links: Where we process your personal data | Your rights | Contact info

8 Visitors to our website or digital channels

[back to top]

8.1 Who is the data controller for the processing?

Each company of AFRY Group processes personal data received on their own website or digital channel as a data controller. Further, each company of AFRY Group processes personal data of visitors of websites or digital channels when co-operation with the said visitor is needed.

8.2 From where do we collect your personal data?

We collect your personal data from: yourself, which you submit to us or generate when you are browsing our digital channels, including your devices, when visiting our website.

8.3 Purposes of the processing of your personal data

8.3.1 Track your use of our website and our digital channels

When you are browsing the website or our digital channels, we will process your IP address and browser user agent string to track your activity. Your personal data is processed for this purpose to administrate and improve our website or digital channels, for our internal records and for statistical analysis.

Cookies give us information on your IP address and how and when you have used the website such as market site selection, AFRY web pages visited, etc. Please see more about our use of cookies in our Cookie Notice available at afry.com.

8.3.2 Communicate with you and respond to your questions or feedback

Where we offer you a possibility to communicate with us by asking questions or providing feedback regarding our services and our business or answering surveys, we will process your personal data when you submit a question, comment, feedback or any other message. The purpose of the processing is to be able to communicate with you.

8.3.3 Send newsletter or marketing to you

We may also process your personal data to send you promotional materials or communications regarding services provided by entities within the AFRY Group that we believe may be of interest to you. Your consent for such marketing will be asked separately when you provide your personal information. You may at any time request that we discontinue sending you emails, or other communications generated in response to your provision of personal information.

8.3.4 Access to content and events

We are processing your personal data in case you want to gain access to specific content or attend a hosted event.

8.3.5 Ensuring the smooth and data secure operation of AFRY’s business

To manage and protect our services and related IT systems, maintain the secure and efficient use of internal information, and ensure the safety of business-critical information and other assets, we process your personal data as necessary. This includes, inter alia, activities such as logging, troubleshooting, backup, change and problem management in systems, and handling potential IT incidents.

8.4 Routines for storage and erasure

AFRY will store the personal data as long as required:

• to fulfil the purpose for which the data was initially collected, e.g. regarding some essential cookies: during the session which the visitor browses afry.com;
• by our internal policies e.g. regarding data security, ethics and compliance and data management, e.g. back-ups will be stored for a relatively short amount of time to ensure the data security of afry.com.

Your personal data processed for sending newsletters and marketing material will be processed for this purpose until you opt-out from receiving newsletters or marketing material.

Quick links: Where we process your personal data | Your rights | Contact info

9 Disclosure of personal data

[back to top]

9.1 General

Where necessary in order to achieve the purposes of processing, we share your personal data with other actors. The recipients will process personal data on behalf of AFRY in the capacity as data processors (i.e. such actors will only process your personal data in accordance with AFRY's instructions) or in the capacity as data controllers, (i.e. such recipients will determine the purposes and means of the processing without AFRY's involvement) as appropriate. Please note however that AFRY, regardless of the recipients' capacity, only will share your personal data with entrusted actors and only to the extent necessary.

9.2 Data processors acting on behalf of us

In order to fulfil the purposes of the processing of your personal data and to be able run our business, we share personal data with external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as data processors to AFRY and may only process your personal data in accordance with our instructions and not for their own purposes. AFRY is the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by AFRY are outlined in each of the Sections 2–8.

9.3 Recipients that act as data controllers

10 Where we process your personal data

[back to top]

Personal data is shared between the AFRY companies where needed for our business purposes, in accordance with applicable data protection legislation. Personal data that is being processed electronically by AFRY will mainly be stored on servers located in EU/EEA. In case of local systems outside the EU/EEA, the personal data is usually stored in the respective country.

Since AFRY operates globally (please see our offices here; AFRY Offices worldwide) and has customers and projects worldwide, personal data is transferred and processed by AFRY subsidiaries and trusted suppliers and business partners outside of EU/EEA in certain situations. The personal data is shared with third party service providers, such as IT service providers, subconsultants, lawyers and other external professional advisors. Personal data is shared with AFRY’s business partners to the extent it is required for AFRY’s fulfilment of any actual or potential contracts or if it is required by law or pursuant to any order of court or other competent authority or tribunal or by any applicable stock exchange regulations.

Any international transfer of personal data out from the EU/EEA will be subject to appropriate security measures and all reasonable steps to ensure that the personal data is protected and maintained in accordance with this Privacy Notice and applicable data privacy laws. This includes relying on a suitable mechanism for data transfer under Chapter V of the GDPR, including, inter alia, adequacy decisions and appropriate safeguards, and, where necessary, supplementary measures required. If you wish to receive a copy of the appropriate safeguards taken by us or information regarding where these safeguards have been made available, please contact us by using the contact details stated below.

11 Your rights

[back to top]

In accordance with applicable data protection legislation, subject to some conditions and exceptions, you for example have the following rights:

• The right to information about and access to your personal data;
• The right to withdraw consent;
• The right to have your personal data corrected or updated;
• The right to erasure of your personal data (‘The right to be forgotten’);
• The right to restriction of processing of your personal data;
• The right to object to certain processing of your personal data;
• The right to data portability.

Your rights can be exercised by sending an email to privacy@afry.com.

You have a right to lodge any complaints regarding AFRY’s compliance with data protection laws with the appropriate supervisory authority.

12 Contact Information

[back to top]

In case of any questions regarding the privacy and security of the personal data that is being processed by AFRY, and which companies within AFRY are data controllers, please send an email to privacy@afry.com or contact our Data Privacy Office at:

AFRY AB

Att: Data Privacy Office

Group Legal

Frösundaleden 2A

SE-169 99

Stockholm

Sweden