PURPOSE
The purpose of this policy is to safeguard personal integrity when our companies provide and process personal data. The policy clarifies how we work to uphold the rights and integrity required of us as a company, based on the GDPR (General Data Protection Regulation), which came into effect on May 25, 2018.
The document describes:
– which personal data is stored
– where the personal data is stored
– how the personal data is stored
– what the company uses the personal data for
– how we gain access to the personal data
– who has access to the personal data
– information on how individuals can exercise their rights in relation to the company.
WHAT PERSONAL DATA IS STORED?
We only process personal data when there is a legal basis, i.e., a legitimate interest. We do not process personal data unless it is necessary to fulfill obligations under agreements or laws.
Our approach is to process no more personal data than necessary, and we always strive to use the least sensitive data. Since the companies engage in business with other companies (B2B), we have a very limited need for personal data regarding customers and suppliers. However, data about our employees is somewhat more extensive due to legal, general, and practical reasons.
Sensitive personal data, such as race, ethnic origin, political opinions, sexual orientation, religious or philosophical beliefs, is not stored.
Examples of personal data we process include:
– Name
– Address
– Email address
– Phone number
– Date of birth
– Job title
– Username
– Photographs
– Bank-related information
– Data voluntarily provided via mailings or the website.
WHERE AND HOW IS THE DATA STORED?
We store personal data in our business system, in our CRM system, on our servers, and in files, both digitally and in paper format. Through matrices and mapping carried out by the companies, we believe we have good control and can demonstrate what data we hold and where it is stored. This mapping forms the basis for individuals' rights to request extracts from our registers or exercise the "right to be forgotten."
WHAT IS PERSONAL DATA USED FOR?
We primarily process personal data to fulfill our obligations to customers, suppliers, and employees.
Personal data about our customers is used to ensure good service, such as deliveries, follow-ups, and information, as well as for customer analysis and marketing. Everyone has the right to object to the use of personal data for direct marketing. When we collect personal data, we provide information on this and how to object, either via our website or through other means.
Personal data regarding our suppliers is minimal but is used primarily to communicate purchases, price inquiries, and technical questions.
Personal data about our employees is required for communication with the employee, as well as with banks for salary payments and authorities for reporting in accordance with accounting and tax laws. Personal data about employees' relatives is used partly for emergency contact purposes and partly for reporting or inquiries to authorities.
HOW DO WE GAIN ACCESS TO PERSONAL DATA?
We strive to obtain consent whenever required before processing personal data. Within the framework of business relationships and data handled in accordance with Swedish law, we do not consider it necessary to obtain consent from our customers or suppliers. For our personnel, the signed employment contract serves as consent for the data needed for salary and HR management.
Individuals have the right to withdraw their consent at any time. We will then cease processing that personal data or obtaining new data, provided it is not necessary to fulfill our obligations under agreements or laws. Withdrawal of consent may mean that we cannot fulfill our obligations.
We also gain access to personal data in the following ways:
– Data provided directly by individuals
– Data registered via visits to our websites
– Data registered through inquiries to our employees
– Data submitted through registrations for courses or seminars
– Data submitted through subscriptions to newsletters or other mailings
– Data provided in response to surveys or questionnaires
– Data received when someone applies for employment, visits, or otherwise contacts us
WHO HAS ACCESS TO THE COMPANY'S PERSONAL DATA?
We have established routines and procedures to ensure personal data is handled securely. The principle is that only employees within the organization who need personal data to perform their duties should have access to it.
For sensitive personal data, we have implemented special access controls, providing a higher level of protection.
Our security systems are designed with a focus on integrity and offer a high degree of protection against intrusion, damage, or alterations that could pose risks to personal integrity.
Our policy is not to disclose personal data to third parties without consent, unless necessary to fulfill our obligations under agreements or laws. When the company uses data processors, i.e., third parties, we establish confidentiality agreements and ensure personal data is handled securely.
INDIVIDUALS' RIGHTS
When we collect or receive personal data, we will inform individuals of how the data will be processed, i.e., what it will be used for, what rights individuals have under data protection laws, and how these rights can be exercised. Information about GDPR and individuals' rights has been available on the companies' websites since May 25, 2018.
COMPANY RESPONSIBILITY
The legal entity, Colly Flowtech AB, is the data controller, meaning we are responsible for how personal data is processed and for ensuring individuals' rights are respected. Our website describes how we process personal data and comply with GDPR requirements.
Following the implementation of the regulation in May 2018, the company introduced internal training for all employees. GDPR is included in the training plan for every new hire.