1. Policy statement
This is an organizational data protection policy (“Policy”) for VEF AB (publ) (“VEF” or the “Company”) and applies to all personal data processing within and on behalf of VEF, including other companies and affiliates within the VEF group.
The General Counsel is the Data Responsible Person (“DRP”) of the Company and is the individual responsible for ensuring VEF’s overall compliance with the applicable data protection laws and regulations. Any questions in relation to this Policy or VEF’s handling of personal data should be directed to the DRP (firstname.lastname@example.org).
VEF’s main place of business in relation to handling of personal data is in Sweden and as such the Company falls under the jurisdiction of the Swedish Data Protection Authority and applicable European legislation including the General Data Protection Regulation (EU) 2016/679.
In order to carry out its functions, the Company is required to collect and use personal data. In doing so, it recognizes that any person whose personal data are processed by VEF should feel confident that this is performed with the necessary care and diligence and that it is only kept for business purposes. The Company shall respect the privacy of the individual by protecting the personal data. VEF shall at all times comply with all applicable data protection legislation and follow the rules governing the collection and use of personal data which may relate to natural persons.
The rules and procedures of data protection apply to all employees and consultants who process personal data in connection with VEF’s business operations.
VEF also recognizes our responsibility to ensure that any third parties processing personal data on behalf of VEF do this according to this policy.
The rules apply to all processing of personal data. Examples of common processing activities are
The rules also apply to the processing of personal data in non-digital form, where the information is included in a manual searchable register or where the information is connected to an IT-system.
‘Personal data’ means any information relating to a directly identified or indirectly identifiable natural person, such as name, contact information, e-mail address, personal ID number, photographs, personal “user identities”, and one or more factors specific to the identification of a natural, living person. Encrypted information also constitutes personal data.
4. How we may use your personal data and why
How we process your personal data depends on what type of relation you have with us.
This is how we process your personal data when concluding a business agreement:
If you are entering into an agreement with us to be a direct partner, or a designated contact person representing one of our partners, we save your name, e-mail address, telephone number and the address of the organization you represent (when applicable). This is saved so that we can fulfill the business agreement, manage the business relationship and enable communication. We process this information because we have a legitimate interest in being able to conduct business with our partners and enable communication.
The information is processed during the time that there is a business relationship between us and the organization you represent, and for a period of one year thereafter because we have a legitimate interest in pursuing the assignment. Your personal information will not be transferred to any other recipient without your explicit consent.
Personal data is also sometimes found in agreements and invoices, and agreements and invoices are saved to administer proper contract management and to fulfill legal obligations. The personal information that may appear in agreements and invoices are name, address of the organization, e-mail address, telephone number and role or function. We are processing the information because we have a legitimate interest in saving all contracts and invoices in order to be able to defend ourselves against various types of legal claims. After completing the assignment, the information is processed in archives for a period of 10 years in order to fulfill our legitimate interest in defending against various types of legal claims. Financial information is archived and processed for a period of 7 years for regulatory reasons, in order to fulfill legal obligations.
The personal data we store about you is such information that you provide when contacting us, or data that any other representative of your organization has provided.
This is how we process your personal data when you contact us by e-mail:
We collect your name and e-mail address as well as the information you provide in the e-mail when you contact us by e-mail. We need this to be able to get back to you.
How long we store your personal information depends on the reason you contact us. If you are a supplier or business partner or belong to one of our existing suppliers or business partners, the information is saved during the time there is a valid agreement or existing business relationship between us and the organization you represent (if applicable). If you’re not an existing supplier or business partner, or don’t belong to one of our suppliers or business partners and you contact us by e-mail, your personal information will be saved until the matter is resolved or your question is answered.
If you have provided us with personal information in order to subscribe to our company news, this processing is based on our legitimate interest to market and grow our business. You may opt out of such communications by VEF at any time by unsubscribing from communications sent by VEF.
Your personal data will not be transferred to any other recipient. We process the personal data because we have a legitimate interest in responding to incoming e-mail and being able to provide support to our business partners. The personal information we store about you is such information that you provide yourself when contacting us.
This is how we process your personal data when seeking employment:
If you send us a spontaneous application by e-mail, we will process your personal data for a maximum period of two years, but only if we have your consent to do so. If we are advertising a vacancy, we may hire an external recruitment partner to assist in the recruitment process. You will then submit your personal data to the recruitment company, which in turn will provide us with personal data on suitable candidates for the current position.
The personal data that we will process in the recruitment process is information you provide in your CV and personal letter such as contact information, educational background, professional experiences, and possibly contact information of persons you indicate as references. Your personal data will be stored for as long as is necessary for the recruitment process, and then for a further two years, in order to satisfy the rights of appeal that an applicant who is denied the job has.
We are processing personal data because we have a legitimate interest in connecting the right candidate with the right job and evaluating whether you are the right applicant for the position. The legal basis for saving your personal data when you send us a spontaneous application is your consent.
We will not transfer your personal information to any other recipient. In cases where we use an external recruitment partner, you as an applicant will be informed about it.
We process personal information that you provide directly to us. We may also receive personal information about you from other sources, such as from persons you indicate as a reference.
This is how we process personal data when saving contact information relating to our suppliers and business partners:
In order to fulfill the business agreement, we need to register contact information for a contact person at our supplier or business partner. We save name, company email and telephone number. The information is saved to enable contact when needed and to handle the contractual relationship, and is stored as long as the business agreement or business relationship applies. We process this information because we have a legitimate interest in enabling contact and handling the contractual and/or business relationship.
Personal data is also sometimes found in agreements and invoices, and agreements and invoices are saved to administer good contract management and to fulfill legal obligations. The personal data that may appear in agreements and invoices are name, address of the organization, e-mail address, telephone number and function. We process the personal data because we have a legitimate interest in saving all contracts and invoices in order to be able to defend ourselves against different types of legal claims. After the end of the contract period, information is processed in archives for a period of 10 years to satisfy our legitimate interest in defending ourselves against various types of legal claims. Financial information is archived and processed for a period of 7 years for regulatory reasons, in order to fulfill legal obligations.
The personal data we save from you as a contact person at one of our suppliers or business partners is the information that you or another representative from your company has provided about you.
5. Your Privacy Rights
As a general rule, all individuals whose personal data is processed by VEF must prior to collection receive information concerning, among other things, the purpose of the processing, the recipient of information and the data subject’s rights.
Right to access personal data
You are entitled to, upon request, receive information concerning personal data which relates to you processed by VEF. Any such requests should be directed to the DRP.
Right to rectification
You are entitled upon request to have erroneous information which relates to you rectified. Rectification must take place without undue delay. The DRP is responsible for ensuring that such data has been rectified.
Right to erasure
Under certain circumstances, you are entitled to have information which relates to you erased. All such requests for deletion of personal data should be directed to the DRP. The DRP will determine whether there is a right to have the personal data deleted based on applicable laws and regulations.
Right to restrict data processing
Under certain circumstances, you are entitled to request that the processing of information which relates to you is restricted. All such requests for restriction of processing personal data should be directed to the DRP. The DRP will determine whether there is a right to restrict the processing based on applicable laws and regulations.
Right to data portability
Under certain circumstances, you are entitled to have information which relates to you disclosed to yourself or to a third party in a digital format. All such requests should be directed to the DRP. The DRP will determine whether there is a right to data portability based on applicable laws and regulations.
Right to object
Under certain circumstances, you are entitled to object to the processing of data which relates to you. All such requests should be directed to the DRP. The DRP will determine whether there is a right to data portability based on applicable laws and regulations.
Where we have based our legal grounds for processing your personal data on our legitimate interest, you have the right to request information on our reasons for this. All such requests should be directed to the DRP.
In the event a data subject objects to information which relates to him or her being used for direct marketing purposes, the information may no longer be processed for this purpose, and such processing will be terminated with immediate effect. All such requests should be directed to the DRP.
If our processing of your personal data is based on your consent you have the right to withdraw that consent, fully or partially, at any point in time. All such requests should be directed to the DRP.
6. How we protect your personal data
Keeping your personal data safe and secure is important to us. We use appropriate technical, organizational and administrative security measures to protect any information we hold from loss, misuse, and unauthorized access, disclosure, alteration and destruction.
7. Engagement of third parties which process personal data on behalf of VEF
Prior to engaging a third party (a ‘data processor’) for processing of personal data on behalf of VEF, we will assess whether the supplier can provide appropriate technical and organizational measures to achieve adequate data protection of the processing of personal data. These measures will be regulated through a written agreement containing specific terms and conditions relating to the processing, a personal data processing agreement (‘DPA’).
8. Transferring of personal data outside the EU/EEA
Personal data may only be transferred to a country which is not a member state of the European Union (“EU”) or the European Economic Area (“EEA”) under certain circumstances. Before transferring any personal data outside the EU/EEA, the DRP will be notified and will determine what measures must be taken for such transfer to be permitted (‘Transferring Impact Assessment’).
9. Processing and retention due to legal matters
We may access, preserve and share personal data regarding you in response to a legal request (like a search warrant, court order or a subpoena or the like), or when necessary to detect, prevent and address fraud and other illegal activity, to protect ourselves, you and other users. We may also use any personal data we process for the purposes of establishing, defending and exercising legal claims (our legitimate interest), if this becomes necessary. If this happens, we will store the personal data for the duration of the matter, and for ten years thereafter.
10. Notice of changes to the policy, and changes of control
11. Contact information
To exercise your rights, or if you have any questions concerning VEF’s processing of personal data or how the provisions in this policy are applied, you are always welcome and encouraged to contact our DRP, Helena Caan Mattsson, at email@example.com.
If you have any complaints regarding our processing of your Personal Data, you may file a complaint to the competent Data Protection authority. You can find out more about the local data protection authorities under the following link: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.