GDPR - Personal data policy

AIMS 
The purpose of this policy is to safeguard privacy when our companies provide and process personal data. The policy clarifies how we work to safeguard the rights and privacy required of us as a company and is based on the General Data Protection Regulation (GDPR), which came into force on May 25, 2018.  

The document describes: 
- what personal data is stored 
- where the personal data is stored 
- how the personal data is stored 
- what the company uses the personal data for 
- how we get access to your personal data 
- who gets/can get access to the personal data 
- information on how individuals can get help with the rights they have against the company.

WHAT PERSONAL DATA IS STORED? 
We only process personal data when we have a legal basis, i.e. a legitimate interest. We do not process personal data other than when it is needed to fulfill obligations under contract and law.  
Our starting point is to process no more personal data than is necessary and we always aim to use the least privacy-sensitive data. As the companies do business with other companies, B2B, we have very little need for personal data in relation to customers and suppliers. Data on our employees is somewhat more extensive for legal, general and practical reasons. 
Sensitive personal data such as race, ethnic origin, political opinions, sexual orientation, religious or philosophical beliefs are not stored.

Here are examples of the personal data we process: 
- Name
- Address 
- E-mail address
- Telephone number 
- Date of birth
- Title 
- User name
- Photographs 
- Bank-related data 
- Data recorded voluntarily via, for example, mailings or the website.

WHERE AND HOW ARE THE DATA STORED? 
We store personal data in our business system, CRM system, on our servers and in binders; digitally and in paper format. Through the matrices and the mapping the companies have done, we consider ourselves to have good control and thus be able to show what data we have and where it is stored. This mapping will form the basis for the data subject's rights when requesting extracts from our records or the right to "be forgotten". 

WHAT IS THE PERSONAL DATA USED FOR? 
We process personal data primarily to fulfill our commitments to customers, suppliers and employees.
 
Personal data about our customers is used to ensure good service such as deliveries, follow-up and information but also for customer analysis and marketing. Everyone has the right to object to us using personal data for direct marketing. When we collect personal data, we provide information about this and how to object to it via our website if it is not otherwise clear. 

Personal data regarding our suppliers is limited, but what is available is mainly used to communicate purchases, price requests and technical issues. 

Personal data about our employees is needed for further information to the employee but also to banks for payment of salaries and to authorities for reports under the Accounting and Tax Act. Personal data about employees' relatives is kept partly to be able to inform them if something happens to the employee and partly for reports or requests to authorities. 

HOW DO WE GET ACCESS TO YOUR PERSONAL DATA? 
We make every effort to obtain consent before we start processing personal data where required. In the context of business relationships and the data that we handle under Swedish law, we do not consider ourselves to need consent from our customers or suppliers. For our staff, the signed employment contract is considered as consent for the data we need for payroll and personnel management.  
Individuals have the right to withdraw their consent at any time. We will then no longer process that personal data or obtain new data, provided that it is not necessary for the performance of our contractual or legal obligations. Withdrawing consent may mean that we are unable to fulfill the obligations we have in our commitment. 

We also access personal data in the following ways: 

- Data provided directly to us by individuals 
- Data recorded via visits to our websites 
- Data recorded when making an inquiry to our employees 
- Data via registration for our courses or seminars 
- Data via newsletter subscriptions and other mailings 
- Data via responses to questionnaires and surveys 
- Information we receive when a person applies for employment, visits or otherwise contacts us 

WHO GETS/CAN GET ACCESS TO THE COMPANY'S PERSONAL DATA? 
We have developed procedures and practices to ensure that personal data is handled in a secure manner. The starting point is that only employees within the organization who need the personal data to perform their tasks should have access to it. 
For sensitive personal data, we have put in place specific access controls, which provide a higher level of protection for personal data. 

Our security systems are designed with privacy in mind and provide a high level of protection against intrusion, vandalism or alteration that may pose a risk to personal integrity. 

Our starting point is not to disclose personal data to third parties unless we have consent to do so or unless it is necessary to fulfill our obligations under contract or law. In cases where the company uses personal data assistants, i.e. a third party, we draw up confidentiality agreements and ensure that the personal data is processed in a satisfactory manner. 

THE RIGHTS OF THE DATA SUBJECT 
When we collect or receive personal data, we will provide information on how we process the data, i.e. what we will use it for, what rights the individual has under data protection law and how individuals can exercise their rights. Information regarding the GDPR and the individual's rights is available from May 25, 2018 on the companies' website. 

THE COMPANY'S RESPONSIBILITY 
The legal entity Colly Flowtech AB is the data controller, which means that we are responsible for how personal data is processed and that people's rights are safeguarded. On our website we describe how we process personal data and take advantage of the GDPR's requirements for handling. 

Following the new regulation in May 2018, the company introduced internal training for all company employees. The GDPR is included in the training plan for each new employee.