Privacy Policy
CERTEGO is committed to protecting your personal data. Our Privacy Notice describes, among other things, the type of personal data we process and why.
The privacy notice describes:
- The different types of personal data we process;
- How we use the personal data and why;
- Who we share them with and where;
- How long we save them;
- Your rights and how you can contact us if you have further questions about the processing of your personal data; and
- How we can make changes to this Privacy Policy.
Personal data and processing
- Personal data is defined as any information that can be directly or indirectly attributed to a living natural person.
- Processing is defined as any action taken in respect of personal data, such as collection, recording, storage, transmission, reading, dissemination, erasure, etc.
Definitions

| Concept | Definition |
| --- | --- |
| Personal data | Any information that can be directly or indirectly related to a living individual. |
| Processing | All actions taken regarding personal data, such as collection, registration, storage, transmission, reading, dissemination, erasure, etc. |
| Legal basis | The grounds that allow the Data Controller to process personal data. |
| Data Controller (DC) | A natural or legal person, public authority, institution, or other entity that alone or jointly with others determines the purposes and means of processing personal data. |
| Data Processor (DP) | A natural or legal person, public authority, institution, or other entity that processes personal data on the instructions of the Data Controller. |
| Third party | A natural or legal person, public authority, institution, or entity that is not the data subject, the Data Controller, the Data Processor, or individuals authorized to process personal data under the direct responsibility of the Data Controller or Data Processor. |
| Third country | A country outside the EU/EEA. |
| Supervisory authority | An independent public authority appointed by a member state to oversee the application of the GDPR. In Sweden, it is the Data Inspection Authority. |
| Data Protection Manager (DPM) | A role within CERTEGO to ensure compliance with the GDPR. DPMs are appointed at the group level, division level, and regional level. |
| Data Processing Agreement | An agreement between the Data Controller and Data Processor in cases where the Data Processor processes personal data on behalf of the Data Controller. |
| Customer B2B (business to business) | Refers to a legal entity or contact person at a legal entity whose personal data we process in connection with the purchase of our products and services, such as resellers, licensed customers, product recipients. |
| Customer B2C (business to consumer) | Refers to a natural person whose personal data we process in connection with the purchase of our products and services, such as customers who shop in stores. |
| Potential customer | Refers to a natural or legal person whose personal data we process in connection with the marketing of our products and services. |
| Supplier | Refers to a natural or legal person whose personal data we process in connection with performing work or delivering a service to us, in exchange for compensation, such as consultants, contact persons. |
| Test subject | Refers to a natural person whose personal data we process in connection with testing our products and services, such as beta testers. |
| Recruitment candidate | Refers to a natural person whose personal data we process in connection with their job application with us. |
| Visitor | Refers to a natural person whose personal data we process when they visit any of our premises. |

What personal data do we collect?
Customer - B2B (companies)

| Purpose | Personal Data | Legal Basis | Retention Period |
| --- | --- | --- | --- |
| Administer customer quotations | Name | Legitimate interest, our interest in processing this information to facilitate an efficient bidding process outweighs the data subject's interest in not having their data processed for this purpose. | During the validity of the quotation + 6 months or as per confidentiality agreements in procurement |
| Administer customer contracts | Name | Legitimate interest, if it concerns contact persons at a customer who is the data controller. Our interest in administering contracts outweighs the data subject's interest in not having their data processed for this purpose. | During the contract period + 10 years |
| Manage accounting information | Name | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the accounting year to which the information relates + 7 years |
| Administer credit assessments on individual businesses to assess their suitability, with the financial stability of the business being a factor | Name | Legitimate interest, our interest in conducting an economic risk assessment outweighs the data subject's interest in not having their data processed for this purpose. The processing can also be said to be in the data subject's interest in cases where certification is issued. | Deleted immediately after the decision |
| Manage debt collection cases for individual businesses | Name | Legitimate interest, our interest in ensuring payment of our debts outweighs the data subject's interest in not having their data processed for this purpose. | Until the payment is received + 3 months |
| Administer complaints and claims | Name | Legitimate interest, if it concerns contact persons at a customer who is the data controller because we assess our interest in handling complaints and improving our products outweighs the data subject's interest in not having their data processed for this purpose. | During the case + 1 year |
| Manage testing and troubleshooting when CERTEGO is the data controller | Name | Performance of Contract, the data is necessary for us to fulfill obligations in contracts where the data subjects are customers | During the testing/troubleshooting period |
| Administer support case management | Name | Legitimate interest, if it concerns contact persons at a customer who is the data controller. Our interest in administering support cases outweighs the data subject's interest in not having their data processed for this purpose. | During the contract period + 6 months |
| Manage NDAs (Non-Disclosure Agreements) | Name | Legitimate interest, as we assess that our interest in ensuring confidentiality outweighs the data subject's interest in not having their data processed for this purpose. | During the contract period + 10 years |
| Administer order management | Name | Legitimate interest, if it concerns contact persons at a customer who is the data controller. Our interest in administering orders outweighs the data subject's interest in not having their data processed for this purpose | During the contract period + 3 years |
| Enable the delivery of goods to end-users/consumers | Name | Legitimate interest, our interest in being able to deliver goods outweighs the data subject's interest in not having their data processed for this purpose | Until delivery + 10 years |
| Contact existing customers with newsletters and marketing, who have not requested the information/signed up for mailings | Name | Legitimate interest, as we assess that our interest in informing our customers about news and/or changes in our products outweighs the data subject's interest in not having their data processed for this purpose. | If the data subject has requested the information: From opt-out/unsubscribe + 1 year (mailings cease immediately) |
| Administer events | Name | | During the event + 1 month |
| Market the company on our external website | Name | Legitimate interest, if it concerns obligations to businesses or our own employees because we assess that our interest in being able to market the company outweighs the data subject's interest in not having their data processed for this purpose. | During the campaign + 3 months |
| Manage market research for contact persons at customers | Name | Legitimate interest, as we assess that our interest in exploring new business opportunities outweighs the data subject's interest in not having their personal data processed for this purpose | Contact details, position, company affiliation, and information about invitations to participate in surveys: From the end of the customer relationship + 10 years |
| Manage data subject rights under GDPR | Name | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the case + 10 years |
| Manage personal data incidents under GDPR | Name | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the case + 10 years |
| Establish, assert, or defend legal claims | Name | Legitimate interest, as we assess that our interest in being able to defend legal claims against the company outweighs the data subject's interest in not having their data processed for this purpose. | During the contract/warranty period + 10 years |
| Prevent fraud and other abuse | Name | Legitimate interest, as we assess that our interest in preventing fraud and abuse outweighs the data subject's interest in not having their data processed for this purpose. | During the contract period + 10 years |
| For access, maintenance, and development of the company's IT environment | Name | Legitimate interest, as we assess that our interest in processing the data for this purpose outweighs the data subject's interest in not having their data processed for this purpose. | As long as necessary to fulfill the purpose |

Customer - B2C (consumers)

| Purpose | Personal Data | Legal Basis | Retention Period |
| --- | --- | --- | --- |
| Provide products and services in our stores | Name | Performance of contract | During the contract period + 10 months |
| Manage data subject rights under GDPR | Name | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the case + 10 years |
| Manage personal data incidents under GDPR | Name | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the case + 10 years |
| Manage accounting information | Name | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the accounting year to which the information relates + 7 years |
| Administer complaints and claims | Name | Legitimate interest, as we assess our interest in handling complaints and improving our products outweighs the data subject's interest in not having their data processed for this purpose. | During the case + 3 years |
| Administer customer contracts | Name | Performance of contract to the extent processing is required to fulfill the contract/contractual obligations (e.g., warranties) towards the data subject. | During the contract period + 10 years |
| Establish, assert, or defend legal claims | Name | Legitimate interest, as we assess that our interest in being able to defend legal claims against the company outweighs the data subject's interest in not having their data processed for this purpose. | During the contract/warranty period + 10 years |
| Prevent fraud and other abuse | Name | Legitimate interest, as we assess that our interest in preventing fraud and abuse outweighs the data subject's interest in not having their data processed for this purpose. | During the contract period + 10 years |

Potential customers

| Purpose | Personal Data | Legal Basis | Retention Period |
| --- | --- | --- | --- |
| Manage data subject rights under GDPR | Name | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the case + 10 years |
| Manage personal data incidents under GDPR | Name | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the case + 10 years |
| Administer marketing communications to contact persons at potential customers who have requested information or subscribed to mailings | Name | Legitimate interest, as we assess that our interest in conducting marketing outweighs the data subject's interest in not having their data processed for this purpose. | From opt-out + 1 year (communications cease immediately) |
| Administer initial marketing campaigns to contact persons at potential customers who have NOT requested information or subscribed to mailings | Name | Legitimate interest, as we assess that our interest in conducting marketing outweighs the data subject's interest in not having their personal data processed for this purpose. | From collection + 1 month to initial contact, then 2 months |
| Manage market research surveys to contact persons at potential customers | Name | Legitimate interest, as we assess that our interest in exploring new business opportunities outweighs the data subject's interest in not having their personal data processed for this purpose. | Contact information, position, company affiliation, and information about the invitation to participate in surveys: From collection + 3 months |

Suppliers/subcontractors

| Purpose | Personal Data | Legal Basis | Retention Period |
| --- | --- | --- | --- |
| Manage data subject rights under GDPR | Name | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the case + 10 years |
| Manage personal data incidents under GDPR | Name | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the case + 10 years |
| Manage accounting information | Name, Phone number, Company, Organisation number | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the fiscal year to which the information relates + 7 years |
| Manage procurement of goods and services | Name | Legitimate interest, as we assess that our interest in contacting potential suppliers and subcontractors outweighs the data subject's interest in not having their data processed for this purpose. | Until delivery + 10 years |
| Management of procurement processes | Name | Legitimate interest, as we assess that our interest in procuring new suppliers and subcontractors outweighs the data subject's interest in not having their personal data processed for this purpose. | Allocation decision + 6 months |
| Ensure compliance with SSF Stöldskyddsföreningen's regulations | Name | Legitimate interest, our interest in ensuring that our subcontractors meet SSF's requirements outweighs the data subject's interest in not having their data processed for this purpose. | 2 years from the date of the check. |

Recruitment candidate

| Purpose | Personal Data | Legal Basis | Retention Period |
| --- | --- | --- | --- |
| Manage data subject rights under GDPR | Name | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the case + 10 years |
| Manage personal data incidents under GDPR | Name | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the case + 10 years |
| Receive, evaluate, and decide on job applications | Name | Performance of a contract, the data is necessary for us to fulfill obligations in employment contracts and collective agreements | During recruitment + 2 years |

Visitor

| Purpose | Personal Data | Legal Basis | Retention Period |
| --- | --- | --- | --- |
| Manage data subject rights under GDPR | Name | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the case + 10 years |
| Manage personal data incidents under GDPR | Name | Legal obligation, the data is necessary for us to fulfill obligations under Swedish law | During the case + 10 years |
| Manage camera surveillance for security in physical premises | Image | Balancing of interests, as we assess that our interest in the security of our physical premises outweighs the data subject's interest in not having their data processed for this purpose | From recording + 30 days |
| To administer visits to the company's premises | Name | Balancing of interests, our interest in processing this information to inform the person receiving the visit and to know who is present in our premises outweighs the data subject's/visitor's interest in not having their data processed for this purpose. In the event of a fire, we also need to be able to produce an evacuation list. | During the visit + 1 day |

Website Visitors

| Purpose | Personal Data | Legal Basis | Retention Period |
| --- | --- | --- | --- |
| To provide the information you request via the website | Name | Balancing of interests, as we assess that our interest in being able to respond to individuals' requests outweighs the data subject's interest in not having their data processed for this purpose | During the case |
| To create and manage your account | | Balancing of interests, as we assess that our interest in being able to administer user accounts outweighs the data subject's interest in not having their data processed for this purpose | |

How and why will we use your personal data?

| Why do we process this personal data? | What is the legal basis for such processing? |
| --- | --- |
| To provide you with the information you request via the website. | Using your personal data in this way is necessary for us to respond to your request. |
| To create and manage your account, for example, by sending passwords, reminders, or notifications of changes to your account details. | Using your personal data in this way is necessary for us to offer you an online account. |
| To conduct statistical analyses of how our website is used and thereby gain a better understanding of its usage and how to improve it. | We have a legitimate interest in using this information to understand how our website is used and to manage and improve it. Because the processing is limited and does not involve sensitive personal data, we have assessed that our legitimate interest in conducting analyses and improvements outweighs your personal privacy and interest in not having your data processed in this context. |
| To better understand your interests and preferences and, as a result, provide you with an experience tailored to these interests and preferences, such as through behavioral analysis and automated marketing. | We have a legitimate interest in accessing the preferences we derive from your browsing behavior and purchases so that we can customize your user experience, including regarding marketing materials in line with your marketing preferences (see below). |
| To send information about relevant products or services in accordance with your marketing preferences. | We will only send marketing materials if you have consented to it. |
| To provide you with sales tools that help you choose the right product or service. | Using your personal data in this way is necessary for us to respond to your request. |
| To meet the legal requirements that we are obliged to comply with, such as in the areas of taxation or accounting. | Using your personal data in this way is necessary for us to fulfill our legal obligations. |

Protection of personal data
CERTEGO has taken appropriate technical and organizational measures to protect your personal data and to prevent your personal data from being used for illegal purposes or made available to unauthorized persons.
Our employees, as well as personal data processors and assistants, must follow our internal guidelines for data protection.
Your rights
In order to fulfil any of the stated purposes (above), we may disclose your personal data as follows:
- To other companies within the Group
- To third parties providing market research services
- If required by law; and/or
- To a buyer or potential future buyer of our business
Processors
CERTEGO may in some cases use processors who provide services to us, e.g. IT services and security solutions. In these cases, we undertake to have a personal data processor agreement with every processor and to ensure that the processors we engage comply with the General Data Protection Regulation (GDPR).
Third country
Some recipients may be located in countries outside the EU/EEA area. As these countries in some cases have a lower level of protection for personal data than countries within the EU/EEA, we apply the standard contractual clauses approved by the European Commission when transferring personal data to such countries, to ensure an appropriate level of protection for your personal data. These Standard Contractual Clauses can be found at the following link: https://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.
In relation to the personal data we hold about you, you have the right to:
- request a copy of your personal data from our records;
- request that we correct or delete your personal data (even if this means that your account is deleted, or that we will no longer be able to handle your requests or orders);
- request that we cease processing your personal data (for example, when we use it for the purpose of improving our website), or that we restrict the processing of the personal data (for example, if you believe that it is incorrect);
- request to obtain the personal data that we use to provide you with the information requested by you, manage an order or administer your account or our relationship with you, in a machine-readable format which you are then entitled to transfer to another controller; and
- withdraw at any time the consent you have given us regarding the processing of your personal data for marketing purposes.
We may reject your request to delete your personal data if we need to continue processing it to comply with a legal obligation or to establish, exercise or defend legal claims.
A request to exercise your rights should be made by submitting our Privacy Concerns Form.
If you wish to complain about how we process your personal data, you have the right to report this to the relevant data protection authority or to the relevant supervisory authority where you live or work (if different from the above).
How can we make changes to this Privacy Policy?
We may update this Privacy Policy from time to time as a result of changes in legal, regulatory or business requirements. When we make changes that are not solely linguistic or editorial, you will be clearly informed about the changes.