Privacy Policy

BACKGROUND
Personal Data (as defined below) protection is primarily governed by the General Data Protection Regulation (“GDPR”), which is a comprehensive regulation within the European Union. GDPR sets out guidelines and requirements for the processing of Personal Data across all EU member states, including Sweden.
‍

PURPOSE
This Policy outlines the utilization and purposes associated with Personal Data, specifying the lawful basis and measures implemented for safeguarding Personal Data. Information on how one may exercise its rights related to the Processing of Personal Data is also provided.
‍

SCOPE
This Policy applies to all employees, officers, directors and operations of the entities in the Qarlbo Group.
‍

DEFINITIONS
“Applicable Law” refers to the legislation applicable to the Processing of Personal Data, including the GDPR, supplementary national legislation, as well as practices, guidelines and recommendations issued by a national or EU supervisory authority.

“Controller” is the company/organisation that decides for what purposes and in what way personal data is to be processed and is responsible for the Processing of Personal Data in accordance with Applicable Law.

“Data Subject” is the living, natural person whose Personal Data is being processed.

“Personal Data” is all information relating, directly or indirectly, to an identifiable natural person.

“Processing” means any operation or set of operations which is performed on Personal data, e.g. storage, modification, reading, handover and similar.

“Processor” is the company/organisation that processes Personal Data on behalf of the Controller and can therefore only process the Personal Data according to the instructions of the Controller and the Applicable Law.
‍

THE COMPANY’S ROLE AS A CONTROLLER
The Company assumes the role of Controller for all Personal Data outlined in this Policy. As a Controller, the Company is responsible for deciding the purpose of and the means for the Processing (what methods, what Personal Data is stored and for how long it is stored). This Policy does not describe how the Company Process Personal Data in the role of a Processor.
‍

CUSTOMER DUE DILIGENCE
This Policy applies to Personal Data collected through the following functions (the “Functions”):
‍

Visitors to the website:
The Company may collect information from visitors to the website in order to be able to improve, enhance the efficiency of, simplify and develop the website. The information may include IP address, MAC address, and similar data (unit information).  

Company representatives:
The Company may collect and store information from company representatives in order to be able to contact a Data Subject or enter into an agreement with a Data Subject in the capacity as a company representative. The information may include name, position, postal address, personal identification number, e-mail address, telephone number and other personal data that the Data Subject choose to provide the Company with.  

General communication with Qarlbo:
When a Data Subject communicate with the Company or send any type of material or information, the Company may collect the information in order to communicate with the Data Subject. The information may include name, e-mail address, delivery address and other personal data that the Data Subject choose to provide the Company with.

Recruitment:
The Company may collect information in order to be able to recruit the right people for employment at the Company. The information may include name, address, e-mail address and telephone number, CV and other personal data that the Data Subject choose to provide the Company with.  

THE COMPANY’S PROCESSING OF PERSONAL DATA
The Company has a responsibility to describe and demonstrate the fulfilment of requirements for Processing of Personal Data. This section aims to provide an understanding of what type of Personal Data is processed and on what reasons.
‍

Storage of Personal Data
Personal Data will be stored for as long as it is necessary for the purpose for which it was collected. Depending on the lawful basis on which the Processing is support on, this may a) be regulated in a contract, b) be dependent on valid consent, c) be stated in legislation or d) follow by an internal assessment based on a legitimate interest assessment (LIA).
Personal Data is never stored longer than necessary and Personal Data will be deleted regularly. The Company also takes reasonable actions to keep the Personal Data being Processed updated and to delete outdated and otherwise incorrect or redundant Personal Data.
‍

Processing
The main purpose of the Processing is to provide, carry out and improve the Company’s services.
‍

Access to your Personal Data
Personal Data is being collected in a number of different ways. The Company mainly get access to Personal Data by the Data Subject providing its Personal Data.
‍

Lawful basis
In order for the Company to be able to Process Personal Data, it is required to have so-called legal basis for each process. The Company processes Personal Data on one of the following grounds:
‍

Consent – The Company may process personal data after collecting the Data Subjects consent to the Processing. Information regarding the processing is always provided in connection to the request of consent.
‍

Performance of a contract - The Processing is necessary for the performance of a contract entered between the Company and the Data Subject, or to prepare for entering into an agreement with the Data Subject.
‍

Legitimate interest – The Company may process Personal Data if there is a legitimate interest, and if the processing is necessary for the purpose in question.

Legal obligation – The Company is required by laws and regulations to process Personal Data as a result of the Company’s business.
‍

THE DATA SUBJECT’S RIGHTS
The Data Subject is the one in control of the Personal Data and the Company always strives to ensure that the Data Subject can exercise its rights as efficiently as possible.
‍

Access – The Data Subject always has the right to receive information about the Processing of data that concerns them.

Rectification – The Data Subject has the right to rectification.

Erasure – The Data Subject has the right to be forgotten and request deletion of their Personal Data when the Processing is no longer necessary for the purpose for which it was collected. If the Company is required to retain the information under applicable law or a contract that has been entered with the Data Subject, the Company will ensure that it is processed only for the specific purpose set forth in such applicable law or contract. Thereafter the information will be erased as soon as possible.

Objections – The Data Subject has the right to object to the assessment that a legitimate interest for Processing the Personal Data overrides the interest in protecting the Data Subjects privacy. In such case, the Company will review the legitimate interest assessment.

Restriction – The Data Subject has a right to limitation of Processing of Personal Data:
whilst the Company is Processing a request from the Data Subject for any of the Data Subject’s other rights;
if, instead of requesting erasure, the Data Subject want the Company to limit the Processing of Personal Data for a specific purpose.
in cases where the Company no longer need the information in relation to the purpose for which it was collected, provided that the Data Subject do not have an interest in retaining it to make a legal claim.

Data portability – The Company may provide the Data Subject with the data that they have submitted to the Company or that the Company has received from them in connection with a contractual relationship. The Data Subject will receive information in a commonly used and machine-readable format that can be transferred to another personal data manager.

Withdraw consent – A Data Subject has the right to withdraw their consent.

‍

HOW YOU USE YOUR RIGHTS
If a Data Subject want to exercise any of the above rights or if there is any questions regarding Personal Data processed by the Company or questions about this Policy, contact Qarlbo (matilda.kyringer-jurell@qarlbo.com).
‍

PROCESSORS AND TRANSFER OF PERSONAL DATA
The Company may engage Processors. If so, the Company make sure that the transfer happens in a secure way that protects the Data Subject’s privacy. The following are categories of recipients with whom personal data may be shared:
‍

- IT suppliers for e.g. business systems and case management. In order to be able to carry out assignments and services, the Company store Personal Data in business systems (a system that administers customers and contacts); or

- statistics to contribute to industry statistics and to improve the customer experience.
‍

In cases where Processors transfer Personal Data outsider the EU/EEA, the Company will ensure that the level of protection is adequate, and in compliance with Applicable Law, by controlling that either of the following requirements are fulfilled:

- the EU Commission has determined that the level of protection is adequate in the third country where the data is processed;

- the Processor has a legally recognized transfer mechanism, e.g. the EU Commission's standard contract clauses (SCCs) for data transfer to non-EU/EEA countries; or

- the Processor has taken other appropriate safeguards prior to the transfer and that such safeguards comply with Applicable law.
‍

The Company has entered into Data Processing Agreements (“DPA”) with all Processors. The DPA sets out, among other things, how the Processor may process the Personal Data and what security measures are required for the Processing.
‍

The Company may also need to disclose personal information to certain designated authorities in order to fulfil obligations under applicable law or legally binding judgements.
‍

SECURITY MEASURES
The Company has taken technical and organisational security measures to ensure that Personal Data is processed securely and protected from loss, abuse and unauthorised access.
“Organisational security measures” are measures that are implemented in work methods and routines within the organisation, such as:

- internal governance documents (policys/instructions)
- cyber security policy
- physical security (premises etc.)

“Technical security measures” are measures implemented through technical solutions.
‍

COMPLAINTS
If a Data Subject finds that the Company is not Processing Personal Data correctly, the Data Subject is always entitled to submit complaints to the Swedish Authority for Privacy Protection.
‍

More information about the Company’s obligations and the Data Subjects rights can be found at https://www.imy.se/

‍