Privacy Policy

1. BACKGROUND

[Företagsbostäder Sverige AB], reg. no. [556213-6241], (the ”Company”), is a company providing accommodation solutions, mainly for companies. The Company has approximately [30] employees

Within the Company’s business operations various personal data are processed. It is highly important that personal data is processed in a correct and secure way without any risk of compromising the personal integrity of the individual whose personal data is being processed (the “data subject”). The Company shall at all times ensure that personal data is processed in a lawful and correct manner, and that every person processing personal data on behalf of the Company has the required qualifications and knowledge for processing such data.

This Personal Data Protection Policy (the “Policy”) contains rules and guidelines for the processing of personal data carried out by the Company as controller and processor of personal data, regardless of which type of personal data it concerns or to whom the personal data pertains. The purpose of this Policy is to provide important information to the data subjects regarding our processing of personal data, to increase the knowledge within the Company of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “General Data Protection Regulation”) and to ensure that the Company fulfils its obligations under the regulation.

2. WHAT, WHY AND FOR HOW LONG IS DATA BEING PROCESSED?

2.1 General

The Company collects and processes personal data within the areas and functions listed below. Regarding most of the personal data mentioned in the Policy the Company acts as data controller, i.e. processes personal data independently and on behalf of itself.

In several cases the Company requires personal data for the purpose of fulfilling legal or contractual obligations or demands, which are necessary for entering into an agreement with, for example, an employee, a customer or a supplier. If the data subject does not provide the Company with the required personal data, the Company may not be able to enter into or fulfil its obligations under an agreement with the data subject.

Listed below, in sections 2.2, 2.3, 2.4, 2.5, 2.6 and 2.7, are the areas in which the Company processes personal data. In connection to each area the purposes and the legal basis for processing the personal data is stated, as well as recipients of the data, period for storing the data etc.

2.2 Employees

Which is the legal basis for processing the personal data?

The legal basis to collect and process personal data regarding employees is either (a) to fulfil legal obligations, (b) to enter into and fulfil obligations in agreements with the employees or (c) the legitimate interests of the Company, except where such interests are overridden by the interests of the employee and, if none of the previously mentioned apply, (d) based on the employee’s consent to the processing.

Further, personal data regarding employees is collected and processed in order to fulfil obligations in law, collective agreements and/or in order to enter into and fulfil obligations under individual agreements.

What type of personal data is processed and who receives the data?

The personal data processed are mainly names, personal identity number, phone number, bank details, basis for calculating salary and benefits, address, information about relatives, qualifications, experience and progress, absence, health conditions and possible rehabilitation.

The recipients of the personal data are the managing director, HR department, the IT department, the sales manager, other managers, the financial department and internal or external actors administrating salaries and other benefits etc. and, when required by law, authorities.

For what purposes are personal data processed?

The employee’s personal data is required for purposes such as payment of salary, calculating provision, wage revision and other reimbursements and employee benefits, general personnel administration, time tracking, board fees, maintaining emergency and catastrophe response plans, contacting relatives in case of incidents or accidents occurring to the employee, providing occupational health care, paid leave, administrating employee benefits (including pension benefits as well as life and health insurance), maintaining documentation regarding sick leave and other absence for the purpose of calculating sick pay and participation in rehabilitation investigations in accordance with the Work Environment Act, making decisions about the suitability for certain work tasks, enabling evaluations and reviews of performance (including information regarding performance and other information for assessments and performance reviews with the employee) as well as generally in order to ensure fulfilment of legal obligations (including but not limited to income tax, social insurance and applicable labour legislation, such as fulfilling regulations regarding order of priority during termination of employment or in order to issue employer’s certificates).

Further, personal data and information about bonuses may be processed for statistical purposes intended for the Central Bureau of Statistics (Sw: Statistiska Centralbyrån) or the Confederation of Swedish Enterprise (Sw. Svenskt Näringsliv).

How long is the data stored?

The Company does not store personal data longer than necessary in relation to the purpose for which it was processed. Therefore, the Company performs screenings on a regular basis of the personal data and removes data which is no longer necessary to process. Generally when an employment has been terminated there is no reason for the Company to continue storing the former employee’s personal data. This includes the employee’s e-mail account and information regarding the employee on the Company’s website. In such case, screening shall be performed as soon as possible after the termination of the employment.

However, there are exceptions to the typical case above. In order to fulfil its obligations in accordance with labor, tax and social insurance law the Company is required to store some data regarding the employee for a period of time even after the employment has been terminated. For example, data needs to be stored in order to fulfil legal obligations regarding taxation or accounting, to fulfil requirements concerning the employee’s right of priority to re-employment in accordance with the Employment Protection Act or to handle possible legal claims against the Company. The Company may also be required to store data for payment of pension benefits or severance pay. For these exceptions, personal data will be stored for two or ten years respectively (concerning accounting, taxation and periods of limitation).

To the extent relevant, the Company may also process personal data in connection with co-worker surveys. Such surveys are being conducted in order for the Company to identify inadequacies and thereafter work towards and ensure a better work environment.

Some of the personal data which the Company is processing in relation to the employment may be considered sensitive personal data. Such sensitive data can for example be personal data relating to health or data concerning membership in trade unions. See section 2.8 below for more information about the Company’s treatment of sensitive data.

2.3 Consultants

Which is the legal basis for processing the personal data?

The Company may need to collect and process personal data regarding individual consultants in order to fulfil legal obligations or to enter into and fulfil obligations in consultancy agreements.

What type of personal data is processed and who receives the data?

The personal data processed by the Company are, among others, name, personal identity number, address, e-mail address, phone number, bank details, number for bank and postal giro, information about qualifications, basis for calculating consultancy fee, experience etc. and information about absence as well as contact information to the manager of the individual consultant.

The primary recipients of the personal data are relevant managers, the HR-department, possible external actors administrating payment of consultancy fees etc. and, when required, authorities.

For what purposes are personal data processed?

The consultant’s personal data can be required for purposes such as payment of consultancy fees and other reimbursements, general personnel administration, maintaining emergency and catastrophe response plans, maintaining documentation regarding absence for the purpose of calculating consultancy fees, making decisions about the suitability for certain work tasks and services, enabling evaluations and reviews of performance and also generally ensuring fulfilment of legal obligations.

For how long is the data stored?

The Company does not store personal data longer than necessary in relation to the purpose for which they were processed. Therefore, the Company performs screenings on a regular basis of the personal data and removes data which is no longer necessary.

Generally when a consultancy assignment has been terminated there is no reason for the Company to continue storing the consultant’s personal data. However, in order to fulfil legal obligations regarding taxation, accounting or to handle possible legal claims against the Company, it may be necessary for the Company to store personal data for a period of time even after the consultancy assignment has been terminated. For these exceptions, personal data will be stored for a maximum of ten years after the termination of the consultancy assignment.

2.4 Recruitment

Which is the legal basis for processing the personal data?

In order to administrate applications sent in by the data subject, conduct interviews and make decisions in a recruitment procedure, the Company must process certain personal data. The legal basis for processing personal data in this manner is the legitimate interests of the Company, not overridden by the interests of the data subject, alternatively necessity for the performance of a contract.

What type of personal data is processed and who receives the data?

The Company processes personal data such as name, date of birth, address, information about qualifications and experience, photography etc. Automated decision making, including profiling, may occur.

The primary recipients of the personal data are the HR-department, other managers and hired recruitment agencies. When the processing of data is being handled by a recruitment agency the Company will always enter into a data processing agreement with the data processor, please see section 3.2 below for further information about the Company’s routines regarding data processing agreement.

For what purposes are personal data processed?

The Company collects and processes personal data in order to administrate applications, conduct interviews and make decisions in a recruitment procedure.

For how long is the data stored?

The Company does not store personal data longer than necessary in relation to the purpose for which it was processed. Therefore, the Company performs screenings of the personal data on a regular basis and removes data which is no longer necessary. The Company may need to store personal data for a period of time even after the recruitment procedure is over, if such storage is necessary in order to handle possible legal claims against the Company. The storage period in such cases is two years

2.5 Customers

Which is the legal basis for processing the personal data?

Our main group of customers is business tenants, i.e. companies in need of accommodation solutions for e.g. their employees and their families. Our solutions are, to a limited extent, also offered to customers that are private individuals. The information below regards processing of personal data of customers in general, i.e. both customers that are private individuals and representatives of our business customers. Please see section 2.7 for information about how we process personal data relating to the actual guests (i.e. individuals actually staying in our apartments or houses).

In order to enter into and maintain agreements with our customers, the Company processes personal data related to representatives of customers. The legal bases for processing personal data in this manner are therefore either the necessity for the performance of agreement or the legitimate interests of the Company. Certain personal data may also be processed on the basis of legal obligations of the Company, for example personal information on invoices on account of accounting obligations.

What type of personal data is processed and who receives the data?

The Company processes personal data relating to customers and representatives of customers, such as name, phone number, e-mail address, postal address, personal identity number, IPaddress, orders and payment details, copy of ID-card/driver’s license etc. The Company may also process name and personal identity number for guarantors related to the customer agreements.

Further, the Company may process personal data related to potential customers or representatives of potential customers, such as name, phone number, address and e-mail address etc.

The primary recipients of the personal data are persons at the Company’s sales department which are relevant to the customer’s agreement, the financial department, the marketing department, managers and administrators of the agreement. Helpdesk and technicians may also receive the 6 data. In applicable cases, we may have to share your personal data with external actors assisting us in accommodation management including e.g. key hand overs.

For what purposes are personal data processed?

In cases where there is an existing customer agreement, the Company only processes personal data which is of relevance for the customer relationship and which is required in order to fulfil the agreement. Personal data such as names, e-mail addresses and phone numbers of customers or representatives of customers are processed in order to administrate the customer agreement and to keep a dialogue with the customer, and in applicable cases, to organize inspections/exhibitions or access to e.g. apartments or houses. Personal data such as personal identity number or driver’s license are only processed if it is necessary in order to administrate invoicing, credit worthiness and similar activities. Personal data may also be processed for the purpose of sending offers and adverts of interest to the customer. Customers and representatives of customers have the right to, at any moment, object to the processing of their personal data for the purpose of direct marketing, see section 5.4 below.

In cases where the Company is processing personal data relating to potential customers or representatives of potential customers, the purpose of the processing is to get in contact with the potential customer in order to provide interesting offers and information through telephone or e-mail or in order to administrate booked meetings. Potential customers and representatives of potential customers have the right to, at any moment, object to the processing of their personal data for the purpose of direct marketing, see section 5.4 below.

For how long is the data stored?

The Company does not store personal data longer than necessary in relation to the purpose for which the data was processed. Therefore, the Company performs screenings of stored personal data on a regular basis and removes data which is no longer necessary. The Company may need to store personal data for a period of time even after the customer relationship has been terminated, if such storage is necessary in order to administrate possible warranties and limitation periods of complaints, handle possible legal claims against the Company or in order to promote services and send offers which the Company believes may be of interest to our former customers. Exceptionally, personal data may therefore be stored during some time after the termination of the customer relationship or until the person being subject of the data has objected to direct marketing.

Personal data related to potential customers or representatives of potential customers will be removed once the dialogue with the potential customer has ceased, given that the parties has not begun a customer relationship, or immediately if the person being subject of the data has objected to direct marketing.

It may also be necessary for the Company to store personal data longer, in order to fulfil legal obligations regarding accounting, for example. If such obligations are at hand the personal data may be stored for up to seven years.

2.6 Suppliers

Which is the legal basis for processing the personal data?

In order to enter into and maintain agreements with suppliers, the Company processes personal data related to suppliers or representatives of suppliers. Certain personal data may also be processed on the basis of legal obligations of the Company, for example personal information on invoices on account of accounting obligations.

What type of personal data is processed and who receives the data?

The Company processes personal data relating to existing and potential suppliers and representatives of suppliers, such as name, phone number, e-mail address and title.

The primary recipients of the personal data are the Company’s purchase department, the managing director and other relevant managers in charge, the financial department and the IT department.

For what purposes are personal data processed?

The Company processes personal data in order to administrate purchase agreements, handle invoicing and be able to ask questions to the supplier regarding purchased goods or services.

For how long is the data stored?

The Company may need to store personal data for a period of time even after the contractual relationship with the supplier has been terminated, if such storage is necessary in order to administrate possible warranties and limitation periods of complaints or handle possible legal claims against the Company. Exceptionally, personal data may therefore be stored for up to two years after the termination of the supplier customer relationship.

It may also be necessary for the Company to store personal data generally, in order to fulfil legal obligations regarding accounting, for example. If such obligations are at hand the personal data may be stored for up to seven years.

2.7 Guests

Which is the legal basis for processing the personal data?

In order to enter into and maintain the agreements that we have with our customers as referred to in section 2.5 above and to assure that we provide services adapted to the needs and requirements of the individual guests staying in our apartments or houses, the Company must process certain limited personal data of those guests. The legal bases for processing personal data in this manner 8 are therefore either the necessity for the performance of agreement or the legitimate interests of the Company. Certain personal data may also be processed on the basis of legal obligations of the Company, for example personal information on invoices on account of accounting obligations

What type of personal data is processed and who receives the data?

The Company processes personal data relating to name, family members, e-mail address, phone number, address, arrival and departure dates, key number, passport copies and/or ID-numbers, information about special needs such as disabilities, domestic care services and house pets or other preferences or complaints that the guest provides us information about. Also, personal data that the guest provides us by participating in a voluntary guest survey may be processed.

The primary recipients of the personal data are the Company’s customer service and booking department, relevant managers in charge, the financial department and the IT department. In applicable cases, we may have to share your personal data with external actors assisting us in accommodation management including e.g. housekeeping, real estate management and key hand overs.

For what purposes are personal data processed?

Personal data such as names, e-mail addresses and phone numbers of guests are processed in order to administrate the accommodation and to be able to keep a dialogue with the guests (e.g. key hand overs, questions complaints, viewings and other matters). Personal data such as information about disabilities, domestic care services, house pets or other, are processed when provided by the guest (or indirectly through the customer making the booking) in order to ensure that all the needs and requirements are met and consequently, to ensure the best possible experience for the guest in question. Personal data such as personal identity number, passport or ID are only processed if it is necessary in order to administrate invoicing, credit worthiness and similar activities. The personal data collected through our voluntary guest surveys is collected in order to optimize and improve our services and guest experiences.

For how long is the data stored?

The Company may need to store personal data for a period of time even after the expiry of the period during which the guest stay in the apartment or house provided by us, if such storage is necessary in order to administrate possible warranties and limitation periods of complaints or handle possible legal claims against the Company. Exceptionally, personal data may therefore be stored for up to two years after the expiry of the guest’s stay in our apartment or house.

Some of the personal data which the Company is processing in relation to the guests may be considered sensitive personal data. Such sensitive data can for example be personal data relating to health, which might be processed to meet the guests’ special needs. See section 2.8 below for more information about the Company’s treatment of sensitive data.

2.8 Sensitive personal data

According to this Policy, sensitive personal data is personal data that reveals ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometrical data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation

The Company never processes sensitive personal data without the explicit consent of the data subject or without the existence of such necessity which is stated in article 9 in the General Data Protection Regulation for carrying out obligations and exercising specific rights in the field of employment, social security and/or social protection law or when the processing is necessary to protect the vital interests of the data subject or another person, where the data subject is physically or legally incapable of giving consent, in certain cases within trade unions if the data has been made official by the data subject, if it is necessary for reasons of substantial public interest, if it is necessary for the assessment of the working capacity of the employee or the provision of health or social care or if it is necessary for statistical purposes.

The Company takes appropriate safety measures during every processing of sensitive personal data in order to protect the data. The personal data is never available for more persons than necessary, regardless of whether the Company acts as data controller or data processor.

3. HOW DO WE PROCESS PERSONAL DATA?

3.1 General

When the Company collects, processes and stores personal data, it shall be conducted in a legal, correct and open manner and in accordance with the purpose of the processing and only to the extent deemed necessary by the Company. The Company shall continuously process personal data in a manner aiming at avoiding a violation of the data subject’s personal integrity. In every case of processing personal data the Company is strictly ensuring that the personal data is protected by appropriate safety measures.

The Company may process personal data either by collecting and processing the data independently and on behalf of itself or by appointment by and on behalf of other companies. Hence, the Company may act as data controller and as data processor. In some cases, the Company may act as data controller mutually with another actor.

In several cases when we request personal data it is done, as is mentioned above, in order to fulfil legal or contractual obligations or obligations necessary to enter into an agreement with an employee. If the data subject does not provide the requested data it may in some cases mean than the Company cannot enter into an agreement or fulfil contractual obligations with the data subject. If the data subject is unsure or worried about providing certain personal data the data subject may contact the Company (see below under Contact information) for further information.

3.2 The Company shares data with an external party

The Company may, from time to time, be required to submit information to a relevant third party (including but not limited to situations where the Company has a legal obligation to do so). To ensure that your personal data is processed in a safe manner in every such situation, the Company regularly enters into agreements (such as data processor agreements) with every third party processing personal data on behalf of the Company. Such agreements always state the subject of the processing, the duration, kind and purpose of the processing, the type of personal data and categories of data subjects and the Company’s obligations and rights as data controller. Further, the Company always provides the data processor with documented instructions that the data processor is obliged to follow.

3.3 Transfer of personal data outside the European Economic Area (the “EEA”)

In order to administrate our business and the personal data processed therein in an efficient and organized manner, the Company uses a data system provided to us by an external service provider. The information that the Company registers or enters into such system will, normally, be stored on the service provider’s servers. Those servers may be located outside the EEA, for example in the USA. In order to assure full security and protection for the personal data that the Company processes in this system, the Company always ensures that any transfer of data outside the EEA is covered by sufficient security measures and that no transfer takes place to a location that is not covered by appropriate level of adequate protection. As stated in section 3.2, the Company always enters into data processing agreements with its data processors.

3.4 The Company as data processor

In every case where the Company acts as data processor the Company shall enter into a data processor agreement with the data controller. The data controller is responsible for deciding, for example, purpose and time of storage for the personal data. When the Company acts as data processor the personal data will always be processed in accordance with the data processor agreement and the instructions of the data controller. If the Company is unsure of the meaning of the instructions or the extent of its responsibilities, the Company regularly requests a clarification from the data controller.

The Company always ensures that the personal data is protected by appropriate safety measures and that it is only available for a limited amount of persons within the Company who require the data for their work

As is stated in section 5 below, the data subject has a right to, among other rights, access, rectify and delete its personal data. In these cases the data subject is recommended to primarily make contact with a suitable contact person at the data controller and secondly to make contact with the data protection officer at the Company. Contact information for the Company’s data protection officer can be found in section 6 below.

4. WHAT HAPPENS IN CASE OF A DATA BREACH?

4.1 General

A data breach is a security breach which leads to unintentional or illegal destruction, loss or modification of personal data processed by the Company. Further, a security breach leading to unauthorized disclosure of or unauthorized access to the processed data may also be considered a data breach. In case of a breach, the incident must be reported to the Swedish Data Protection Authority (Sw: Datainspektionen) by the Company’s personal data officer if rights and/or freedoms of an individual are at risk. Examples of breaches may be restriction of an individual’s rights, identity theft or fraud, or breach of confidentiality.

4.2 Who do you contact in case of a data breach?

In case of a breach, the Company’s data protection officer shall be contacted. Contact information to the data protection officer can be found in section 6 below. To minimize damage, contact shall be made immediately upon suspicion of a breach. The data protection officer shall thereafter evaluate the seriousness of the breach and decide what action measures are to be taken.

5. WHAT RIGHTS DOES THE DATA SUBJECT HAVE?

5.1 Requests or questions from a data subject

The paragraphs below lists certain rights for the data subject, with regards to personal data. If a data subject contacts an employee of the Company with requests or questions regarding personal data, that employee shall immediately contact the Company’s data protection officer and inform the officer about the data subject’s requests or questions. Contact information to the Company’s data protection officer is found in section 6 below.

5.2 The right to access

The data subject has a right to turn to the Company, as data controller, and request access to the personal data related to him/her processed by the Company. The data subject also has the right to request information about the personal data, such as the purpose of the processing and the recipients of the data.

As data controller, the Company shall provide the data subject with a copy regarding the processed personal data, free of charge. If the data subject requests further copies, the Company may charge an administration fee.

5.3 The right to rectification, deletion and limitation

The data subject has the right to, without undue delay, have his/her personal data rectified or, under certain circumstances, limited or deleted. If the data subject believes that the Company is processing personal data regarding him/her which is inaccurate or incomplete, the data subject may request to have them rectified or completed.

The data subject also has the right to have his/her personal data deleted if, among other, the data no longer is necessary or if the processing is based on consent which has been withdrawn.

If the data subject requests to have the personal data rectified, deleted or limited in process, the Company, as data processor, shall regularly, if possible with reasonable effort, notify every recipient of the personal data of the data subject’s request.

5.4 The right to objection

The data subject has the right to, at any moment, object to the processing of the personal data if the legal basis of the processing is public interest or a balance of interests in accordance with article 6.1 (e) and (f) in the General Data Protection Regulation.

Further, the data subject has the right to, at any moment, object to the process of his/her personal data if the data is processed for the purpose of direct marketing.

5.5 The right to data portability

The data subject has the right to receive the personal data processed by the Company concerning him/her and transmit this data to another controller (data portability), provided that

(a) such portability is technically possible, and
(b) the legal basis for processing data is consent or that the processing has been necessary for the fulfilment of an agreement.

5.6 The right to withdraw consent

If the processing of personal data is based on the data subject’s consent, the data subject has the right to, at any time, withdraw the consent. Such withdrawal does not affect the legality of the processing of data before the consent was withdrawn.

5.7 Rights during automated individual decision-making, including profiling

The data subject has the right to not be subject to decisions based on automated decision making alone, including profiling, and which may lead to legal or similar significant effects on the data subject. This right does not apply

(a) if such processing is necessary in order for the Company to enter into or fulfil an agreement with the data subject
(b) if such processing is allowed according to applicable legislation, or
(c) if the legal basis for such processing is the data subject’s consent.

5.8 The right to file a complaint to the Swedish Data Protection Authority

The data subject has the right to file a complaint to the Swedish Data Protection Authority (Sw: Datainspektionen) if the data subject’s personal data is processed in violation with the General Data Protection Regulation

Contact information to the Swedish Data Protection Authority can be found at the authority’s website https://www.datainspektionen.se

6. CONTACT INFORMATON

For questions about the Policy or requests regarding personal data, please contact the Company’s data protection officer.

Contact information:

Name: Therese Callenberg

E-mail adress: therese.callenberg@foretagsbostader.se

7. ALTERATIONS OF THE POLICY

The Company reserves the right to alter and update the Policy. If the Policy is altered materially or if current information is to be processed in a different manner than what is stated in the Policy, the Company will inform about this appropriately.