This information is aimed at employees or contractors of Draftit Privacy’s business contacts/partners/suppliers, anyone applying for employment at Draftit Privacy, visitors to our website, recipients of our newsletters and other marketing e-mails, or participants of customer surveys or panels. There is separate information for users of Draftit Privacy’s services which will be issued to you in connection with registration for and use of our services.
By means of this information text, Draftit AB, (“Draftit Privacy”, “we”, “us”) wishes to inform you of how we collect and process your personal data. It also contains information on your rights in this regard, so that you will know what to do if you wish to exercise any of these rights.
2 Personal data responsibility
All employees at Draftit Privacy have basic knowledge of data protection, and we cooperate with leading data protection experts. We always pay the greatest possible regard to your integrity and process your personal data with great care. Naturally, we hope that you will read this information and that it will answer any questions you may have. If you still have questions, you are always welcome to contact us as follows:
The email address of our Data Protection Officer: firstname.lastname@example.org
3 What personal data do we process?
In order to make it easier for you, this section of the information text has been divided up and specially adapted to the different categories of people at whom the information is aimed.
3.1 Specific information for employees or contractors of one of our business contacts/partners/suppliers
3.1.1 What personal data and why?
We may process your e-mail address, name, telephone number, place of work and title. If you represent a sole trader, your social security number and place of residence/invoice address may also be processed if this is required to be able to identify you as a customer and to fulfil the purposes below.
We may have obtained such data from your employer, where we have an agreement or other business relationship with the employer, for instance, when you are named as the contact person for a specific agreement or in relation to a specific issue. We may also have obtained the data directly from you when you contacted us by telephone, e-mailed us or gave your business card (or other personal contact details) to one of Draftit Privacy’s representatives. These types of data can also be collected when we collect the information ourselves through searches in order to produce lists of contact persons at companies with whom we have, or want to establish, a business relationship.
The purposes of processing your personal data are so that we can communicate with you in order to retain or establish a business relationship with you and/or the organisation you represent and, where relevant, to administer the contractual relationship with your employer, manage invoices/payments and communicate with you within the framework of the contractual relationship.
Our legal basis for the processing is our agreement with you or the organisation you represent (where relevant) and/or our legitimate interest in being able to communicate with you in your professional role in order to retain or create a good business relationship with you.
3.1.2 How long do we store the data?
Where we process your personal data with an agreement as the legal basis, we will process the data for as long as the business relationship lasts. If the business relationship is terminated, the data will be deleted no later than one (1) year after the business relationship ends. We will store any such data that we have a statutory obligation to store (e.g. in accordance with the Swedish Bookkeeping Act).
Any personal data relating to invoicing/payment, and where continued processing of the data is required by law, must be kept for processing for seven (7) years in accordance with the Swedish Bookkeeping Act. Any personal data contained in concluded agreements will be kept for ten (10) years as per the period of limitation in accordance with the Swedish Limitation Act.
3.2 Special information for anyone applying for employment with us
3.2.1 What personal data and why?
If you submit an application for a job or internship to Draftit Privacy, the data you share with us in your application will only be processed internally by us. Only the data you yourself provide to Draftit Privacy in connection with your application will be processed by us, and all data will be deleted as soon as the relevant position has been filled, unless we have asked for your consent to store your data for any future recruitment processes.
Our legal basis for the processing is our legitimate interests in being able to deal with your application and implement the recruitment process for the position with us for which you have applied, and to fulfil our obligations and exercise our and/or your rights in accordance with the labour law, such as in the event we were to become subject to a claim in accordance with discrimination legislation.
Based on our legitimate interest, your personal data will be processed in order to review your application and assess how well it matches the advertised position, as well as to contact you during the recruitment process, such as calling you to an interview, making you an offer of employment, or informing you that your application has unfortunately not been successful.
3.2.2 How long do we store the data?
We store your personal data during the period necessary for the purposes specified above. In order to be able to exercise our rights in accordance with discrimination legislation, we need to store application documents for two (2) years after the recruitment process has ended. If we agree with you to store your personal data for any future recruitment processes, we will store such data for as long as you consent to this, or until our purpose has ended.
3.3 Special information for recipients of our newsletters, marketing e-mails, and participants of events, customer surveys or panels
3.3.1 What personal data and why?
We process your e-mail address and name, and in some cases your telephone number, and place of work and title. We may have obtained such data from your employer, where we have an agreement or other business relationship with the employer. We may also have obtained the data directly through you contacting us or having registered via our website.
The purposes of the processing are to allow us to communicate with you and send information and marketing to you, such as our newsletter, invitations to training and events, tips for new services and products that you informed us you were interested in, or which we believe you will be interested in.
Our legal basis for the processing is our agreement with you or the organisation you represent (where relevant) and/or our legitimate interest in retaining or creating a good business relationship with you, and communicating with you in your professional role regarding news, information, training, events and products that we offer and that we believe you will be interested in.
3.3.2 How long do we store the data?
If you receive marketing e-mails from us as part of a contractual relationship between us and your employer, we will process your data for as long as the contractual relationship lasts and for a maximum of one (1) year thereafter. Otherwise, we will process the data for as long as we have a legitimate interest in sending such material to you and you have a continued interest in receiving it. You can choose to stop receiving marketing e-mails from us at any time by informing us accordingly or by unsubscribing directly via the link in the e-mail. If you unsubscribe from our marketing e-mails, we will immediately stop processing your personal data for marketing purposes. 3.4 Special information for visitors to our website.
3.4.1 What personal data and why?
Our legal basis for the processing is our legitimate interest, which is justified because we have an interest in and need to be able to compile statistics of visitors to the website, to improve the website and visitor experience and to be able to manage troubleshooting and the prevention of incidents effectively).
3.4.2 How long do we store the data?
We store personal data for a maximum of one (1) year in accordance with the EU Commission’s recommendations, and because we believe it is justified based on the needs described above.
4 Where is your personal data processed?
As a rule, your personal data is processed within the EU/EEA. However, there may be certain situations where your personal data needs to be processed in a country outside the EU/EEA, such as where Draftit Privacy on a specific occasion needs to use a subcontractor based in a country outside the EU/EEA. In such cases, we will take all suitable legal, technical and organisational measures in order to ensure that your personal data is handled safely and with an adequate level of security comparable to the same level of protection offered within the EU/EEA in accordance with the data protection legislation.
5 Who may be given access to your personal data?
You can be confident that Draftit Privacy will never sell your personal data. Nor will we give any third party access to your personal data in other cases except for the purposes that we inform you of in this information text.
Draftit Privacy takes all suitable legal, technical and organisational measures in order to ensure that your personal data is handled safely and with an adequate level of security. This applies both internally to us and when your personal data is transferred or shared with selected third parties with whom Draftit Privacy cooperates. Only persons who need to process your personal data in accordance with the purposes outlined above will have access to your personal data.
- Subcontractors and group companies. Other companies within the Draftit Privacy group and subcontractors may access your personal data in order to process it in accordance with the purposes outlined above. Draftit Privacy is responsible for ensuring that all such processing of your personal data is completed by any such third party in accordance with the data protection legislation and only for the purposes that we inform you of as above.
- Authorities (such as the Swedish Data Protection Authority and the Police) We may provide necessary information to authorities such as the police if we are obliged to do so by law or if you have approved us doing so.
6 Your rights
You are always welcome to contact us (contact details above) if you have any questions concerning the processing of your personal data or if you want to exercise any of your rights as follows:
- You are entitled to know what personal data we process about you. Please state clearly in your request what information you want from us. The information is free and we will provide it to you without unnecessary delay (within one month). If we cannot provide the information your requested for any reason, we will explain why.
- You are entitled to request rectification of your personal data. It is important that the data we process about you is correct. If you change e-mail address or other contact information, or you discover that the data we hold about you is incorrect or irrelevant, you are entitled to request that we rectify it.
- You are entitled to request erasure of your personal data (the “right to be forgotten”) if the data is no longer necessary for the purpose for which we collected it. However, we have certain obligations – both contractual and legal – that prevent us from erasing parts of your personal data immediately. If you request erasure, we will erase all the data about you that we can. The remaining personal data that we are obliged to store by law and in accordance with other obligations, we will ensure is blocked so that it can only be used for such specific purposes.
- In some situations you are entitled to request a temporary restriction to the processing of your personal data. This may be the case, for instance, if you have requested rectification of your personal data, and it takes us some time to fulfil your request. In such circumstances, a limitation on the processing of your personal data may be imposed during the period when we deal with the matter.
- The right to obtain data in a machine-readable format (data portability). In some cases, you are entitled to obtain the personal data processed about you in machine-readable format.
- You are entitled to object to any such activities that we carry out using your personal data based on what is known as balancing of interests/legitimate interest (see above for what processing may be relevant to you). Please specify for us which processing you object to in your request.
Naturally, if you believe that we are processing your personal data in contravention of the relevant data protection legislation, we would like you to inform us. You are also entitled to submit a complaint to the Swedish Data Protection Authority. For more information, visit the Swedish Data Protection Authority’s (Integritetsskyddsmyndigheten) website www.imy.se.