Personal Data Policy

1. INTRODUCTION

1.1 Your privacy and digital security are important to us at White Paper Advisors Sweden AB (“WPA”), corp. ID no. 559208-3611. You must always feel secure when you provide personal data to WPA. WPA is not only the controller for the processing of your personal data on our behalf, but also the data processor for processing that takes place on our customers’ behalf. You can contact us at any time to ask questions about our management (see contact details in section 12).

1.2 This personal data policy (the “Personal Data Policy”) describes how we process personal data in respect of:

(i) persons who register their interest in working with us, people with whom we come into contact during personal meetings, people about whom we have obtained information from third parties, such as through a recommendation from another party, etc. (“Candidates”) (see especially section 2.1),

(ii) reference persons that Candidates submit to us in connection with taking up employment (“Reference Persons”) (see especially section 2.2),

(iii) contact persons and representatives of customers, suppliers, partners, prospects, etc. (see especially section 2.3),

(iv) other employees of customers, suppliers and partners whose personal data we will be processing within the framework of our services (see especially section 2.4),

(v) certain personal data in the WPA Whistleblower Service (see especially section 2.5),

(vi) persons who submit expressions of interest, emails and enquiries to WPA (see especially section 2.6), and

(vii) participants in market surveys and customer surveys, and persons who register on our website or otherwise show an interest in marketing measures such as receiving newsletters and information about possible seminars and events organised by WPA (see especially section 2.7).

1.3 This Personal Data Policy aims to clearly inform you about which personal data WPA collects and processes about you, how it is processed, the purpose of the processing, the legal basis on which the processing takes place, who is given access to the information and what rights you have in connection with the processing. Also described below are the measures taken to protect your personal data and how to contact us if you have any questions about our processing of your personal data.

1.4 Personal data is all information that can be directly or indirectly linked to a living natural person, e.g. name, addresses, phone numbers and IP addresses.

1.5 WPA will always comply with applicable legislation about how your personal data may be processed, including the General Data Protection Regulation (GDPR), the Swedish Data Protection Act and other applicable legislation.

2. WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU AND WHY?

2.1 Candidates

Personal data that is processed

The information collected and processed about you is information that you yourself provide to WPA and information that WPA receives from government agencies or other parties in the form of recommendations and references. Such information includes:

· name, age, address, email address and phone number,

· messages you have submitted to us via email, website, social media or in any other way,

· information provided in CVs and personal statements, professional roles and competence areas,

· notes from interviews and references, and

· information from government agencies and registers.

Purpose

The purposes of processing the personal data described above include contacting and maintaining contact with you, conducting an interview, and assessing your suitability for the relevant position and whether the conditions for employment are fulfilled.

Legal basis

The personal data described above will be processed by WPA based on either consent that you provide in connection with your submission of the application to us (for more information, please refer to the consent document), or WPA’s legitimate interest in maintaining and developing the relationship with you and assessing your suitability for the position or collaboration in question.

Processing activities

Processing activities performed in respect of your personal data include storage in our business systems and other online storage areas, communication with you, obtaining information from relevant government agencies and registers, and obtaining references from specified Reference Persons.

2.2 Reference Persons

Personal data that is processed

The information collected and processed about you is information that Candidates provide about you when they are involved in a hiring process with us, as well as information that you provide to us in our contact with you. Such information includes name, workplace address, email address, phone number and professional title.

Purpose

The purpose of the processing of the personal data described above is to carry out reference checks and assess the suitability of Candidates for the position in question.

Legal basis

The personal data described above will be processed by WPA on the basis of our legitimate interest in being able to perform reference checks as part of our thorough and well-founded recruitment processes.

Processing activities

Processing activities performed in respect of your personal data include storage in online storage areas and communication in connection with checking references.

2.3 Contact persons and representatives of customers, suppliers, partners, prospects, etc.

Personal data that is processed

The information collected and processed about you includes such information that you yourself provide to WPA, and information that WPA receives from your employer or through a recommendation from a third party. Such information includes name, email address, phone number, personal ID number and ID document in cases where secure identification is required, employer, position where appropriate and messages you have submitted to us via the website, email, social media or in some other way.

Purpose

The purposes of processing the personal data described above include managing the agreement that may exist between WPA and your employer, establishing and maintaining contact with you and your employer, contacting you regarding questions arising from any agreement between us and your employer, and specifying you as the invoice recipient on invoices and in our invoicing systems.

Legal basis

The personal data listed above will be processed by WPA based on our legitimate interest in establishing and maintaining communication, developing the business relationship and appropriately entering into and fulfilling any agreement between us and your employer.

Processing activities

Processing activities performed in respect of your personal data include storage in our business systems and other online storage areas, communication with you and invoicing.

2.4 Other employees of customers and persons related to customers

When WPA performs its services for its customers, WPA usually acts in the role of processor. In our role as processor, we may, within the framework of our services, process personal data about a customer’s employees as well as personal data about persons related to a customer’s business. This processing is performed on behalf of our customers in accordance with the applicable personal data processing agreement and the instructions in force at any given time. If you have any questions regarding such processing, we refer you to our customer, who is the controller for the processing activities.

If we process your personal data in the role of processor and you do not know who the controller is, you can contact us using the contact details in section 12, and we will refer your questions to the controller for your personal data.

2.5 Personal data in the whistleblower system

WPA provides a whistleblower service that can be used by our customers. As a starting point, the customer is the controller and WPA the processor, in accordance with section 2.4 above, for the personal data that you submit in the whistleblower service. If, however, you decide that the personal data you provide about yourself in the whistleblower service should remain anonymous in relation to the customer, WPA is the controller of this data and we will not disclose it to the customer. It may, however, be disclosed to our subcontractors in accordance with section 6 below.

If at any time you choose to no longer remain anonymous to the customer, the customer will be provided with your personal data and will be the controller of that data. If this is the case, we process your data in the role of processor in accordance with section 2.4 above.

Personal data that is processed

The information collected and processed about you in the whistleblower system includes information that you yourself provide to WPA, in particular your name, phone number and email address.

Purpose

The purpose of the processing activity is to contact you if necessary to obtain more information in order to investigate whether the information you provide in the whistleblower service relates to people in key positions or management positions within the customer’s company or group, and whether the persons in question have been involved in serious irregularities concerning accounting, internal accounting control, auditing, combating bribery, crime in the banking and finance sector, or other serious irregularities concerning the organisation’s vital interests or the life and health of individuals.

An additional purpose is to be able to get back to you with additional questions if necessary to investigate the irregularities you have reported and to inform you of updates in the case.

Legal basis

The personal data you provide about yourself in the whistleblower service will be processed on the basis of your consent. You have the right to withdraw your consent at any time.

If you do not give your consent, you still have the opportunity to submit a report via the whistleblower system by choosing to remain completely anonymous and thus not to provide any personal data about yourself.

If you withdraw your consent, your report will continue to be processed within the whistleblower system, but without your personal data, unless WPA has a legal basis other than your consent for processing the data. In the latter situation, you will be informed of this when you withdraw your consent.

2.6 Personal data in expression of interest forms, emails and enquiries

Personal data that is processed

The information collected and processed when you complete and submit information via WPA’s expression of interest forms on our website or contact us by email is: first and last name, email address and any other information that you yourself choose to provide. We may also save the contact details you provide during phone calls in order to be able to get back to you regarding your questions.

Purpose

The purpose of the processing activity is to be able to manage any question you submit and follow up on communication with you until the case is closed.

Legal basis

The personal data described above will be processed by WPA on the basis of our legitimate interest in establishing and maintaining communication and developing potential business relationships.

2.7 Marketing

Personal data that is processed

The information collected and processed about you includes information that you yourself provide to WPA and information that we receive from our customers. Such information includes name, address, email address, phone number, allergies and dietary preferences where appropriate, images, statements and results from market surveys and customer surveys etc.

Purpose

The purposes of processing the personal data described above include sending out newsletters and invitations to seminars, events, etc. via email or text message, publishing images from seminars, events, etc. on our website and our social media, and conducting market surveys and customer surveys, etc.

Legal basis

The personal data described above will be processed by WPA on the basis of either our legitimate interest in carrying out marketing measures so that you can receive relevant news, keep yourself updated about what is happening in or around the business, etc., or on the condition that you have given WPA your consent to the processing activity via our website or in some other way. Information about any allergies always requires your consent. You have the right to withdraw your consent at any time, and each mailing from us for marketing purposes includes an option to opt out.

Processing activities

Processing activities in respect of your personal data include storage in our business systems and other online storage areas, mailings, emails and text messages, publication on our website and social media, compilations of market surveys and customer surveys, etc.

3. COOKIES

We use so-called cookies on our website. A cookie is a text file that is sent from our web server and stored on your browser or device. You can change the settings for the use and scope of cookies in your browser. For example, you can adjust it to block all cookies or to delete all cookies each time you close your browser.

Personal data that is processed

When you use our website, we collect and process, among other things, technical data concerning devices used when visiting our website (e.g. IP address) and statistics on how you have interacted with us, i.e. how you have used our website.

Purpose

The purposes of processing the personal data described above include evaluating the use of and improving your website visit, our services and our website, and saving functional settings.

Legal basis

The personal data described above will be processed by WPA on the basis of our legitimate interest in being able to evaluate the use of and improve our services and website.

Read more about how we use cookies in our cookies policy.

4. PROCESSING OF PERSONAL ID NUMBERS

To the extent that we process personal ID numbers without your consent, this will only take place when it is clearly justified with regard to the purpose, the importance of secure identification or any other significant reason.

5. ADDITIONAL PROCESSING AND OBTAINING CONSENT

5.1 In the event that WPA needs to process personal data for any purpose other than described above, WPA will inform you of this by updating this Personal Data Policy in accordance with section 11 below.

5.2 If, for example, WPA were to process the Personal Data for any purpose that, in accordance with applicable legislation, requires your consent, WPA will also obtain your consent before such processing begins. Consent to such processing is entirely voluntary and you have the opportunity at any time to withdraw consent that has been given. More information about consent and your rights in connection with this is provided in the relevant consent document.

6. WHO CAN RECEIVE YOUR PERSONAL DATA?

6.1 WPA shares personal data with third parties, including:

(i) with our service providers, mainly in terms of IT operating services such as support, maintenance and development, as well as data storage,

(ii) with companies that offer storage services, email services, accounting services, marketing services, etc.,

(iii) with auditors, lawyers and other external professional advisors to WPA who are subject to binding confidentiality provisions or a legal duty of confidentiality,

(iv) with IT security providers where this is necessary by law in order to protect you or our customers and partners or to protect our services,

(v) to comply with, for example, a court order/government agency decision or other legal obligations, and

(vi) to protect rights, property or to protect the security of WPA and companies within its group or others.

Personal data that WPA processes in the role of controller within the framework of a whistleblower system in accordance with section 2.5 above may be shared with subcontractors who act in the role of case workers within the framework of the whistleblower system. Subcontractors are subject to confidentiality and a binding personal data processing agreement.

6.2 Several of the third parties with whom we share personal data as described above act in the role of processors in relation to us. These parties may only process the data transferred on our behalf and in accordance with our explicit instructions. We only transfer your personal data to such processors for purposes that are compatible with the purposes for which we have collected data, and we guarantee through written agreements with the processors that they undertake to comply with our security requirements and restrictions, as well as requirements concerning the international transfer of personal data.

6.3 In certain situations, however, government agencies and some of the companies to which we transfer personal data as described above may be independent controllers for the personal data transferred. When your personal data is transferred to a party that is an independent controller, we have no control over how the data is then processed, but the responsibility for this rests with the government agency or the company to which the transfer has taken place, which means, among other things, that the government agency or the company is obliged to inform you about its processing of your personal data and to guarantee that the processing activity is lawful.

6.4 WPA will at all times strive to limit access to personal data disclosed as described above and only to share information for which there is a legal basis to share and that is necessary for the recipients to be able to do their work or provide their services. WPA will also require the recipients to demonstrate that they (i) will protect your Personal Data in accordance with this Privacy Policy and applicable legislation, and (ii) will not use or disclose your personal data for any purpose other than that for which it was disclosed.

7. FOR HOW LONG DO WE SAVE YOUR DATA?

Your personal data will be processed and stored by WPA for the period necessary to fulfil the purposes of the processing activity as specified above. After that, the Personal Data will be deleted. In determining the period during which your personal data will be stored, WPA pays particular attention to the retention period requirements laid down in law, limitation periods, government agency recommendations and industry practice. Additional information about how long WPA intends to process specific Personal Data is set out in the WPA archiving policy.

8. IS YOUR PERSONAL DATA PROCESSED OUTSIDE THE EU/EEA?

WPA may share your personal data with processors that, either themselves or through subcontractors, are established or store information in a country outside the EU or the EEA. In such cases, we will take all reasonable legal, organisational and technical measures necessary to make sure that the level of protection for such processing activity corresponds to that within the EU/EEA. WPA will not transfer your personal data to an external party outside the EU or EEA without having concluded an agreement before the transfer takes place and having ensured that the country is approved by the European Commission or that the external party is certified under the principles of the Privacy Shield. If you want to find out more about what applies when transferring personal data to a country outside the EU or EEA, you can read more here.

9. WHAT ARE YOUR RIGHTS?

It is our duty only to process personal data that is correct, relevant and necessary with regard to our purposes, and you have the right to check that this is what happens. WPA is responsible for ensuring that your personal data is processed in accordance with applicable legislation.

At your request or on its own initiative, WPA will correct, anonymise, erase or supplement data that is discovered to be incorrect, incomplete or misleading.

As an individual, you have a number of rights under applicable legislation. You have the right to:

· Have access to your personal data.

We will, at your request, as quickly as possible and no later than 30 days after we received your message requesting access to the data, provide you with information about the personal data we process about you.

The information will then be provided in the form of a register extract stating which personal data we are processing, for which purposes, from where the data is obtained, to which third parties the data has been transferred and for how long the data will be stored. If your request is made in electronic form, the information will be provided in an electronic format that is commonly used, unless you request otherwise.

· Demand rectification of your personal data.

We will, at your request, as quickly as possible and no later than 30 days after we received your message concerning rectification, rectify the incorrect or incomplete data that we are processing about you.

· Demand erasure of your personal data.

We will, at your request, as quickly as possible and no later than 30 days after we received your message concerning erasure, erase your personal data if it is no longer necessary for the purpose for which it was collected.

There may be reasons why we are not able or permitted to erase your personal data immediately. In this case, we will then terminate the processing that is being performed for other purposes and inform you of the legal basis of and relevant purposes for continued processing.

· Demand restriction of processing.

You have the right to have your personal data marked so that it can only be processed for certain, limited purposes. Among other things, you can request restriction if you believe that your data is incorrect and you have requested rectification as described above. While the correctness of the data is being investigated, the processing of the data will be restricted.

WPA will notify you if the investigation has concluded that the processing should be limited. We will make sure that the necessary corrections or erasure of data, as well as the restriction of the processing of data, will also be carried out by the parties to which WPA has disclosed your personal data (see section 6 above).

· Demand data portability.

Under certain conditions, you have the right to obtain and transfer your personal data in a structured, commonly used and machine-readable format to another controller designated by you.

· Object to processing of personal data that is being performed with the support of a balance of interests.

You may object to the processing being performed if it is based on a balance of interests. If you object to such processing, we will only continue the processing if there are legitimate reasons for the processing activity that outweigh your interests in not being processed. If this is the case, we will inform you of the reasons.

· Complain about our processing of your personal data and compliance with legislation to the Swedish Authority for Privacy Protection.

You have the right to complain about the processing we are performing of your personal data to the Swedish Authority for Privacy Protection if you feel that we are violating the Personal Data Policy, are not complying with your rights or are in any other way acting in contravention of applicable legislation.

If you wish to exercise any of your rights as described above, you are welcome to contact us. Our contact details may be found in section 12.

10. WHAT DO WE DO TO PROTECT YOUR PERSONAL DATA?

You must always feel secure when you provide us with your personal data. WPA has therefore implemented the security measures needed to protect your personal data against unauthorised access, modification and erasure. Measures taken include:

· restricted access rights to the systems in which the personal data is processed. Access is only granted to employees and service providers who need it for their work, and authorisation is limited to the specific task. These parties are also informed of the importance of maintaining the security of the personal data,

· encryption with recognised and secure encryption methods,

· consolidation from older systems to newer systems with higher security requirements,

· use of antivirus and firewalls,

· introduction of clear policies and guidelines adapted for the purpose, which are continuously updated,

· security audit of suppliers of systems and services, and

· continuous monitoring of our systems to detect vulnerabilities and to protect your personal data.

Although we take precautions for data protection, no security measures are completely secure, and therefore we cannot provide a one hundred per cent guarantee for the security of your personal data. If we were to lose control of your personal data that is of a privacy-sensitive nature, such as personal ID number, we will notify you immediately and no later than 72 hours after we discovered the incident, and we will do all we can to minimise the consequences of this.

11. CAN WE CHANGE THIS PERSONAL DATA POLICY?

We may sometimes make changes to the Personal Data Policy. If we make significant changes to the Personal Data Policy, we will send you a clear message based on what is appropriate in the circumstances, e.g. by sending you an email or text message, or through a pop-up with information before you can access the WPA website. We would therefore ask you to please make sure that you read all such messages carefully.

If you do not want us to continue to process your personal data in accordance with the new version of the Personal Data Policy, you can notify us and we will erase your personal data within 30 days of your message. Please note, however, that we will not be able to delete your data if there are legal grounds for continued processing. If this is the case, we will notify you of the grounds for continued processing.

12. HOW CAN YOU CONTACT US?

Thank you for reading our Privacy Policy. If you have any questions, please feel free to contact us!

White Paper Advisors Sweden AB

Postal address: Box 479, SE-201 24 Malmö, Sweden

Email: dpo@whitepaperadvisors.se