1. Background
1.1 This privacy policy (”Policy”) describes how IT-lawyers in Sweden, Company Reg. No. 969758-7179 (“IT-lawyers in Sweden”, “we” or “us”), as a controller, processes your personal data within our firm.
1.2 We process your personal data in accordance with this Policy and applicable law, such as the GDPR (EU/2016/679). In this Policy you will also find information on your rights and how to contact us.
1.3 Depending on what type of our services you are involved in, the purposes and means of the processing of your personal data vary. We process personal data for the purposes outlined under section 2 below.
This privacy policy was updated on 13 September 2019.
2. PERSONAL DATA WE PROCESS AND FOR WHAT PURPOSES
2.1. The performance of our services
Purpose of the processing
In order to take on or complete a work we need to process personal data. The scope of the work will determine what data will be processed and how. Regardless of the scope of the work, we always need a contact person for each customer in order to accept or complete the work, perform conflict of interest checks and to invoice work performed. Therefore, if you are a contact person of our customer, we will process your contact details (name, e-mail address and phone number) in order to perform our work. We will normally collect these data directly from you, but in some cases, we may receive them from someone else at your company.
Depending on the scope of the work we may also process personal data concerning persons who in are connected to the work, such as counterparties, counsel of a counterparty, employees or consultants at our customer or counterparty, public authority personnel or other persons who are relevant for the work, in order to complete the work on behalf of our customer.
The personal data that we process
The personal data that we process in order to perform our works are:
- Representative/contact person at a customer
Name, title, employer and contact details (such as office address, e-mail address and phone number). If necessary in order to perform the work: personal identification number or other identification number or a copy of an identity card or equivalent (for example when giving us a documented authority).
- Counterparty representative/contact person
Name, title, employer and contact details (such as office address, e-mail address and phone number). If necessary in order to perform the work: other personal data such as information included in judgments, contracts or other documents that we have received or collected in connection with our work.
- Lawyer or other representative of counterparty
Name, title, employer and contact details (such as office address, e-mail address and phone number).
- Other connection to the work
Depending on the scope of the work we may need to process information about contact persons at customer, counterparties, authorities, companies or other organisations in order to contact these organisations to perform the work on behalf of the customer. In most cases we only process name, title, employer and contact details (such as office address, e-mail address and phone number).The personal data is normally collected from the person itself, but can also be collected from another person involved in the work, such as the customer, the counterparty or its lawyer. In rare cases, we complement the personal data by collecting information from public registers, public authorities (such as the company register from the Swedish Companies Registration Office), credit rating institutions, banks or other sort of reporting bureaus.
Lawfulness
We process personal data to the extent that it is necessary for the purpose of performing contracts for legal services in relation to our customers (including invoicing), which is in our and our customer’s legitimate interest. In regards to the aforementioned personal data, we believe that the data subjects’ interests or fundamental rights and freedoms do not override our and our customer’s legitimate interest. We continuously evaluate if the data we receive or are requested to collect constitute a violation of the data subjects’ interests or fundamental rights and freedoms.
Data retention
We are obliged by the Swedish Bar Association and its Code of Conduct to retain personal data that forms part of work for ten years starting from the day of completing the work or such longer period as is necessary due to the nature of the work.
We have a legal obligation to retain personal data relating to financial reporting for seven years according to the Swedish Accounting Act.
2.2. Legal obligations etc.
We will also process your personal data to the extent it is required for us to comply with legal obligations or to defend ourselves against a legal claim.
As a law firm we are further obliged to follow the Code of Conduct of the Swedish Bar Association, and will process your personal data accordingly.
2.3. Marketing
Purpose of the processing
We process your personal data in our communication with you in order to market and sell our services as well as for customer care purposes. The communication includes newsletters, invitations to customer activities or other information that we believe may be of interest to you in your job role.
The personal data that we process
We process your name, title, e-mail address and phone number that we collected in connection to you becoming our customer or being in contact with us.
Lawfulness
The processing of personal data for marketing purposes is based on our legitimate interest. In each case, we assess if our legitimate interest to market our services is overridden by the interests or fundamental rights and freedoms of the data subject.
Data retention
We process your personal data for marketing purposes only for as long as you or your employer are in a business relationship with us. If you are not a customer, but for some other reason have been in contact with us, we will only process your personal data for marketing purposes as long as our business relationship exists.
2.4. Evaluation of completed work
Purpose of the processing
We are interested in understanding what our customers’ experience is of the services we provide and of us. Therefore, we may ask you as a representative for our customer to evaluate our performance after completing an assignment. Participation is voluntary.
The personal data that we process
We process information regarding name, title, e-mail address and phone number that we have collected in connection with the work. If you choose to participate in an evaluation we also process your evaluation answers.
Lawfulness
The processing is necessary for the purpose of sending a request for evaluation participation in order for us to improve our services, which is our legitimate interest. In each case we assess if our legitimate interest to send a request for evaluation participation is overridden by the interests or fundamental rights and freedoms of the data subject.
Data retention
We anonymise all answers on evaluations within a month of receiving them.
2.5. Recruitment
Purpose of the processing
If you send a job application (spontaneous or for a specific position) through our website or other communication channel (e.g. e-mail), we will process your personal data in order to evaluate your application and, if applicable, during the subsequent recruitment process. This includes, if applicable, reference within the recruitment process.
Please note that we will share your personal data with our suppliers for recruitment services and personality tests.
We kindly ask that you do not send us any sensitive personal data (e.g. information regarding health or ethnicity). If you are offered and accept an employment with us, some of the personal data you have provided during the recruitment process will form part of your contract of employment.
The personal data that we process
- Identity details (e.g. name).
- Contact details (e.g. e-mail address, phone number, address).
- Recruitment details (e.g. CV, cover letter).
- Information regarding the position and employment for which you applied.
- Gender, citizenship and nationality.
- Grades, certificates, work experience, education, references and background checks or other information that you provide as part of your job application.
Lawfulness
The processing is based on your consent to take part in a recruitment process.
Data retention
Your job application will be retained during the entire recruitment process. If you are not offered an employment with us, we will retain the personal data about you that we have collected, for up to 24 months after the recruitment process is finished in order to defend ourselves against legal claims from you (e.g. regarding discrimination). Spontaneous job applications are retained for up to 12 months from receiving your application, unless a recruitment process is initiated.
3. RECIPIENTS OF PERSONAL DATA
3.1 Our suppliers of IT services and financial reporting process personal data on our behalf in order to supply their services. The suppliers process personal data in accordance with our instructions only and as necessary in order to provide the services, for example to investigate any errors.
3.2 In addition to the aforementioned regarding our suppliers, we only provide personal data to a third party if it is (i) specifically agreed with you, (ii) necessary in an assignment to safeguard our customer’s rights, or (iii) necessary in order for us to comply with a legal obligation or decision by a by a public authority or court.
3.3 We only process personal data within the EU/EEA.
4. DATA RETENTION
4.1 Your personal data is retained for as long as it is necessary in order to fulfil the purposes of the processing. Thereafter we will erase your personal data or anonymise it so that it is no longer possible to use them to identify you. Under section 2 above the retention period is detailed for each processing purpose.
4.2 Note especially that the personal data processed in connection with an engagement is, in accordance to the Swedish Bar Association’s Code of Conduct, retained for a period of ten years from the day of completing the work or such longer time as is necessary due to the nature of the work.
5. YOUR RIGHTS
5.1 You may exercise your rights in connection with our processing of your personal data at any time.
- Access to your personal data
Unless otherwise required by law or the Code of Conduct of the Swedish Bar Association, you have the right to obtain confirmation from us as to whether or not we process your personal data as well as the right to access the personal data processed together with information about the processing and your rights (a data subject access request).
- Right to rectification
You have the right to, at your request and without undue delay, obtain rectification or completion of your personal data that is inaccurate or incomplete.
- Withdrawal of consent with future effect
To the extent we are processing your personal data on the basis of your consent, you have the right to withdraw your consent to future processing at any time.
- Erasure
You have the right to request the erasure of your personal data, for example if the personal data is no longer necessary for the purposes for which they were collected or otherwise processed or if the personal data have been processed unlawfully. However, this does not apply to the extent the processing is necessary for example to comply with a legal obligation or for the establishment, exercise or defence of a legal claim.
- Restriction of processing
You have the right to request restriction of processing your personal data. However you should note that this might result in us not being able to provide our services to you.
- Right to object to processing
You have the right to object to processing that is based on our legitimate interests as well as processing of your personal data for direct marketing purposes.
- Right to complain
If you are dissatisfied with our processing of your personal data or think that we process your personal data unlawfully we welcome you to contact us with your complaint so that we can help you with your request or complaint. If you do not want to turn to us or if you, despite turning to us, are not satisfied, you may file a complaint to a supervisory authority. The supervisory authority in Sweden is the Swedish Data Protection Authority (Swe: Datainspektionen) (www.datainspektionen.se).
- Exercise your rights
To exercise your rights, please send an email to: info@itlawyers.se
6. Cookies
6.1 We do not use cookies on our website.
7. Secuirty
7.1 We have implemented appropriate technical and organisational measures to ensure that your personal data is protected from unauthorised access, loss or corruption. We continuously adjust our security measures to the technical development in order to maintain a high security level.
7.2 As a law firm we are obliged to comply with the Code of Conduct of the Swedish Bar Association. This guidance aims among other to preserve the loyalty, trust and confidentiality between our customers and us. Personal data, other information and material are therefore always treated as strictly confidential.
8. Contact
You are welcome to contact us if you have any questions or thoughts regarding this Policy, our processing of your personal data or if you would like to get in contact with us for other reasons.
IT-lawyers in Sweden
Finnboda Kajväg 10, 9tr
SE 131 72 Nacka
Sweden
Email: info@itlawyers.se