This policy
1. Information on the processing of your personal data
This Policy is issued by each of the controller entities listed in Section 12 below (together, “Advania”, “we”, “us” and “our”) and is addressed to individuals outside our organisation with whom we interact, including customers, visitors to our websites, other users of our services, personnel of corporate customers and vendors, applicants for employment, and visitors to our premises (together, “you”). Defined terms used in this Policy are explained in Section 14 below.
This Policy may be amended or updated from time to time to reflect changes in our practices with respect to the processing of personal data, or changes in applicable law. We encourage you to read this Policy carefully, and to regularly check this page to review any changes we might make in accordance with the terms of this Policy.
2. Information about processing personal data
Advania protects your privacy, and we want you to feel safe when submitting your personal data to us. It is important to us to be open about how we manage your personal data and give you information in a way that makes you understand how we will process them.
In this Policy, which applies to all of Advania's customers, suppliers and partners in Sweden, we want to inform you about how we handle your personal data as it relates to visits to our websites, registering an account in our e-shop or mailing list, when your employers buy our products or services, or in other contacts made with us.
Advania works continuously with privacy matters, and therefore we may update this Policy. You will find the latest version on this page. This Policy was last updated on May 2022.
3. Collection of personal data
We collect personal information:
- when those data are provided to us (e.g., where you contact us);
- in the course of our relationship with you (e.g., we provide a service to you or the organization you work for); • when you make personal data public (e.g., if you make a public post about us on social media);
- when you visit our websites; and
- when you register to use any of our websites or services.
We may also receive personal data about you from the customer, vendor or partner by whom you are employed. In some cases, we may also collect personal data from public registers (e.g., from the Swedish Companies Registration Office if you are a board member, managing director or authorized signatory). We also create personal data about you in certain circumstances, such as records of your interactions with us, and details of your past interactions with us.
4. Purposes of processing personal data
Advania uses your personal data for the purposes and on the legal bases provided below:
| Purpose | Personal data | Reason for processing |
| Management of the relationship with contact persons at customers, vendors or partners, i.e., communication before and during contractual relationship. |
|
|
| Management of customer service inquiries, e.g., reception, investigation and responding to requests. |
|
Advania's legitimate interest in being able to manage customer service inquiries, to the extent that such legitimate interest is not overridden by the interests, fundamental rights or freedoms of customers (Article 6.1f of the GDPR). |
| Sending of newsletters, including marketing. |
|
Advania’s legitimate interest in being able to inform about and market its operation, to the extent that such legitimate interest is not overridden by your interests, fundamental rights or freedoms (Article 6.1f of the GDPR). |
| Management of events organized by us or in cooperation with our partners. |
|
Advania's legitimate interest in managing events, to the extent that such legitimate interest is not overridden by the interests, fundamental rights or freedoms of the relevant data subjects (Article 6.1f of the GDPR), and/or If you submit health data (allergies), we will ask for your express consent (Article 9.2a of the GDPR). |
| Conducting surveys. |
|
Advania’s legitimate interest in conducting surveys, to the extent that such legitimate interest is not overridden by your interests, fundamental rights or freedoms (Article 6.1f of the GDPR). |
| Updating and improving services and products as well as the technical functionality of our computer systems and websites. |
|
Advania’s legitimate interest to improve services and products as well as the technical functionality of our computer systems and websites, to the extent that such legitimate interest is not overridden by your interests, fundamental rights or freedoms (Article 6.1f of the GDPR). |
| Maintaining records of the people who have communicated that they do not wish to receive marketing from Advania. |
|
The processing is necessary to fulfil our legal obligations (Article 6.1c of the GDPR). |
| Maintaining records of sales, finance, corporate audit, and vendor management. |
|
Advania’s legitimate interest to carry out the processing for the purpose of managing and operating the financial affairs of our business, to the extent that such legitimate interest is not overridden by your interests, fundamental rights or freedoms (Article 6.1f of the GDPR). |
| Complying with our legal and regulatory obligations under applicable law. | As relevant, adequate, and limited to what is necessary under the circumstances. | The processing is necessary to fulfil our legal obligations (Article 6.1c of the GDPR). |
| Ensuring physical safety of our premises |
|
Advania’s legitimate interest to ensure the physical and electronic security of our business and our premises, to the extent that such legitimate interest is not overridden by your interests, fundamental rights or freedoms (Article 6.1f of the GDPR). |
| Establishing, exercising and/or defending legal claims: managing legal claims; establishing facts and claims (including collection, review and production of documents, facts, evidence and witness statements), and exercising and defending legal rights and claims (including formal legal proceedings). |
|
Advania’s legitimate interest to establish, exercise and/or defend our legal rights, to the extent that such legitimate interest is not overridden by your interests, fundamental rights or freedoms (Article 6.1f of the GDPR). |
| Engaging in recruitment activities (advertising positions, interviewing, analysing suitability for the relevant position, and recording hiring decisions, offer details and acceptance details). |
|
|
5. Information about health and events
We care about your personal data and therefore want to inform you that based on your express consent, we may collect health information (allergies) to organize events according to your desires and needs when food or drinks are served (the legal basis of your consent is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way). We will ask for your express consent to the processing of this information alongside the invitation or registration to the specific event. Your personal data is stored for 1 month after the event has ended. Please contact us (our contact details are in Section 12below) to revoke your consent or to update the information that is registered about you. Read more about how we process your personal data in our privacy information below.
6. Data security
Advania ensures that your personal data is handled in accordance with appropriate technical and organisational security measures to protect against illicit or unauthorized access to said information as well as destruction, loss, alteration, unauthorized disclosure and other unlawful or unauthorized forms of processing, in accordance with applicable law. At Advania, we only handle necessary information, and only by those who need it in order to provide the best service to our customers, vendors and other people who come into contact with Advania.
Because the internet is an open system, the transmission of information via the internet is not completely secure. Although Advania will implement all reasonable measures to protect your personal data, we cannot guarantee the security of your data transmitted to us using the internet – any such transmission is at your own risk and you are responsible for ensuring that any personal data that you send to us are sent securely.
7. Disclosure of personal data
We may disclosure your personal data to the following categories of recipients:
| Recipient category | Purpose and legal basis | Personal data categories |
| Our third party service providers (processors acting on our behalf and under our instructions) for exemple in the areas of IT hosting. | To fulfil our contractual obligations to you (Article 6.1b of the GDPR) and for the administration of our business needs, to the extent that such legitimate interest is not overridden by their interests, fundamental rights or freedoms (Article 6.1f of the GDPR). | The personal data required according to the contractual obligation. |
| Accountants, auditors, consultants, lawyers and other outside professional advisors to Advania, subject to binding contractual obligations of confidentiality. | To fulfil our legal obligations (Article 6.1c of the GDPR) and to achieve our legitimate interest in maintaining business continuity, sourcing finance, managing a proposed sale or merger of our business, and such other purposes necessary for the running of our business, to the extent that such legitimate interest is not overridden by your interests, fundamental rights or freedoms (Article 6.1f of the GDPR). |
|
| Legal and regulatory authorities (e.g., The Swedish Tax Agency). | To fulfil our legal obligations (Article 6.1c of the GDPR). |
|
| Partners other than the one for whom you work. | Our legitimate interest in managing cooperation agreements (Article 6.1f of the GDPR). |
|
| Law enforcement agencies, courts, agents, parties and counterparties. | To fulfil our legal obligations (Article 6.1c of the GDPR). Our legitimate interest in establishing, asserting and defending legal claims (e.g., in the case of a dispute) to the extent that such legitimate interest is not overridden by your interests, fundamental rights or freedoms (Article 6.1f of the GDPR). |
|
| Licensors for products and services resold by Advania. | Advania's legitimate interest in managing agreements with licensors, e.g., for the licensor to know who the end customer is and their contact person for administration purposes to the extent that such legitimate interest is not overridden by your interests, fundamental rights or freedoms (Article 6.1f of the GDPR). |
|
Your personal data may also be disclosed to relevant third party providers, where our websites use third party advertising, plugins or content. We use such third party providers to maintain the functionality of our websites (to achieve our legitimate interest, to the extent that such legitimate interest is not overridden by your interests, fundamental rights or freedoms (Article 6.1f of the GDPR). If you choose to interact with any such advertising, plugins or content, your personal data may be shared with the relevant third party provider. We recommend that you review that third party’s privacy policy before interacting with its advertising, plugins or content.
8. Data retention
Summary
We take every reasonable step to ensure that your personal data are only retained for as long as they are needed in connection with a lawful purpose.
We take every reasonable step to ensure that your personal data are only processed for the minimum period necessary for the purposes set out in this Policy. The criteria for determining the duration for which we will retain your personal data are as follows:
(1) we will retain personal data in a form that permits identification only for as long as:
(a) we maintain an ongoing relationship with you (e.g., where you are a user of our services, or you are lawfully included in our mailing list and have not unsubscribed); or
(b) your personal data are necessary in connection with the lawful purposes set out in this notice, for which we have a valid legal basis (e.g., where your personal data are included in a contract between us and your employer, and we have a legitimate interest in processing those data for the purposes of operating our business and fulfilling our obligations under that contract; or where we have a legal obligation to retain your personal data), fulfilling our obligations under that contract; or where we have a legal obligation to retain your personal data),
plus:
(2) the duration of:
(a) any applicable limitation period under applicable law (i.e., any period during which any person could bring a legal claim against us in connection with your personal data, or to which your personal data are relevant); and
(b) an additional two (2) month period following the end of such applicable limitation period (so that, if a person brings a claim at the end of the limitation period, we are still afforded a reasonable amount of time in which to identify any personal data that are relevant to that claim),
and:
(3) in addition, if any relevant legal claims are brought, we continue to process personal data for such additional periods as are necessary in connection with that claim.
During the periods noted in paragraphs (2)(a) and (2)(b) above, we will restrict our processing of your personal data to storage of, and maintaining the security of, those data, except to the extent that those data need to be reviewed in connection with any legal claim, or any obligation under applicable law.
Once the periods in paragraphs (1), (2) and (3) above, each to the extent applicable, have concluded, we will either:
- permanently delete or destroy the relevant personal data; or
- anonymize the relevant personal data.
9. Cross-boarder data transfers
Because of the international nature of our business, we may transfer personal data within the Advania group, and to the third parties listed above. For this reason, we may transfer personal data to other countries that may have different laws and data protection compliance requirements to those that apply in the country in which you are located.
If an exemption or derogation applies (e.g., where a transfer is necessary to establish, exercise or defend a legal claim) we may rely on that exemption or derogation, as appropriate. Where no exemption or derogation applies, and we transfer your personal data from the EEA to recipients located outside the EEA who are not in jurisdictions that have been formally designated by the European Commission as providing an adequate level of protection of personal data, we do so on the basis of appropriate Standard Contractual Clauses. You may be entitled to request a list of the relevant countries to which your personal data may be transferred and a copy of our Standard Contractual Clauses by reaching out to us using the details provided in Section 12 below.
Please note that when you transfer any personal data directly to any Advania entity established outside the EEA, we are not responsible for that transfer of your personal data. We will nevertheless process your personal data, from the point at which we receive those data, in accordance with the provisions of this privacy information.
10. Your rights
Subject to applicable law, you may have the following rights regarding the processing of your personal data. To submit a request in accordance with the data subject's rights, you may contact us using the details provided in Section 12 below. If we receive a request from you, we may request additional information to ensure that we are providing the information to the right person.
The right not to provide personal data
You have the right not to provide your personal data to us. However, please note that we may be unable to provide you with the full benefit of our websites or services, if you do not provide us with the necessary personal data.
Right to access
Subject to applicable law, you may have the right to receive confirmation from Advania that your personal data is being processed by Advania and, if so, to access the personal data and the following information:
- the purpose of the processing;
- the categories of personal data being processed;
- the recipients of personal data (in particular if they are located outside the EU/EEA and if that is the case, the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer;
- the period during which the personal data is processed;
- information on the rights set out in this section (such as your right to the rectification or erasure of your personal data);
- information about the source from which the personal data has been collected; and
- whether your personal data has been subjected to any automated decision-making, including profiling.
Subject to applicable law, you may also have the right, upon request, to receive a copy of your personal data in a commonly used electronic format. Please note that Advania has the right to charge a fee if you request more than one (1) copy of your personal data.
Right to rectification
Subject to applicable law, you may have the right to rectification of incomplete or incorrect personal data processed by us. Depending on the purpose of the processing you also have a right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to deletion
Subject to applicable law, you may have the right to erasure of your personal data. The right to erasure may apply:
- if you have withdrawn a previously given consent under Article 6.1 a) of the GDPR and there is no legal basis for the continued processing of your personal data;
- if the personal data processed is no longer necessary for the purpose or the personal data is otherwise unlawfully processed;
- if you object to the processing under Article 21 of the GDPR where the processing is based on a legitimate interest (Article 6.1 f) of the GDPR) or public interest (Article 6.1 e) of the GDPR) and there are no compelling reasons to continue the processing or you object to processing for direct marketing purposes; and
- if the personal data have to be erased in compliance with a legal obligation.
Where we have made the personal data public and are obliged to erase the personal data according to the above, we shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
What is stated above regarding the right to erasure does not apply to the extent the processing is necessary for example:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation; or
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89.1 of the GDPR.
Right to restrict processing
Subject to applicable law, you may have the right to obtain restriction of processing where one of the following grounds applies:
- the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
- the processing is unlawful, you oppose the erasure of the personal data, and you request the restriction of their use instead;
- we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; and
- you have objected to processing pursuant to Article 21.1 of the GDPR pending the verification of overriding legitimate interests.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. If you have obtained restriction of processing, you shall be informed by us before the restriction of processing is lifted.
Right to withdraw consent
You have the right to withdraw your consent to the extent that Advania’s processing of your personal data is based on consent (noting that such withdrawal does not affect the lawfulness of any processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the processing of your personal data in reliance upon any other available legal bases).
Right to data portability
When the processing of your personal data takes place on the basis of your consent or because the processing is necessary to fulfil or enter into an agreement with you, and provided that the personal data has been collected directly from you, you have the right to receive a copy of your personal data in a common machine-readable format. To submit a request to exercise your rights, please contact us using the details provided in Section 12below.
Right to object to processing
Subject to applicable law, you may also have the following additional rights regarding the processing of your personal data:
- the right to object, on grounds relating to your particular situation, to the processing of your personal data by us or on our behalf, where such processing is based on Articles 6.1e (public interest) or 6.1f (legitimate interests) of the GDPR; and
- the right to object to the processing of your personal data by us or on our behalf for direct marketing purposes.
11. Compliants
You are welcome to contact us with questions or complaints regarding the processing of your personal data, using the details provided in Section 12below. However, you also always have the right to file a complaint regarding the processing of your personal data to the relevant Data Protection Authority. Details of the Data Protection Authorities for each EEA jurisdiction can be found here. Details of the UK Information Commissioner’s Office can be found here.
12. Details of controllers
For the purposes of this Policy, the relevant controllers are:
| Controller entity | Contact details |
| Advania Sverige AB | Reg. no. 556214-9996, Fredsborgsgatan 24, 117 43 Stockholm, 08-546 70 000 |
Advania has appointed a data protection officer whose task it is to help Advania to comply with current data protection legislation. You are always welcome to contact our data protection officer at the email address compliance@advania.se.
13. Representatives
Each of the controllers established outside the EEA and listed in Section 12above has appointed Advania Sverige AB, reg. no. 556214-9996, compliance@advania.se to be its representative for the purposes of Article 27 of the GDPR.
Each of the controllers established outside the UK and listed in Section 12 above has appointed Content+Cloud Limited, reg no. 03645998, privacy@contentandcloud.com to be its representative for the purposes of Article 27 of the UK GDPR.
14. Definitions
- “controller” means the entity that decides how and why Personal Data are Processed. In many jurisdictions, the controller has primary responsibility for complying with applicable data protection laws.
- “Data Protection Authority” means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws.
- “EEA” means the European Economic Area.
- “GDPR” means the General Data Protection Regulation (EU) 2016/679.
- “personal data” means information that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
- “process”, “processing” or “processed” means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “processor” means any person or entity that Processes Personal Data on behalf of the controller (other than employees of the controller).
- “Standard Contractual Clauses” means template transfer clauses adopted by the European Commission or adopted by a Data Protection Authority and approved by the European Commission.
- “UK GDPR” means the GDPR as it forms part of the laws applicable in the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018, and as applied and modified by Schedule 2 of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) or as modified from time to time by other laws applicable in the UK).