
SKEDVI BRÖD

PRIVACY POLICY

THIS PRIVACY POLICY EXPLAINS how we collect and use your personal information. It also describes your rights and how you can exercise them.

It is important that you read and understand the Privacy Policy and feel safe with how we process your personal data. You are always welcome to contact us in case you have any questions.

WHO, WHAT AND WHICH?

What are personal data? And what does processing of personal data involve?
Personal data means all types of information which can be attributed directly or indirectly to a living natural person. For example, images or photographs that are processed on computers might be personal data even if no names are given. Encrypted information and different types of electronic identities (e.g. IP addresses) constitute personal data if they can be connected to natural persons.

Processing is anything that happens to personal data. Every action taken with personal data constitutes processing, regardless of whether it is carried out as an automated process or not. Examples of common forms of processing are collection, registration, organisation, structuring, handling, transmission and erasure.

IP-ADDRESS

An IP address is a unique sequence of numbers which identifies computers on a network such that an IP address can be easily used to locate a device or origin of an internet message.
Source: ip.nu

Who is responsible for the personal data we collect?

SKEDVI BRÖD, org.no. 556954-0569, address Landsvägen 38, 783 92 Stora Skedvi, is the controller responsible for the company’s processing of personal data.

What personal data do we collect about you as a customer, and why?

Below, we describe the different purposes we collect personal data for, the processing we carry out and what categories of data are collected, as well as the legal basis for such and the retention period we have.

Why:
To be able to handle your benefits and loyalty offerings.
Processing:
Creating your personal offers, personalised news, product recommendations, inspiration and event invites. Analysing the data we collect for this purpose.
For example, we look at your age, gender, place of residence, stated preferences (regarding products and communication channels) and results of customer satisfaction or market surveys. Based on the data we collect (e.g. age, gender and stated preferences), we conduct an analysis at an individual level which may result in you being assigned to a customer group (so-called customer segment). Insights from this analysis
Personal data:
Name.
Age. Gender.
Contact details (e.g. address, e-mail and telephone number).
Place of residence.
Stated customer preference regarding products and services.

Who might we share your personal data with?

Processor:
In the event that such is necessary for us to be able to offer our services, we share your personal data with companies that act as so-called data processors for us. A processor is a company which processes information on our behalf and according to our instructions. We have processors who help us with:

  • Payment solutions (credit card processing companies, banks and other payment
    service providers).
  • Marketing (printing and distribution, social media, media agencies or advertising agencies).
  • IT services (companies which take care of the necessary operation, technical
    support and maintenance of our IT solutions).

When your personal data are shared with processors, this is done solely for purposes that are compatible with the purposes for which we collected information (i.e. to be able to fulfil our obligations according to the purchase agreement or the loyalty programme’s terms and conditions of membership). We verify all processors in order to ensure that they can provide sufficient guarantees regarding security and confidentiality of personal data. We have written agreements in place with all processors, in which they guarantee the security of the personal data being processed and undertake to comply with our security requirements and restrictions and requirements regarding international transmissions of personal data.

Where do we process your personal data?

We strive to always process your personal data within the EU/EEA and for all of our own IT systems to be located within the EU/EEA. However, in case of system support and maintenance, we may be forced to send information to a country outside of the EU/EEA, e.g. if we share your personal data with a processor who, either themselves or via a sub-contractor, is established or stores information in a country outside of the EU/EEA. In such a case, the processor may only have access to the information that is relevant for the purpose (e.g. log files).

Regardless of which country your personal data are processed in, we take all reasonable legal, technical and organisational measures to ensure that the level of security is the same as within the EU/EEA. In the event that personal data are processed outside of the EU/EEA, the level of protection is guaranteed either by an adequacy decision from the EU Commission regarding whether the country in question provides an adequate level of protection, or by applying so-called appropriate protective measures.

What rights do you have as a data subject?

Right of access to so-called register extracts

We are always open and transparent about how we process your personal data and in the event that you would like a deeper insight into what personal data we process about you specifically, you can request access to these data (information is provided in the form of a register extract indicating purpose, categories of personal data, categories of recipient, retention periods, information on where the information has been collected from and the use of automated decision-making).
Remember that in the event that we receive a request for access, we may ask for further information in order to ensure effective handling of your request and to ensure that information is being provided to the right person.

Right to rectification
You can request that your personal data be rectified if the data are incorrect. Within the scope of the purpose indicated, you also have the right to supplement any incomplete personal data.

Right to restriction of processing
You have the right to request that our processing of your personal data be restricted. If you are contesting the correctness of the personal data we are processing, you may request restriction of processing for such time as we require to verify to what extent the personal data are correct or incorrect. If we no longer require the personal data for specific purposes but you, on the other hand, do require your data to be able to establish, exercise or defend legal claims, you may request that we restrict our data processing. This means that you may request that we do not erase your data. If you have objected to a balancing of the legitimate interest we have established as our legal basis for a purpose, you may request restriction of processing for such time as we require to verify to what extent our legitimate interests outweigh your interests in having your data erased.

If processing has been restricted according to any of the situations above, we may only process data, besides storage of the data themselves, in order to establish, exercise or defend legal claims, to protect the rights of others, or in the event that you have provided your consent.

Right to erasure
You can request erasure of the personal data we process about you if:
— The data are no longer required for the purposes for which they were collected or processed.
— You object to a balancing of interests we have undertaken based on a legitimate interest and your grounds for objection outweigh our legitimate interest.
— You object to processing for direct marketing purposes.
— The personal data are being processed in an unlawful manner.
— The personal data must be erased in order to fulfil a legal obligation which we are subject to.
— Personal data have been collected about a child (under 13 years of age) who you are the legal guardian of and these data were collected in connection with offering information society services (e.g. social media).

Remember that we may be entitled to deny your request in the event that legal obligations prohibit us from immediately erasing certain personal data. These obligations arise from accounting and tax legislation, banking and money-laundering legislation, and also consumer rights legislation.

It may also happen that the processing is necessary in order that we can establish, exercise or defend legal claims. If we are prevented from granting your request for erasure, we will instead block your personal data from being used for purposes other than the purpose that is preventing the requested erasure.

Right to data portability
If our right to process your personal information is based either on your consent or on the performance of a contract with you, you have the right to request to have the data that relate to you and that you have provided to us transferred to another controller (so-called data portability). Data portability requires that this transfer is technically feasible, and it may be automated.

Right to object to certain types of processing
You always have the right to opt out of direct marketing and to object to all processing of personal data that is based on a balancing of interests.
Legitimate interest. In the event that we use a balancing of interests as legal grounds for a purpose, you have the option of objecting to the processing. To be able to continue to process your personal data after such an objection, we must be able to demonstrate compelling legitimate grounds for the processing in question that outweigh your interests, rights or freedoms. Failing this, we may only process the data in order to establish, exercise or defend legal claims.
Direct marketing (including analyses performed for the purposes of direct marketing). You have the option of objecting to your personal data being processed for direct marketing. Your objection also covers analyses of personal data (so-called profiling) that are performed for direct marketing purposes. Direct marketing means all types of marketing outreach activities (e.g. by post, e-mail and text message).

Marketing activities where you as a customer have actively chosen to use one of our services or otherwise sought us out in order to learn more about our services do not constitute direct marketing (e.g. product recommendations or other functions and offers on My Page).

If you object to direct marketing, we will stop processing your personal data for this purpose, and will equally cease all types of direct marketing activities. Remember that you always have the option of determining which channels we use for mailers and personal offers.

How are your personal data protected?

We use IT systems to protect the confidentiality and integrity of and access to personal data. We have taken special security measures to protect your personal data against unlawful or unauthorised processing (such as unlawful access, loss, destruction or damage).
Only those persons who actually need to process your personal data in order that we can fulfil our specified purposes have access to your data.

What does it mean that the Swedish Authority for Privacy Protection (Datainspektionen) is the supervisory authority?

The Swedish Authority for Privacy Protection is responsible for monitoring application of the law and ensures that a person who believes a company is handling personal data in an incorrect manner can lodge a claim with the Authority for Privacy Protection.

What is the easiest way to contact us if you have questions about data protection?

Because we take data protection very seriously, we have prioritised it as an issue. If you have questions regarding data protection, you can always contact us at info@skedvibrod.se. We may amend our Privacy Policy. The latest version of our Privacy Policy can always be found here on our website.

Privacy policy last updated 2022-05-05
