Privacy Policy

Dated 2020-05-25
Information on how we process your personal data

1. Introduction

This privacy policy (the “Privacy Policy”) describes how 21 Grams AB, company registration no. 556666-3729, with address at Lumaparksvägen 9, Stockholm (“we”, “our” and “us”), processes personal ´data about you who visit and use our website and about you who come into contact with us in connection with our business and services – usually because you are a contact person of a business customer or partner or a supplier to us.

We are responsible for the personal data processing described in the Privacy Policy in our capacity as data controller. If you would like to know more about our processing of your personal data, you are always welcome to contact us, e.g. at the address above or via our email address privacy@21grams.com.

We want you to feel confident about how we process your personal data and we therefore ask you to read the Privacy Policy, which we may
update from time to time. If we change our Privacy Policy, the new version will apply from the date of publication on our website. You can see when we last made updates at the top of the Privacy Policy.

2. How we collect your personal data

The data we process about you is mainly collected directly from you when you visit and use our website or when we come into contact with you – e.g. via e-mail, telephone or at personal meetings, conferences, trade fairs or similar occasions. We may also collect information about you from third parties, usually from the company you represent.

3. How we process your personal data

3.1 Introduction

We will only process your personal data if the processing is permitted by applicable data protection legislation. This means, among other things, that we must have support for the purposes of the processing in the form of a so-called legal basis, which in our case mainly means one of the following grounds:

Performance of a contract – the processing is necessary for us to provide you with our services or otherwise perform a contract between us (applies to you as a sole trader), or to take steps at your request prior to entering into a contract.

If you are acting on behalf of someone else, e.g. as a representative of a company (which is usually the case), our processing is based on a balancing of interests and our legitimate interests in being able to enter into or perform the contract with the person you represent.

Fulfilment of legal obligations – the processing is necessary for the performance of our legal obligations under, for example, a law or other regulation to which we are subject or a court or official order requiring us to process data about you.

Balancing of interests – processing is necessary for purposes relating to our legitimate interests or those of third parties, provided, however, that your interests or fundamental rights or freedoms are not outweighed (in which case processing may not take place).

Consent – the processing is carried out on the basis of your prior consent, where we have a responsibility, inter alia, to clearly inform you of the processing you consent to and the possibility to withdraw your consent to our further processing in an easy way

Below we detail the categories of personal data we process, the purposes for which we process them and the legal grounds on which our processing of your personal data is based, including how long the data about you is stored by us.

3.2 Maintaining and improving our website

Purpose of the processing
Collect statistics on and analyse the traffic to our website and other technical information generated by visits to our website, in order to maintain and improve its functionality, the user experience and our efforts to detect and prevent errors, intrusions and incidents.

This is done with the support of third-party analytics services. The statistics we compile and the analyses we carry out with the support of these services are done using data in aggregated form and with the support of de-identified or anonymised data.

Categories of personal data
The personal data we process relates to:

IP address
Other technical information generated during visits to our website, such as the type of technical device you used, browser, pages visited and time of visits (browser information, time zone from the location where you visited our website, other web traffic information).

Legal basis
Interest-based, where our legitimate interest is to collect data to maintain and improve the functionality, content and security of our website. The collection of information using cookies and similar technologies is done with your consent, except for such use that is strictly necessary for you to use our website in a purposeful manner. For more information on how we use cookies and other similar technologies, please see our cookie policy here Cookie policy .

Storage time
We process and store information about how visitors interact with our website for a maximum of six (6) months. In most cases, however, the collected personal data will be converted into aggregated data (anonymised) at an earlier stage in the course of our statistical processing.

3.3 Create, maintain and develop potential business relationships

Purpose of the processing
Contact and communication with you in order to create, maintain and develop a business relationship with you or the company you represent.

This includes, among other things, communicating via email about our business, our services and our ongoing activities (see section 3.6 below).

Categories of personal data
The personal data we process relates to:

First and last name
Contact details such as e-mail address, telephone number, place of residence and address
Professional title and details of the company you represent
Information you otherwise provide to us in connection with our communication with you.

Legal basis
Balance of interests, where our legitimate interest is to create and then maintain and develop a business relationship with you or the company you represent.

Storage time
We process and store your personal data for a period of six (6) months after the data was collected. However, if a business relationship is established between us and you or the company you represent during the said period, your personal data will continue to be processed in accordance with sections 3.4-3.7 below.

3.4 Maintain and develop existing business relationships

Purpose of the processing
Contact and communication with you as a contact person of any of our existing customers, partners, suppliers or business contacts in general, in order to maintain and develop our business relationship with you or the company you represent.

This includes, among other things, the usual administration of and communication about our customer, partner and supplier agreements and communication by e-mail about our business, our services and our ongoing activities (see sections 3.5 and 3.6 below).

Categories of personal data
The personal data we process relates to:

First and last name
Contact details such as e-mail address, telephone number, place of residence and address
Professional title and details of the company you represent
Any other information you provide to us in connection with our communication with you.

Legal basis
Balance of interests, where our legitimate interest is to maintain and develop our business relationship with you or the company you represent.

Storage time
We process and store your personal data for as long as we have a business relationship with you or the company you represent, but for no longer than two (2) years from the last time we were in contact with each other in connection with our business relationship.

However, we may need to retain data for longer periods for other purposes, for example if it becomes apparent that we need to take action to establish, enforce or defend legal claims. We will also need to retain data for a longer period of time in order to comply with legal obligations, for example in relation to record keeping under the Accounting Act (see further in section 3.7 below).

3.5 Administrera ingående och fullgörande av avtal

Purpose of the processing
Administration and communication to enter into or perform contracts between us and you or the company you represent.

This includes invoicing and the usual handling, follow-up and documentation of contract-related issues.

Categories of personal data
The personal data we process relates to:

First and last name
Contact details such as e-mail address, telephone number, place of residence and address
Professional title and details of the company you represent
The information you provide to us in contract-related matters, such as questions or comments about contracted services.

Legal basis
The processing is necessary for us to enter into and perform contracts with you or the company you represent. If you are acting on behalf of someone else, e.g. as a representative of a customer, partner or supplier to us, our processing is carried out on the basis of a balancing of interests, where our legitimate interest is to be able to conclude or perform the contract with the company you represent.

3.6 Nyhetsbrev och andra marknadsföringsutskick

Purpose of the processing
Manage and carry out e-mail campaigns, with the aim of providing information about our activities, services and ongoing activities.

Categories of personal data
The personal data we process relates to:

E-mail address
First and last name

Legal basis
We carry out marketing mailings to you based on a balance of interests. We will send you information if you have been in contact with us in your professional role or provided your details to registers to which we subscribe. We assume that in your business role you would like to receive information about our services and products. You always have the option to unsubscribe from our mailings.

Storage time
We process and store your personal data to carry out marketing mailings to you by e-mail as long as you have not unsubscribed from receiving further mailings. You can unsubscribe at any time by using the unsubscribe link included in our mailings.

3.7 Fulfilment of legal obligations and defence of legal claims

We may process your personal data in order to comply with our legal obligations under, for example, a law or other regulation to which we are subject or a court or government order requiring us to process data about you.

We may also process your personal data to enable you or the company you represent, ourselves or the relevant third party to establish, enforce or defend legal claims, for example in the event of imminent or ongoing litigation.

4. Security measures

We take security measures to ensure that our handling of your personal data is secure. For example, the systems on which personal data is stored are only accessible to our employees and service providers who need the data to carry out their duties. They are also informed of the importance of security and confidentiality in relation to the personal data we process. We take appropriate security measures and standards to protect your personal data against unauthorised access, disclosure and misuse. We also monitor our systems for vulnerabilities.

5. With whom do we share your personal data?

Access to your personal data is limited to persons who need such access for the purposes described in section 3 above. Your personal data may therefore be shared with the following recipients:

Companies within our group: we may share your personal data with companies within our group. If we share your personal data within our group, we will ensure that the data continues to be processed only in accordance with this Privacy Policy.
Our suppliers: we use third party suppliers to manage parts of our business. We may share personal data with these suppliers in order for them to perform services on our behalf, such as providing us with support and business systems or performing sub-contracted work for us in connection with our own services. When we use suppliers under this paragraph, we will establish data processing agreements and take other appropriate steps to ensure that your personal data is processed in a manner consistent with this Privacy Policy.
Mail Distribution Providers: We work with postal operators and other external parties for the physical and digital distribution of mail. These providers process personal data either as data controllers under their own terms and guidelines for processing personal data, or as data processors to us under our instructions for processing. In the latter case, we will establish data processor agreements and take other appropriate steps to ensure that your personal data is processed in a manner consistent with this Privacy Policy.
Sale or Transfer: We may transfer your personal data to a buyer/investor or potential buyer/investor in connection with the sale or other transfer of all or part of our shares, assets or business. In the event of such a transfer, we will take steps to ensure that the receiving party processes your information in a manner consistent with this Privacy Policy. The purpose of such a transfer is to allow a (potential) buyer/investor to conduct a review of our business and, where appropriate, to take steps and make preparations for a possible purchase or investment, where the transfer is made with reference to the legitimate interest of such an opportunity for review or possible steps and preparations.
Authorities: we may also share your personal data with, for example, the police, the Swedish Tax Agency or other authorities when we are obliged to do so by, for example, law or other regulation or by court or authority order.

6. Where we process your personal data

We aim to always process your personal data within the EU/EEA. However, as some of our suppliers work internationally, your personal data may be transferred to countries outside the EU/EEA in accordance with the agreements we have with the suppliers. In such cases, we have an obligation to ensure that the transfer is carried out in accordance with the applicable data protection legislation before the data is transferred, for example by ensuring that the country to which the data is transferred meets adequate protection requirements as decided by the European Commission, or by ensuring that the transfer is subject to appropriate safeguards such as standard contractual clauses decided by the European Commission which ensure that appropriate measures are taken to safeguard your rights and freedoms.

The following link provides you with information on the countries outside the EU/EEA that the European Commission has decided provide an adequate level of protection for the authorised transfer of personal data:

https://ec.europa.eu/info/law/law-topic/data-protection/international-dimensi-on-data-protection/adequacy-decisions_sv

Via the following link you will find the standard contractual clauses decided by the European Commission ensuring that appropriate safeguards are applied by the recipient of personal data after transfer from the EU/EEA:

https://ec.europa.eu/info/law/law-topic/data-protection/international-dimensi-on-data-protection/standard-contractual-clauses-scc_sv

7. Your rights

You have rights in relation to us and our processing of your personal data. Information about your rights and how to exercise them is set out below.

Please note that your rights apply to the extent provided by applicable data protection legislation and that there may be exceptions to these rights where appropriate. Please also note that we may need more information from you in order to, inter alia, confirm your identity before we proceed with your request to exercise your rights.

To exercise your rights or to request more information about them, please contact us, most easily by e-mail: privacy@21grams.com.

7.1 Right of access

You have the right to obtain confirmation as to whether we are processing personal data relating to you. If this is the case, you also have the right to access these personal data by means of an extract from the register, as well as further information on the processing in question, such as the purpose(s) of the processing, the categories of personal data concerned and the recipients to whom the personal data have been disclosed.

7.2 Right to rectification

You have the right to have incorrect information about you corrected without delay. You may also have the right to supplement incomplete data.

7.3 Right to erasure

You can request that we delete your personal data without delay if:

the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
Our processing of personal data is carried out on the basis of your consent and you withdraw your consent to the processing in question;
You object to processing carried out by us on the basis of a balancing of interests and your objection outweighs our or another person’s legitimate interest in the processing;
the personal data has been processed unlawfully; or
The Personal Data must be erased in order to comply with a legal obligation.

7.4 Right to restriction of processing

You have the right to request that we restrict the processing of your personal data if:

You contest the accuracy of the personal data, for a period of time that allows us to verify whether or not the data is accurate;
The processing is unlawful and you object to our erasure of your personal data and instead request that we restrict its use;
We no longer need to process the data for the purposes for which it was collected, while you need the data to establish, enforce or defend legal claims; and
You have objected to the processing carried out by us on the basis of interest balancing and are awaiting verification as to whether your objection outweighs our or another’s legitimate interest in continuing the processing.

7.5 Right to object

You have the right to object to the processing of your personal data based on our or another party’s legitimate interest. If we do so, we must be able to demonstrate compelling legitimate grounds that outweigh your interests, rights and freedoms in order to continue processing.

7.6 The right to data portability

If we process your personal data on the basis of a contract with you or on the basis of your consent, you have the right to obtain the personal data you have provided to us relating to you in an electronic format. You have the right to have the data in question transferred from us directly to another controller, where this is technically feasible.

Please note that this right to data portability does not extend to data processed manually by us.

7.7 Right to withdraw your consent

If our processing of your personal data is based on your consent, you always have the right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of the processing that took place on the basis of your consent before it was withdrawn.

8. Complaints to the supervisory authority

In Sweden, IMY (Integritsskyddsmyndigheten) is the authority responsible for monitoring the application of current data protection legislation. If you believe that we are processing your personal data incorrectly, we encourage you to contact us in the first instance so that we can review your concerns. However, you can always lodge your complaint with IMY.

Läs mer på Cookies and other tools for analysis