Information on the processing of personal data
Last updated: December 03, 2024
In this information we describe how we process your personal data. It is important to us that you feel confident about how we process your personal data. We take measures to ensure that your personal data is protected and that it is processed in accordance with applicable regulations and laws and our internal guidelines and procedures.
In this policy we explain how we process your personal data when you
- are a consumer and use our services privately (“Private User“),
- use our services through your employer (“Organisation User“),
- have been invited as a respondent (“Respondent“),
- are the contact person for a company that is a customer of ours (“Customer Contact Person“), or
- an IDI Facilitator (“Facilitator”).
1. Data controller and contact details
IDI Profiling AB, reg. no. 556988-5196, (“we“, “our“, “us“), is the data controller for the processing of your personal data described in this information.
Contact details for us
IDI Profiling AB
Alströmergatan 45
112 47 Stockholm
E-mail: info@idi.seTelephone: +46 8-756 70 35
2. What categories of personal data do we collect and where are they collected from?
We only collect the personal data we need. The personal data we collect depends on how you interact with us. In sections 2.1 to 2.4 below, we explain what personal data we process about you and where we collect this data from depending on the capacity in which you interact with us.
2.1 Private users
When you interact with us as a Private User, we collect and process the following categories of personal data.
Data that you provide to us:
- Identification data: data that allows you to be identified, such as your name.
- Contact details: information that allows us to contact you, such as your email address.
- Demographic data: information such as your job title and level of education.
- Profile data: data from your profile on the IDI Platform and IDI Academy, e.g. completed tests and/or trainings.
- Social data: data from your self-assessment test, e.g. how you assess yourself.
- Ordering and invoicing data: data to process your order and to invoice or charge you.
- Communications: content and data from your communications with us, such as data from emails.
- Authentication credentials: data that enables you to log in to the IDI Platform.
Data collected through your use of our services:
- Electronic identifiers: Data that allows us to identify the device you are using, such as IP address.
- Device information: information about your device, such as browser and operating system.
- Usage data: data such as how and when you use our services.
Data collected from the respondents you invited:
- Social data: Information about how the respondent perceives you in your role.
2.2 Organisation Users
When you interact with us as an Organisation User, we collect and process the following categories of personal data. You are considered an Organisation User regardless of whether your employer is in the private or public sector.
Data that you provide to us:
- Profile data: data from your profile on the IDI Platform and IDI Academy, e.g. completed tests and/or trainings.
- Communications: content and data from your communications with us, such as data from emails.
- Authentication credentials: data that enables you to log in to the IDI Platform.
Data collected from your employer:
- Identification data: data that allows you to be identified, such as your name.
- Contact details: information that allows us to contact you, such as your email address.
- Demographic data: information such as your job title and level of education.
Data collected through your use of our services:
- Electronic identifiers: Data that allows us to identify the device you are using, such as IP address.
- Device information: information about your device, such as browser and operating system.
- Usage data: data such as how and when you use our services.
2.3 Respondent
When you interact with us as a Respondent, we collect and process the following categories of personal data.
Data that you provide to us:
- Feedback data: Information about how you perceive the user who invited you.
Data collected from the person who invited you:
- Identification data: data that allows you to be identified, such as your name.
- Contact details: information that allows us to contact you, such as your email address.
Data collected through your use of our services:
- Electronic identifiers: data that allows us to identify the device you are using, such as IP address.
- Device information: information about your device, such as browser and operating system.
- Usage data: data such as how and when you use our services.
2.4 Customer Contact Person
When you interact with us as a Customer Contact Person, we collect and process the following categories of personal data.
Data that you provide to us:
- Identification data: data that allows you to be identified, such as your name.
- Contact details: information that allows us to contact you, such as your email address.
- Demographic data: information such as your job title and level of education.
- Communications: Content and data from your communications with us, such as data from emails.
2.5 Facilitator
When you interact with us as a Facilitator, we collect and process the following categories of personal data.
Data that you provide to us:
- Identification data: data that allows you to be identified, such as your name.
- Contact details: information that allows us to contact you, such as your email address.
- Profile data: data from your profile on the IDI Platform and IDI Academy, e.g. completed tests and/or trainings.
- Demographic data: information such as your job title and level of education.
- Communications: content and data from your communications with us, such as data from emails.
- Authentication credentials: data that enables you to log in to the IDI Platform.
- Ordering and invoicing data: data to process your order and to invoice or charge you.
Data collected through your use of our services:
- Licensing data: information about your license and you participation in the facilitator training.
- Electronic identifiers: data that allows us to identify the device you are using, such as IP address.
- Device information: information about your device, such as browser and operating system.
Usage data: data such as how and when you use our services.
3. For what purposes, for how long and on what legal basis do we process your personal data?
We process your personal data in order to provide our services in the best possible way. In this section, we explain the purposes for which we process your personal data.
3.1 Private users
| Purpose | Personal data | Legal basis | Retention period |
| Create and provide a user profile to you. | Contact detailsIdentification dataDemographic data | The processing is necessary for the performance of the contract with you (Article 6(1)(b) GDPR). | During the term of the contract and thirty (30) days thereafter. |
| Offer you storage of your user profile and profile presentation after the end of the contract. | Contact detailsIdentification dataDemographic dataProfile data | The processing is based on your consent (Article 6(1)(a) of the GDPR). You always have the right to and can withdraw your consent at any time. To withdraw your consent for continued storage, please contact us using the contact details provided in section 1. | For one (1) year from the time you gave or confirmed your consent. After one (1) year, we will contact you and ask you to confirm that you wish for us further store your data. |
| Analysing and creating the IDI profile based on the self-assessment and respondents’ answers. | Profile data | The processing is necessary for the performance of the contract with you (Article 6(1)(b) GDPR). | For the time required to analyse and create the IDI profile. |
| Creation and storage of profile presentation. | Profile data | The processing is necessary for the performance of the contract with you (Article 6(1)(b) GDPR). | During the term of the contract and thirty (30) days thereafter. |
| Enable login to the user profile. | Authentication credentialsElectronic identifiersDevice information | The processing is necessary for the performance of the contract with you (Article 6(1)(b) of the GDPR). | During the term of the contract and thirty (30) days thereafter. |
| Communicate and send notifications via email and SMS. | Contact detailsIdentification data | The processing is based on a balancing of interests where our legitimate interest is to be able to notify you of events in the IDI Platform, changes to our general terms and conditions or other important notices related to the service (Article 6(1)(f) GDPR). | During the term of the contract and thirty (30) days thereafter. |
| Anonymising data in order to analyse and track when our emails are opened and which links are clicked in the email through web beacons. | Electronic identifiersDevice informationContact details | The processing is based on a balancing of interests where our legitimate interest is to be able to evaluate and follow up on our mailings (Article 6(1)(f) of the GDPR). | For the time necessary to anonymise the data. |
| Sending marketing communications by e-mail. | Contact detailsIdentification data | The processing is based on your consent (Article 6(1)(a) of the GDPR). You always have the right to and can withdraw your consent to receive marketing communications at any time by following the instructions in the communication. | During the contract period and one (1) year thereafter. |
| Providing, maintaining, testing and improving the IDI portal. | Electronic identifiersUsage data | The processing is based on a balancing of interests where our legitimate interest is to be able to provide and develop our services (Article 6(1)(f) GDPR). | For the entire time we store your personal data in our systems. |
| Enable the management, development and testing of our IT systems to ensure the quality of the IDI platform and to detect and prevent security attacks such as intrusion attempts. | All categories of personal data concerned. | The processing is based on a balancing of interests where our legitimate interest consists of ensuring the necessary technical functionality and security of our website and IT systems (Article 6(1)(f) GDPR). | Personal data are retained for the same period specified in relation to each relevant purpose of processing. Personal data in logs are retained for troubleshooting and incident management purposes for a period of twelve (12) months from the date of the log event. Personal data in backups are retained for a period of twelve (12) months from the date of the backup. |
| Anonymisation of personal data for statistical purposes and to monitor our activities. | Relevant categories of personal data necessary for the production of the statistics. | The processing is based on a balancing of interests where our legitimate interest is to anonymise your personal data in order to be able to produce statistics on our services and thus be able to monitor and evaluate our activities (Article 6(1)(f) of the GDPR). | For the time necessary to anonymise the data. |
| Establishing, exercising and defending legal claims. | Categories of personal data concerned that are necessary to manage and respond to the legal requirement in the individual case. | The processing is based on a balancing of interests where our legitimate interest is to establish, exercise and defend legal claims (Article 6(1)(c) GDPR). | For the period necessary for us to establish, exercise and defend the legal claim in each case. |
| To fulfil our legal obligations with reference to e.g. the Accounting Act and tax legislation, as well as to comply with injunctions and decisions of courts and authorities. | Relevant categories of personal data necessary to fulfil the respective legal obligation. | The processing is necessary for the fulfilment of legal obligations to which we are subject (Article 6(1)(c) of the GDPR). | Personal data is retained for the time necessary for us to fulfil the respective legal obligation we have and for a period of ten (10) years for the purpose of satisfying our legitimate interest in managing and responding to legal claims, and for the time thereafter necessary to manage the claim. As an example, personal data in accounting material is retained for seven (7) years from the end of the calendar year in which the relevant financial year ended in accordance with the Accounting Act (1999:1078). |
| Manage the customer relationship with you. | Contact detailsIdentification dataCommunication | The processing is necessary for the performance of the contract with you (Article 6(1)(b) of the GDPR). | For the duration of the contract and for a period of one (1) year thereafter. |
| Manage invoicing in our business. | Contact detailsIdentification dataOrdering and invoicing data | The processing is based on a balancing of interests, where our legitimate interest is to be able to invoice you for the use of our services (Article 6(1)(f) GDPR). | For the duration of the contract. |
3.2 Organisational users
| Purpose | Personal data | Legal basis | Retention period |
| Create and provide a user profile to you. | Contact detailsIdentification dataDemographic data | The processing is based on a balancing of interests where our legitimate interest consists of the fulfilment of the contract we have concluded with your employer (Article 6(1)(f) of the GDPR). | For the entire time you use our services in accordance with the contract we have with your employer. |
| Enable login to the user profile. | Authentication credentialsElectronic identifiersDevice information | The processing is based on a balancing of interests where our legitimate interest consists of the fulfilment of the contract we have concluded with your employer (Article 6(1)(f) of the GDPR). | For the entire time you use our services in accordance with the contract we have with your employer. |
| Communicate and send notifications via email and SMS. | Contact detailsIdentification data | The processing is based on a balancing of interests where our legitimate interest is to be able to notify you of events in the IDI Platform, changes to our general terms and conditions or other important notices related to the service (Article 6(1)(f) GDPR). | For the entire time you use our services in accordance with the contract we have with your employer. |
| Anonymising data in order to analyse and track when our emails are opened and which links are clicked in the email through web beacons. | Electronic identifiersDevice informationContact details | The processing is based on a balancing of interests where our legitimate interest is to be able to evaluate and follow up on our mailings (Article 6(1)(f) of the GDPR). | For the time necessary to anonymise the data. |
| Sending marketing communications by e-mail. | Contact detailsIdentification data | The processing is based on your consent (Article 6(1)(a) of the GDPR). You always have the right and can withdraw your consent to receive marketing communications at any time by following the instructions in the communication. | For the entire time you use our services in accordance with the contract we have with your employer and one (1) year thereafter. |
| Providing, maintaining, testing and improving the IDI portal. | Electronic identifiersUsage data | The processing is based on a balancing of interests where our legitimate interest is to be able to provide and develop our services (Article 6(1)(f) GDPR). | For the entire time we store your personal data in our systems. |
| Enable the management, development and testing of our IT systems to ensure the quality of the IDI platform and to detect and prevent security attacks such as intrusion attempts. | All categories of personal data concerned. | The processing is based on a balancing of interests where our legitimate interest consists of ensuring the necessary technical functionality and security of our website and IT systems (Article 6(1)(f) GDPR). | Personal data are retained for the same period specified in relation to each relevant purpose of processing. Personal data in logs are retained for troubleshooting and incident management purposes for a period of twelve (12) months from the date of the log event. Personal data in backups are retained for a period of twelve (12) months from the date of the backup. |
| Anonymisation of personal data for statistical purposes and to monitor our activities. | Relevant categories of personal data necessary for the production of the statistics. | The processing is based on a balancing of interests where our legitimate interest is to anonymise your personal data in order to produce statistics on our services and thus be able to monitor and evaluate our activities (Article 6(1)(f) of the GDPR). | For the time necessary to anonymise the data. |
| Establishing, exercising and defending legal claims. | Relevant categories of personal data necessary to manage and respond to the legal requirement in the individual case. | The processing is based on a balancing of interests where our legitimate interest is to establish, exercise and defend legal claims (Article 6(1)(c) GDPR). | For the period necessary for us to establish, exercise and defend the legal claim in each case. |
| To fulfil our legal obligations with reference to e.g. the Accounting Act and tax legislation, as well as to comply with injunctions and decisions of courts and authorities. | Relevant categories of personal data necessary to fulfil the respective legal obligation. | The processing is necessary for the fulfilment of legal obligations to which we are subject (Article 6(1)(c) of the GDPR). | Personal data is retained for the time necessary for us to fulfil the respective legal obligation we have and for a period of ten (10) years for the purpose of satisfying our legitimate interest in managing and responding to legal claims, and for the time thereafter necessary to manage the claim. As an example, personal data in accounting material is retained for seven (7) years from the end of the calendar year in which the relevant financial year ended in accordance with the Accounting Act (1999:1078). |
| Managing the customer relationship. | Contact detailsIdentification dataCommunication | The processing is necessary for the performance of the contract with you (Article 6(1)(b) of the GDPR). | For the entire time you use our services in accordance with the contract we have with your employer. |
| Manage invoicing in our business. | Contact detailsIdentification dataOrdering and invoicing dataEconomic data | The processing is based on a balancing of interests, where our legitimate interest is to be able to invoice the company you are connected to for the use of our services (Article 6(1)(f) GDPR). | For the entire time you use our services in accordance with the contract we have with your employer. |
3.3 Respondent
| Purpose | Personal data | Legal basis | Retention period |
| Collection, aggregation and anonymisation of response data for the development of the user’s IDI profile. | Response data | The processing is based on your consent (Article 6(1)(a) of the GDPR). You have the right to withdraw your consent at any time. To withdraw your consent, please contact us using the contact details provided in section 1. | For the time necessary to collect, aggregate and anonymise the feedback data. There is no permanent storage of detailed feedback data. |
| Track whether you have submitted your feedback and share the result with the user of our services. | Usage data | The processing is based on your consent (Article 6(1)(a) of the GDPR). You have the right to withdraw your consent at any time. To withdraw your consent, please contact us using the contact details provided in section 1. | Three (3) months from the collection of the data. |
| Communicate and send invitation and notifications via email and SMS | Contact detailsIdentification data | The processing is based on a balancing of interests where our legitimate interest is to be able to notify you of events in the IDI Platform, changes to our general terms and conditions or other important notices related to the service (Article 6(1)(f) GDPR). | Three (3) months from the collection of the data. |
| Anonymising data in order to analyse and track when our emails are opened and which links are clicked in the email through web beacons. | Electronic identifiersDevice informationContact details | The processing is based on a balancing of interests where our legitimate interest is to be able to evaluate and follow up on our mailings (Article 6(1)(f) of the GDPR). | For the time necessary to anonymise the data. |
| Sending marketing communications by e-mail. | Contact detailsIdentification data | The processing is based on your consent (Article 6(1)(a) of the GDPR). You always have the right and can withdraw your consent to receive marketing communications at any time by following the instructions in the communication. | One (1) year from the date you submitted your feedback. |
| Providing, maintaining, testing and improving the IDI portal | Electronic identifiersUsage data | The processing is based on a balancing of interests where our legitimate interest is to be able to provide and develop our services (Article 6(1)(f) GDPR). | For the entire time we store your personal data in our systems. |
| Enable the management, development and testing of our IT systems to ensure the quality of the IDI platform and to detect and prevent security attacks such as virus attacks | All categories of personal data concerned. | The processing is based on a balancing of interests where our legitimate interest consists of ensuring the necessary technical functionality and security of our website and IT systems (Article 6(1)(f) GDPR). | Personal data are retained for the same period specified in relation to each relevant purpose of processing. Personal data in logs are retained for troubleshooting and incident management purposes for a period of twelve (12) months from the date of the log event. Personal data in backups are retained for a period of twelve (12) months from the date of the backup. |
| Anonymisation of personal data for statistical purposes and to monitor our activities. | Relevant categories of personal data necessary for the production of the statistics. | The processing is based on a balancing of interests where our legitimate interest is to anonymise your personal data in order to be able to produce statistics on our services and thus be able to monitor and evaluate our activities (Article 6(1)(f) of the GDPR). | For the time necessary to anonymise the data. |
| Establishing, exercising and defending legal claims | Categories of personal data concerned that are necessary to manage and respond to the legal requirement in the individual case. | The processing is based on a balancing of interests where our legitimate interest is to establish, exercise and defend legal claims (Article 6(1)(c) GDPR). | For the period necessary for us to establish, exercise and defend the legal claim in each case. |
| To fulfil our legal obligations with reference to e.g. the Accounting Act and tax legislation, as well as to comply with injunctions and decisions of courts and authorities. | Relevant categories of personal data necessary to fulfil the respective legal obligation. | The processing is necessary for the fulfilment of legal obligations to which we are subject (Article 6(1)(c) of the GDPR). | Personal data is retained for the time necessary for us to fulfil the respective legal obligation we have and for a period of ten (10) years for the purpose of satisfying our legitimate interest in managing and responding to legal claims, and for the time thereafter necessary to manage the claim. As an example, personal data in accounting material is retained for seven (7) years from the end of the calendar year in which the relevant financial year ended in accordance with the Accounting Act (1999:1078). |
3.4 Contact person
| Purpose | Personal data | Legal basis | Retention period |
| Managing the customer relationship. | Contact detailsIdentification dataCommunication | The processing is necessary for the performance of the contract with you (Article 6(1)(b) of the GDPR). | For the entire time you use our services in accordance with the contract we have with your employer. |
| Manage invoicing in our business. | Contact detailsIdentification dataOrdering and invoicing data | The processing is based on a balancing of interests, where our legitimate interest is to be able to invoice the company you are connected to for the use of our services (Article 6(1)(f) GDPR). | For the entire time you use our services in accordance with the contract we have with your employer. |
| Communicate and send notifications via email and SMS | Contact detailsIdentification data | The processing is based on a balancing of interests where our legitimate interest is to be able to notify you of events in the IDI Platform, changes to our general terms and conditions or other important notices related to the service (Article 6(1)(f) GDPR). | For the entire time you use our services in accordance with the contract we have with your employer. |
| Anonymising data in order to analyse and track when our emails are opened and which links are clicked in the email through web beacons. | Electronic identifiersDevice informationContact details | The processing is based on a balancing of interests where our legitimate interest is to be able to evaluate and follow up on our mailings (Article 6(1)(f) of the GDPR). | For the time necessary to anonymise the data. |
| Sending marketing communications by e-mail. | Contact detailsIdentification data | The processing is based on your consent (Article 6(1)(a) of the GDPR). You always have the right and can withdraw your consent to receive marketing communications at any time by following the instructions in the communication. | For the entire time you use our services in accordance with the contract we have with your employer and one (1) year thereafter. |
| Providing, maintaining, testing and improving the IDI portal | Electronic identifiersUsage data | The processing is based on a balancing of interests where our legitimate interest is to be able to provide and develop our services (Article 6(1)(f) GDPR). | For the entire time we store your personal data in our systems. |
| Enable the management, development and testing of our IT systems to ensure the quality of the IDI platform and to detect and prevent security attacks such as virus attacks | All categories of personal data concerned. | The processing is based on a balancing of interests where our legitimate interest consists of ensuring the necessary technical functionality and security of our website and IT systems (Article 6(1)(f) GDPR). | Personal data are retained for the same period specified in relation to each relevant purpose of processing. Personal data in logs are retained for troubleshooting and incident management purposes for a period of twelve (12) months from the date of the log event. Personal data in backups are retained for a period of twelve (12) months from the date of the backup. |
| Anonymisation of personal data for statistical purposes and to monitor our activities. | Relevant categories of personal data necessary for the production of the statistics. | The processing is based on a balancing of interests where our legitimate interest is to anonymise your personal data in order to produce statistics on our services and thus be able to monitor and evaluate our activities (Article 6(1)(f) of the GDPR). | For the time necessary to anonymise the data. |
| Establishing, exercising and defending legal claims | Categories of personal data concerned that are necessary to manage and respond to the legal requirement in the individual case. | The processing is based on a balancing of interests where our legitimate interest is to establish, exercise and defend legal claims (Article 6(1)(c) GDPR). | For the period necessary for us to establish, exercise and defend the legal claim in each case. |
| To fulfil our legal obligations with reference to e.g. the Accounting Act and tax legislation, as well as to comply with injunctions and decisions of courts and authorities. | Relevant categories of personal data necessary to fulfil the respective legal obligation. | The processing is necessary for the fulfilment of legal obligations to which we are subject (Article 6(1)(c) of the GDPR). | Personal data is retained for the time necessary for us to fulfil the respective legal obligation we have and for a period of ten (10) years for the purpose of satisfying our legitimate interest in handling and responding to legal claims, and for the time thereafter necessary to handle the claim. As an example, personal data in accounting material is retained for seven (7) years from the end of the calendar year in which the relevant financial year ended in accordance with the Accounting Act (1999:1078). |
3.5 Facilitator
| Purpose | Personal data | Legal basis | Retention period |
| Create and provide a user profile to you. | Contact detailsIdentification dataDemographic data | The processing is necessary for the performance of the contract with you (Article 6(1)(b) GDPR). | During the term of the contract and thirty (30) days thereafter. |
| Administer your license. | Contact detailsIdentification dataLicensing data | Behandlingen är nödvändig för att vi ska kunna fullgöra avtalet med dig (artikel 6.1 b GDPR). | Under avtalstiden samt ett (1) år därefter. |
| Analysing and creating the IDI profile based on the self-assessment and respondents’ answers. | Profile data | The processing is necessary for the performance of the contract with you (Article 6(1)(b) GDPR). | For the time required to analyse and create the IDI profile. |
| Creation and storage of profile presentation. | Profile data | The processing is necessary for the performance of the contract with you (Article 6(1)(b) GDPR). | During the term of the contract and thirty (30) days thereafter. |
| Enable login to the user profile. | Authentication credentialsElectronic identifiersDevice information | The processing is necessary for the performance of the contract with you (Article 6(1)(b) of the GDPR). | During the term of the contract and thirty (30) days thereafter. |
| Communicate and send notifications via email and SMS. | Contact detailsIdentification data | The processing is based on a balancing of interests where our legitimate interest is to be able to notify you of events in the IDI Platform, changes to our general terms and conditions or other important notices related to the service (Article 6(1)(f) GDPR). | During the term of the contract and thirty (30) days thereafter. |
| Anonymising data in order to analyse and track when our emails are opened and which links are clicked in the email through web beacons. | Electronic identifiersDevice informationContact details | The processing is based on a balancing of interests where our legitimate interest is to be able to evaluate and follow up on our mailings (Article 6(1)(f) of the GDPR). | For the time necessary to anonymise the data. |
| Sending marketing communications by e-mail. | Contact detailsIdentification data | The processing is based on your consent (Article 6(1)(a) of the GDPR). You always have the right to and can withdraw your consent to receive marketing communications at any time by following the instructions in the communication. | During the contract period and one (1) year thereafter. |
| Providing, maintaining, testing and improving the IDI portal. | Electronic identifiersUsage data | The processing is based on a balancing of interests where our legitimate interest is to be able to provide and develop our services (Article 6(1)(f) GDPR). | For the entire time we store your personal data in our systems. |
| Enable the management, development and testing of our IT systems to ensure the quality of the IDI platform and to detect and prevent security attacks such as intrusion attempts. | All categories of personal data concerned. | The processing is based on a balancing of interests where our legitimate interest consists of ensuring the necessary technical functionality and security of our website and IT systems (Article 6(1)(f) GDPR). | Personal data are retained for the same period specified in relation to each relevant purpose of processing. Personal data in logs are retained for troubleshooting and incident management purposes for a period of twelve (12) months from the date of the log event. Personal data in backups are retained for a period of twelve (12) months from the date of the backup. |
| Anonymisation of personal data for statistical purposes and to monitor our activities. | Relevant categories of personal data necessary for the production of the statistics. | The processing is based on a balancing of interests where our legitimate interest is to anonymise your personal data in order to be able to produce statistics on our services and thus be able to monitor and evaluate our activities (Article 6(1)(f) of the GDPR). | For the time necessary to anonymise the data. |
| Establishing, exercising and defending legal claims. | Categories of personal data concerned that are necessary to manage and respond to the legal requirement in the individual case. | The processing is based on a balancing of interests where our legitimate interest is to establish, exercise and defend legal claims (Article 6(1)(c) GDPR). | For the period necessary for us to establish, exercise and defend the legal claim in each case. |
| To fulfil our legal obligations with reference to e.g. the Accounting Act and tax legislation, as well as to comply with injunctions and decisions of courts and authorities. | Relevant categories of personal data necessary to fulfil the respective legal obligation. | The processing is necessary for the fulfilment of legal obligations to which we are subject (Article 6(1)(c) of the GDPR). | Personal data is retained for the time necessary for us to fulfil the respective legal obligation we have and for a period of ten (10) years for the purpose of satisfying our legitimate interest in managing and responding to legal claims, and for the time thereafter necessary to manage the claim. As an example, personal data in accounting material is retained for seven (7) years from the end of the calendar year in which the relevant financial year ended in accordance with the Accounting Act (1999:1078). |
| Manage invoicing in our business. | Contact detailsIdentification dataOrdering and invoicing data | The processing is based on a balancing of interests, where our legitimate interest is to be able to invoice you for the use of our services (Article 6(1)(f) GDPR). | For the duration of the contract. |
4. How long do we keep your personal data?
We will retain your data only for as long as necessary to fulfil the purpose for which the personal data was collected in accordance with this policy. When the personal data is no longer necessary, we delete or anonymise the data.
You can see the specific retention periods we apply in the tables above. When your contract with us expires or when your employer notifies us that you will no longer be using the services, and you have not indicated that you wish to continue to retain the data, we will delete or anonymise all the data that we process about you according to the retention periods indicated above. However, for technical reasons, personal data may be retained for up to 30 days after the expiry of the above indicated retention periods.
If you consent to allow us to store your personal data for a longer period, e.g. so that you can compare your results from previous rounds at a later date, we will ask you to confirm your consent once a year.
5. Who do we share your personal data with?
We use subcontractors to provide our services. Your personal data will therefore be shared with IT service providers.
We may also share your data with authorities or third parties when we are obliged to do so in the context of legal proceedings or by order of a public authority.
If you want detailed information on who we share your personal data with, please contact us or request a copy of your personal data (see section 7 “Right to access your personal data”).
6. When can your personal data be transferred to a country outside the EU/EEA?
We always aim to process your personal data within the EU/EEA. In certain situations, e.g. when we share your data with a supplier or subcontractor operating outside the EU/EEA, your personal data will be transferred to a country outside the EU/EEA.
We will always ensure a high level of protection in the event of a transfer and that appropriate safeguards have been put in place in accordance with applicable data protection law. Such appropriate safeguards include, among others, ensuring that:
- if the European Commission has decided that the country outside the EU/EEA to which your personal data is transferred achieves an ‘adequate’ level of protection equivalent to that provided by the GDPR. This means, for example, that the data continues to be protected from unauthorised access and that you can enforce your rights in relation to the data, or
- that the European Commission’s standard contractual clauses have been concluded between us and the recipient of the personal data outside the EU/EEA. This means that the recipient guarantees that the protection of your personal data provided by the GDPR still applies. In these cases, we also assess whether there is legislation in the recipient country that affects the protection of your personal data. If necessary, we will take specific technical and organisational measures to ensure that the protection of your data is maintained during the transfer to the relevant country outside the EU/EEA.
If you would like more information about the countries outside the EU/EEA to which we transfer your personal data and the safeguards we have put in place to protect your personal data, please contact us or request a copy of your personal data (see section 7 “Right to access your personal data”).
7. Your rights
You have a number of rights in relation to your personal data. You can read more about your rights below. If you wish to exercise any of your rights or have any questions, please contact us using the contact details provided in section 1 of this policy.
Right to have your personal data erased (“Right to be forgotten”)
In certain cases, you have the right to have your personal data erased. This applies, for example, to data that (a) is no longer necessary to process or keep for the purpose for which it was collected, or (b) if you withdraw your consent for processing. In some cases, we have no possibility to delete your personal data. This may be because the data is either still necessary to process for the purpose for which it was collected, our interest in continuing to process the data outweighs your interest in having it erased, or because we are required by law to retain it.
Right to be informed
You have the right to be informed about how we process your personal data. We do this through this privacy notice and by answering your questions.
Right to access your personal data
You have the right to know whether we process your personal data and to receive a copy of your personal data. The copy will tell you what information we have about you and how we process your personal data.
Right to access and transfer your personal data to another recipient
This right, also known as the ‘right to data portability’, means that you can request a copy of the data we hold about you and which we process to fulfil a contract with you, or based on your consent, in a machine-readable format. This is to allow you to transfer your personal data to another recipient.
Right to rectification
You have the right to request that we correct inaccurate or incomplete information about you and that we complete your information.
Right to restriction of processing
If you believe that the data we hold about you is inaccurate, that our processing is unlawful or that we do not need the data for a specific purpose, you have the right to request that we restrict our processing of that data. You can also request that we do not process your data while we check this, or while we check whether you have the right to object to certain processing as described below.
Right to object to our processing of your personal data
You can object to our processing that we base on our legitimate interests (Article 6(1)(f) GDPR). You can also always object to us using your personal data for direct marketing purposes. When you inform us that you no longer wish to receive direct marketing from us, we will switch off the marketing and thus stop sending you marketing.
Right to object to automated decision making that significantly affects you
You have the right to object to an automated decision made by us if the decision produces legal effects or similarly significantly affects you. We do not use automated decisions.
Right to withdraw your consent
When we process your personal data based on your consent, you have the right to withdraw your consent at any time. When you withdraw your consent, we will stop processing the personal data concerned.
Right to lodge a complaint
If you wish to make a complaint about our processing of personal data, you can contact the Data Protection Authority. For information on how to lodge a complaint, please refer to IMY’s website.
More information about your rights can be found on IMY’s website.
8. How we use cookies and other tracking technologies
We use cookies and other similar tracking technologies in our various interfaces. You can find more information about how we use cookies and similar tracking technologies in our cookie policy which you can find here .
9. Update of this information
We are constantly working to improve our services. This may involve changes to existing services. If such a change requires notification or consent under applicable data protection laws, you will be notified and given the opportunity to give your consent.