It is our intention that all persons whose personal data is processed by Odevo AB and its group companies (“Odevo”) should feel confident that this shall be performed with the requisite consideration and respect for the person’s private life and protection of personal data.
Odevo shall at all times comply with applicable data protection legislation and follow the rules governing the collection and use of personal data which may relate to natural persons.
This Privacy Policy (this “Policy”) shall apply as a minimum standard to all Odevo group companies, subject to any deviation required or permitted under local data protection legislation.
Each Odevo group company shall comply with the principles that are stipulated in this Policy. In addition, each Odevo group company has the responsibility to implement data protection policies and procedures needed in order to comply with this Policy and applicable data protection legislation.
Each Odevo group company shall appoint a person responsible for compliance with this Policy and applicable data protection legislation.
Each Odevo group company shall make an assessment if appointment of a data protection officer is required under applicable data protection legislation and, where required, notify the competent data protection authority of such appointment.
This Policy shall apply to all processing of personal data by or on behalf of Odevo, which occurs in IT systems or by other automatic means. The Policy shall also apply to the processing of personal data in paper form where such data form part of or are intended to form part of a structured filing system. Personal data means any information relating to an identified or identifiable natural person. Examples: name, contact information, personal ID-numbers, photographs, employment number, customer numbers and IP-numbers.
Odevo shall comply with the following principles with respect to all processing of personal data:
Prior to the commencement of the collection of personal data, it must be considered what reasons may exist in order to process personal data and for what purpose the information shall be used for. Personal data may only be collected and used for specified purposes and only relevant information which is required for the purpose in question may be collected.
Each Odevo group company shall prepare and maintain a record of its processing activities. Such record shall include (i) the purposes of the processing; (ii) a description of the categories of data subjects and of the categories of personal data; (iii) the categories of recipients to whom the personal data have been or will be disclosed; (iv) if personal data will be transferred to countries outside the EU/EEA; (v) the envisaged time limits for erasure of the different categories of data; and (vi) a general description of the technical and organisational security measures taken to protect personal data.
If new technology will be used or where the processing covers a large amount of sensitive personal data or includes systematic and extensive analysis of personal aspects, a data protection impact assessment shall be performed prior to the commencement of the processing.
In connection with the development of software and IT systems which will be used in connection with the processing of personal data, appropriate requirement specifications shall be prepared in order to ensure that such software and IT systems are designed to implement data processing principles and data protection by default.
Personal data may be processed where the persons concerned have consented to the processing in question.
Personal data may also be processed without consent where:
Special restrictions apply for processing of special categories of personal data, i.e., data which reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation.
As a general rule, such special categories of personal data may only be processed where the persons concerned have given their explicit consent to the processing in question.
Special categories of personal data may also be processed by Odevo without consent where the processing is necessary in order for:
Particular restrictiveness should be observed in conjunction with processing of personal ID numbers. Information concerning personal ID numbers may only be processed with consent from the persons concerned or where it is clearly justified taking into account: (i) the purpose of the processing; (ii) the importance of secured identification; or (iii) any other justifiable reason.
Particular restrictiveness should be observed in conjunction with processing of criminal data. It is only permitted to process criminal offence data: (i) if it is necessary for Odevo to comply with a legal obligation (e.g., it is permitted if there is AML rules or similar that require a criminal background check); or (ii) if it is necessary in order for Odevo to establish, exercise or defend legal claims.
A consent must be a voluntary and informed expression of will that the person in question accepts the processing of personal data. Consent can be obtained in writing, electronically (for example with the help of tick boxes on the website) or orally.
All persons, including but not limited to customers and employees, whose personal data is processed by Odevo shall be provided with information concerning, among other things, the purpose of the processing, the recipients of personal data, the period for which personal data will be stored, data subject’s rights, etc. The information shall be provided by means of privacy notices. Each Odevo group company shall regularly review whether their privacy notices are sufficient in relation to the relevant processing of personal data or whether the privacy notices need to be updated.
Each Odevo group company shall implement procedures to comply with and facilitate the exercise of data subject rights under applicable data protection legislation.
Each person is entitled, upon request, to receive information concerning personal data which relates to him or her is processed by Odevo. Upon such request, a copy of the personal data undergoing processing shall be provided, together with information about the processing of the personal data.
Where a person submits a request to have erroneous information which relates to him or her rectified, rectification must take place without undue delay.
A person has a right to request the erasure of personal data which relates to him or her. Certain conditions must be at hand in order for Odevo to be able to erase the personal data. For example, a person has the right to have his or her data erased if it is no longer necessary for the purposes for which it was collected. The right to erasure is, however, not absolute and it may not always be possible to erase personal data on request, for example, when the data is still necessary to process for the purpose for which the data was collected or if Odevo has a legal obligation to keep it.
A person has a right to request restriction of processing of his or her personal data. This is for example the case if the person contests the accuracy of the personal data or if the processing is unlawful and the person opposes the erasure of the personal data. Restriction of processing means that the personal data shall be stored and may only be processed with the person’s consent or in order for Odevo to adhere to laws and regulations or establish, exercise or defend legal claims.
A person has a right to receive personal data, that he or she have provided to Odevo, in a structured, commonly used and machine-readable format. This is the case if the processing of personal data is based on consent or performance of an agreement with the person. The person may also request that Odevo shall transmit the personal data to another controller. Odevo may need to retain some data due to laws and regulations, see above regarding right to erasure.
A person is entitled to object to the processing of data which relates to him or her if such processing is based on a legitimate interest of Odevo. In the event a person objects to information which relates to him or her being used for direct marketing purposes, the information shall no longer be processed for such purpose.
In conjunction with processing of personal data, it must be verified that there is a security level which is appropriate to the risks which exist in relation to the processing. Each Odevo group company need to ensure that appropriate technical and organizational measures have been taken in order to protect personal data against unintentional or unlawful destruction, unintentional loss, amendment, unauthorized disclosure or unauthorized access.
Personal data shall at all times be treated as confidential and may only be processed in accordance with these and other security rules implemented by Odevo.
If a personal data breach occurs which entails that personal data has been erased, lost or changed or where any unauthorized person has gained access to or reviewed personal data, such breach must be notified to the competent data protection authority within a period of 72 hours from the time at which the incident was discovered. Affected persons may also need to be informed of the personal data breach.
The Chief Risk & Compliance Officer in Odevo shall be informed of any data breaches reported to a competent data protection authority.
Before an external supplier is engaged for processing of personal data on behalf of Odevo, an assessment must take place in order to ensure that the supplier can provide appropriate security and appropriate procedures for processing of personal data. When an external supplier is engaged for processing of personal data on behalf of Odevo, this arrangement should be regulated through a written agreement containing specific terms and conditions relating to such processing of personal data (i.e., a data processing agreement).
Personal data may only be transferred to a country which is not a member of the European Union (EU) or the European Economic Area (EEA) under certain circumstances. This includes that personal data may be transferred on the basis of an adequacy decision by the European Commission; or where standard contract clauses are entered into with the recipient of personal data.
This policy will be reviewed at least annually to ensure its effectiveness and compliance with applicable laws and regulations.
The Chief Risk & Compliance Officer shall monitor Odevo’s and the Odevo group companies’ compliance with this Policy.
