Väderstad AB Privacy policy

Version 2.0

 

Väderstad AB (VAB) believes in being open and transparent when it comes to what personal data we process and for what purposes. For us, it is also important that we take action to protect your personal data, and we do this through the use of both technical and organisational measures in order to meet the requirements set out in the General Data Protection Regulation (GDPR).

This privacy policy describes how Väderstad AB processes your personal data as a customer, supplier, employee or other interested party. You are welcome to contact us via the contact details found at the end of this document, should you have any questions regarding the processing of your personal data.

1. Key expressions

General Data Protection Regulation (GDPR)

GDPR is a common EU-wide regulatory framework that governs how personal data is processed and which came into force on May 25, 2018. In Sweden, this law called Dataskyddsförordningen.

Data subject

The "Data subject" refers to the individual whose personal data is being processed. The individuals that an organisation processes personal information about may be employees, consultants, customers, suppliers and partners.

Personal data

Personal Data refers to anything that can be directly or indirectly linked to a living individual. Examples of personal data include an organisation number belonging to a sole proprietorship, personal identity numbers for farmers and the contact details for our customer contacts. The organisation number of a limited company or a generic e-mail address, such as info@xxxxx.com, are examples of non-personal data.

Processing

Processing is a measure or combination of measures being applied to personal data or sets of personal data, whether or not these are automated. Processing generally involves some kind of register that is searchable. However, processing does not apply to, for example, handwritten notes that are inserted into calendars in an unsorted manner.

Processing may include the following:

Collection Recording Organising

Structuring

Storing Processing Changing Scanning
Using Transfer Sharing Amending
Limitation Deletion Destruction Merging

Legal basis

Any processing of personal data requires a clearly reported purpose, for which at least one legal basis exists. At least one of the following legal bases shall exist in order for companies to process an item of personal data:

  • Agreement
  • Legal obligation
  • Protection of interest
  • Legitimate interest
  • Consent
  • Exercise of public authority

Purposes

Personal data collected for a particular purpose may not be used for any other purpose than that communicated to the data subject. When the period of validity for the stated purpose expires, the information shall be deleted, provided that it is not required for any other purpose.

Responsibility for personal data

The Data Controller is usually a company or organisation and is the entity or individual who determines the purposes and means of personal data processing and is therefore responsible for such processing in accordance with the GDPR. Individual employees of a company are not considered Data Controllers.

A joint responsibility exists where two or more parties jointly determine the purposes and means for personal data processing. The jointly responsible businesses shall determine their respective responsibilities, provided that their obligations are not already established by union or member state law. The defined responsibility components shall be presented to the data subjects, who may exercise their rights to each of the controllers.

Sensitive personal data

Some types of sensitive personal data cannot be collected, except under exceptional circumstances.

Sensitive personal data include:

  • Race or ethnic origin
  • Religious or philosophical convictions
  • Sex life or sexual orientation
  • Trade union membership
  • Health
  • Political opinions
  • Genetic and biometric data

Exceptional circumstances may be sited when a company collects sensitive personal data the health of the data subject in order to carry out its obligations within health care. Special precautions are, however, required in such circumstances.

Personal Data Processor

The Data Processor is usually a company or organisation, authority or other legal entity that processes personal data for and on behalf of the Data Controller. This can be an IT solution such as a cloud service provider or a human resources management system.

Data Processors may only process personal data as instructed by the Data Controller. Under GDPR, all Data Processors must keep a record of their Data Processing. The Data Processor shall also not engage any other Data Processor(s), as an assistant, without prior and explicit written agreement from the Data Controller.

2. Customer and market

The following information concerns the collection, processing, storage and sharing of personal customer data within VAB. A customer is someone who has previously enjoyed or currently enjoys a customer relationship with VAB. Customer also refers to potential customers.

Who is responsible?

VAB is the Personal Data Controller for its own customers’ personal data. Each national sales company within the Väderstad Group is generally responsible for its own customer relations. In markets which do not have a national sales company, an importer will usually have the same responsibility as a national sales company. The importer is therefore the Data Controller in these circumstances. A joint responsibility may exist between two or more parties when such parties jointly determine the means and purposes for personal data processing.

If you have any questions about our processing of your personal data, please feel free to contact Väderstad AB using the contact details at the end of this document. If you have any questions about how your reseller /importer processes your personal data, contact the reseller or importer directly.

What kind of personal data is collected and why?

When personal data is collected

Categories of  personal data

Categories of purposes
When recording the details of a potential customer /new customer Identity details, contact details, farm details

To be able to provide information, handle orders, invoicing, support and administration

For service and support purposes Identity details, contact details, equipment details To be able to assist you with service and support issues, fulfil warranty commitments
When using the app

Identity details, contact information, location*

To enable you to use the app

When using a Väderstad machine

Journey data, location data

To enable engineers to address servicing and maintenance faults, conduct product development, and manage guarantee commitments

In the business relationship

Identity details, contact details, company information, demographic information, machinery information

To enter into an agreement with you, to enable you /your company to purchase a equipment from Väderstad
Market research Name, contact information To provide you with the best customer experience
At events

Photography, names, contact information

So that we can contact you with further information
Training course participation

Name, contact information

To provide details about the course and be able to issue a course certificate
For photography purposes

Name, photo, contact information

For marketing purposes**

 *Depending on which app you use, and provided that you have consented to such data collection, we may also collect data that is stored on your device, such as contact data, location data or other types of digital content. 

** In some cases, the data will be collected by consent and in other cases a balance is struck, taking legitimate interest into consideration.

Who has access to the data?

We limit access to your personal data to Väderstad Group employees and suppliers who need to use the information in order to process it on our behalf, and who are required to maintain your personal data secure and confidential in accordance with an agreement or steering document.

Personal data may be disclosed to processors, other companies within Väderstad Group or third parties, described below, in accordance with applicable data protection laws.

  • Personal data may be shared between eligible persons in companies within the Väderstad Group, for customer satisfaction purposes. For example, with Väderstad’s authorised resellers for the purpose of distributing product and service offers and sending other messages to you
  • To third parties in connection with the sale or otherwise transfer of a part of Väderstad Group’s business activities
  • To security firms, courts of law or authorities when we deem it necessary to share such data in order to protect our rights; e.g. in order to investigate potential breaches against our terms or to detect, prevent or reveal fraudulent activity or other security issues
  • With our partners and other third parties, where you have chosen to accept services provided by them or given them authorisation to request personal data from Väderstad
  • With our product and service providers who work on our behalf, for example suppliers of wireless services, companies which manage and operate our websites, send communications, undertake data analyses, systems suppliers who are necessary in order to process, store or manage payments and /or other types of financial information

We always strive to select options for data processing services protect the integrity of personal data in relation to third parties.

How long the data is processed and stored

The personal data that we process for the purpose of fulfilling our agreement with you/ the customer you act as a contact for is treated as a starting point for the length of time that is necessary for us to fulfil our contractual relationship.

VAB also processes personal data in order to exercise our rights and fulfil our obligations in relation to you/ the supplier you represent until the expiry of any such periods of liability that exist e.g. for the sale of machines, spare parts, accessories or the distribution of apps.

The personal data that we process for the purpose of communicating business or product news and updates etc., will be processed as long as you or the company you represent entertains a business relationship with us and for a certain time thereafter, or as long as you have expressly consented to. You have the right to unsubscribe from such communications at any time. If you unsubscribe we will cease the processing of your personal data.

Personal data that we process to analyse our customer base in order to provide our customers with updated, relevant and enhanced offers, are stored for the duration of our business relationship or for as long as you have expressly consented to. You are always welcome to get in touch if you have any questions or concerns regarding the processing of your personal data.

3. Employees

The following information concerns the collection, processing, storage and sharing of the personal data belonging to employees of VAB. This includes current, past and future employees regardless of employment type, including agency workers.

Who is responsible?

VAB is responsible for the personal data of those who have applied to work with us, those who have previously been employed by us and those who are currently employed by us, regardless of the form of employment. Contact details can be found at the end of this document.

What kind of personal data is collected and why?

Personal data may be collected during the recruitment process and continuously throughout the period of employment.

When personal data is collected

Categories of personal data

Categories of purposes

In the recruitment process

Identity details, contact details, references, skills profile

Hiring employees

During recruitment

Identity details, photograph* contact details, skills profile, payroll information, working hours, health details

Personnel, payroll and expenses, fulfilment of internal policies and legal obligations in, for example, accounting and the health and safety

* In some cases, the data will be collected by consent and in other cases a balance is struck, taking legitimate interest into consideration.

Who has access to the data?

Personal data may be disclosed to data processors, other companies within Väderstad Group or third parties, described below, in accordance with applicable data protection laws.

  • Väderstad Group may be granted access in order to enable global processing of personal data for the above purposes
  • Personal data processors may be granted access for example for personnel administration and business purposes as part of their normal activities, such as outsourcing the management of employees' salaries or IT operations to an external supplier
  • Recruitment service providers and where personality tests are carried out
  • To the authorities where there is an obligation to do so or if we need to protect our rights or the rights of a third party
  • To third parties in connection with the sale or otherwise transfer of a part of Väderstad Group’s business activities
  • To third parties in connection with an emergency where the health and safety of an employee or other person is in danger
  • To third parties in order for us to exercise our rights, e.g. in connection with a legal dispute
  • To an authority and/or employer organisation for payroll statistics

In such cases where data processors are engaged it will be required that the data processor uses appropriate technical and organisational security measures to protect employees' personal data and to ensure that the processing of employees' personal data is carried out only in accordance with VAB’s instructions.

How long the data is processed and stored

The personal data is processed and stored for as long as necessary for the purposes for which the data was collected. Some personal data will be deleted when the employment relationship is terminated. Other personal data will be stored for a longer period of time due to legal obligations to retain the personal data. For example to be able to provide a reference or proof of employment, to prove that the correct tax deductions have been made or where VAB need to retain the data in order to safeguard its rights.

As the ability to lodge claims against VAB expire (limitation), the data will be removed. There may be a requirement to retain personal data related to specific projects and such data may then be retained for the duration of such projects.

Some personal data may be retained for an extended period of time, for example data relating to employee’s period of employment until such a time as the employee has reached retirement age according to the Employment Act. The basis for pension contributions may be retained for the remainder of the employee’s life. If you have any questions or concerns regarding the processing of your personal data, you are welcome to get in touch with us.

4. Suppliers 

The following information concerns the collection, processing, storage and sharing of the personal data belonging to suppliers of VAB. A supplier is an employee or contractor of a supplier, including a sole trader, and may also include a prospective supplier.

Who is responsible?

Väderstad AB is responsible for the personal data of those who are acting as or have acted as its suppliers. Contact details can be found at the end of this document.

What kind of personal data is collected and why?

We collect personal information such as name and contact information from your employer /client within the framework of our business relationship. We do this in order to manage and fulfil our contractual obligations. We will never require that you provide us with your personal data, however, we will be unable to enter into an agreement with you as a sole trader or with your employer/ client should we not be granted access to certain personal data. 

Personal data will be collected for a prospective new supplier and /or when registering a supplier and when a supplier enters and exits our premises. 

When personal data is collected

Categories of personal data

Categories of purposes

For our records*

Name, title, contact information

To be able to provide information, handle orders, invoicing, support and administration

On entering and exiting

Name, title

On recording who is present on the premises, for example, for health and safety reasons

*Includes prospective new suppliers

Who has access to the data?

Väderstad may disclose personal data to data processors, other companies within Väderstad Group or third parties, described below, in accordance with applicable data protection laws.

  • Väderstad Group companies may have access for the above-mentioned purposes. Where appropriate, there will be an access control system in place whereby only those who need the information are given access
  • To security firms, courts of law and authorities when we deem it necessary to share such data in order to protect our rights; e.g. in order to investigate potential breaches against our terms or to detect, prevent or reveal fraudulent activity, economic espionage or other security issues
  • With product and service providers who act on our behalf, e.g. providers of the systems that are necessary for managing the business relationship
  • With third parties in connection with the sale or otherwise transfer of a part of Väderstad Group’s business activities

How long the data is processed and stored

The data will be retained as long as it is required in order to support previous deliveries by the supplier /potential supplier or contact to VAB. Processing of the personal data will cease as soon as it has been received from the supplier, provided that we are not required to retain the data under for example laws related to accountancy and statute of limitations.

If you as a supplier have any questions or concerns regarding the processing of your personal data you are welcome to get in touch with us. 

5. Cookies

In general, you can visit Väderstad’s websites without giving any details as to who you are and without revealing any information about yourself. We collect cookies and anonymous information about your use of our websites. We use this data to improve our websites or our marketing.

All Väderstad websites which can be accessed by our customers contain information on how we use cookies. Some countries also have an online procedure for approving or rejecting cookies. You can find more information about our use of cookies in our local cookie policy that has been published in your country at www.vaderstad.com.

6. Your rights

The GDPR constitutes a strengthening of the privacy and rights of the individual. You have certain rights in respect of the processing of your personal data. You are welcome to contact us should you wish to exercise those rights. Your rights as a data subject are briefly described here.

Right to revoke your consent and to object to data processing

You may, with immediate effect, revoke all or part of your consent at any time. You may also object to your personal data being used for direct marketing, automated decision making or profiling, in which case the data subject may object to this processing at no cost

Right to access

You have the right to know which of your personal data is being processed by us and you have the right to access this data. In order to gain access to your personal data, you should submit your request using the contact details in the next section. Inquiries will be handled within 30 days. This time limit may be extended, depending on how complex the request is and how many requests are received during the same period.

If the Data Controller requires more than three months to process the request, then this shall be reported to the supervisory authority within one month from the date on which the request is received. Reasons for the delay shall be given in this report.

Right to correction

You have the right to have incorrect personal data corrected without undue delay and to ask us to supplement incomplete data by providing us with accurate details. If you have a user account with Väderstad’s Partner Portal, you will also be able to correct and update your details there. If you are a Väderstad employee, you will be able to easily amend your contact and other personal information in the human resources management system.

Right of removal

The right of removal means that organisations must delete your personal data when:

  • The purpose for which it was collected no longer applies
  • The data subject revokes his /her consent which had been the legal basis for processing the data
  • The data must be removed by law
  • The data subject objects to direct marketing
  • A data subject objects to "legitimate interest" as a legal basis, provided that the interests of the data subject outweigh those of other parties

The organisation must also provide notification of deletion to any other parties to whom the data has been disclosed, provided that this does not entail an excessive burden on the Data Controller.

There are exceptions, as in cases where other rights and obligations take precedence. Organisations do not need to delete information that can be used as a defence in legal claims.

Right to data portability

The right to data portability entitles the data subject to receive the personal data they have provided the Data Controller with in a structured, commonly used and machine-readable format.

The right also applies to personal data generated by the data subject's activity. This right applies to processed personal data where the legal basis is consent or a necessity for the performance of a contract. You also have the right to transfer your personal data to another personal data controller or to seek our assistance in transferring the data when technically possible.

Right to lodge a complaint

Should you have any complaints regarding our processing of your personal data, you have the right lodge a complaint with the Swedish Data Protection Authority (www.datainspektionen.se).

There is no cost associated with exercising your rights in respect of the processing of your personal data. Should you make a manifestly unfounded request, however, we may charge a fee that covers our administrative cost of satisfying your request.

7. Contact details

In order to exercise your rights, e.g. obtaining access to the personal data that we process, please contact Väderstad’s Data Protection Coordinator via e-mail:

gdpr@vaderstad.com or by post:

Väderstad AB
Box 85
590 21 Väderstad

Mark the envelope "Data Protection Coordinator".

You can also contact your local data protection authority, which in Sweden is the Swedish Data Protection Authority.

Amendments to the document

This document may be updated and the most recent edition is always available on our website, numbered according to edition.