GDPR – Personal data policy

From 25 May 2018, the Personal Data Act (PUL) has been replaced by the new data protection regulation (GDPR). The purpose of PUL has been to protect people against having their personal integrity violated when their personal data is processed. GDPR places higher demands on how we as an organization process your personal data and gives you better opportunities to influence our handling.

In the policy, we describe why we process your personal data, which personal data we process, on which legal basis we support the processing and how long the data is saved. We also describe how you can influence the processing by exercising your rights. We also give you information on where to turn if you are not satisfied with our handling. It is important that you read and understand the privacy policy. You are always welcome to contact us with any questions.

We can be reached in the following ways:

Mail: Svärdvägen 19, 182 33 Danderyd

Phone: 08 446 45 00

Email: info@ortivus.com

What the change means for you

In short, GDPR means that…

…you have the right to receive more detailed information about how we process your personal data. We provide you with such information in the personal data policy below,

…you have the opportunity, under certain conditions, to request that your personal data be moved or that we limit the processing,

…that you get enhanced opportunities to access your personal data and, under certain conditions, to have it corrected or deleted,

…that you can approve or object to certain processing that we carry out, for example for the sending of information such as newsletter via e-mail.

1. Information about personal data

In this personal data policy, we, with organization number 556593-0707, are referred to as the Company and are the personal data controller. Personal data is data through which we can directly or indirectly identify you, e.g. your name, your phone number, your email address.

2. Processing of personal data

Everything we do with your personal data counts as processing. This applies regardless of whether we use automated systems or not. We process your personal data in connection with the sending of information, payments, handling of complaints, in order to comply with current legislation such as e.g. the Accounting Act, to send newsletters etc.

3. Personal data handled

The personal data we collect about you consists of customer data. This is information such as name, e-mail address, telephone number, address details and other information provided by you.

4. What the data is used for

In order for us to process your personal data, it is required that we have stated an explicit and justified purpose for the processing. The personal data must then not be processed in a way that is incompatible with the original purpose. In addition to this, we must have support in law, a so-called legal basis, to be allowed to process personal data.

We support the processing of personal data that we carry out on the following legal grounds and consent:

a) Processing of your personal data is necessary to enter into or fulfill the agreement with you (the housing association that you represent as a board member, auditor or manager).

b) The processing of your personal data is necessary for us to fulfill a legal obligation, e.g. to save personal data for accounting purposes.

c) We assess, after a so-called balancing of interests, that our interests in processing your personal data outweigh your right to privacy protection.

In order for us to be able to fulfill the agreement with you, we need to process and handle your personal data. Below are examples of the purposes for which we process your personal data and on what legal basis we do this.

Provision of services

We process your personal data to the extent necessary for us to be able to identify you as a customer. We also need to process your personal data to be able to charge you according to the agreement and to be able to take debt collection measures if this is necessary to ensure that our claim is paid.

Legal basis of above as follows: Fulfillment of agreement according to point 1 and Legitimate interest according to point 3. Our legitimate interest in the processing in this part is that we ensure payment according to the agreement with you.

Other communications about services

We process personal data in connection with other communications with you, e.g. to provide you with information. It can e.g. take place in the form of newsletters sent via e-mail. We also process personal data that we receive from you when and if you have chosen to respond to customer surveys that we have sent you or that you have received in another way.

Legal basis of above as follows: Fulfillment of agreement according to point 1 and Legitimate interest according to point 3. Our legitimate interests in the processing of personal data in customer surveys is that we want to receive your opinions in order to improve our offer based on that.

Compliance with laws

We process your personal data in order to be able to fulfill the statutory obligations incumbent upon us, e.g. the Accounting Act’s requirements for the storage of accounting material.

Legal basis of above as follows: Legal obligation according to point 2.

5. How we collect the data

We collect personal data in connection with your registration on the website, contacts with your financial manager, telephone or through a personal visit to us.

6. How long the data is saved

We do not save personal data about you longer than we need based on the purpose for which we process it. We therefore never save personal data just because it is “good to have”, but always have a defined purpose that is supported by legislation or an agreement.

As the information we collect is processed for different purposes, it is also saved for different lengths of time. It may therefore be the case that personal data about you is saved in one system, but deleted in another.

7. To whom the information is disclosed

In certain situations, we share your personal data with others. Below we describe when and why we do this. We would like to emphasize that we never hand over your personal data if this is not required for us to be able to carry out any of the treatments stated above, for which we have a purpose and for which there is a legal basis. We also do not sell your personal data on to others.

Suppliers and other personal data processors who process personal data on our behalf

We employ various suppliers in order to be able to provide our services. When we use suppliers who process personal data on our behalf, we stipulate in the agreement that the supplier (personal data processor) may only process personal data for purposes that we determine and on special instructions from us. Our suppliers are therefore not allowed to do anything with your personal data that we have not explicitly told them to do. We also require that the supplier’s handling of personal data be secure and correct.

8. Your rights

You have the right to receive information about how we process your personal data. You will receive such information in this policy. If you have further questions about our processing of personal data, you are welcome to contact us. Contact details can be found at the bottom of the policy.

In addition to the right to information, you also have other rights in relation to your personal data. You can e.g. affect our processing by requesting extracts, corrections, deletions and restrictions. You also have the right to object to certain processing that we carry out and request your personal data or request that it be moved.

Your right to be deleted requires that the data is no longer needed for the purpose for which it was collected, if the processing is based on a balancing of interests and there are no legitimate reasons that outweigh your interest, if the personal data has been processed illegally, or if you object against processing for direct marketing purposes. The right to be deleted does not apply if we are obliged by law (e.g. the Accounting Act) to keep the data.

You have the right to request extracts free of charge once a year, you can also request correction, deletion and/or restriction regarding the personal data we process about you. As it is important that we do not disclose your personal data to anyone else, such a request must be made in writing and signed by you. In addition, specify what the request is about. Send the request in a letter to us in which you state your name and social security number, your address and a copy of a valid ID document signed by you.

The register extract will be sent to you within 30 days of receiving the request. If the extract is so extensive that we need more time or if for some reason we cannot complete your request, we will let you know.

Please send your request to us: Svärdvägen 19, 182 33 Danderyd.

9. Security

We protect your personal data through a combination of technical and organizational solutions. Access systems are required for access to all of our systems that handle personal data. Employees with us as well as personal data assistants and sub-assistants must follow our internal information security policy.

10. Cookies

We use so-called cookies on the website www.hemsidan.se The purpose is for the website to function in the best way, to give you access to certain functions and to receive information about visits to the website. A cookie is a small text file that is stored on the visitor’s computer and that contains information. There are two types of cookies; partly permanent cookies that save a file on the visitor’s computer until the file is deleted, partly session cookies that disappear when you close your browser. Our website also uses third-party cookies for e.g. Google Analytics.

We use cookies to improve the experience on the website in the following ways:

11. Complaints

If you believe that we are processing your personal data in violation of current regulations, you should report this to us as soon as possible. You can also contact the Swedish Data Protection Authority directly and submit your complaint.

12. Damages

If you have suffered damage because your personal data has been processed in violation of applicable regulations, you may be entitled to compensation. In such cases, you can, after a written request, request damages from us or file a claim for damages in court.

13. Personal data controller

The company is responsible for personal data and is responsible for the personal data processed under the Company brand. We determine the purpose of the treatment and how it is carried out. We also determine how personal data is processed when we use subcontractors.

14. Contact details

Ortivus AB
Svardvägen 19
182 33
Danderyd
08 446 45 00
info@ortivus.com