Processing of personal data - Expressed interest in receiving news or annual reports
Castellum AB (“Castellum”) cares about your privacy and protecting the personal data we process about you. All processing of personal data takes place in accordance with the provisions of the General Data Protection Regulation and other applicable data protection legislation. We present below a description of how we compile, process and share your personal data when you have expressed interest in receiving news about us or have ordered our annual report.
Which personal data will be processed?
Castellum collects and processes personal data that you provide voluntarily, e.g. when you register or ask us to send you news or other material (regardless of whether this takes place via our own website or via other external tools that you use). The data that we collect include name, address and/or email address (your ‘personal data’).
Why do we process your personal data?
Castellum processes your personal data to enable us to send the news and other material you have shown an interest in receiving from us.
If you have expressed interest in receiving news from us, we will also process the data in order to send invitations to events and to send other news about our business.
From where do we obtain personal data?
Your personal data is collected directly from you via our online form at Castellum’s website or via other external tools that you use.
Who has access to your personal data?
We have taken appropriate technical and organisational security measures to protect your personal data against, for example, loss and unauthorised access. The number of persons who have access to your personal data is limited. Only persons at Castellum who need to process the personal data for the above purposes have access to your personal data.
However, we may share your data with our suppliers who perform services on our behalf. The personal data you provide to us may primarily be shared with suppliers of information services and distributors, to the extent this is necessary in order to administer and provide news and other material in accordance with your preferences, as well as with our IT providers, for the purposes of supporting and maintaining our IT systems.
How long is your personal data stored?
Your personal data will be stored and processed for the above-stated purposes until such time as you choose to unsubscribe from receiving news from us. If you have requested to receive our annual report, your personal data will be stored until we have sent it to you. Anonymized statistical information may also be stored thereafter.
What right does Castellum have to process your personal data?
The processing of your personal data as described above is based on a balancing of interests. Castellum considers that it is entitled to process your personal data since the processing is necessary for purposes which involve Castellum’s legitimate interests.
This is our reasoning
Castellum’s legitimate interest in this case is to be able to communicate information regarding our business to you, a person who has expressed interest in such information. Castellum has weighed its legitimate interest against any encroachment on privacy that Castellum’s processing of your personal data might entail for you. Castellum makes the assessment that the risk of encroachment on privacy is restricted since you have personally requested to receive news information. The personal data which is processed is also not of a privacy-sensitive nature. The personal data which is processed is also restricted to what is needed to perform the purposes for which the processing of personal data takes place. Castellum therefore makes the assessment that, following a balancing of interests, Castellum is entitled to process the personal data.
What happens if you do not provide your personal data?
It is necessary that you provide the personal data stated above to enable Castellum to send you the material you have requested. If the data is not provided, Castellum will be unable to send you the requested material.
Will third country transfer take place?
Castellum strives not to transfer data to a country or company located outside the EU/EEA. However, we use third-party cookies on our website. The use of third-party cookies means that your personal data may be transferred to a third party located in a third country (e.g., the USA). You have the option to limit the use of cookies yourself, and you can find more information about this in our cookie policy.
Your rights
When your personal data are processed, you have the below rights under the General Data Protection Regulation (GDPR). More information is available on the website of the Swedish Authority for Privacy Protection (IMY) www.imy.se/privatperson/dataskydd/dina-rattigheter/.
Right to be informed (register extracts)
You have a right to be informed by us of whether we are processing your personal data and, if so, to request access to this personal data in the form of a register extract. You also have the right to receive the following information:
- the purpose of the processing,
- the types of personal data processed,
- who the personal data has been shared with, including third country transfers, and the protective measures taken,
- data retention period,
- your rights,
- the source of the personal data, and
- whether automated decision-making occurs.
If you ask to access personal data that we process about you, you will receive a copy of these data. If you request extra copies, you may be charged a fee for administrative costs. If you request your personal data electronically, we will normally provide the copy of the personal data in electronic format, unless otherwise requested.
Right to rectification
If any of the personal data we process about you are incorrect, you have a right to request that we rectify them without undue delay. Depending on the purpose of the processing, you also have a right to amend any incomplete personal data.
Right to erasure
You have a right to request that we erase your personal data without undue delay if:
- the data are no longer necessary for the purposes for which they were collected,
- you have withdrawn your consent, and your consent was the lawful basis for processing the data,
- you object to the processing of data which relied on legitimate interests as the legal basis for processing, and there is no overriding legitimate interest to continue our processing,
- you have objected to direct marketing,
- the processing is unlawful, and
- erasure is necessary in order to comply with legal obligations.
We have a right to refuse your request for erasure if processing is necessary in order to comply with a legal obligation or for the establishment, exercise or defence of legal claims.
If the data are erased at your request, we have an obligation to inform any parties whom we have shared the data with that you have requested to have your personal data erased.
Right to restrict processing
You have a right to request to have your personal data processing restricted under certain circumstances.
The right to restrict processing applies if:
- you contest the accuracy of your personal data (during the time that we are verifying the accuracy of the data),
- the data have been unlawfully processed and you oppose erasure and request restriction instead,
- we no longer need the personal data but you need the data in order to establish, exercise or defend a legal claim, or
- you have objected to processing of data which relied on legitimate interests as the legal basis (during the time that we are investigating whether our legitimate grounds override your grounds for having the data erased).
If we have restricted processing of your data, we will notify you before restriction of the processing ceases.
Right to object
You have a right to object at any time to processing of your personal data on the basis of legitimate interests. If our grounds do not override your grounds, we are no longer allowed to process your data after you have objected.
If you object to direct marketing, we may no longer process your data for such purposes.
Right to data portability
If our processing of your data is automated and based on consent or on the performance of a contract, you have a right to receive the data in a structured, commonly used and machine readable format. You also have a right to transmit the data to another data controller.
If it is possible, you also have a right to request that we transmit your data directly to another data controller.
Contact details
You have a right to lodge a complaint to the Swedish Authority for Privacy Protection if you think that we are processing your personal data in violation of the GDPR. The contact details of the Swedish Authority for Privacy Protection are available at www.imy.se. Castellum AB is the data controller for processing of your personal data.
If you have any questions about how your personal data are processed, do not hesitate to contact Castellum’s data protection officer at dso.castellum@insatt.com.
Contact details for Castellum:
Castellum AB, co. reg. no. 556475-5550, postal address Box 2269, 403 14 Gothenburg, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se