Processing of your personal data - Private individual
Castellum cares about your privacy and protecting the personal data we process about you. All processing of personal data takes place in accordance with the provisions of the General Data Protection Regulation and other applicable data protection legislation. We present below a description of how we compile, process and share your personal data in connection with the application for housing and the administration of your tenancy or right of use relationship with Castellum.
This is how we process your personal data
This description applies regardless of which company in the Castellum Group owns the property/garage or parking facility that you use. However, please note that the data controller is the company that belongs to the region where the property/garage/parking facility is located. If you have a contractual relationship with a Kungsleden company, Kungsleden AB is the data controller. In this document, the term ‘Castellum’ also includes Kungsleden companies.
Which personal data will be processed?
Castellum compiles and processes the following personal data: names, addresses, telephone numbers, bank account numbers, email addresses, personal ID numbers, vehicle registration numbers, income data, salary, employment certificates, references, apartment numbers, entry logs, access cards/tags, credit information, any CCTV material, lease term, repair and maintenance, subletting, fault reports, payment records, information about any trustee or guardian, decisions from the social care committee in the case of special housing or group housing, admission notice and student union membership in the case of student housing, and any additional information that may be disclosed by you when communicating with us (your ‘personal data’).
Why do we process your personal data?
Castellum processes your personal data in order to process an application for housing and administer the tenancy/right of use relationship (e.g. to send rent invoices and receive payments); to communicate with you (e.g. concerning maintenance of the property in which you live or the garage/parking space which you use, and suchlike); to send you relevant news about our business; to ensure that only authorised persons have access to the property/garage e.g. through entry systems and CCTV; if it is necessary to safeguard a legal claim (e.g. in the event of disturbances in the accommodation, late or non-payment of rent or damage to the apartment); to send information about you to the police in conjunction with events concerning your tenancy or right of use relationship; to serve notice of termination or send information to another landlord in order to carry out an apartment swap if applicable; to pass on decisions from the social care committee in support of eligibility for special housing or group housing; to pass on admission notices and student union membership in support of eligibility for student housing; and to carry out company accounting. Where trustees or guardians are involved, their personal data may be used for the purposes described above. Kindly note that CCTV is only used in certain properties and, in such cases, it is clearly indicated that CCTV is in use.
From where do we obtain personal data?
The personal data is compiled directly from you, from your employer, from authorities and from credit rating agencies. In the event of an apartment swap, Castellum may also obtain data from another landlord. Information connected to you can also be created internally at Castellum. Castellum can also update the personal data to ensure that Castellum does not process outdated personal data about you. Updating of personal data may, for example, take place through the State Personal Address Register (SPAR).
Who has access to your personal data?
We have taken appropriate technical and organisational security measures to protect your personal data against, for example, loss and unauthorised access. Only persons at Castellum have access to your personal data, and it will be processed only for the purposes stated above.
However, we may share your data with other companies in the Castellum Group for the purposes of transferring information on what has transpired in communication with you, following up strategic matters, statistics regarding costs, etc. We may also share your data with our suppliers who perform services on our behalf. In addition, we may share your personal data to enable us to carry out questionnaires, events and marketing or administer the lease and other documentation. The personal data you provide to us may primarily be shared with IT providers for the purposes of supporting and maintaining our IT systems, with our auditors and our bank, with address providers to update your personal data when necessary, and with other landlords, the police and process servers. Your personal data may also need to be shared with authorities, insurance companies, security companies, parking companies, collaborative bodies and debt collection companies.
How long is your personal data stored?
Your personal data will be stored and processed by us as follows:
- Personal data that is processed for a housing application and is collected to approve your tenancy is not retained. However, if we cannot approve your tenancy, your personal data will be retained for three months after the rejection decision;
- Personal data that is processed in order to communicate with you or a guardian or trustee is retained for one month after the termination of the tenancy or parking space agreement;
- Personal data which is processed in order to administer the tenancy or right of use relationship – 8 years after termination of the tenancy or parking space agreement;
- Personal data which is processed to ensure that only authorised persons have access to the property – 1 month after termination of the tenancy (entry card/tag as well as name) and 1 week after termination of the tenancy (entry log).
- Any material from CCTV surveillance – as long as the data are necessary to fulfil the purposes of the surveillance.
- Personal data processed for the administration of events – normally deleted within 30 days after the event has ended.
- Personal data processed in order to send news about our operations, or to send you invitations to events or marketing – for as long as you remain our tenant.
What right does Castellum have to process your personal data?
Personal data about your credit status, information from debt collection companies and authorities that is collected to approve your tenancy is processed on the basis of balance of interests. Castellum considers that it is entitled to process your personal data since this processing is necessary for purposes that involve Castellum’s legitimate interests.
The processing of your personal data to administer the tenancy or right of use relationship and the processing of access cards/tags and data needed to safeguard legal claims is based on such processing being necessary to fulfil the agreement with you and to provide you with the tenancy or right of use object.
The processing of your personal data to carry out company accounting is based on the fact that we are obliged by law to process your personal data for this purpose.
On the basis of balance of interests we process your personal data to communicate with you, to send data about you to the police, process servers, insurance companies, security companies, parking companies, collaborative bodies, debt collection companies or other landlords (if applicable), to send news, marketing or invitations to events, and to manage entry logs and any other surveillance of the property/garage. Castellum considers that it is entitled to process your personal data since this processing is necessary for purposes that involve Castellum’s legitimate interests.
The processing of your personal data in order to communicate with you, to send information about you to the police, any service processor or other landlord if relevant, as well as the processing of an entry log as well as other monitoring of the property/the garage, is based on a balancing of interests. Castellum considers that it is entitled to process your personal data since the processing is necessary for purposes which involve Castellum’s legitimate interests.
The processing of personal data relating to a guardian or trustee is based on the fact that we are legally required to process personal data for this purpose.
In the event that we request information about your dietary preferences, which could include personal data concerning your health which falls under a specific personal data category, we base the data processing on consent. You always have the right to withdraw your consent by contacting us.
This is our reasoning
Castellum’s legitimate interest as regards the sending of information about you to another landlord and other communication with you is to provide you with service and to be able to contact you on diverse issues within the scope of the relationship that exists between you and Castellum, e.g. to give notice of maintenance of the property/the garage/the parking space or similar information, and to provide you with relevant news concerning our business. Castellum has weighed its legitimate interest against any encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that the risk of encroachment on privacy is restricted since the personal data which is processed cannot be deemed to be particularly privacy-sensitive personal data. The personal data which is processed is also restricted to what is needed to perform the purposes of the processing of the personal data and it is also in your interest to obtain relevant information and to be able to carry out an apartment swap with another landlord.
Castellum’s legitimate interest with regard to sending data about you to process servers, the police, insurance companies, security companies, parking companies, collaborative bodies and debt collection companies, and with regard to managing entry logs and other surveillance of the property/garage, is to protect Castellum’s business operations and prevent unauthorised persons from accessing the property/garage, as well as to prevent vandalism etc. Castellum’s legitimate interest to process your personal data relating to credit status, information from debt collection companies and authorities that is collected in order to approve your tenancy is to protect Castellum’s business operations. Castellum has weighed its legitimate interests against any encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that there is a risk of encroachment on privacy, but that the use of the information is so restricted, and so few individuals within Castellum have access to the data, that the risk is nevertheless limited. In addition, Castellum makes the assessment that Castellum’s interest in being able to carry out this processing carries considerable weight.
Castellum’s legitimate interest with regard to the processing of contact details for the purposes of sending you news, marketing, or invitations to events, as well as sending contact details to selected suppliers to enable them to send marketing, is to keep you updated regarding our operations and activities and to maintain a good relationship with you as a tenant. Castellum has balanced its legitimate interests against any violation of privacy that Castellum’s processing could cause. Castellum assesses the risk of privacy violation to be limited, as the personal data processed cannot be regarded as particularly privacy-sensitive. Moreover, the personal data that are processed are limited to what is necessary to fulfil the purpose of the data processing. For this reason, in the balancing of legitimate interests, Castellum assesses that Castellum’s grounds for processing prevail, and that Castellum therefore has the right to process your personal data.
Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data.
What happens if you do not provide your personal data?
It is necessary that you provide the personal data stated above to enable Castellum to contact you and take measures as stated above. If the data stated above which is obtained from you is not provided, the aforementioned measures cannot be taken by Castellum.
Will third country transfer take place?
Castellum strives not to transfer data to a country or company located outside the EU/EEA. However, we use third-party cookies on our website. The use of third-party cookies means that your personal data may be transferred to a third party located in a third country (e.g., the USA). You have the option to limit the use of cookies yourself, and you can find more information about this in our cookie policy.
Your rights
When your personal data are processed, you have the below rights under the General Data Protection Regulation (GDPR). More information is available on the website of the Swedish Authority for Privacy Protection (IMY) www.imy.se/privatperson/dataskydd/dina-rattigheter/.
Right to be informed (register extracts)
You have a right to be informed by us of whether we are processing your personal data and, if so, to request access to this personal data in the form of a register extract. You also have the right to receive the following information:
- the purpose of the processing,
- the types of personal data processed,
- who the personal data has been shared with, including third country transfers, and the protective measures taken,
- data retention period,
- your rights,
- the source of the personal data, and
- whether automated decision-making occurs.
If you ask to access personal data that we process about you, you will receive a copy of these data. If you request extra copies, you may be charged a fee for administrative costs. If you request your personal data electronically, we will normally provide the copy of the personal data in electronic format, unless otherwise requested.
Right to rectification
If any of the personal data we process about you are incorrect, you have a right to request that we rectify them without undue delay. Depending on the purpose of the processing, you also have a right to amend any incomplete personal data.
Right to erasure
You have a right to request that we erase your personal data without undue delay if:
- the data are no longer necessary for the purposes for which they were collected,
- you have withdrawn your consent, and your consent was the lawful basis for processing the data,
- you object to the processing of data which relied on legitimate interests as the legal basis for processing, and there is no overriding legitimate interest to continue our processing,
- you have objected to direct marketing,
- the processing is unlawful, and
- erasure is necessary in order to comply with legal obligations.
We have a right to refuse your request for erasure if processing is necessary in order to comply with a legal obligation or for the establishment, exercise or defence of legal claims.
If the data are erased at your request, we have an obligation to inform any parties whom we have shared the data with that you have requested to have your personal data erased.
Right to restrict processing
You have a right to request to have your personal data processing restricted under certain circumstances.
The right to restrict processing applies if:
- you contest the accuracy of your personal data (during the time that we are verifying the accuracy of the data),
- the data have been unlawfully processed and you oppose erasure and request restriction instead,
- we no longer need the personal data but you need the data in order to establish, exercise or defend a legal claim, or
- you have objected to processing of data which relied on legitimate interests as the legal basis (during the time that we are investigating whether our legitimate grounds override your grounds for having the data erased).
If we have restricted processing of your data, we will notify you before restriction of the processing ceases.
Right to object
You have a right to object at any time to processing of your personal data on the basis of legitimate interests. If our grounds do not override your grounds, we are no longer allowed to process your data after you have objected.
If you object to direct marketing, we may no longer process your data for such purposes.
Right to data portability
If our processing of your data is automated and based on consent or on the performance of a contract, you have a right to receive the data in a structured, commonly used and machine-readable format. You also have a right to transmit the data to another data controller.
If it is possible, you also have a right to request that we transmit your data directly to another data controller.
Data controller and contact details
You have a right to lodge a complaint to the Swedish Authority for Privacy Protection if you think that we are processing your personal data in violation of the GDPR. The contact details of the Swedish Authority for Privacy Protection are available at www.imy.se.
If you have any questions about how your personal data are processed, do not hesitate to contact Castellum’s data protection officer at dso.castellum@insatt.com.
The data controller for processing of your personal data is the company listed below that belongs to the region in which the property/garage/parking facility is located. If you have a contractual relationship with a Kungsleden company, Kungsleden AB is the data controller. In this document, the term ‘Castellum’ also includes Kungsleden companies.
Castellum Mitt AB, co. reg. no. 556121-9089
Address: Box 1824, 701 18 Örebro, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se
Castellum Stockholm AB, co. reg. no. 556002-8952
Address: Box 70414, 107 25 Stockholm, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se
Castellum Väst AB, co. reg. no. 556122-3768
Address: Box 8725, 402 75 Gothenburg, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se
Castellum Öresund AB, co. reg. no. 556476-7688
Address: Box 3158, 200 22 Malmö, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se
Castellum Mälardalen AB, co. reg. no. 559292-6678
Address: Box 1187, 721 29 Västerås, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se
Kungsleden AB, co. reg. no. 556545-1217
Address: Box 70414, 107 25 Stockholm, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se