Konferensrumsdatabasen Sverige AB – Privacy Policy

This Privacy Policy contains information on how Konferensrumsdatabasen Sverige AB with company registration number 559327-9895 (hereinafter referred to as ”we” or ”us”) collects and Processes Personal data and information about Data subjects’ rights according to the General Data Protection Regulation (“GDPR”). References to ”you” and ”your” refer to the Data subject whose Personal Data we Process.

The Privacy Policy covers all Processing of Personal data, in both structured and unstructured data.

Definitions

The following terms used in this Privacy Policy shall have the meanings set forth below, both when expressed in the plural and the singular:

The Service, as well as Konferensrumsdatabasen.se: refers to the webbased software service at https://konferensrumsdatabasen.se provided by us and accessed by users through a web browser.

Customer: refers to the entity that has entered into a Subscription  Agreement with the Supplier regarding the Service.

User: refers to the individual that is using the Service on behalf of the Customer.

Account: refers to the User’s or Customer’s user account, protected by a password, to the Service.

GDPR: refers to regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal data: any information relating to an identified or identifiable natural person (“Data subject”’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal data.

Processor: refers to a natural or legal person, public authority, agency or other body which Processes Personal data on behalf of the Controller.

Personal data breach: refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal data transmitted, stored or otherwise Processed.

Third party: refers to someone other than the Controller (and the persons who are authorised to Process the Personal Data), the Data subject or the Processor (and the persons who are authorised to Process the Personal Data). A Third party may be a legal person or a natural person, institution, authority or other body.

SCC: refers to the Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or the Standard Contractual Clauses for the transfer of Personal Data to Processors established in third countries, set forth in the European Commission Decision of 5 February 2010, or any other such updated version.

Other terms and expressions used in this Privacy Policy, but not defined herein, shall be defined in accordance with the definitions stated in “Konferensrumsdatabasen Sverige AB’s Terms of Service”.

Controller and Processor

We act in the capacity of a Controller and are responsible for the Processing of Personal data performed by us or on our behalf, when we determine the means and purpose of the Processing (according to the principle of liability). For example, we act in the capacity of a Controller when we register the Customer as a customer of ours in the systems we use within the business or when we Process the Customer’s data including any Personal Data to perform invoicing for the Service etc.

In some cases, we act in the capacity as Processor for the Customer, who is the Controller. For example, we Process Personal data on behalf of the Customer and in accordance with the Customer’s instructions, when a Customer and its Users registers information in our Service. The Processing of Personal Data that we perform in the capacity as Processor is regulated in more detail in a Data Processing Agreement that has been entered into with the Customer.

How we collect Personal data

We collect your Personal data:
When we engage in a business relationship.
Through your use of our Service, website or app.
Through email correspondence.
When you provide us with data through meetings, social media or events.

What data we collect

We try to work primarily through the principle of data minimization regarding the storage of Personal data, by only Processing Personal data that is necessary, adequate and relevant for each individual purpose (according to the principle of purpose limitation and data minimization).

We mainly Process the categories of Personal Data listed below, which we can access when you contact us, enter into an agreement with us or otherwise in connection with the performance of our Services:

  • Basic information such as your name, workplace and title.
  • Contact details such as address, email address and telephone number.
  • Information you provide in connection with meetings or events.
  • Information about how you use our website or Service.
  • Technical data, which may include your URL, IP address, unique device ID, network and computer performance, browser type, language and identifying information, general geographical location and operating system.
  • Email correspondence.

Why we Process your data

We only collect Personal data for specific, explicitly stated and legitimate purposes according to GDPR and the principle of purpose limitation. Each individual Processing of Personal data requires a so-called “legal basis” in order to be legal (according to the principle of lawfulness, fairness and transparency).

According to GDPR, Personal data shall not be stored for longer than what is necessary to fulfill the purposes for which they were collected. If it is necessary for us to comply with a legal obligation, we may store Personal data for a longer period for that purpose. Personal data that can no longer be stored will be erased (deleted) (according to the principle of storage limitation).

Below you can read more about the purpose, legal basis and storage period of the Processing of your Personal data.

1)        When you visit our website and/or use the Service:

Our website and the Service uses cookies. The use of non-essential cookies takes place only if you give your consent to it. You can revoke a given consent at any time (without this affecting the legality of the Processing performed with the support of the consent before it was revoked). In addition, you can manage the storage of cookies through your browser settings. Legal basis for the Processing: Consent.

2)        When we get in touch through email, telephone, social media or contact form:

You can contact us through email, telephone or social media and in such cases, we obtain access to your Personal data that appears in connection with such contact. For example, we may have access to the following Personal data: name, telephone number, IP-address, e-mail address, user ID from social media (if applicable) and other information that you provide to us. This information is Processed by us so that we can know who we are talking to and to keep in touch in the matter. Legal basis for the Processing: Legitimate interest.

You can also contact us by sending a message to us through the contact form on the website. We may obtain the following Personal data that belongs to you: name, employer, telephone number, IP-address, e-mail address, and the information that you include in the message. This information is Processed by us so that we can know who we are talking to and to contact you. Before sending the message to us, you give your active consent to our Processing of your Personal data taking place in accordance with this Privacy Policy, by ticking a checkbox for approval. Legal basis for the Processing: Consent.

When the User contacts us, the User’s messages are saved in order to help the end User with a problem or provide information about our Services, whether immediately or at a later time. The Processing is performed as long as we have a business relationship with the company you represent, and up to 180 days thereafter (backup storage). Legal basis for the Processing: Contract.

 3)        When a Customer enters into a subscription or service agreement with us:

We Process Personal data that belongs to the Customer’s contact person and/or company signatory in order to fulfill the agreement regarding our Services. Personal data that we Process belonging to the Customer’s contact person and/or company signatory refers to, among other things: first name, last name, telephone number, e-mail address, employer. Legal basis for the Processing: Contract.

The subscription and service agreement that is entered into with us may contain Personal data belonging to the Customers contact person and/or company signatory and is stored as long as we are obliged to keep an accounting record of the invoices made to the Customer regarding the Services provided to the Customer.

4)        To manage our business relationships:

We may contact you by using your contact details that you have provided to us, in order to manage our business relationship with you. If there is a contract between you and us (or the company that you represent), the Processing is made on the basis of performance of a Contract. This type of Processing may be conducted by us as long as we have a business relationship with you or the company you represent.

If you have not entered into an agreement with us, the Processing is made on the basis of Legitimate interest instead, since we have a legitimate interest in managing potential business relationships. This type of Processing may be conducted by us as long as we deem our Services to be interesting to you or the company you represent, or until you request that we shall stop our processing of your personal data for this purpose.

5)        When you receive newsletters from us:

You may receive newsletters from us, in order for us to inform you about for example new features and/or changes in the Service, new services provided by us or similar. You can choose to unsubscribe from the newsletters at any time by clicking on the unsubscribe link in the newsletter or email your request to unsubscribe to us. Legal basis for the Processing: Legitimate interest.

If you unsubscribe, you will be removed from the email list for recipients of the newsletters, but your email address will remain in the database with a block for receiving newsletters. The purpose of this is to ensure that you do not receive any newsletters from us. If you want your email address to be deleted from the list of blocked email addresses, you can contact us by email and request this. However, if you request that we remove your email address from the list of blocked email addresses, you will be able to receive newsletters from us if you or someone else registers your email address to receive newsletters again.

6)         To comply with our legal obligations:

If we are obliged by for example law, a court decision or similar to Process certain Personal data, the Processing takes place on the basis of a Legal obligation as the legal basis. In such cases, the Processing takes place only to the extent that it is necessary for us to fulfil our legal obligations and then we only process the necessary Personal data, for as long as it is required (in accordance with the principle of storage limitation).

As an example, we Process and store invoices and other documentation that form our accounting basis that we are obliged to Process and store in accordance with current legislation, such as the Swedish Accounting Act (1999: 1078). Accounting documents and invoices may in some cases contain Personal data, such as contact information of the Customer’s contact person and/or signatory. Such is stored for as long as prescribed by law. Legal basis for the Processing: Legal obligation.

We may also Process relevant Personal data for the establishment, exercise or defence of legal claims. This is made based on our Legitimate interest in establishing, exercising or defending any legal claims. This also applies in order for us to protect our rights and property. Information that is relevant for any legal claim is kept for as long as such claim can be made in accordance with applicable legislation.

7)         Other purposes for our Processing of Personal Data:

When a Processing of Personal data takes place on the basis of a Legitimate interest as a legal basis, our assessment is that the Processing does not constitute an infringement of your right to privacy and integrity. We have come to this conclusion, after having made a balance between on the one hand what the Processing in question means for your interests and the right to privacy, and on the other hand our legitimate interest in the Processing in question. However, we never Process sensitive Personal Data on the basis of this legal basis.

Based on our Legitimate Interest, we may process Personal data to:

  • market our products and services through, for example, direct marketing, publications and events. We may process your email address to perform the direct marketing, and we may do this as long as we have a business relationship or until you opt out.
  • ensure the technical functioning of our website and Service, to provide support for our Services and to analyse your use of the website and Services in order for us to develop and improve them. Session cookies are stored as long as the browser is open. Other cookies are stored for a maximum of 24 months. Other technical data is logged for 180 days.

Where Personal data is stored

We strive to Process all Personal data that we handle within the EU/EEA (according to the principle of integrity and confidentiality).

If we transfer your Personal data outside the EU/EEA, such transfer will be subject to appropriate safeguards in accordance with the GDPR and/or SCC.

Termination

Upon termination of the Customers Subscription, all Account information and data will be made inaccessible to the User. The data and logs of activity in the User’s account are stored for a maximum of 180 days, before being permanently deleted, unless there is a legal obligation to store the data for a longer period of time.

How we share your data

We do not sell your data to any Third party for marketing purposes. However, we may share Personal data that we Process with our subcontractors when they perform services on our behalf, for example when we engage subcontractors to maintain and support our IT systems, to help us fulfill our legal obligations under contracts, applicable legislation, to safeguard our legal interest, to improve our services/products, or to prevent and detect technical or security issues with our services and/or software. When we engage a subcontractor to Process Personal data on our behalf, they become our sub-processors.

With regards to EU Personal Data, we and the sub-processor will comply with each of our respective obligations under the GDPR and any subordinate legislation and regulation implementing the GDPR and/or SCC which may apply. The sub-processors may only Process the Personal data in accordance with the instructions stated in a Data Processing Agreement and/or SCC entered into between us and the sub-processors.

We may also disclose or share Personal data with:
– Subsidiaries or other group companies.
– Auditors and other professional advisors.
– A Third party involved in organizing an event, e.g. hotels, event organiser or speaker.
– A Third party when it is necessary in order to provide services to you or comply with a legal obligation.
– Social media such as Instagram, Facebook, LinkedIn or Twitter when you contact us through such services. If you use these services, we refer to the respective service’s privacy policy for information on how they Process Personal data.

How we protect your data

We implement security measures to protect your Personal data. All our Services and software use encryption to ensure security when data is sent over the Internet. Only employees who need information owned by the Users in order to help the Users may access such information.  

We use a range of technical and organisational measures to protect your Personal data from unauthorised access, use, loss, change or deletion in accordance with the GDPR (according to the principle of integrity and confidentiality). Such actions include, but are not limited to, physical controls, encryption, eligibility restrictions, policies, etc. All our internal registers and systems are password protected. There are also instructions for staff-members with access to our databases containing Personal data, to protect the information.

Your rights

If we Process your Personal Data, you have different rights under GDPR regarding our Processing of your Personal Data. Under certain conditions, you have the right to:

  • be informed about the collection and the use of your Personal data,
  • access your Personal data and supplementary information,
  • have your inaccurate Personal data rectified or completed if it is incomplete,
  • have your Personal data erased (to be forgotten) in certain circumstances,
  • restrict Processing of your Personal data in certain circumstances,
  • data portability, which allows you to obtain and reuse your Personal data for your own purposes across different services,
  • object to Processing in certain circumstances,
  • rights in relation to automated decision making and profiling,
  • withdraw your consent at any time (where relevant),
  • complain to the Supervisory authority regarding our Processing of Personal data, and
  • be informed about any Personal data breach concerning your Personal data in certain circumstances.

We hereby inform you that some of the rights only apply in certain situations and only if it is legal and possible for us to implement your request. You are welcome to contact us if you would like to invoke any of the above rights regarding your Personal data that we Process.

Personal data breach and complaints

If you have any complaints about our Processing of Personal data, the complaint can be made to us, or to the Swedish Authority for Privacy Protection: Integritetskyddsmyndigheten (IMY), Box 8114, SE-104 20 Stockholm, Sweden or your local national data protection authority, and the contact details for local national data protection authorities can be found at the European Commission’s web page.

A data breach or other incident which means that our control over Processed Personal data is lost, is regarded as a Personal data breach according to GDPR. All Personal data breaches will be documented internally and will also be reported to the Swedish Authority for Privacy Protection within 72 hours, when GDPR requires it.

Changes to this privacy policy

The latest version of the Privacy Policy is always publicly available through this website. You are responsible for reading the contents of this Privacy Policy and keeping up to date on any changes.

How to contact us

Do not hesitate to contact us if you have any questions about this Privacy Policy or regarding our Processing of your Personal data or if you would like to exercise any of your rights under the GDPR. You can contact us at info@konferensrumsdatabasen.se

Updated as of October 19, 2022.