1. Background and purpose
When you submit your personal data to us, or when we have obtained such data from someone else (a third party), we process that data in the manner detailed in this Policy.
The Railcare Group consists of Railcare Group AB (publ), 556790-7813, Näsuddsvägen 10, SE-932 32 Skelleftehamn, Sweden and the following Swedish subsidiaries:
Railcare Aktiebolag, 556600-2514, Railcare Export AB, 556502-3925, Railcare Lining AB, 556873-4817, Railcare Production AB, 556980-8586, and Railcare T AB, 556904-6674.
In processing your personal data, each subsidiary is at all times required to comply with this Policy and the applicable personal data legislation in its capacity as a personal data manager. As a registered contact, you are always entitled to assert your rights by addressing the subsidiary with which you have been in contact by sending a letter to P.O. Box 34, SE-932 21 Skelleftehamn, Sweden. You are also always entitled to contact us at firstname.lastname@example.org. See Section 3 below for more information regarding your rights.
Your personal privacy is important to us and we take data protection issues very seriously. Accordingly, this Policy sets out, for example, the categories of personal data we process, the purposes for which we process them and the legal provisions on which we support this processing. We also account for who is able to access and process the data, the principles for de-registering data, the third parties with whom we may share personal data, where personal data are processed and your rights as someone whose data have been registered, including your right of information, to have data rectified or deleted, etc. We ask that you review the Policy carefully and familiarise yourself with the contents as applied throughout our operations in processing personal data.
It may be necessary for us to update or amend the Policy from time to time. In such cases, we will inform you in an appropriate manner and we ask that you take note of any amendments. You will always find the latest version of the Policy on our website.
We hope this Policy answers any questions you may have regarding how we process and protect your personal data. If you have any further questions or concerns, you are always welcome to contact us at Box 34, SE-932 21 Skelleftehamn, Sweden or via email@example.com.
2. How we process personal data
We process personal data concerning our employees, individual contact persons at existing and potential customer and supplier companies, as well as job seekers. The sections below detail what personal data we process concerning each category of individuals, the purposes for which we process these and the procedures performed, the legal provisions on which we support the processing and the amount of time during which data are stored.
|Purpose||Legal basis||Personal data categories|
|For the purposes of personnel administration.||Implementation of the employment contract with you and our legitimate interest in conducting personnel administration.||Basic data concerning you, including your name, personal identification number, postal address, e-mail address, telephone number and age.|
|For publication on our website and in other marketing materials provided that you hold a managerial or customer-related position.||Our legitimate interest in being able to market our services and to state your contact details.||A photograph of you.|
|To be able to contact your relatives in the event of an accident or your absence/illness, for example.||Our legitimate interest in being able to contact your relatives on matters concerning you.||Contact details of your relatives.|
|To determine whether the terms of employment have been met.||This processing is required under legislation applicable to us as an employer.||Where applicable, data regarding your citizenship and work/residence permit.|
|To administrate and meet obligations regarding salary/sick pay, absence, insurance, contacts with Försäkringskassan (Swedish Social Insurance Agency) and other authorities, rehabilitation and adaptation measures and to assess capacity for work.||Implementation of the employment contract with you, as well as our legal obligation as an employer.||Health data, including data regarding sick leave, your own notifications, medical certificates and examination results, sick pay and data regarding rehabilitation.|
|To administrate and meet obligations regarding salary, absence, leave (including vacation leave) and other benefits, including insurance and occupational pensions.||Implementation of the employment contract with you, as well as our legal obligation as an employer.||Details of working hours, absence, salary, vacation, insurance, pensions and other benefits, as well as bank account data and similar data.|
|To be able to calculate period of notice, determine benefits and calculate seniority.||Implementation of the employment contract with you, as well as our legal obligation as an employer.||First and last date of employment.|
|To comply with the Employment Protection Act.||Implementation of the employment contract with you, as well as our legal obligation as an employer.||Type and terms of employment.|
|For streamlining and improving our operations and for your own skills development.||Our legitimate interest in streamlining and improving our operations and for your own skills development and to comply with the Employment Protection Act.||CVs, education programmes, qualifications, previous experience and previous employment, as well as performance and work evaluation.|
|To meet legal requirements on negotiations with your trade union, issue employer certificates and meet obligations under the Work Environment Act, the law regarding the position of elected trade union representatives in the workplace and the law regarding board representation for employees in the private sector.||This processing is required under legislation applicable to us as an employer.||Where applicable, trade union membership, unemployment fund, position as elected trade union representative, as health and safety representative or as employee representative on the board.|
|To comply with the law on market abuse in the securities market.||This processing is required under legislation applicable to us as an employer.||Name, telephone number, e-mail address, home address, personal identification number and, where applicable, passport details. For senior executives, names and contact details of related parties are also obtained.|
We store your personal data in a format enabling your identification for as long as necessary to meet the processing purposes, although not for longer than one (1) year after termination of employment, with the exception of personal data that we are legally required to process for a longer period of time.
Your relatives’ contact details are deleted on the termination of your employment. Data on trade union membership, etc. are deleted following union negotiations and when other legal obligations have been met.
2.2 Contact persons at existing and potential customer and supplier companies
The following applies to contact persons at potential customer and supplier companies:
|Purpose||Processing performed||Personal data categories|
|To be able to contact you and to then maintain and develop the contact with you.
To be able to receive quotes and other offers.
|Retention of submitted personal data in our operating systems.
Communication with you.
Contact details (such as company address, e-mail address and telephone number).
Employer/potential customer or supplier company.
Where applicable, position.
Balancing of interests. Processing is based on our legitimate interest in being able to establish and develop business relationships with potential customer and supplier companies.
From the time at which the data is collected and subsequently for a period of one (1) year, unless a relationship has been developed between us during this period, with you acting as a contact person at a potential customer or supplier company.
2.3 Contact persons at customer and supplier companies
The following applies to contact persons at existing customer and supplier companies:
|Purpose||Processing performed||Personal data categories|
|To be able to contact you in your capacity as a contact person at one of our customer or supplier companies.||Retention of submitted personal data in our operating systems.
Communication with you.
Contact details (such as company address, e-mail address and telephone number).
Employer/customer or supplier company.
Where applicable, position.
Balancing of interests. Processing is based on our legitimate interest in maintaining our business relationships and providing our services.
The period over which we deem the information necessary in maintaining the business relationship with, and providing our services to, the customer or partner company that you represent. Data is de-registered as soon as we are made aware of the information no longer being adequate or necessary for the purpose; for example, if the customer or supplier relationship ends; you, as a contact person, have switched to a new position or employer or have retired; or at your request. Your details are never stored for more than one (1) year from the cessation of the customer or supplier relationship.
2.4 Contact details of job seekers
The following applies to the processing of job seekers’ personal data:
|To be able to administrate the application process.|
Balancing of interests. Processing is based on our legitimate interest in conducting recruitment procedures.
Details are retained for as long as they are necessary for the recruitment process and subsequently for a period of up to one (1) year after the completion of the procedure.
2.5 With whom may your personal data be shared?
We engage a third-party supplier, Cision Sverige AB (a company registered in Sweden, with its registered offices at Linnégatan 87 D, SE-104 51, Stockholm, Sweden) in providing subscription services.
When you submit personal data to us, this data may be transferred outside the European Economic Area (“EEA”). This is because some of Cision’s servers are located outside the EEA. In all such cases, the necessary measures are taken to ensure an adequate level of protection of such data.
2.6 How do we keep your personal data secure?
We safeguard the security of your personal data. Our supplier, Cision, has implemented the following measures:
- careful screening during the recruitment process
- all employees must understand and approve the data security policy.
- when employees switch to another position or leave their employment, their rights are removed or updated to ensure that employees only have access to the data they need to perform their duties.
- Data systems and infrastructure are hosted by reputable data centres and “infrastructure-as-a-service” (IaaS) providers.
- there are physical security checks at facility entrances ensuring that only authorised personnel have access.
- hosted facilities with biometric security, video surveillance and a round-the-clock manned guard.
- The vulnerability of the applications used (dynamic), the application code (static) and the underlying infrastructure is assessed regularly applying industry standards.
- annual manual penetration testing.
- Applications follow a multi-layered model, enabling checks to be applied at each level and “defence in depth” to be practised.
- Data centres apply industry-standard methods and regularly certify their annual audits, e.g. SOC Type II.
- cryptographic protocols, such as TLS, are applied to protect data during transmission via public networks.
- At the periphery of the network, firewalls, web application firewalls and DDoS protection are used to filter out attacks.
- applications follow a multi-layered model, allowing security checks to be applied between each layer.
- E-mail systems use modern spam filters and malicious code filters to prevent outbreaks and phishing attempts.
- Web navigation is checked and filtered for known malicious websites to prevent infection of internal systems and data leaks.
- Industry-standard anti-virus software that is constantly updated and monitored has been installed on all servers and computers.
- Servers submit logs to a central archive for forensic storage and correlation to detect aberrant activity and facilitate investigations.
- Security backups are made regularly and stored in a secure location off-site in case a serious event should occur at the hosted facility.
2.7 Processing of technical data
We process technical data regarding devices used when visiting our website (the IP address for example), as well as analyses and statistics on your use of the website. These data are processed so that we can:
- Develop and improve our products and services,
- distribute customised newsletters and
- communicate relevant information to our customers, suppliers and stakeholders.
Our processing of technical data is based on our legitimate interest in being able to evaluate the use of our website and to improve it, as well as in marketing our goods and services.
2.8 Retention periods
We do not retain personal data longer than necessary. Once the employee, customer, supplier or stakeholder relationship has ceased, we retain your data for one (1) year.
It may, however, be necessary to retain certain data for a longer period to meet other legal requirements, such as the provisions of the Accounting Act, in accordance with which we need to save data for seven (7) years. It is also necessary to retain data for a longer period if an investigation or dispute is in progress.
2.9 How do we access your personal data?
We have access to personal data provided to us directly by you.
We also gain access to personal data by way of the following:
- Details from public records
- Details we receive when engaged as a supplier
- Details we receive when you sign up for newsletters and other mailings
- Details we receive when you contact us, apply for employment with us, visit us or otherwise contact us.
2.10 What data do we provide to you?
When gathering your personal data for the first time, we will inform you, by way of this Policy, of how we obtained your personal data, how we will use it, your rights under the data protection legislation and how you can assert them. You will also be informed of who is responsible for processing personal data and how you can contact us if you have questions or need to submit a request or enquiry regarding your personal data and/or rights.
This information will be distributed by e-mail with reference to this Policy. The current version of the Policy will always be available via our website.
2.11 Processing of personal identification numbers
To the extent we do so, we only process social security numbers without your consent where this is clearly justified given the purpose for doing so, given the importance of secure identification or other reasons that should be taken into account.
2.12 Direct marketing
If you have consented to receive such information from us, we may use your personal data for direct marketing, also including communications regarding our services and information about important events within our organisation. Direct marketing refers to all types of targeted marketing measures, including mailings, emails and SMS. You are entitled to decline, free of charge, that your information be used for such purposes and all such marketing communications from us include an opt-out opportunity. If you choose to unsubscribe from future marketing communications, we will set our business systems to cease distributing direct marketing to you.
2.13 Protection of your personal data
We have undertaken a number of security measures to ensure that we process personal data securely and to protect such data against unlawful access, unauthorised processing and misuse. For example, access to the systems in which personal data are stored is limited to our employees and service providers who need to access the data within the framework of their duties. These people have also been informed of the importance of maintaining the security of these personal data. We also monitor our systems continuously to detect vulnerabilities and to protect your personal data.
2.14 Where do we process your personal data?
Our aim is to always process your personal data within the EU/EES, which is where all of our proprietary IT systems are located. Your personal data may, however, be shared with personal data administrators who, themselves or via subcontractors, operate or store information in a country outside the EU/EEA. In such cases, we will take all reasonable legal, organisational and technical measures necessary to ensure that the level of protection in that processing is equivalent to that within the EU/EEA. This will be achieved either through a decision by the European Commission that the relevant country safeguards an adequate level of protection or through the application of appropriate safeguards, such as standard contract clauses or approved codes of conduct in our agreements with such personal data administrators.
2.15 When do we disclose your personal data?
We may engage third parties in direct marketing, advertising mailings, data storage and IT support, in connection with which we may use personal data administrators. We may also disclose data where necessary to meet our legal or contractual obligations.
If we engage personal data administrators, they may only process the data transferred on our behalf and in accordance with our express instructions. We only transfer your personal data to such personal data administrators for purposes consistent with those for which we have gathered the data and we ensure, through written agreements with the personal data administrators, that they undertake to comply with our security requirements and restrictions, as well as with requirements regarding international transfers of personal data.
In certain situations, however, public authorities and some of the companies to which we transfer personal data may, as above, be responsible independently for the personal data transferred. When your personal data is transferred to an entity that is independently responsible for personal data, we do not control how the data is subsequently processed – responsibility for this falls instead on the public authority or company to which the data were transferred, meaning, among other things, that the public authority or company is required to inform you about its processing of your personal data and to safeguard the legality of the processing.
3. Your rights as someone whose data have been registered
This section describes your rights as someone whose data have been registered. You may always assert these rights by contacting firstname.lastname@example.org
3.1 Right of access
If you require information on which of your personal data we process, you may request access to the data. The data will then be provided in the form of a register excerpt indicating which personal data we process, the purposes for which we process them, from where the data have been collected from, any third parties to whom the data have been transferred and for how long the data will be stored. If your request is submitted electronically, the data will be provided in a generally used electronic format, unless you request otherwise.
3.2 Right of rectification
You are entitled to have inaccurate data regarding you rectified without delay. You are also entitled to supplement incomplete data.
3.3 Right of deletion
You are entitled to have your personal data deleted without delay, should any of the following occur:
(a) the personal data are no longer necessary for the purposes for which they were gathered or otherwise processed;
(b) you revoke your consent for processing requiring such consent and for which there are no other legal grounds for processing;
(c) you object to processing based on a balance of interests and your reason for objecting outweighs our legitimate interests;
(d) the personal data have been processed illegally;
(e) the personal data must be deleted for us to meet a legal obligation.
3.4 Right to restricted processing
You are entitled to request that the processing your personal data be restricted if any of the following options apply:
(a) you dispute the accuracy of your personal data during a period allowing us to verify the accuracy of the data;
(b) the processing is illegal and you object to the deletion of the data, requesting instead that their use be restricted;
(c) although we no longer need the personal data for processing purposes, you need them to be able to establish, bring or defend legal claims;
(d) you have objected to processing based on a balance of interests and we are ascertaining whether our legitimate interests outweigh your legitimate interests.
Where processing has been restricted in accordance with this item, the personal data subject to restricted processing may, except for storage, be used only for the purpose of establishing, making or defending legal claims, for protecting the rights of a third party or for purposes involving a public interest of significance for the EU or an EU member state.
3.5 Right of data portability
Where our processing of personal data is based on your consent or the fulfilment of an agreement, you are entitled to request that data concerning you and that has been provided to us by you be transferred to another personal data manager. This is, however, conditional on the transfer being technically possible and that it can be executed automatically.
3.6 Revoking consent
Where our processing of your personal data is based on your consent, you are always entitled to revoke your consent at any time. Such revocation does not affect the legality of processing performed with your consent before it was revoked. If you revoke your consent, we will no longer process the personal data based on your consent, unless we are legally obliged to continue processing it. Should our legal obligations prevent us from deleting your data, we will instead mark them so that they are no longer used actively in our systems.
You can, at any time, send an e-mail to email@example.com to revoke your consent. We will respond to your request promptly.
3.7 Right of complaint
The Swedish Data Protection Authority is responsible for monitoring the application of the legislation among companies processing personal data. If you are of the opinion that we are processing your personal information erroneously, you may, in addition to contacting us, file a complaint with the Swedish Data Protection Authority via www.dataskyddsmyndigheten.se
This text was updated on 25 May 2018