External privacy policy for Norditech V1 | 2024
Introduction
All personal data processing carried out by Norditech AB (reg. no. 559266–7280) (hereinafter "Norditech", "we" or "us") is carried out in accordance with applicable data protection legislation.
At Norditech, we care about your personal integrity and strive for a high level of data protection. In this privacy policy, we describe how we collect and process your personal data and describe your rights.
Contact
If you have any questions or concerns regarding our processing of personal data, please contact us at:
Name: David Bacelj
E-mail: david.bacelj@norditech.se
Address: Ståhlgatan 5, 561 44, Huskvarna
Phone: +46 760 442 022
Norditech's role as Data Controller and Data Processor
By providing Viss.AI and associated services, Norditech will, on behalf of the companies with which you have a business relationship, access and process your personal data in its capacity as a data processor.
In some cases, Norditech acts as a data controller when you submit a job application to us, contact our customer support or use Viss.AI as a private individual.
Norditech shows the utmost consideration for your personal integrity and will only handle your personal data in line with applicable legislation. This policy only applies to the processing of personal data carried out by Norditech and associated data processors. When using third-party applications through Viss.AI, we refer to the respective third-party's privacy policies.
Processing of personal data as a data processor
To gain access to Viss.AI, our customers enter into an agreement with Norditech. At where this takes place, Norditech acts as a data processor and carries out personal data processing on behalf of the customer and as a result of instructions from the customer. This includes your name, email address and messages you write in Viss.AI.
Processing of personal data as a controller
Norditech processes the personal data that you have provided about yourself. This can be your name, phone number, email address and in some cases your social security number. Your login details and web logs may also be processed, and should Norditech obtain or receive information about you from elsewhere, you will receive separate information about just that.
Contact persons at stakeholders, potential customers, current customers and customer service
1.1 Newsletter subscription
This includes everyone who comes into contact with us to take part in our newsletter, which includes both customers, potential customers and users of the systems that Norditech provides.
Purpose: To inform customers about the company and market Norditech's work as well as provide information about admission to the waiting list.
Categories of personal data: Name and email address.
Legal basis: The processing of personal data is based on consent.
Storage period: The personal data is collected when the individual fills out the form for subscribing to newsletters on our website or otherwise informs us that they want to receive our newsletter. You can unsubscribe from our newsletter at any time. The personal data is deleted 30 days after the individual has withdrawn their consent.
1.2 Support and customer service issues via chat and email
Purpose: The purpose is to be able to easily support the customer or potential customer with various questions regarding support and services.
Categories of personal data: Name and email address.
Legal basis: The processing of personal data is based on the legal basis of agreements for current customers as it is part of the service provided by Norditech. The legal basis of balancing of interests supports personal data processing in relation to potential customers who use chatbots for support or customer service matters.
Storage period: Personal data is collected with each new initiated message via our support chat or customer service email and is deleted 10 years after the agreement has ended.
1.3 Accounting and accounting
Purpose: To be able to administer payments and ensure that they are received and pay invoices.
Categories of personal data: Name, email address, card details, invoice details and information about the customer's bank.
Legal basis: The processing of personal data is based on the legal basis of an agreement with the customer and a legal obligation arising from the Accounting Act.
Storage period: The personal data is collected at the conclusion of the agreement and then stored for seven (7) years after the end of the calendar years in which the financial year ended in accordance with the Accounting Act and 10 years after the end of the customer relationship.
1.4 Customer administration
Norditech processes the personal data in order to be able to carry out and administer assignments and fulfil our contractual obligations with our business partners.
Purpose: To administer customer care, contract management and invoicing documentation.
Categories of personal data: Name, social security number, telephone number and e-mail address.
Legal basis: The processing of personal data is based on the legal basis of agreements in order to be able to fulfil our contractual obligations with business partners and legal obligations under the Accounting Act.
Storage period: The personal data is collected at the conclusion of a contract and then stored for seven (7) years after the end of the calendar years in which the financial year ended in accordance with the Accounting Act and 10 years after the end of the customer relationship.
2. Recruitment process
2.1 Recruitment
Purpose: The purpose of the processing is to find a suitable candidate for the intended role that meets our candidate profile.
Categories of personal data: Name, social security number, CV (information about ethnicity may occur as a result of language skills), address, e-mail address, telephone number and previous workplaces.
Legal basis: The processing is based on the legal basis of balancing of interests, where our legitimate interest is to be able to assess which candidate best meets our competence profile.
Storage period: Documents and documentation saved during the ongoing recruitment process are deleted two (2) years after the end of the recruitment process according to discrimination legislation.
2.2 Job interview
Purpose: The purpose of the processing is to find a suitable candidate for the intended role that meets our candidate profile.
Categories of personal data: Name, social security number, previous workplaces, previous duties, questions about private life such as hobbies.
Legal basis: The processing is based on the legal basis of balancing of interests, where our legitimate interest is to be able to assess which candidate best meets our competence profile.
Storage period: Documents and documentation saved during the ongoing recruitment process are deleted two (2) years after the end of the recruitment process according to discrimination legislation.
2.3 Obtaining an opinion from a reference person to a job applicant
If a candidate has provided you as a reference in connection with a recruitment process, we will collect your personal data from the candidate for the purpose of contacting you.
Purpose: The purpose of the processing is to be able to contact the specified reference person who has previously worked with the jobseeker or in some other way can comment on his/her competence, personality and work experience (obtain a judgement).
Categories of personal data: Name, telephone number and e-mail address and, if applicable, which company or organisation the reference person works or has worked for.
Legal basis: The processing is based on the legal basis of balancing of interests. Our legitimate interest is to be able to assess which candidate best meets our competence profile by contacting you as a reference to obtain an assessment of the candidate in connection with the recruitment process.
Storage period: The personal data will be processed during the current and ongoing recruitment process and then stored for two (2) years after the completion of the recruitment process in order to be able to respond to any legal claims under the Discrimination Act and then deleted.
3. Analysis and marketing related to the website and platform VISS.AI
3.1 Analysis of how the User interacts with the Platform, Viss.AI
Purpose: The purpose is to be able to improve the user experience and our services through analysis of the use of the platform Viss.AI.
Categories of personal data: Analysis of the usage and historical data of the platform Viss.AI as well as user ID.
Legal basis: The processing of personal data is based on an agreement with the user of the platform Viss.AI.
Storage period: The personal data is collected when an analysis is performed and is deleted 12 months after the analysis has been completed.
3.2 Marketing to website visitors and users of the platform Viss.AI
Purpose: The purpose is to drive additional sales and marketing towards website visitors and users in the platform, Viss.AI.
Categories of personal data: Email address.
Legal basis: The processing of personal data is based on a balancing of interests, in order to be able to create additional sales through marketing aimed at you who may be relevant for marketing such as potential stakeholders in the form of users of the platform and website visitors.
Retention period: Until the individual objects to the processing or six (6) months after the last visit to the website or use of the platform Viss.AI.
3.3 Use of VISS.AI as an individual
Purpose: The purpose of the processing is to assist the user's use which takes the form of a command recorded by the system (Viss.AI) which then initiates a process within Viss.AI which is a direct result of the specified command.
Categories of personal data: Email address, messages within the system (commands) and name.
Legal basis: The processing of personal data is based on an agreement that the user enters into with Norditech when creating an account and starting to use the service.
Retention period: From the time of termination of the account, it is possible to reactivate the account within six (6) months, after which all information associated with the account will be deleted.
4. Who do we disclose your personal data to?
As a rule, your data is processed only by us. For certain processing of personal data, which takes place with the help of subcontractors or partners, we need to share your data. By this we mean that they are allowed to access your data but are only allowed to handle it according to our instructions (personal data processing agreement).
We share data with suppliers of the following types of systems:
· Mail program,
· File management provider,
· Email automation tools,
· Economics Programs,
· Video meeting software,
· Storage tools.
5. Transfer of your personal data outside the EU/EEA
In cases where Norditech uses, or will use, subcontractors or collaborates with partners established outside the EU/EEA area, we are responsible for ensuring that these players can guarantee a level of security equivalent to that maintained within the EU.
In order to ensure an adequate level of protection for your personal data when transferred to countries outside the EU/EEA in the absence of an adequacy decision from the European Commission, Norditech has, where applicable, entered into agreements with the respective recipients of personal data containing standard contractual clauses adopted and approved by the European Commission, including but not limited to the standard contractual clauses adopted by Commission Decision (EU) 2021/914 as well as ensured protection for personal data via the Data Privacy Framework (DPF).
In addition, when the level of protection in the recipient country cannot be considered equivalent to that in the EU/EEA, Norditech takes additional protective measures such as pseudonymization, IP anonymization and encryption.[BS1] [DB2]
6. Your rights
If you have provided us with your personal data, you have the opportunity to exercise your rights as set out below by us free of charge by contacting us. If we receive such a request, we may need to verify your identity with appropriate security measures in order to prevent unauthorized access to your personal information. We will respond to your request without delay but no later than one (1) month after your request was received by us. You are entitled to the following rights:
(a) Right of access
You have the right to request access to and information about the categories of personal data that are processed about you through a register extract. The information provided must be easy to understand and provided free of charge in electronic form.
b) Right to rectification
You have the right to request correction of your personal data if it is incomplete or otherwise inaccurate.
c) Right to erasure (right to be forgotten)
You have the right in some cases to request that your data be deleted. For example, if:
· the data is no longer needed for the purposes for which it was processed;
· the processing is for direct marketing purposes and you object to the processing of the data for this purpose;
· you object to processing that takes place according to a balancing of interests and there are no legitimate reasons that outweigh your interest,
· the personal data has been unlawfully processed, or
· Deletion is required to comply with a legal obligation.
If Norditech needs the personal data to fulfil an agreement with you or to comply with a legal requirement, we will not delete the data.
(d) Right to restriction
You have the right to request that we temporarily restrict the processing of your personal data. The restriction of personal data would include, for example:
· during the time it takes us to verify the accuracy of your data;
· for the time it takes us to verify whether our legitimate interest in processing outweighs your interests and fundamental rights;
· to enable you to establish, exercise or defend legal claims;
· if the processing is unlawful but you want the processing to be restricted instead of us deleting the personal data in question.
(e) Right to object
You have the right to object to the processing of personal data based on our legitimate interest. If you make such an objection, Norditech will take your objection and make an overall assessment between our legitimate interests and your rights related to the processing of personal data.
(f) Right to data portability
You have the right to receive your personal data in a structured, commonly used and machine-readable format for the personal data based on consent or contract that you have provided to us. You also have the right to request that we transfer your personal data directly to another data controller. [BS3] [DB4]
Withdrawal of consent and objection
In cases where we process your personal data on the legal basis that you have given your consent to it, you can withdraw your consent at any time by contacting us, such withdrawal may take place in whole or in part. If you do not want to receive marketing from us, you can object to the processing by contacting us.
7. Contact information for the Swedish Authority for Privacy Protection (IMY)
Please contact us if you have any questions or concerns regarding the processing of personal data. You always have the right to turn to the responsible supervisory authority for complaints if you believe that we do not meet the requirements placed on us. The Swedish Authority for Privacy Protection (IMY) is the responsible supervisory authority for the processing of personal data in Sweden and you can get in touch with them here.
8. Changes to the Privacy Policy
Norditech may change its privacy policy if necessary. The updates will be published on our website.
9. Version history
Version 6/8–2024.