Processing of personal data - Commercial tenant

Which personal data will be processed?

Castellum collects and processes the following data: name, telephone number, address, email address, title, role, dietary preferences, authorised signatory, personal ID number of authorised signatory, IP addresses, location data, user data, interactions in tenant applications, and any additional information you may provide when communicating with us, income data, credit, credit information and liabilities in relation to tenants who are sole traders, as well as any entry logs, access cards/tags and material from CCTV cameras (your ‘personal data’). In certain situations, we may also process personal data regarding, for example, circumstances or data that are relevant to our business relationship.

Why do we process your personal data?

Castellum processes your personal data in order to manage our tenancy relationship with your employer (e.g. to ensure the fulfilment of obligations under our lease agreement and to send rent invoices) or, if applicable, to enter into a tenancy relationship with your employer, communicate with you (e.g. regarding maintenance of the property you work in), to assess the ability of sole traders to pay, to ensure that only authorised persons have access to the property, e.g. through entry systems and CCTV, and to carry out company accounting. Kindly note that CCTV occurs only in certain properties and, in such cases, it is clearly stated that there is CCTV. We will also process your personal data in order to send you news about our operations or to invitations to events (including for organising of such events, e.g. as regards participants, refreshment and food preferences) and in order to send marketing material about our products and services, or such products and services of other companies within the Castellum group, which we believe may be of interest. Furthermore, we may disclose your personal data to those of our suppliers and partners that we deem may be of interest, so that they can send marketing about their products or services.

We may also process your personal data in connection with market communication such as publication of posts, images, videos, etc. on social media (e.g. Facebook, LinkedIn, Instagram) and for publication of posts, images and videos for internal use (e.g. on our intranet). If we should wish to process your personal data for such purposes, you will receive specific information about the data processing it entails and be asked to consent specifically to our processing of your data for the purpose in question. In addition, we may process your personal data in applications linked to the tenancy relationship to enable the booking of resources such as conference rooms and parking facilities, the management of authorisations for unlocking delegated doors, creating and managing user accounts in the application, in order to sent relevant information and messages in the application, to be able to improve the application’s functions and user experience, and to be able to manage other closely related functionality at the workplace via the application.

From where do we obtain personal data?

The personal data is compiled directly from you. Information may also be compiled from your employer. In conjunction with credit information, information is compiled from credit information agencies. Information connected to you can also be created internally at Castellum. Castellum can also update the personal data to ensure that Castellum does not process outdated personal data about you. Updating of personal data may, for example, take place with the help of services provided by Bisnode Sverige AB.

Who has access to your personal data?

We have taken appropriate technical and organisational security measures to protect your personal data against, for example, loss and unauthorised access. Only persons at Castellum have access to your personal data and such will be processed only for the purposes stated above.

However, we may share your data with other companies in the Castellum Group for the purposes of sharing relevant contacts (e.g. for marketing purposes) and transferring information on what has transpired in communication with you, following up strategic matters, statistics regarding costs, etc. In addition, we may share your personal data in order to carry out questionnaires, events and marketing, or to administer the lease and other documentation. We may also share your data with our suppliers who perform services on our behalf. Your personal data may also need to be shared with our bank, our accountants, authorities, insurance companies, security companies, parking companies, collaborative bodies and debt collection companies.

How long is your personal data stored?

Your personal data will be stored and processed by us no longer than necessary in light of the purpose of the processing, unless there are specific statutory requirements entailing that the data must be stored for a longer period. Your personal data will be stored and processed by us as follows:

Personal data which is processed for accounting purposes (e.g. assessment of payment ability of sole traders and as a basis for company reporting) and as tax information – eight years after termination of the lease.

• Personal data processed for accounting purposes (e.g. to assess sole traders’ ability to pay and documentation for company accounting) and tax documentation – eight years after expiry of the lease.
• Personal data which is processed via communication with you and to administer the tenancy – six months after termination of the lease and an approved inspection.
• Personal data which is processed to ensure that only authorised persons have access to the property through, e.g an entry system – one month (name and entry card/tag) after termination of the lease and 1 week (entry log) after compilation date.
• Personal data processed in connection with a prospective tenancy relationship – for as long as you continue to have a contact person for our potential tenant.
• Any CCTV material – for such time as the information is necessary in light of the purpose of the monitoring.
• Personal data processed for the administration of events – normally deleted within 30 days after the event has ended.
• Personal data which is processed to send you news about our operations or invitations to events, or marketing material – for such time as you continue to be a contact person for our tenant.
• Personal data processed in applications within the framework of the tenancy relationship with your employer – for as long as your employer elects for you to use the application, and, at latest, until the lease has expired.

What right does Castellum have to process your personal data?

The processing of your personal data to administer our tenancy with your employer is based on the processing being necessary for the performance of the contract with our tenant and to provide the tenant with the lease object.

The processing of your personal data for the performance of company reports is based on the processing being necessary for our obligation to comply with a legal obligation.

On the basis of balance of interests we process your personal data to communicate with you, to enter into a tenancy relationship with your employer (if applicable), to assess the ability of sole traders to pay, to send you news, marketing or invitations to events, to pass them on to selected suppliers and partners so that they can send you marketing, for applications related to the tenancy relationship, to administer access cards/tags and manage entry logs and other property surveillance, where applicable. Castellum considers that it is entitled to process your personal data since this processing is necessary for purposes that involve Castellum’s legitimate interests.

In the event that we request information about your dietary preferences, which could include personal data concerning your health which falls under a specific personal data category, we base the data processing on consent. You always have the right to withdraw your consent by contacting us.

This is our reasoning

Castellum’s legitimate interest with regard to communication with you is to be able to contact you regarding various matters within the framework of the relationship between you and Castellum, e.g. to provide information about maintenance of the property or similar information, or (if applicable) to enter into a tenancy relationship with your employer. Castellum has balanced its legitimate interests against any violation of privacy that Castellum’s processing of your personal data could cause. Castellum makes the assessment that the risk of encroachment on privacy is restricted since the personal data which is processed cannot be deemed to be particularly privacy-sensitive personal data. The personal data which is processed is also restricted to what is needed to perform the purposes of the processing of the personal data and it is also in your interest to obtain relevant information. Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data.

Castellum’s legitimate interest as regards an assessment of payment ability of sole traders is to safeguard our interest before we enter into a business relationship. Castellum has weighed its legitimate interests against any encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that there is a risk of encroachment on privacy, but that the use of the information is so restricted and that Castellum has a strong interest in processing such data in order to protect its business. The personal data which is processed is also restricted to what is needed to perform the purposes for which the processing of the personal data takes place. Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data.

Castellum’s legitimate interest to administer access cards/tags and manage entry logs and any other property surveillance are intended to prevent unauthorised persons from gaining access to the property and to prevent damage or suchlike. Castellum has weighed its legitimate interests against the possible encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that there is a risk of encroachment on privacy, but that the use of the data is so restricted and that there are very few individuals within Castellum who have access to such data that the risk is nevertheless restricted. Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data.

Castellum’s legitimate interest as regards the processing of personal data in order to send you news, marketing material or invitations to events as well as to send contact details to selected suppliers and partners so that they can send marketing, is to keep you updated concerning what is happening in our business and to maintain the commercial relationship which has been created and to maintain a continued positive relationship with you as a contact person for our tenant. Castellum has weighed its legitimate interests against the possible encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that the risk of encroachment on privacy is restricted since you, in your professional capacity, should be able to expect that certain data will be processed for the above-mentioned purposes. The personal data which is processed cannot be deemed to be particularly privacy-sensitive personal data. The personal data which is processed is also restricted to what is needed to perform the purposes for which the processing of personal data takes place. Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data.

Your personal data is also processed when we save information for, e.g. our bookkeeping (e.g. all payments) and tax information. This processing is based on our obligation to comply with a legal obligation.

Castellum’s legitimate interest to process your personal data in applications within the framework of the tenancy relationship is to make it easier for the tenant and the tenant’s employees to administer the workplace. Castellum has balanced its legitimate interests against any violation of privacy that Castellum’s processing of your personal data could cause. The personal data that are processed cannot be regarded as being particularly privacy-sensitive. Moreover, the personal data that are processed are limited to what is necessary to fulfil the purpose of the data processing. For this reason, in the balancing of legitimate interests, Castellum assesses that Castellum’s grounds for processing prevail, and that Castellum therefore has the right to process your personal data.

What happens if you do not provide your personal data?

It is necessary that you provide the personal data stated above to enable Castellum to contact you and take measures as stated above. If the data stated above which is obtained from you is not provided, the aforementioned measures cannot be taken by Castellum.

Will third country transfer take place?

Castellum strives not to transfer data to a country or company located outside the EU/EEA. However, we use third-party cookies on our website. The use of third-party cookies means that your personal data may be transferred to a third party located in a third country (e.g., the USA). You have the option to limit the use of cookies yourself, and you can find more information about this in our cookie policy.

Our and your use of social media also means that your personal data is usually transferred to a third party located in a third country (USA). You can choose not to consent to appear in our social media, not to follow us, or not to interact with us on social media to limit or completely avoid your personal data being transferred to the USA.

If personal data is transferred to a third country (e.g., the USA), we always take appropriate safeguards to protect your personal data in the best possible way. Such appropriate safeguards may include:

• ensuring that the European Commission has decided that the country to which the personal data is transferred provides an adequate level of protection equivalent to the level of protection ensured by the General Data Protection Regulation, which applies to social media like Facebook, Instagram, and LinkedIn, all of which are certified according to the EU-US Data Privacy Framework (DPF).
• entering into the European Commission's standard contractual clauses with the recipient of the personal data in the third country. When personal data is transferred to a third country based on the European Commission's standard contractual clauses, we assess whether there is legislation in the recipient country that affects the protection of your personal data. If necessary, we take specific technical and organizational measures so that the protection of your data remains during the transfer. However, due to American security legislation, there is a certain risk that American authorities, in order to prevent and investigate crime or defend national security, may gain access to personal data transferred to the USA despite our technical and organizational security measures.

You can contact us and request a copy of the safeguards, see contact details below.

Your rights

When your personal data are processed, you have the below rights under the General Data Protection Regulation (GDPR). More information is available on the website of the Swedish Authority for Privacy Protection (IMY) www.imy.se/privatperson/dataskydd/dina-rattigheter/.

Right to be informed (register extracts)

You have a right to be informed by us of whether we are processing your personal data and, if so, to request access to this personal data in the form of a register extract. You also have the right to receive the following information:

1. the purpose of the processing,
2. the types of personal data processed,
3. who the personal data has been shared with, including third country transfers, and the protective measures taken,
4. data retention period,
5. your rights,
6. the source of the personal data, and
7. whether automated decision-making occurs.

If you ask to access personal data that we process about you, you will receive a copy of these data. If you request extra copies, you may be charged a fee for administrative costs. If you request your personal data electronically, we will normally provide the copy of the personal data in electronic format, unless otherwise requested.

Right to rectification

If any of the personal data we process about you are incorrect, you have a right to request that we rectify them without undue delay. Depending on the purpose of the processing, you also have a right to amend any incomplete personal data.

Right to erasure

You have a right to request that we erase your personal data without undue delay if:

1. the data are no longer necessary for the purposes for which they were collected,
2. you have withdrawn your consent, and your consent was the lawful basis for processing the data,
3. you object to the processing of data which relied on legitimate interests as the legal basis for processing, and there is no overriding legitimate interest to continue our processing,
4. you have objected to direct marketing,
5. the processing is unlawful, and
6. erasure is necessary in order to comply with legal obligations.

We have a right to refuse your request for erasure if processing is necessary in order to comply with a legal obligation or for the establishment, exercise or defence of legal claims.

If the data are erased at your request, we have an obligation to inform any parties whom we have shared the data with that you have requested to have your personal data erased.

Right to restrict processing

You have a right to request to have your personal data processing restricted under certain circumstances.

The right to restrict processing applies if:

1. you contest the accuracy of your personal data (during the time that we are verifying the accuracy of the data),
2. the data have been unlawfully processed and you oppose erasure and request restriction instead,
3. we no longer need the personal data but you need the data in order to establish, exercise or defend a legal claim, or
4. you have objected to processing of data which relied on legitimate interests as the legal basis (during the time that we are investigating whether our legitimate grounds override your grounds for having the data erased).

If we have restricted processing of your data, we will notify you before restriction of the processing ceases.

Right to object

You have a right to object at any time to processing of your personal data on the basis of legitimate interests. If our grounds do not override your grounds, we are no longer allowed to process your data after you have objected.

If you object to direct marketing, we may no longer process your data for such purposes.

Right to data portability

If our processing of your data is automated and based on consent or on the performance of a contract, you have a right to receive the data in a structured, commonly used and machine readable format. You also have a right to transmit the data to another data controller.

If it is possible, you also have a right to request that we transmit your data directly to another data controller.

Data controller and contact details

You have a right to lodge a complaint to the Swedish Authority for Privacy Protection if you think that we are processing your personal data in violation of the GDPR. The contact details of the Swedish Authority for Privacy Protection are available at www.imy.se.

If you have any questions about how your personal data are processed, do not hesitate to contact Castellum’s data protection officer at dso.castellum@insatt.com.

The data controller for processing of your personal data is the Castellum company listed below that is linked to the geographic region where the property in which your company is renting premises is located. If your Company has a contractual relationship with a Kungsleden company, Kungsleden AB is the data controller.

Castellum Mitt AB, co. reg. no. 556121-9089
Address: Box 1824, 701 18 Örebro, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se

Castellum Stockholm AB, co. reg. no. 556002-8952

Address: Box 70414, 107 25 Stockholm, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se

Castellum Väst AB, co. reg. no. 556122-3768
Address: Box 8725, 402 75 Gothenburg, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se

Castellum Öresund AB, co. reg. no. 556476-7688
Address: Box 3158, 200 22 Malmö, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se

Castellum Mälardalen AB, co. reg. no. 559292-6678
Address: Box 1187, 721 29 Västerås, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se

Kungsleden AB, co. reg. no. 556545-1217
Address: Box 70414, 107 25 Stockholm, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se