Processing of personal data - Guarantor
Castellum cares about your privacy and protecting the personal data we process about you. All processing of personal data takes place in accordance with the provisions of the General Data Protection Regulation and other applicable data protection legislation. We present below a description of how we compile, process and share your personal data in connection with the guarantee commitment you have signed regarding a residential lease.
This is how we process your personal data
This description applies regardless of which company in the Castellum Group owns the property utilised by the tenant whom you are a guarantor for. However, please note that the data controller is the company that belongs to the region where the property is located. If the tenant has a contractual relationship with a Kungsleden company, Kungsleden AB is the data controller. In this document, the term ‘Castellum’ also includes Kungsleden companies.
Which personal data will be processed?
Castellum compiles and processes the following data: names, addresses, email addresses, personal ID numbers, lease numbers, credit data, income data, credits, loans, liabilities as well as additional information which may be disclosed by you in connection with communication with us, (your ‘personal data’).
Why do we process your personal data?
Castellum processes your personal data in order to administer the guarantee commitment (e.g. by contacting you if it becomes relevant to demand that you take the measures you have undertaken under the guarantee commitment) and to assess your payment ability.
From where do we obtain personal data?
The personal data is compiled directly from you and from credit information agencies.
Who has access to your personal data?
We have taken appropriate technical and organisational security measures to protect your personal data against, for example, loss and unauthorised access. Only persons at Castellum have access to your personal data and such will be processed only for the purposes stated above.
However, we may share your data with other companies in the Castellum Group for the purposes of transferring information on what has transpired in communication with you, following up strategic matters, statistics regarding costs, etc. We may also share your data with our suppliers who perform services on our behalf. The personal data you provide to us may primarily be shared with IT providers for the purposes of supporting and maintaining our IT systems, with our auditors and our bank. In addition, your personal data may need to be shared with authorities and debt collection companies.
How long is your personal data stored?
Your personal data will be stored for three months after the termination of the lease with the tenant for whom you have provided the guarantee, unless there are special statutory requirements whereby the data must be stored for a longer period.
What right does Castellum have to process your personal data?
The processing of your personal data for administering the guarantee commitment and assessing your payment ability is based on a balancing of interests. Castellum considers that it is entitled to process your personal data since the processing is necessary for purposes which involve Castellum’s legitimate interests.
This is our reasoning
Castellum’s legitimate interest as regards administration of the guarantee commitment is to be able to contact you on various issues within the scope of the guarantee commitment that you have undertaken. Castellum has weighed its legitimate interest against any encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that the risk of encroachment on privacy is restricted since the personal data which is processed cannot be deemed to be particularly privacy-sensitive personal data. The personal data which is processed is also restricted to what is needed to perform the purposes of the processing of the personal data. Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data
Castellum’s legitimate interest as regards assessment of your payment ability is to safeguard our interests before we commence a business relationship with a tenant. Castellum has weighed its legitimate interests against any encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that there is a risk of encroachment on privacy, but that the use of the information is so restricted and that Castellum has a strong interest in processing such data in order to protect its business. The personal data which is processed is also restricted to what is needed to perform the purposes for which the processing of the personal data takes place. Furthermore, Castellum makes the assessment that Castellum’s interest in being able to conduct this processing carries considerable weight. Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data
What happens if you do not provide your personal data?
It is necessary that you provide the personal data stated above to enable Castellum to contact you and take measures as stated above. If the data stated above which is obtained from you is not provided, the aforementioned measures cannot be taken by Castellum.
Will third country transfer take place?
Castellum endeavours not to transfer data to countries or companies located outside the EU/EEA. If such data transfer should nevertheless be necessary, Castellum will take suitable safeguarding measures to optimally protect your personal data.
When your personal data are processed, you have the below rights under the General Data Protection Regulation (GDPR). More information is available on the website of the Swedish Authority for Privacy Protection (IMY) www.imy.se/privatperson/dataskydd/dina-rattigheter/.
Right to be informed (register extracts)
You have a right to be informed by us of whether we are processing your personal data and, if so, to request access to this personal data in the form of a register extract. You also have the right to receive the following information:
- the purpose of the processing,
- the types of personal data processed,
- who the personal data has been shared with, including third country transfers, and the protective measures taken,
- data retention period,
- your rights,
- the source of the personal data, and
- whether automated decision-making occurs.
If you ask to access personal data that we process about you, you will receive a copy of these data. If you request extra copies, you may be charged a fee for administrative costs. If you request your personal data electronically, we will normally provide the copy of the personal data in electronic format, unless otherwise requested.
Right to rectification
If any of the personal data we process about you are incorrect, you have a right to request that we rectify them without undue delay. Depending on the purpose of the processing, you also have a right to amend any incomplete personal data.
Right to erasure
You have a right to request that we erase your personal data without undue delay if:
- the data are no longer necessary for the purposes for which they were collected,
- you have withdrawn your consent, and your consent was the lawful basis for processing the data,
- you object to the processing of data which relied on legitimate interests as the legal basis for processing, and there is no overriding legitimate interest to continue our processing,
- you have objected to direct marketing,
- the processing is unlawful, and
- erasure is necessary in order to comply with legal obligations.
We have a right to refuse your request for erasure if processing is necessary in order to comply with a legal obligation or for the establishment, exercise or defence of legal claims.
If the data are erased at your request, we have an obligation to inform any parties whom we have shared the data with that you have requested to have your personal data erased.
Right to restrict processing
You have a right to request to have your personal data processing restricted under certain circumstances.
The right to restrict processing applies if:
- you contest the accuracy of your personal data (during the time that we are verifying the accuracy of the data),
- the data have been unlawfully processed and you oppose erasure and request restriction instead,
- we no longer need the personal data but you need the data in order to establish, exercise or defend a legal claim, or
- you have objected to processing of data which relied on legitimate interests as the legal basis (during the time that we are investigating whether our legitimate grounds override your grounds for having the data erased).
If we have restricted processing of your data, we will notify you before restriction of the processing ceases.
Right to object
You have a right to object at any time to processing of your personal data on the basis of legitimate interests. If our grounds do not override your grounds, we are no longer allowed to process your data after you have objected.
If you object to direct marketing, we may no longer process your data for such purposes.
Right to data portability
If our processing of your data is automated and based on consent or on the performance of a contract, you have a right to receive the data in a structured, commonly used and machine readable format. You also have a right to transmit the data to another data controller.
If it is possible, you also have a right to request that we transmit your data directly to another data controller.
Data controller and contact details
You have a right to lodge a complaint to the Swedish Authority for Privacy Protection if you think that we are processing your personal data in violation of the GDPR. The contact details of the Swedish Authority for Privacy Protection are available at www.imy.se.
If you have any questions about how your personal data are processed, do not hesitate to contact Castellum’s data protection officer at firstname.lastname@example.org.
The data controller for processing of your personal data is the company listed below that belongs to the region where the property utilised by the tenant whom you are a guarantor for is located. If the tenant has a contractual relationship with a Kungsleden company, Kungsleden AB is the data controller.