Municipalities or public authorities
Processing of personal data - Municipalities or public authorities
Castellum cares about your privacy and protecting the personal data we process about you. All processing of personal data takes place in accordance with the provisions of the General Data Protection Regulation and other applicable data protection legislation. We present below a description of how we compile, process and share your personal data in connection with your contacts with Castellum.
This is how we process your personal data
This description applies regardless of which company in the Castellum Group you have a contractual relationship with. However, please note that the data controller is the regional company in the region where your contact person at Castellum is located. If you have a relationship with a Kungsleden company, Kungsleden AB is the data controller. In this document, the term ‘Castellum’ also includes Kungsleden companies.
Which personal data will be processed?
Castellum collects and processes the following data: name, email address, telephone number, employer, position, dietary preferences, and any additional information that you disclose when communicating with us (your ‘personal data’).
Why do we process your personal data?
Castellum processes your personal data in order to compile information about individuals at relevant municipalities, public authorities and other public bodies who are relevant for Castellum and to enable us to contact you easily regarding permit issues and other similar issues within the scope of Castellum’s property management business. We may also process your personal data in order to send you news about our operations or to invitations to events (including organising such events, e.g. as regards participants, refreshment and food preferences).
From where do we obtain personal data?
The personal data is compiled directly from you. Information may also be compiled from your employer.
Who has access to your personal data?
We have taken appropriate technical and organisational security measures to protect your personal data against, for example, loss and unauthorised access. Only persons at Castellum have access to your personal data and such will be processed only for the purposes stated above.
However, we may share your personal data with other companies in the Castellum Group for the purposes of sharing relevant contacts and transferring information on what has transpired in communication with you. We may also share your data with our suppliers who perform services on our behalf, and in order to carry out questionnaires, events and marketing.
How long is your personal data stored?
Your personal data will be stored and processed by us no longer than necessary in light of the purpose of the processing, unless there are specific statutory requirements entailing that the data must be stored for a longer period. Personal data which is processed in order to send you news about our operations or invitations to events will be stored for such time as you continue to be our contact person.
What right does Castellum have to process your personal data?
The processing of your personal data is based on a balancing of interests. Castellum considers that it is entitled to process your personal data since the processing is necessary for purposes which involve Castellum’s legitimate interests.
In the event that we request information about your dietary preferences, which could include personal data concerning your health which falls under a specific personal data category, we base the data processing on consent. You always have the right to withdraw your consent by contacting us.
This is our reasoning
Castellums legitimate interest in this case is to know which individuals at various municipalities, public authorities and other public bodies it is relevant to contact on various types of issues. In addition, Castellum’s legitimate interest with respect to the processing of personal data for sending you news or invitations to events is to keep you updated concerning what is happening in our business and to maintain the commercial relationship which has been created and to maintain a positive relationship with you. Castellum has weighed its legitimate interests against the possible encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that the risk of encroachment on privacy is restricted since you, in your professional capacity, should be able to expect that certain data will be processed for the above-mentioned purposes. The personal data which is processed cannot be deemed to be particularly privacy-sensitive personal data. The personal data which is processed is also restricted to what is needed to perform the purposes for which the processing of personal data takes place. Accordingly, following a balancing of interests, Castellum makes the assessment that Castellum is entitled to process the personal data.
What happens if you do not provide your personal data?
It is necessary that you provide the personal data stated above to enable Castellum to contact you. If the data stated above which is obtained from you is not provided, Castellum is unable to contact you.
Will third country transfer take place?
Castellum endeavours not to transfer data to countries or companies located outside the EU/EEA. If such data transfer should nevertheless be necessary, Castellum will take suitable safeguarding measures to optimally protect your personal data.
When your personal data are processed, you have the below rights under the General Data Protection Regulation (GDPR). More information is available on the website of the Swedish Authority for Privacy Protection (IMY) www.imy.se/privatperson/dataskydd/dina-rattigheter/.
Right to be informed (register extracts)
You have a right to be informed by us of whether we are processing your personal data and, if so, to request access to this personal data in the form of a register extract. You also have the right to receive the following information:
- the purpose of the processing,
- the types of personal data processed,
- who the personal data has been shared with, including third country transfers, and the protective measures taken,
- data retention period,
- your rights,
- the source of the personal data, and
- whether automated decision-making occurs.
If you ask to access personal data that we process about you, you will receive a copy of these data. If you request extra copies, you may be charged a fee for administrative costs. If you request your personal data electronically, we will normally provide the copy of the personal data in electronic format, unless otherwise requested.
Right to rectification
If any of the personal data we process about you are incorrect, you have a right to request that we rectify them without undue delay. Depending on the purpose of the processing, you also have a right to amend any incomplete personal data.
Right to erasure
You have a right to request that we erase your personal data without undue delay if:
- the data are no longer necessary for the purposes for which they were collected,
- you have withdrawn your consent, and your consent was the lawful basis for processing the data,
- you object to the processing of data which relied on legitimate interests as the legal basis for processing, and there is no overriding legitimate interest to continue our processing,
- you have objected to direct marketing,
- the processing is unlawful, and
- erasure is necessary in order to comply with legal obligations.
We have a right to refuse your request for erasure if processing is necessary in order to comply with a legal obligation or for the establishment, exercise or defence of legal claims.
If the data are erased at your request, we have an obligation to inform any parties whom we have shared the data with that you have requested to have your personal data erased.
Right to restrict processing
You have a right to request to have your personal data processing restricted under certain circumstances.
The right to restrict processing applies if:
- you contest the accuracy of your personal data (during the time that we are verifying the accuracy of the data),
- the data have been unlawfully processed and you oppose erasure and request restriction instead,
- we no longer need the personal data but you need the data in order to establish, exercise or defend a legal claim, or
- you have objected to processing of data which relied on legitimate interests as the legal basis (during the time that we are investigating whether our legitimate grounds override your grounds for having the data erased).
If we have restricted processing of your data, we will notify you before restriction of the processing ceases.
Right to object
You have a right to object at any time to processing of your personal data on the basis of legitimate interests. If our grounds do not override your grounds, we are no longer allowed to process your data after you have objected.
If you object to direct marketing, we may no longer process your data for such purposes.
Right to data portability
If our processing of your data is automated and based on consent or on the performance of a contract, you have a right to receive the data in a structured, commonly used and machine readable format. You also have a right to transmit the data to another data controller.
If it is possible, you also have a right to request that we transmit your data directly to another data controller.
Data controller and contact details
You have a right to lodge a complaint to the Swedish Authority for Privacy Protection if you think that we are processing your personal data in violation of the GDPR. The contact details of the Swedish Authority for Privacy Protection are available at www.imy.se.
If you have any questions about how your personal data are processed, do not hesitate to contact Castellum’s data protection officer at email@example.com.
The data controller for processing of your personal data is the company listed below that belongs to the region in which your contact person at Castellum is located. If you have a relationship with a Kungsleden company, Kungsleden AB is the data controller.