Processing of personal data - Supplier, contractor, consultant or other cooperation partner

Which personal data will be processed?

Castellum compiles and processes the following data: names, telephone numbers, addresses, email addresses, titles, personal ID numbers of authorised signatories, personal ID numbers and credit information in relation to cooperation partners who are sole traders, CCTV material and any other material that may be provided by you when communicating with us (your ‘personal data’). In certain situations we may also process personal data concerning, e.g. circumstances or information of relevance for our business relationship.

Why do we process your personal data?

Castellum processes your personal data in order to administer our business relationship (including to ensure performance of obligations, for administering invoices, follow-up of deliveries, etc.) to facilitate oversight of how construction work is proceeding and to ensure that only authorised individuals have access to building sites e.g. through CCTV monitoring, and to enable us to maintain contact with you. We may also process your personal data in order to send you news about our operations or to invitations to events (including organising such events, e.g. as regards participants, refreshment and food preferences).

We may also process your personal data in conjunction with market communications such as publication of articles, photos, films, etc. on social media (e.g. Facebook, LinkedIn and Instagram) as well as for publication of articles, photos and films for internal use (e.g. on our intranet). If we wish to process your personal data for such a purpose, you will receive separate information about the resulting processing of personal data and to provide us with separate consent to our processing of your personal data for such purpose.

From where do we obtain personal data?

The personal data is compiled directly from you. Information may also be compiled from your employer. In conjunction with credit information, information is compiled from credit information agencies. Castellum can also update the personal data to ensure that Castellum does not process outdated personal data about you. Updating of personal data may, for example, take place with the help of services provided by Bisnode Sverige AB.

Who has access to your personal data?

We have taken appropriate technical and organisational security measures to protect your personal data against, for example, loss and unauthorised access. Only persons at Castellum have access to your personal data and such will be processed only for the purposes stated above.

However, we may share your data with other companies in the Castellum Group for the purposes of sharing relevant contacts and transferring information on what has transpired in communication with you, cooperating regarding choice of suppliers, partners, etc. We may also share your data with our suppliers who perform services on our behalf. In addition, we may share your personal data in order to carry out questionnaires, events and marketing or to communicate through communication channels and manage documentation. Your personal data may also need to be shared with our bank, our accountants, authorities, insurance companies, security companies, parking companies, collaborative bodies and debt collection companies.

How long is your personal data stored?

Your personal data will be stored and processed by us no longer than necessary in light of the purpose of the processing, unless there are specific statutory requirements entailing that the data must be stored for a longer period.

The data required for our bookkeeping (for example, all orders, invoices and payments) and tax information must, according to law, be stored for at least seven years. Note that certain data is stored for a longer period, e.g data concerning invoices for follow-up purposes is stored longer than seven years. Otherwise, as a general rule data is stored only until we no longer have a business relationship with the company you represent, or until you no longer represent such company. Personal data which is processed in order to send you news about our business or invitations to events is stored for such time as you are a contact person of the company you represent. Personal data processed for the administration of events – normally deleted within 30 days after the event has ended.

What right does Castellum have to process your personal data?

The processing of your personal data in order to administer our business relationship takes place based on a balancing of interests. This includes processing of your personal data to enable us to contact you, to send you news or invitations to events, as well as processing through CCTV monitoring. Castellum considers that it is entitled to process your personal data since the processing is necessary for purposes which involve Castellum’s legitimate interests.

In the event that we request information about your dietary preferences, which could include personal data concerning your health which falls under a specific personal data category, we base the data processing on consent. You always have the right to withdraw your consent by contacting us.

This is our reasoning

Castellum’s legitimate interests in this case are to be able to contact you, to maintain the business relationship which has been created and continue to maintain a positive relationship with you by, e.g. sending you news and invitations to events. Castellum has weighed its legitimate interest against any encroachment on privacy that Castellum’s processing might entail. Castellum makes the assessment that the risk of encroachment on privacy is restricted since contact persons, in their professional capacity, should be able to expect that certain data is processed for the above-mentioned purposes. The personal data which is processed cannot be deemed to be particularly privacy-sensitive personal data. The personal data which is processed is also restricted to what is needed to perform the purposes of the processing of the personal data. Accordingly, Castellum makes the assessment that, following a balancing of interests, Castellum is entitled to process the personal data.

Castellum’s legitimate interest as regards the processing of material from monitoring of building sites is to facilitate oversight of the progress of construction work and to ensure that only authorised persons have access to a building site. Castellum has weighed its legitimate interest against any encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that there is a risk of encroachment on privacy but that the use of the data is so restricted that the risk is nevertheless limited. Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data.

Your personal data is also processed when we store information for, e.g. our bookkeeping (e.g. all orders, invoices and payments) and tax information. This processing is based on our obligation to comply with a legal obligation.

What happens if you do not provide your personal data?

It is necessary that you provide the personal data stated above to enable Castellum to contact you and take the measures stated above. If the data stated above which is compiled from you is not provided, the aforementioned measures cannot be taken by Castellum.

Will third country transfer take place?

Castellum strives not to transfer data to a country or company located outside the EU/EEA. However, we use third-party cookies on our website. The use of third-party cookies means that your personal data may be transferred to a third party located in a third country (e.g., the USA). You have the option to limit the use of cookies yourself, and you can find more information about this in our cookie policy.

Our and your use of social media also means that your personal data is usually transferred to a third party located in a third country (USA). You can choose not to consent to appear in our social media, not to follow us, or not to interact with us on social media to limit or completely avoid your personal data being transferred to the USA.

If personal data is transferred to a third country (e.g., the USA), we always take appropriate safeguards to protect your personal data in the best possible way. Such appropriate safeguards may include:

• ensuring that the European Commission has decided that the country to which the personal data is transferred provides an adequate level of protection equivalent to the level of protection ensured by the General Data Protection Regulation, which applies to social media like Facebook, Instagram, and LinkedIn, all of which are certified according to the EU-US Data Privacy Framework (DPF).
• entering into the European Commission's standard contractual clauses with the recipient of the personal data in the third country. When personal data is transferred to a third country based on the European Commission's standard contractual clauses, we assess whether there is legislation in the recipient country that affects the protection of your personal data. If necessary, we take specific technical and organizational measures so that the protection of your data remains during the transfer. However, due to American security legislation, there is a certain risk that American authorities, in order to prevent and investigate crime or defend national security, may gain access to personal data transferred to the USA despite our technical and organizational security measures.

You can contact us and request a copy of the safeguards, see contact details below.

Your rights

When your personal data are processed, you have the below rights under the General Data Protection Regulation (GDPR). More information is available on the website of the Swedish Authority for Privacy Protection (IMY) www.imy.se/privatperson/dataskydd/dina-rattigheter/.

Right to be informed (register extracts)

You have a right to be informed by us of whether we are processing your personal data and, if so, to request access to this personal data in the form of a register extract. You also have the right to receive the following information:

1. the purpose of the processing,
2. the types of personal data processed,
3. who the personal data has been shared with, including third country transfers, and the protective measures taken,
4. data retention period,
5. your rights,
6. the source of the personal data, and
7. whether automated decision-making occurs.

If you ask to access personal data that we process about you, you will receive a copy of these data. If you request extra copies, you may be charged a fee for administrative costs. If you request your personal data electronically, we will normally provide the copy of the personal data in electronic format, unless otherwise requested.

Right to rectification

If any of the personal data we process about you are incorrect, you have a right to request that we rectify them without undue delay. Depending on the purpose of the processing, you also have a right to amend any incomplete personal data.

Right to erasure

You have a right to request that we erase your personal data without undue delay if:

1. the data are no longer necessary for the purposes for which they were collected,
2. you have withdrawn your consent, and your consent was the lawful basis for processing the data,
3. you object to the processing of data which relied on legitimate interests as the legal basis for processing, and there is no overriding legitimate interest to continue our processing,
4. you have objected to direct marketing,
5. the processing is unlawful, and
6. erasure is necessary in order to comply with legal obligations.

We have a right to refuse your request for erasure if processing is necessary in order to comply with a legal obligation or for the establishment, exercise or defence of legal claims.

If the data are erased at your request, we have an obligation to inform any parties whom we have shared the data with that you have requested to have your personal data erased.  

Right to restrict processing

You have a right to request to have your personal data processing restricted under certain circumstances.

The right to restrict processing applies if:

1. you contest the accuracy of your personal data (during the time that we are verifying the accuracy of the data),
2. the data have been unlawfully processed and you oppose erasure and request restriction instead,
3. we no longer need the personal data but you need the data in order to establish, exercise or defend a legal claim, or
4. you have objected to processing of data which relied on legitimate interests as the legal basis (during the time that we are investigating whether our legitimate grounds override your grounds for having the data erased).

If we have restricted processing of your data, we will notify you before restriction of the processing ceases.

Right to object

You have a right to object at any time to processing of your personal data on the basis of legitimate interests. If our grounds do not override your grounds, we are no longer allowed to process your data after you have objected.

If you object to direct marketing, we may no longer process your data for such purposes.

Right to data portability

If our processing of your data is automated and based on consent or on the performance of a contract, you have a right to receive the data in a structured, commonly used and machine readable format. You also have a right to transmit the data to another data controller.

If it is possible, you also have a right to request that we transmit your data directly to another data controller.

Data controller and contact details

You have a right to lodge a complaint to the Swedish Authority for Privacy Protection if you think that we are processing your personal data in violation of the GDPR. The contact details of the Swedish Authority for Privacy Protection are available at www.imy.se.

If you have any questions about how your personal data are processed, do not hesitate to contact Castellum’s data protection officer at dso.castellum@insatt.com.

The data controller for processing of your personal data is the company in the region, as listed below, that the company you represent has entered into a contract with. If your Company has a contractual relationship with a Kungsleden company, Kungsleden AB is the data controller.

Castellum AB; org.nr 556475-5550.
Adress: Box 2269, 403 14 Göteborg
Telefonnummer: +46 8 503 052 00
E-post: gdpr@castellum.se

Castellum Mitt AB, co. reg. no. 556121-9089
Address: Box 1824, 701 18 Örebro, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se

Castellum Stockholm AB, co. reg. no. 556002-8952
Address: Box 70414, 107 25 Stockholm, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se

Castellum Väst AB, co. reg. no. 556122-3768
Address: Box 8725, 402 75 Gothenburg, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se

Castellum Öresund AB, co. reg. no. 556476-7688
Address: Box 3158, 200 22 Malmö, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se

Castellum Mälardalen AB, co. reg. no. 559292-6678
Address: Box 1187, 721 29 Västerås, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se

Kungsleden AB, co. reg. no. 556545-1217
Address: Box 70414, 107 25 Stockholm, Sweden
Tel.: +46 8 503 052 00
Email: gdpr@castellum.se