Processing of personal data - Supplier, contractor, consultant or other cooperation partner

Which personal data will be processed?

Castellum compiles and processes the following data: names, telephone numbers, addresses, email addresses, titles, personal ID numbers of authorised signatories, personal ID numbers and credit information in relation to cooperation partners who are sole traders, CCTV material and any other material that may be provided by you when communicating with us (your “personal data”). In certain situations we may also process personal data concerning, e.g. circumstances or information of relevance for our business relationship.

Why do we process your personal data?

Castellum processes your personal data in order to administer our business relationship (including to ensure performance of obligations, for administering invoices, follow-up of deliveries, etc.) to facilitate oversight of how construction work is proceeding and to ensure that only authorised individuals have access to building sites e.g. through CCTV monitoring, and to enable us to maintain contact with you. We may also process your personal data in order to send you news about our operations or to invitations to events (including organising such events, e.g. as regards participants, refreshment and food preferences).

We may also process your personal data in conjunction with market communications such as publication of articles, photos, films, etc. on social media (e.g. Facebook, LinkedIn and Instagram) as well as for publication of articles, photos and films for internal use (e.g. on our intranet). If we wish to process your personal data for such a purpose, you will receive separate information about the resulting processing of personal data and to provide us with separate consent to our processing of your personal data for such purpose.

From where do we obtain personal data?

The personal data is compiled directly from you. Information may also be compiled from your employer. In conjunction with credit information, information is compiled from credit information agencies. Castellum can also update the personal data to ensure that Castellum does not process outdated personal data about you. Updating of personal data may, for example, take place with the help of services provided by Bisnode Sverige AB.

Who has access to your personal data?

We have taken appropriate technical and organisational security measures to protect your personal data against, for example, loss and unauthorised access. Only persons at Castellum have access to your personal data and such will be processed only for the purposes stated above.

We may, however, share your personal data with other companies within the Castellum group with the aim of sharing relevant contacts and transferring knowledge of what has arisen in communication with you, to cooperate concerning choice of providers, cooperation partners, etc. We may also share your personal data with our providers and other cooperation partners who perform services on our behalf. The personal data you provide to us may primarily be shared with our IT providers, for the supporting and the maintenance of our IT systems, as well as our auditors and our bank.

How long is your personal data stored?

Your personal data will be stored and processed by us no longer than necessary in light of the purpose of the processing, unless there are specific statutory requirements entailing that the data must be stored for a longer period.

The data required for our bookkeeping (for example, all orders, invoices and payments) and tax information must, according to law, be stored for at least seven years. Note that certain data is stored for a longer period, e.g data concerning invoices for follow-up purposes is stored longer than seven years. Otherwise, as a general rule data is stored only until we no longer have a business relationship with the company you represent, or until you no longer represent such company. Personal data which is processed in order to send you news about our business or invitations to events is stored for such time as you are a contact person of the company you represent. Personal data which is processed for organising events is erased not later than three months after a concluded event.

What right does Castellum have to process your personal data?

The processing of your personal data in order to administer our business relationship takes place based on a balancing of interests. This includes processing of your personal data to enable us to contact you, to send you news or invitations to events, as well as processing through CCTV monitoring. Castellum considers that it is entitled to process your personal data since the processing is necessary for purposes which involve Castellum’s legitimate interests.

This is our reasoning

Castellum’s legitimate interests in this case are to be able to contact you, to maintain the business relationship which has been created and continue to maintain a positive relationship with you by, e.g. sending you news and invitations to events. Castellum has weighed its legitimate interest against any encroachment on privacy that Castellum’s processing might entail. Castellum makes the assessment that the risk of encroachment on privacy is restricted since contact persons, in their professional capacity, should be able to expect that certain data is processed for the above-mentioned purposes. The personal data which is processed cannot be deemed to be particularly privacy-sensitive personal data. The personal data which is processed is also restricted to what is needed to perform the purposes of the processing of the personal data. Accordingly, Castellum makes the assessment that, following a balancing of interests, Castellum is entitled to process the personal data.

Castellum’s legitimate interest as regards the processing of material from monitoring of building sites is to facilitate oversight of the progress of construction work and to ensure that only authorised persons have access to a building site. Castellum has weighed its legitimate interest against any encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that there is a risk of encroachment on privacy but that the use of the data is so restricted that the risk is nevertheless limited. Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data.

Your personal data is also processed when we store information for, e.g. our bookkeeping (e.g. all orders, invoices and payments) and tax information. This processing is based on our obligation to comply with a legal obligation.

What happens if you do not provide your personal data?

It is necessary that you provide the personal data stated above to enable Castellum to contact you and take the measures stated above. If the data stated above which is compiled from you is not provided, the aforementioned measures cannot be taken by Castellum.

Your rights

You are entitled to request access to the personal data that Castellum processes about you. You are entitled to have incorrect personal data about you rectified and may request that personal data be erased. You are also entitled to object to certain processing of your personal data and to request that the processing of personal data be restricted.

If you request that Castellum restricts or erases your personal data, this may have the consequence that Castellum is unable to perform its duties. You are also entitled to request to receive your personal data in a machine-readable format with the aim of transmitting the data to another controller (referred to as data portability).

If you are dissatisfied with the way in which Castellum processes your personal data you may complain to the supervisory authority regarding Castellum’s processing of personal data.

If you have any questions concerning the way in which your personal data is processed, you are welcome to contact Castellum’s data protection team on gdpr@castellum.se.

Controller and contact details to Castellum

The controller in respect of the processing of your personal data is the company stated in the list below with which the company you represent has entered into an agreement:

• Castellum AB; reg. no. 556475-5550, Box 2269, 403 14 Gothenburg
• Castellum Mitt AB; reg. no. 556121-9089, Box 1824, 701 18 Örebro
• Castellum Stockholm AB; reg. no. 556002-8952, Box 1084, 101 39 Stockholm
• Castellum Väst AB; reg. no. 556122-3768, Box 8725, 402 75 Gothenburg
• Castellum Öresund AB; reg. no. 556476-7688, Box 3158, 200 22 Malmö
• Fastighets AB Örebacka, reg. no. 556279-9931, Box 225, 851 04 Sundsvall
• Örebacka Invest AB, reg. no. 556631-1378, Box 3158, 200 22 Malmö
• Castellum Fastigheter i Jönköping AB, reg. no. 556466-0917, Box 7, 551 12 Jönköping
• Castellum Fastigheter i Östergötland AB, reg. no. 556050-0380, Gamla Torget 3, 602 24 Norrköping
• Castellum Danmark A/S, CVR-nr 33507704, Kay Fiskers Plads 9,5, 2300 København S
• Castellum City Förvaltning AB, reg. no. 556573-3952, Rörvägen 1, 702 27 Örebro
• Castellum Väst Borås AB (formerly Harry Sjögren AB), reg. no. 556051-0561, Box 8725, 402 75 Gothenburg
• Fastighets AB Corallen, reg. no. 556226-6527, Box 1824, 701 18 Örebro
• Fastighets AB Briggen i Öresund AB, reg. no. 556462-8724, Box 3158, 200 22 Malmö
• Norrporten 7 Struktur AB, reg. no. 556718-718, Box 225, 851 04 Sundsvall
• Castellum Fastigheter i Linköping AB, reg. no. 556710-6611, Teknikringen 20, 583 30 Linköping
• Castellum Mälardalen AB, org.nr. 559292-6678, med adress Box 1187, 721 29 Västerås