Arevo Privacy policy
Policy for personal data management – Arevo AB
Introduction and purpose
The purpose of this policy is to ensure that Arevo handles personal data in accordance with the EU's
General Data Protection Regulation (GDPR) and describes how we at Arevo collect, use and protect
your personal data.
The policy covers all processing where personal data is handled.
Application and Revision
The CEO is responsible for ensuring that the processing of personal data complies with this policy.
The policy must be established by the board and updated as necessary.
The CEO is responsible for maintaining the process of updating the policy as a result of new and
changed regulations.
This policy is applicable to the company's board members, CEO, employees and contractors affected
by our operations.
Organization and responsibility
The CEO has overall responsibility for the content of this policy and that it is implemented and
complied with by the business.
The CEO may delegate responsibility and implementation to the appropriate person in the company.
All employees are responsible for acting in accordance with this policy and what it aims to ensure.
Concepts and abbreviations
Concept: Meaning
Personal data: Personal data is any kind of information that can be directly or indirectly attributed to a physical person who is alive.
Registered: The person who can be directly or indirectly identified through the personal data in a register.
Personal data processing: An action or combination of actions concerning personal data - regardless of whether they are performed automatically or not - such as collection, registration, organization and structuring.
Personal data processing
Every personal data processing must take place according to the following principles:
• Legality
• Purpose limitation
• Task minimization
• Correctness
• Storage minimization
• Privacy and confidentiality.
The personal data the company will process about you as an employee consists of name, address,
social security number, contact details for relatives, salary and account details. Otherwise, we may
process e-mail address, grades, certificates, education and work experience, photography, test
results, health checks and drug test results.
The company may also need to process sensitive personal data about you, such as information about
your health. For example, health data may need to be processed in order for us to fulfill our
obligations as an employer.
In the event that you agree to be photographed or that you leave a photograph of yourself without a
request from us, you agree to us processing such photograph.
The company also needs to collect and store contact information to be able to fulfill agreements and
legal requirements or to be able to submit quotes and keep in touch with customers in ongoing
assignments.
The company will not collect more information than we need to provide our services to you.
Our data processing is continuously documented in the GDPR register.
Follow-up and evaluation of our handling of personal data must take place annually.
Saving of personal data
How long personal data is saved depends on which personal data it is and the purpose of its
processing. As a general rule, personal data relating to:
- employment contract, as long as the employment lasts and ten (10) years thereafter;
- information about business events, such as information about time sheets, participants,
assignments, salary, invoice, declarations, financial statements, during the contract period and for
ten (10) years thereafter;
- control data, until our pension commitment ends.
Sharing of personal data
When required, we may disclose your personal data to third parties, such as suppliers for payroll
administration, technical support, operation of IT systems or external testing companies.
We will also disclose personal data that we are obliged to disclose under applicable law or court orders, or
if such disclosure is otherwise necessary to participate in a legal investigation.
In the event that we are subject to a reorganization, merger or sale, we may transfer personal data to
the relevant third party, provided that the third party undertakes to process the personal data in
accordance with this Privacy Policy.
We will not sell or distribute personal data to third parties.
Outside the EU/EEA
Parties to whom we may disclose personal data may be located outside the European Economic
Cooperation Area, EEA, which means that personal data may be transferred to countries outside the
EEA. In such cases, we will take measures to ensure that the personal data continues to be protected
and also take the necessary measures to legally transfer personal data to countries outside the EEA.
The data subject's rights
As a registered user, you have the right to receive information about the personal data we process
about you and information about the scope and purpose of such processing, free of charge, after a
written and signed application has been sent to us. You as an individual also have the right to request
that we erase or correct your personal data at any time, as well as the right to withdraw a given
consent and notify that you object to continued processing of your personal data. Such rights only
apply when personal data processing is not covered by another legal basis, such as tax legislation,
accounting law, labor legislation and the like.
Incidents
Any incidents concerning personal data that we process must be reported without delay, and
notified to the Data Protection Authority within 72 hours at the latest, as well as other necessary
measures taken due to the incident.
Personal data controller
Arevo AB Organization number 556995–8423
Address: Box 4095, 904 03 Umeå
Contact person: Niklas Åström
e-mail address: niklas.astrom@arevo.se