Privacy policy for suppliers

Who is a supplier?

You are a contact person of a supplier if the company that you work for provides goods and services to us.

Your personal data is collected from yourself, your employer or the company you work for or other external persons that share your information with us. In certain cases we may collect personal data about you from publically available sources, e.g. websites and social media platforms.

When and why we process your personal data?

We process your personal data for the following purposes:

Procurement of supplier

In connection with the procurement of a new supplier we process your personal data, e.g. to collect contact details to you as a contact person for the supplier prior to issuing a request for proposal (RFP), to collect documentation and to complete the procurement process.

Categories of personal data

Legal basis

  • Identity information, including personal identification number (in case of a sole proprietorship)
  • Information regarding qualifications
  • Contact details
  • Organisational information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of carrying out procurement of suppliers. 

The processing of personal identification number is necessary having regard to the purpose of the processing.

Storage period: Your personal is stored during the procurement process and for a period of ten (10) years thereafter in order to satisfy our legitimate interest of managing and defending legal claims and for such period thereafter which is necessary in order to manage the claim.

 

Manage the supplier relationship

We process your personal data in order to manage the supplier relationship, e.g. to register your contact information in our supplier database, manage supplier invoices and to manage and archive supplier agreements.

Categories of personal data

Legal basis

  • Identity information, including personal identification number (in case of a sole proprietorship)
  • Contact details
  • Organisational information

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of managing supplier relationships.

The processing of personal identification number is necessary having regarding to the purpose of
the processing.

Storage period: Your personal data is stored during such period that you are a contact person for the supplier and for ten (10) years thereafter in order to satisfy our legitimate interest of managing and defending legal claims and for such period thereafter which is necessary in order to manage the claim. Personal data in accounting material is stored for a period of seven (7) years calculated from the end of the calendar year when the relevant fiscal year ended in order to fulfill legal obligations (bookkeeping and accounting requirements under the Accounting Act (1999:1078)).

 

Manage order of goods and services from supplier

In order to manage an order of goods and services from the company you work for, we process your personal data, e.g. to handle order confirmations and complaints.

Categories of personal data 

Legal basis

  • Your communication
  • Identity information
  • Contact details
  • Organisational information

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of managing orders from the supplier.

Storage period: Your personal data is stored during such period that is necessary in order to manage the order and for ten (10) years thereafter in order to satisfy our legitimate interest of managing and defending legal claims and for such period thereafter which is necessary in order to manage the claim. Personal data in accounting material is stored for a period of seven (7) years
calculated from the end of the calendar year when the relevant fiscal year ended in order to fulfill legal obligations (bookkeeping and accounting requirements under the Accounting Act (1999:1078)).

 

Communication between employees and external persons in the service

We process your personal data as a contact person of a supplier in order to communicate with you, other employees and external persons in the service.

Categories of personal data 

Legal basis

  • Your communication
  • Identity information
  • Contact details
  • Information regarding qualifications
  • Organisational information

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of enabling communication between employees and external persons in the service.

Storage period: Your personal data is stored for a period of ten (10) years calculated from the date of the last communication in the same conversation in order to satisfy our legitimate interest of managing and defending all types of legal claims.

 

Evaluate and follow-up supplier relationships

We process, to the extent it is necessary, your personal data to evaluate and follow-up on our supplier relationships.

Categories of personal data

Legal basis

  • Identity information
  • Organisational information

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of evaluating and to follow-up our supplier relationships.

Storage period: Reports on an aggregated level which do not contain any personal data and statistics are stored until further notice or until they are deleted.

 

Handle and defend legal claims

We process your personal data, to the extent it is necessary, to handle and defend legal claims, e.g. in case of a dispute or litigation.

Categories of personal data

Laglig grund

  • Your communication
  • Identity information, including personal identification number (in case of a sole proprietorship)
  • Contact details
  • Organisational information

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of handling and defending legal claims.

The processing of personal identification number is necessary having regard to the purpose of the processing.

Storage period: Your personal data is stored for such a period that is necessary for this purpose.

 

Fulfill legal obligations

We process your personal data in order to fulfil legal obligations, e.g. bookkeeping and accounting requirements and obligations under data protection regulations.

Categories of personal data

Legal basis

All categories of personal data that have been collected and which are necessary in order to fulfill each legal obligation.

Legal obligation. The processing is necessary in order to fulfill our legal obligations.

Storage period: Your personal data is stored for such period that is necessary in relation to each legal obligation.

 

Manage and protect IT systems and services

In order to manage and protect our IT systems and services, e.g. upon logging, troubleshooting, backup, change and problem management in systems and in connection with potential IT incidents, we process, to the extent necessary, your personal data.

Categories of personal data

Legal basis

All categories of personal data stated above.

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of managing and protecting our IT systems and services.

The processing of personal identification number is necessary having regarding to the purpose of the processing.

Storage period: Your personal data is stored during the same period that is stated in relation to each purpose of the processing of your personal data above. Personal data in logs are stored for troubleshooting and incident handling during a period of 13 months calculated from the date of the logging event.

 

Recipients that we share your personal data with

Where necessary, we share your personal data with others. The recipient is the data controller for the processing of your personal data, unless we have stated otherwise.

We share your personal data with:

Service providers

In order to fulfil the purposes of the processing of your personal data, we share personal data with service providers that we have engaged. These service providers provide IT services to us (such as operation, technical support and maintenance of IT systems). The service providers may only process your personal data for these purposes and in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that the service providers carry out on our behalf.

Group companies

We share your personal data with group companies that provide services to us, e.g. IT services. We are the data controller for the processing of personal data that the group companies carry out on our behalf.

External persons

In connection with communication with external persons we share the personal data, that you yourself or others have provided, with the external persons.

Categories of personal data

Legal basis for the transfer

  • Your communication
  • Identity information
  • Contact details
  • Organisational information

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of enabling communication between employees and external persons in the service.

 

Other recipients

In certain cases we share, if necessary, your personal data with other recipients for certain purposes (e.g. to fulfill legal obligations and to handle and defend legal claims). Examples of recipients are external advisors, authorities, courts, the police and potential buyers or sellers of the company.

Recipient

Purpose

Legal basis for the transfer

Public authorities

We share necessary personal data with public authorities if we are obligated under law to disclose the information.

Legal obligation. The processing is necessary in order to fulfill legal
obligations.

External advisors

We share necessary information with external advisors, e.g. audit firms, and law firms if we are obligated under law to share the information or in order to manage and defend legal claims.

Legal obligation and
legitimate interest. The processing is necessary in order to fulfill legal obligations or, alternatively, to satisfy our legitimate interest of managing and defending legal claims.

Courts, counterparties etc.

In order to manage and defend legal claims we share personal data to other parties.

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of managing and defending legal claims.

Law enforcement authorities, e.g. police

We share personal data with law enforcement authorities, e.g. the police if we are obligated under law to disclose information.

Legal obligation. The
processing is necessary in order to fulfill legal obligations.

Potential buyers and sellers

We share personal data with potential buyers and sellers in case of an acquisition of the business or a merger.

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of carrying out the acquisition or the merger.

 

Information regarding categories of personal data

Please see the table below for further information regarding which categories of personal data that we process.

Category

Examples of personal data

Your communication

Contents in your communication, e.g. e-mails

Identity information 

Name and personal identification number

Information regarding qualifications 

Education, work experience, courses, qualifications

Contact details 

Address, telephone number, e-mail address

Organisational information 

Title, position, employer