Latest update: May 25, 2018
This policy describes Above Agency AB's personal data management practices and applies from May 25, 2018.
The purpose of this policy is to let you know, clearly and transparently, what types of personal data we handle, how we treat them, and how you can exercise your rights. The policy follows the provisions of the EU General Data Protection Regulation (GDPR). It is also supplemented by internal guidelines for handling personal data.
What personal data do we handle?
The collection and processing of personal data is not a core activity for us at Above Agency AB. However, like any other company, we handle personal data in our internal administration and for marketing purposes.
Personal data that is handled in our internal administration and in our own channels
Marketing and Mailing
We store contact information for current customers, past customers, potential customers and other relevant parties we are in contact with in order to market our business. We do this primarily by emailing marketing for our services, event invitations and so on. Subscriptions always contain an opt-out option for those who no longer want to receive such information from us.
Media production and photography
We also conduct media production (film and audio recording) and photography for personal use. Typically, this involves documenting events held in our own name as well as marketing and documentation of our own business.
We process personal data that appears in the agreements we sign. For example, there may be agreements with customers, subcontractors, partners and employees. The data is typically basic contact information that is necessary to fulfill the agreement.
If you contact us to apply for work with us, you automatically agree that we process the personal information you submit to us in the form of letters, résumés and other documentation. When you apply for employment with us, we store your data for 270 days before deleting it.
For web analytics, we mainly use Google Analytics. This helps us, among other things, to get information about how our visitors interact with the site. Data from the cookie is used for internal web analytics and marketing, but is also included in Google's demographics and interest reports.
How is your personal information processed?
The legality of the processing
Our processing of personal data, whether done on behalf of our clients or for our internal administration or marketing, is based on the basic principles of personal data management as stated in the GDPR. We only process personal data after we have ensured that we have a legal basis under the GDPR to do so.
Personal data management within the context of customer assignments is typically based on the so-called "balance of interests" as a legal basis.
We have the right to process personal data if it is necessary to fulfill an agreement, for example with a customer, a partner, a subcontractor or an employee, as well as to fulfill legal obligations, for example towards the authorities. This may involve processing data where laws or other regulations require it.
In some cases, the active consent of the data subject makes the processing of their personal data legal. Consent is also a requirement when the data is considered sensitive under the regulation. In cases where the law requires it or where the situation requires it, we collect active consent for processing from the data subject.
Information to data subjects
In our personal data processing we also aim to meet the information obligation as described in the GDPR, and inform you about your data that is being processed by us. This applies provided that the personal data has not already been made public, such as by being openly available (for example, on the internet or in the media) or actively published or provided by the registered person.
Restriction of access
We have routines and working methods to handle personal information safely. The starting point is that only the employees and, if applicable, the customer for whom we perform the task, who require the personal data to perform their duties, shall have access to it.
Personal data that is no longer used is deleted regularly. This may be, for example, because the customer assignment within which it was processed has been terminated, because the information has for other reasons become out of date for the task, because an agreement or cooperation has been terminated, or similar.
The exception is when personal data needs to be saved for a time, for example to cover a complaint period, when there is reason to believe that the terminated assignment, agreement or cooperation will in the near future be transferred to a new assignment, agreement or cooperation with the same counterparty, or when it is in our interest to be able to report on the performance of the assignment.
Transfer of personal data
We do not transfer personal data in cases other than those expressly stated in this policy. This may, for example, concern personal data we have handled on behalf of a customer, where it is part of our assignment that the information is to be handed over to the customer, or personal data handled within a tool or digital platform where our own policy does not apply and the tool's or platform's policy applies instead.
Otherwise, transfer of personal data takes place between Above Agency and, if applicable, partners when our customer assignments so require.
We comply with the data protection requirements set by the GDPR. This includes encrypting our networks and limiting access to data to avoid personal data incidents. We have internal policies and practices for IT security as well as for handling personal data incidents that meet the statutory requirements.
You have rights and they are important to us!
Generally, we believe you have the right to have your data processed only in accordance with your expectations. But you also have rights laid down by applicable law. Below you can read more about them, starting with the ones we believe might be most relevant for you.
Under the General Data Protection Regulation (GDPR)/(EU) 2016/679:
You have the right to be informed about certain details on the processing of your data. We provide this information through our Transparency Widget above.
You have the right to receive a copy of the personal data we process about you. You can receive this data by reaching out to us.
You have the right to correct the personal data we process about you if you see that it is inaccurate.
You have the right to erasure if:
the personal data is no longer necessary for the purposes it was collected for;
your particular situation gives you the right to object to processing on grounds of legitimate interest (see more below);
processing the personal data has been unlawful; or
there is a legal obligation under EU or Swedish law for us to erase the data.
You have the right to request us to restrict the processing of your data if:
the personal data we have about you is inaccurate;
the processing is unlawful and you ask us to restrict the use of the personal data instead of erasing it;
we no longer need the personal data for the purposes of the processing, but we still need it for the establishment, exercise or defence of legal claims; or
you have objected to the processing claiming that the legal basis of legitimate interest is invalid and are waiting for the verification of this claim.
You have the right to object to the processing of your data if:
you can show that your interests, rights and freedoms regarding the personal data outweigh our interest to process your personal data; or
we process your personal data for direct marketing purposes.
You have the right to data portability:
for personal data that you provided to us; and
if the legal basis for the processing of the personal data is the fulfilment of contract or consent.
We will send a copy of your data in a commonly used and machine-readable format to you or a person/organisation appointed by you.
How to exercise your rights?
Send us an email at email@example.com and we’ll do our best to figure it out together. If you are unhappy with the way we process your personal data you can always file a complaint with the Swedish data protection authorities at firstname.lastname@example.org