Personal Data Policy

1 Background and purpose

On 25 May 2018, the GDPR – General Data Protection Regulation – comes into force within the EU and the EEA. The objective of the GDPR is the protection of privacy with regard to the use and registration of personal data.

The purpose of this policy is to demonstrate how Christian Berner Tech Trade, both as a Group and through its subsidiaries, processes personal data.

1.1 Definitions

  • Personal data: personal data means all information that can be linked to a living natural person, such as their name, email address, personal identity number, photographs, etc.
  • Personal data processing: any operation or set of operations which is performed on personal data, such as collection, recording, filing, storage, adaptation, use, or transmission of personal data, etc.
  • Controller: the natural or legal person who determines the purposes and means of the processing of personal data, in our case this is Christian Berner Tech Trade and its respective subsidiaries.
  • Processor: a natural or legal person which processes personal data on behalf of the controller.
  • Personal data breach: a breach that results in the personal data not being processed in the agreed and predetermined manner, such as loss, destruction or unauthorised access.

2 Scope

This policy applies to the Christian Berner Tech Trade Group, its current subsidiaries and any future subsidiaries. The policy covers personal data and personal documents relating to owners, employees, contractors, former employees, applicants for positions, relatives’ details, customer contacts, supplier contacts, business partners and visitors to our various websites and exhibitions or events, as well as people who have reported interest in one of our newsletters. The policy covers personal data and personal documents that are processed digitally or which are filed in a register in paper format.

3 Christian Berner Tech Trade’s principles for the processing of personal data

Personal data must be processed in a lawful, correct and transparent manner with regard to the data subject.

  • We will only collect personal data in accordance with the express and legitimate purposes set out in this policy.
  • The personal data we collect must be adequate, relevant, and not excessive in relation to the purposes we have set out.
  • Personal data must be accurate and kept up to date. We will take all reasonable steps to rectify or erase inaccurate data where necessary.
  • We will only use, file and process personal data that enables the identification of the data subject for the period necessary for the purpose for which the personal data is being processed.
  • Personal data must be processed in such a way that we ensure the security of the personal data, which includes both technical and organisational security measures.
  • We will continuously educate and inform our employees about how we are expected to handle, process and safeguard the personal data that has been provided to us.
  • We will have guidelines on how to deal with and act in the event of personal data breaches.
  • We will have guidelines on safeguarding the rights of data subjects and receiving their questions about the personal data that we process within the Group.
  • In cases where we provide personal data to a third party, we will ensure that this third party processes the personal data in a proper manner and in accordance with our requirements and wishes.

4 What we use personal data for and why

4.1 Employees, candidates, former employees, trainees and consultants

Our employees means all those who are currently employed at the Group and receive salaries – or other remuneration – from the Group or its subsidiaries, such as employees, Board members and consultants.

In order to fulfil the employment contract, we need to process personal data such as name, personal identity number, private contact details, bank account for payment, title, terms of employment, etc. We also process personal data relating to previous professional experience, educational background, certificates, etc., that is needed to demonstrate competence and training completed. In order to fulfil requirements under collective bargaining agreements and employment law, we need to process data relating to sickness, ill health and sickness absence, as well as information about the children of the employee, in order to be able to pay parental pay for example. In the event of acute illness, accident or other emergency situation, we may need to contact a close relative and we therefore encourage employees to provide details of their relatives. In the context of negotiations or other measures of a trade union or collective bargaining nature, we may need to process data about trade union membership.

When an employee’s employment at the Group or at any of its subsidiaries ends, we have procedures in place regarding what data we will erase and how we will do this, and the employee will also be given information about how we process personal data after employment ends. If an employee or former employee wishes to receive information about what personal data we have recorded about him or her, we will provide this to the person as soon as possible, but no later than within 30 days.

Access to personal data relating to employees is managed using permissions and only the CEO, HR Director and CFO have full access to all documented information about an employee and then only for employees at their respective companies. The Swedish company also processes the data of Group employees. The immediate manager has access to data relating to the hours worked in order to be able to approve time sheets and therefore also to data concerning business trips and any absence. The immediate manager is also involved in rehabilitation measures for employees, which means that the immediate manager also has information about sickness and ill health. The payroll administrator has access to the information needed in order to process salary payments.

Personal data is documented and filed digitally in the HR system, payroll system and personnel files in the network, as well as in paper format in the personnel files of the HR manager and each employee’s respective manager. Further descriptions of how personal data is used, filed and processed can be found in the companies’ process descriptions, guidelines and staff policies.

Personal data relating to employees is passed on to external parties in connection, for example, with the use of occupational health care, in order to comply with legal requirements relating to certain identity checks, statutory training, safety requirements for entering customers’ facilities, in other words where the personal data is required for the performance of the assignment. At some of our subsidiaries, payroll processes are carried out by an external party. Data is also transferred to public authorities and similar organisations and may also be provided to the police in connection with a criminal investigation. Personal data relating to name, email, title, department and gender are communicated to external parties for the purpose of conducting employee surveys.

Candidates seeking an advertised position or spontaneously sending their details to Christian Berner Tech Trade or its subsidiaries must always receive a reply detailing how we process their personal data and how long we keep it. Application documents may be stored only for as long as the purpose requires; thereafter the consent of the candidate is required and they must also be informed about which personal data is stored. The HR Director/Manager at the respective companies is responsible for processing and handling application documents and consent.

We need the personal data of consultants from staffing companies, for example, who are engaged for assignments and projects, to the extent necessary for the performance of the assignment and in order to guarantee the safety of the person and the company. This may include their name, contact details, training completed, previous work experience, personal identity number, etc. This personal data is processed by the HR Director/Manager at each company.

Data relating to name, previous experience and other general information is used internally, for example to present new employees both at the respective companies and within the Group. Data relating to name, previous experience and other general information is used internally at the respective companies to present consultants or trainees.

Consent is requested in order to enable the use of photos of employees, consultants and trainees in internal or external communication. Exceptions apply to those in positions where this may be considered part of the job, for example the CEO and the Group’s Board of Directors. The HR Director/Manager of each company is responsible for filing consent, both for internal and external communications.

4.2 Customers, suppliers and other business relationships

We process the personal data of the contact persons of our customers, suppliers and other business partners. We do this to enable us to provide information to the right person, send goods, fulfil contracts and agreements, build relationships and market the company and our products. At Christian Berner Tech Trade, we use CRM systems to collate all business communications with customers, suppliers, prospects and business partners. Exceptions may include such business communications which, for the sake of the individual company or the customer’s need for particularly confidential treatment, may need to be handled in a different way. The Group comprises several companies and each company is responsible for its own CRM system.

The CRM system contains personal data such as the contact person’s name, title, email address, telephone number and address. The personal data is usually obtained from the contact person themselves, for example through an order, personal contact, a request for a quote, a discussion or a visit, but we also obtain it through various address register services or by contacting the company where the contact person is employed and through online searches.

It is vital for the success of Christian Berner Tech Trade that we ensure our CRM systems are as up to date as possible and that we have accurate information. We therefore work extensively and continuously to keep our records accurate and up to date in the right way. To ensure that all employees understand the importance of this, we conduct ongoing training on how personal data should be processed and emphasise the importance of protecting our information. Contact persons who, for whatever reason, are no longer included in the register will be anonymised as soon as we become aware of this.

In those cases where we have not yet entered into a commercial agreement, the personal data is stored only for as long as we have an ongoing mutual dialogue and for 12 months thereafter. If we have not entered into a commercial agreement in the past and we have not had a mutual dialogue with the contact person during the past 12 months, the personal data will be anonymised, but the contact details of the company may be retained. If the contact person has subscribed to our newsletter, however, we will send the newsletter until the person opts out of mailings.

We do not sell our customer records to external parties but we may disclose personal data to an external party that we have engaged in order, for example, to fulfil commercial agreements and assignments for our customers, to deliver goods, to carry out market research such as an annual customer survey and to send newsletters and invitations to customer events and similar activities.

An important part of our marketing is being able to tell others about good examples of our work. In order to do this, we usually need to provide personal information in the form of the person’s name, title and the company they represent. In some cases, we may also wish to use an image. We also take photographs at trade fairs and events and we want to share these on our website, on social media or in our newsletters. For all such communication, we will request the consent of the persons concerned in advance if there is the slightest chance that the person could be identified. Our marketing managers file these consents.

Personal data relating to customers, suppliers and business partners can also be found in our ERP systems and distribution systems. Processing takes place here in order to fulfil the commercial agreements we have entered into and to enable us to send and receive goods and invoices and to fulfil other legal obligations. We comply with the retention requirements of the Swedish Bookkeeping Act in this respect.

5 Awareness, security, data protection, rights and permissions

Our employees process personal data and to ensure that they have an awareness of their role in secure and proper processing, we continuously inform and train them on the importance of processing personal data in a secure and correct manner. This forms part of the induction process and is also part of our internal training on CRM systems, ERP systems, payroll systems, etc.

We work on a broad front with security and data protection so that we can take action in the event of any breaches. We work on the basis of the Group’s information security policies and we manage the assignment of rights and permissions. We have a guideline for IT use that stresses the importance of having a good approach to IT security internally. All our premises are secured with measures to protect against burglary and fire in order to prevent the loss of information and personal data. Should an incident nevertheless occur, we have established a guideline on how we should act in the event of a breach.

6 Responsibility

The CEO is ultimately responsible for the legal compliance of the Group’s companies. The CEO of each company is responsible for ensuring that the company establishes the guidelines and instructions specified in this policy and for compliance with these at the respective organisation. Every employee is responsible for complying with this policy, as well as the guidelines and instructions related to this policy.

7 Follow-up and compliance

The policy is followed up as part of the Group’s internal control programme. Any non-compliance is reported to the Nordic management group and to the respective company’s CEO.

8 References

  • Information for applicants on how we process personal data
  • Consent to the storage of application documents
  • Induction of new employees
  • Consent to the use of photographs in internal and external communications
  • How we process your personal data when your employment ends
  • Consent to the use of personal data in marketing – to external parties
  • Guideline on processor agreements
  • Guideline on action in the event of a personal data breach
  • Guideline on IT use