Privacy Policy

Effective from: 2025-11-01
Last revised: 2025-11-01
Approved by: CTO
Contact: Data Protection Group

1. Purpose and Scope

Under the EU General Data Protection Regulation (GDPR), you have the right to receive information about how your personal data is processed. Sertion AB respects your privacy and protects the personal data we process. In this Privacy Policy, we have gathered information about how we use your personal data. All personal data is processed in accordance with applicable data protection laws.

2. Data Controller

Sertion AB (hereinafter referred to as “Sertion”, “we”, or “us”), company registration number 5594-568072, is the data controller responsible for the processing of personal data in accordance with the EU General Data Protection Regulation (“GDPR”).

If you have any questions regarding the processing of your personal data, you may contact Sertion’s Data Protection Group at: privacy@sertion.com

3. How We Obtain Your Personal Data

We collect personal data that you voluntarily provide to us, for example when requesting quotations, submitting tenders, entering into agreements, managing customer and supplier invoicing, submitting job applications, or communicating with us via email or other channels where you register your information.

In some cases, your personal data may be obtained from other sources based on your professional role where we assess that you may be involved in an ongoing project or otherwise connected to our business activities. These sources may include publicly available search engines or your employer’s website.

4. How We Use Your Personal Data

Personal data is only processed when necessary and based on lawful grounds under the GDPR. Common legal bases include:
– Contract – to fulfill our contractual obligations.
– Legal obligation – to comply with laws and regulatory requirements.
– Consent – when you voluntarily provide your information.
– Legitimate interest – to operate a secure and efficient business.

Agreements

Purpose of processing: Administer and follow up on agreements
Types of data: Name, email address, phone number, role/title
Legal basis: Contract / Legitimate interest
Shared with: System providers
Data retention: During the contract period and thereafter according to internal routines

Customer invoices

Purpose of processing: Manage customer invoicing and financial administration
Types of data: Name, address, invoice details, order number
Legal basis: Contract / Legal obligation
Shared with: Financial systems and banks
Data retention: At least 7 years in accordance with accounting legislation

Supplier invoices

Purpose of processing: Manage supplier invoices and payments
Types of data: Name, contact details, invoice details
Legal basis: Contract / Legal obligation
Shared with: Financial systems
Data retention: At least 7 years in accordance with accounting legislation

Digital signing

Purpose of processing: Handle digital signing of agreements
Types of data: Name, email address, phone number
Legal basis: Contract
Shared with: E-signature service providers
Data retention: As long as the agreement needs to be retained

Inquiries

Purpose of processing: Handle inquiries and communication via email
Types of data: Name, email address, and information provided in free text
Legal basis: Legitimate interest
Shared with: IT service providers
Data retention: As long as the matter is being handled

Recruitment

Purpose of processing: Manage recruitment processes and job applications
Types of data: Name, email address, phone number, CV, education and work experience
Legal basis: Legitimate interest / Consent
Shared with: Recruitment systems and IT providers
Data retention: During the recruitment process

Security

Purpose of processing: Ensure IT security and prevent incidents
Types of data: IP address, user ID, log data
Legal basis: Legitimate interest
Shared with: IT security providers
Data retention: According to internal security routines

5. How We Share the Information We Collect

Only individuals who need access to personal data for the purposes described above will have access to your personal data.

We may share your personal data with our suppliers. For example, suppliers and subcontractors may need access to personal data when they provide services to us, primarily in order to maintain and support our IT systems.

6. Security

We implement technical and organizational security measures to protect your personal data. We regularly review our policies and procedures to ensure that our processes and systems remain secure and protected.

7. Transfers of Personal Data Outside the EU/EEA

We always aim to process your personal data within the EU/EEA. In some situations, such as when we share your information with a supplier or subcontractor operating outside the EU/EEA, it may be necessary to transfer your personal data to a country outside the EU/EEA (a “third country”).

We ensure that any such transfers only take place where an approved transfer mechanism is in place and appropriate safeguards are implemented to ensure that your personal data receives a level of protection equivalent to that provided within the EU/EEA.

Approved transfer mechanisms may include:

Adequacy decisions issued by the European Commission confirming that a country provides an adequate level of data protection. For recipients in the United States, this may include organizations certified under the EU-US Data Privacy Framework.

Standard Contractual Clauses (SCCs) adopted by the European Commission between Sertion and the recipient outside the EU/EEA, ensuring that the level of protection required under the GDPR is maintained.

8. Your Rights

As a data subject, you have several rights under the GDPR. These rights may be exercised, for example, if you wish to obtain a copy of your personal data, correct inaccurate information, or object to the processing of your personal data.

Not all rights apply in every situation. Which rights apply depends on the legal basis for the processing and on whether the data must also be retained to comply with a legal obligation.

Regardless of the legal basis, you always have the following rights:
– Right to information
– Right of access (data access request)
– Right to rectification
– Right to restriction of processing

In certain circumstances you also have the following rights:
– Right to erasure, when processing is based on: Contract, Consent, Legitimate interest
– Right to data portability, when processing is based on: Contract, Consent
– Right to object, when processing is based on: Legitimate interest, Public interest

You also have the right to lodge a complaint with the supervisory authority, the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten – IMY), if you believe your personal data is being processed incorrectly.

www.imy.se

If you wish to exercise any of your rights or have questions about Sertion’s processing of your personal data, please contact the Data Protection Group at: privacy@sertion.com