On 25 May 2018, a new EU regulation came into force, called the General Data Protection Regulation, abbreviated "GDPR" in English. The GDPR strengthens the rights of individuals over how companies, authorities and organizations may collect and use their personal data and applies in all EU member states and the EEA area. GDPR sets stricter requirements for how companies may collect and use personal data. GDPR has replaced the previous Swedish Personal Data Act (PUL). Personal data refers to information that can be linked to a living natural person, such as name, telephone number, e-mail address, social security number, postal address, etc. References to "you" and "your" refer to the data subject, whose personal data we process.
According to Article 13 of the GDPR, you as an individual have the right to information about how your personal data is processed by our company, Rosahuset Gruppen AB with company registration number SE559068117601 (hereinafter referred to as "we", "our", "us"). Below you can read about how we process your personal data that we get access to when you enter into an agreement with us or contact us. All processing of personal data takes place in accordance with the GDPR and in accordance with the principles of data protection.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
SCC: Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
Third party: Refers to someone other than you or Rosahuset Gruppen AB.
Payment service provider: refers to a Third Party that has permission from Rosahuset Gruppen AB to receive and process payments from buyers of the goods that Rosahuset Gruppen AB sells through its online store, via the various payment methods provided by such authorized Third Party.
Personal Data Controller
Rosahuset Gruppen AB is the Personal Data Controller regarding all processing of personal data performed by us or on our behalf and is responsible for ensuring that the processing takes place in accordance with the GDPR (according to the principle of accountability).
Among other things, we are responsible for our processing of the personal data that you provide to us when you purchase our products and register yourself as a customer. The processing takes place mainly to administer purchases, returns and complaints.
We do not disclose customer information such as email addresses or personal information to Third Parties, other than those mentioned below.
Firm: Rosahuset Gruppen AB.
VAT no.: SE559068117601
Post address: Rottnebyvägen 6, 79144 Falun.
If you have any questions or concerns regarding the content set forth herein or other questions relating to the processing of your personal data, you may contact our contact person for personal data matters:
- Name: Björn Forsman.
- E-mail address: email@example.com.
What information do we collect?
We only process personal data that is necessary, relevant and adequate to fulfill the purpose for which they were collected (in accordance with the principle of data minimization).
We mainly process the following categories of personal data, which we can access when you contact us or when you enter into an agreement with us:
- First name, last name, personal identity number.
- Address, telephone number, e-mail address.
- Other personal information that is provided to us, such as information that you have included in an e-mail that you send to us.
Legal basis and purpose of the processing
According to the principle of purpose limitation, we may only process personal data for special, explicitly stated and justified purposes. In addition, any processing must be legally justified in order to be lawful under the GDPR. We process personal data carefully and do not share the data with unauthorized persons. Below you can read more about the legal basis and purpose of the processing of personal data.
- When you visit our online store:
- When you enter into an agreement with us:
When you enter into an agreement with us, for example in connection with the purchase of the goods we sell through our online store, we need to process your personal data in order to fulfill the agreement. Legal basis: Performance of a contract (Art. 6 (1) b GDPR).
When creating a user account: When you as a buyer place an order, a user account is automatically created for you. The login information for the user account is sent to your registered e-mail address. You can also choose to start a user account yourself before completing an order. In connection with this, you accept our general terms and conditions. Legal basis: Performance of a contract (Art. 6 (1) b GDPR).
When ordering goods: When you send an order to us through our online store, we get access to your personal information that you provide in connection with the ordering process. Payment is made through the Payment Service Provider that is integrated in the online store. More information about our terms of purchase can be found on the following link: LINK. When ordering goods, we get access to the order information and payment information specified below, and we also store accounting documents:
Order information: First name, last name, order ID, order history, delivery address (e-mail), canceled orders, completed orders, personal identity number (if stated in connection with the order). This information is processed by us every time you place an order. We also process the information to improve our services. Legal basis: Legitimate interest (Art. 6 (1) f GDPR).
Consumer rights: In the case of an agreement on the purchase of goods, we store your personal data for at least three (3) years in order to be able to fulfill, among other things, the right of complaint and other consumer rights that apply in accordance with applicable consumer protection legislation. Legal basis: Legal requirement (Art. 6 (1) c GDPR).
Payment information: Payment method, pseudonymized credit / debit card information. We must process this information in order to track the payments you have made and link them to the orders you have made, to enable fulfillment of our contractual obligations. Legal basis: Performance of a contract (Art. 6 (1) b GDPR).
Accounting documents: We process and store invoices, receipts and other items that constitute accounting documents that we are obliged to process and store in accordance with, among other things, the applicable accounting act and the tax agency's requirements. Such items are stored for at least seven (7) years or as long as required by law. Legal basis: Legal requirement (Art. 6 (1) c GDPR).
- When you contact us via email, phone or social media:
We process your personal information that we get access to when you contact us through e-mail, contact form, social media, telephone or in any other way. The purpose of the processing is to enable us to know who we are talking to and to be able to help you in the matter.
Identification information: first name, last name, address, telephone number, e-mail, username or user ID from social media (if applicable), message content. Legal basis: Legitimate interest (Art. 6 (1) f GDPR).
Customer matters: In order to be able to handle purchases and customer matters, we store the following information: First and last name, address, telephone number, e-mail and order history. If purchases are made against an invoice, personal identity numbers are also stored. Legal basis: Performance of a contract (Art. 6 (1) b GDPR).
- When you register to receive newsletters from us:
You can agree to receive newsletters from us by giving your voluntary active consent to the processing of your e-mail address for that purpose. You can cancel your subscription at any time by clicking on the link in the newsletter to unsubscribe from the newsletter or email us at firstname.lastname@example.org.
If you revoke your consent, you will be removed from the email list for recipients of the newsletters, but your email address will remain in the database with a block for receiving newsletters. The purpose of this is to ensure that you do not receive any more newsletters from us.
If you want your e-mail address to be deleted from the block list, you can contact us by e-mail and request this. However, if you request that we remove your email address from the block list, you can receive newsletters from us if you or someone else registers your email address to receive newsletters again.
Identification information: name, e-mail. Legal basis: Consent (Art. 6 (1) a GDPR).
- Other purposes for our processing of personal data:
Legal requirement: If we are obliged by law, court or authority decision to process certain personal data, the processing takes place with Legal requirement as a legal basis. In such cases, the processing takes place only to the extent that it is necessary for us to fulfill our legal requirements. In such cases, we only process and store necessary personal data, for as long as the law requires it (in accordance with the principle of storage limitation).
Legitimate interests: Based on our legitimate interest, we may process personal data in order to:
- protect our rights and property,
- carry out direct marketing of our services,
- ensure the technical functionality of our services,
- collect statistics, performance measurements, etc. regarding our services,
- administer the integration between our services and Third-party services.
When personal data is processed on the basis of Legitimate interest as a legal basis, our assessment is that the processing does not constitute an infringement of your right to privacy. We have come to this conclusion after balancing, on the one hand, what the processing in question means for your interests and right to privacy and, on the other hand, our legitimate interest in the processing in question. However, we never process sensitive personal data on the basis of Legitimate interest.
Where is the personal data stored?
We strive to store all personal data that we process within the EU / EEA (according to the principle of integrity and confidentiality). If personal data is stored in a country outside the EU / EEA, we shall ensure that such a storage site ensures an adequate level of protection in accordance with the provisions of the GDPR, and the SCC where applicable.
How long is the personal data stored?
We store your personal information for as long as it is necessary to fulfill the purposes for which it was collected. Personal data that no longer needs to be stored for the purposes will be erased (deleted) from storage locations or anonymized (in accordance with the principle of storage limitation).
If a claim can be made against our company, we can store the personal data until the statutory limitation period has expired. In the event of an existing dispute, relevant personal data is stored until the dispute has been settled.
With whom do we share personal data?
We process all personal data carefully and do not share personal data with unauthorized persons. In some cases, however, we may need to share personal data with someone else, such as authorities or Third Parties that we use within the framework of our activities and to fulfill our obligations in accordance with current legislation. Below is a summary description of the companies / entities with which we share personal data and why.
We may share personal data that we process with relevant authorities in response to legal inquiries or if it is necessary to prevent, detect, deter or investigate criminal activity and to protect our interests and property.
Klarna is our Payment Service Provider. In order for us to offer you Klarna's payment methods, we need to share some of your personal information with Klarna, such as contact and order information, so that Klarna can assess whether you can be offered their payment methods and to tailor the payment methods for you.
In order to deliver your orders, we share certain information with our booking system for shipping and our shipping supplier. The information shared is: first and last name, address, mobile number and e-mail address. We use Unifaun AB to book transports, as well as DHL which performs the transports.
If you have chosen to subscribe to our newsletter, your first and last name and e-mail address will be shared with our service provider. We use the company Klaviyo Inc. to send out newsletters.
We use various service providers to: fulfill our contractual and legal obligations; detect and prevent technical, operational or security problems; safeguard our legal interests; and provide, improve and maintain our online store (software maintenance).
In some cases, we may need to share personal data for which we are responsible with such a service provider. Before we share any personal data, we enter into a data processing agreement in accordance with the provisions of the GDPR (alternatively the SCC, if the personal data processor is located in a country outside the EU / EEA), to ensure secure and correct processing of personal data. If you want to know more about which service providers we have engaged, you can contact our contact person for personal data matters to request a current overview.
Technical and organizational security measures
We follow the seven data protection principles in all processing of personal data. The principles are documented in internal routines, which our employees have access to and which they follow in all processing of personal data for which we are responsible.
We implement various technical and organizational security measures with a focus on the integrity of the data subjects. The measures are intended to protect against intrusion, abuse, loss, destruction and other changes that may pose a risk to privacy (according to the principle of integrity and confidentiality).
For example, our databases, internal registers and systems that contain personal data are password protected. Our databases are backed up daily, and the backups are saved to cloud storage. To restrict access, we have also designated specific individuals who have access to passwords, customer registers and other systems that contain personal data.
What rights do data subjects have under the GDPR?
According to GDPR, you have different rights regarding the processing of your personal data. We hereby inform you that some of the rights only apply in certain situations and only if it is legal and possible for us to implement your request. You are welcome to contact our contact person for personal data matters, if you want to invoke any of the rights mentioned below regarding your personal data. According to the GDPR, as a data subject, you have the right to:
- access your personal data that we process (Art. 15).
- get incorrect personal data corrected (Art. 16).
- have your personal data that we process deleted (Art. 17).
- request a restriction on the processing of your personal data (Art. 18).
- transfer your personal data (data portability) (Art. 20).
- receive information about personal data breaches concerning your personal data (Art. 34).
- object to the use of personal data for direct marketing and profiling (Articles 21-22).
What does a personal data breach mean?
A personal data breach is a security breach. For example, if we lose control of the personal data we process, this constitutes a personal data breach. Any personal data breaches are documented internally. Personal data breaches must be reported to the Swedish Authority for Privacy Protection (IMY) within 72 hours when the GDPR requires it, and data subjects affected by a personal data breach that has occurred will be notified of the breach if the GDPR requires it.
Who can I contact to file a complaint?
If you have any questions or concerns, or if you are dissatisfied with our processing of your personal data, you are always welcome to contact us by e-mail: email@example.com. You can also contact the Swedish supervisory authority, the Swedish Authority for Privacy Protection (IMY), to file a complaint.
Contact information for the Swedish Authority for Privacy Protection:
Phone: 08-657 61 00
Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm.