For Arbio AB – a collaboration between the Swedish Forest Industries’ Federation (Skogsindustrierna), the Swedish Federation of Green Employers (Gröna arbetsgivare), Swedish Graphic Industries’ Federation (Grafiska Företagen) and the Swedish Federation of Wood and Furniture Industry (TMF) – personal integrity is something that we consider to be of great importance. We therefore always strive for a high level of data protection. In this policy, we explain how we collect and use personal information. We also describe your rights and how you can enforce them.
Swedish Wood represents the Swedish sawmill industry and forms part of the Swedish Forest Industries Federation’s professional organisation. Arbio AB, which is responsible for formulating policy, is a cooperative venture between The Swedish Forestry Association, The Swedish Graphic Industries’ Federation, The Federation of Swedish Forestry and Agricultural Employers and The Swedish Federation of Wood and Furniture Industry.
You are always welcome to get in touch with us if you have any questions about how we process your personal data. Contact details can be found at the end of this statement.
What is personal data and what does processing personal data involve?
Everything that can be directly or indirectly traced to a natural person who is alive is covered by the concept of personal data. It not only concerns names and social security numbers but also, for example, photos and e-mail addresses.
Processing personal data is everything that happens with the personal data in IT systems, regardless of whether it involves mobile devices or computers. This includes collection, registration, structuring, storage, processing and transfer. In some cases, it might occur outside IT systems that can also be seen as data processing. This applies when it comes to registers.
Personal data manager
For the processing that takes place within Arbio AB’s operations, Arbio AB and the respective unions are jointly responsible for personal data.
The organisations are:
Arbio AB (556067–2924)
Föreningen Sveriges Skogsindustrier (802002–6061)
Grafiska Företagen (802004–3736)
Gröna arbetsgivare (802001–9892)
Trä- och Möbelföretagen (802003–5773)
The address is: Box 555 25, 102 04 Stockholm, Sweden. For some processing, such as in the member register, we use common systems with our member organisations. The responsibility between us and the member organisations is then regulated by agreements.
What personal information do we collect about you and why?
General
We mainly process your name, your e-mail address, your telephone number and your position. Sometimes additional information can be processed, for example if you are a member of parliament or a local politician, but only if you have made the information public yourself. For some services, you may also be asked to specify areas of interest, although you are not required to respond. If you create a user account with us, we will also process your login information.
We process your personal data in order to provide the services and products you have requested (for example, a newsletter or participation in a training). We will also process your personal data to nurture and manage our relationship with you and, where applicable, to manage the agreement with you or with your employer. We may also inform you about our courses, events and other things that we believe to be in both your and our interest.
In addition, we may use your personal information to inform you about the products and services that we offer and that may be of interest to you. If you are a professional user, we can also inform you about products and services from our member organisations and partners. If you are a professional user, analysis and processing of the information (including for profiling) that we may take part in as above (such as information in connection with ordering services or products or participation in seminars or activities organised by us) may take place. The purpose is to provide you with more personalised and relevant information.
Arbio AB always processes your personal data in accordance with the applicable legislation. We process your personal data when it is necessary to fulfil an agreement with you or respond to your request for service or when we have another legitimate interest in processing your personal data, such as an interest in marketing our services.
Should Arbio AB processes your personal data for any purpose that requires your consent, we will obtain your consent in advance. Some personal information may be mandatory to provide, for example in order for us to provide a service or fulfil another request from you. This will then be stated when the data is collected.
For employees in member companies
For employees in member companies, we may also process personal data in other ways than those mentioned above. This is mainly linked to the employer’s membership and applies to various contact persons. Contact information may be needed to manage membership and issues related to it. This can involve for example, contact persons for negotiations or tasks regarding membership in various working groups.
What sources do we collect personal data from?
The collection of your personal information takes place, for example, when you enter your information in connection with signing up to receive newsletters, attending seminars and other events, ordering services and/or products from us or contacting us. Even when the company you work for applies for and/or is part of a recruitment campaign, information can be collected about people in leading roles at the company. Sometimes we collect information from third parties.
Who can we share your personal information with?
Personal data processor
In some situations, it is necessary for us to hire other parties to be able to carry out our work. This involves, for example, the fact that we use IT suppliers. We regard them as personal data processors.
Arbio AB is responsible for signing agreements with all personal data processors and for providing instructions on how they may process personal data. Of course, we check all personal data processors to ensure that they can provide sufficient guarantees regarding the security and confidentiality of personal data.
When personal data processors are contracted, it is only within the scope we have for data processing ourselves.
Actors who are independently responsible for personal data
We also share your personal data with certain other actors that are independently responsible for personal data. This can include authorities, such as the Swedish Tax Agency, and other member organisations. Some information is also provided for statistical purposes.
When your personal data is shared with an actor that is independently responsible for personal data, that organisation’s privacy policy and personal data management apply.
We may also disclose personal information to our member organisations (and their companies) to the extent necessary for collaboration between the organisations to work. Furthermore, we may hire suppliers and partners to perform tasks on behalf of Arbio AB, for example to provide IT services or assist with marketing, analysis or statistics. Conducting these services may mean that these recipients have access to your personal data.
Arbio AB may also disclose personal data to third parties, such as the police or another authority, if it concerns the investigation of a crime or if we are otherwise obliged to disclose such information on the basis of law or authority decisions.
Where do we process your personal data?
We always strive for your personal data to be processed within the EU/EEA, but sometimes this is not possible.
For certain IT support, the information can be transferred to a country outside the EU/EEA. This applies, for example, if we share your personal data with a personal data processor that, either themselves or through a subcontractor, is based or stores information in a country outside the EU/EEA. As data controllers, we are responsible for taking all reasonable legal, technical and organisational measures to ensure that this processing takes place in accordance with EU/EEA regulations.
When personal data is processed outside the EU/EEA, the level of protection is guaranteed either through a decision by the European Commission that the country in question ensures an adequate level of protection or through the use of so-called appropriate protection measures. This includes ‘Privacy Shield’, the use of ‘Binding Corporate Rules’ and various contract solutions. If you would like further information about these protective measures, please feel free to contact us. Standardised
model clauses for data transmission, adopted by the European Commission, are also available on the European Commission's website.
How long do we store your personal information?
We never store your personal information for longer than is necessary for each purpose. We have developed cleaning routines to ensure that personal data is not stored longer than is needed for the specific purpose. How long this is varies depending on the reason for the processing. Due to legislation, certain data needs to be saved for at least seven years, while information on special diets is deleted within a week or so after the event has ended.
What are your rights as a registrant?
As a registered person, you have a number of rights under the current legislation. For more on how to manage your rights, see the section ‘Manage your rights’ below. We first list the registered person’s rights.
Right to the registered information (right of access)
If you want to know what personal data we process about you, you can request access to the data. When you submit such a request, we may ask some questions to ensure that your request is handled efficiently. We will also take steps to ensure that the information is requested by and provided to the right person.
Right to rectification
If you discover that something is wrong, you have the right to request that your personal information be corrected. You can also supplement any incomplete personal information. In some cases, you can make corrections yourself, which we will then inform you about.
Right to delete
You can request that we delete the personal data we process about you, including if:
- The data is no longer necessary for the purposes for which it is processed.
- You object to a balance of interests we have made based on our legitimate interest, where your reason for objection outweighs our legitimate interest.
- Personal data is processed illegally.
- Personal data has been collected about a child (under 13 years of age) for whom you have parental responsibility.
If the information has been obtained with your consent, but you want to withdraw your consent.
However, we may have the right to deny your request if there are legal obligations that prevent us from immediately deleting certain personal data. It may also be the case that the processing is necessary for us to be able to establish, assert or defend legal claims.
If we are prevented from deleting your personal data, we will block the personal data from being used for purposes other than the purpose that prevents them from being deleted.
Right to restriction
You have the right to request that our processing of your personal data be restricted. If you believe that the personal data we process about you is not correct, you can request limited processing during the time we need to check whether the personal data is correct.
If, and when, we no longer require your personal data for the stated purposes, our normal routine is for the data to be deleted. If you need them to be able to establish, assert or defend legal claims, you can request the limited processing of data from us. This means that you can request that we do not delete your data.
If you have objected to a balance of interests of legitimate interest that we have invoked as a legal basis, you can request limited processing for the time we need to check whether our legitimate interests outweigh your interests in having the data deleted.
If the processing has been restricted according to any of the above situations, we may only, in addition to the storage itself, process the data to establish, assert or defend legal claims, to protect someone else’s rights or if you have given your consent.
The right to object to a certain type of processing
You always have the right to object to any processing of personal data based on a balance of interests. You also always have the right to avoid direct marketing.
Right to data portability
As a registered person, you have the right to data portability if our right to process your personal data is based either on your consent or performance of an agreement with you. A prerequisite for data portability is that the transfer is technically possible and can take place automatically.
Manage your rights
The application for registered information or if you wish to invoke any of your other rights must be in writing and signed by the person to whom the information relates. We will respond to your requests without undue delay and within 30 days at the latest. Send your request to the GDPR
Group, Arbio AB, Box 555 25, 102 04 Stockholm.
How do we process social security numbers?
We strive to avoid processing social security numbers. In some cases, however, it is justified mainly by the fact that we need identification. With regard to the processing of social security numbers in the form of social security numbers for sole proprietorships, this processing is required as long as the company is a member.
How is your personal data protected?
We work actively to ensure that personal data is handled in a secure manner. This applies to both technical and organisational protection measures.
Regulatory authority
The Swedish Authority for Privacy Protection (IMY) is the authority responsible for monitoring the application of data protection legislation. If you believe that we are acting incorrectly, you can contact IMY. See imy.se.
Contact us with queries on how we process personal data!
If you have queries about how we process personal data or have a request in accordance with the above rights, you are always welcome to contact us at gdpr@arbio.se.
We may make changes to our privacy policy. The latest version of the privacy policy is always available here on the website.