2. DATA CONTROLLER AND DATA PROTECTION OFFICER
2.2 We have appointed a data protection officer (the “Data Protection Officer”). The Data Protection Officer has the task of overseeing that our use of personal data is in accordance with applicable law. The Data Protection Officer’s contact details are firstname.lastname@example.org.
3. OUR PROCESSING OF YOUR PERSONAL DATA
At Stromma, we process your personal data to provide you with the products and services we offer in the best way possible. That’s why we use your personal data for the following purposes:
– Administer and carry out contracts, and to safeguard both parties’ legal interests,
– Marketing, including customised offers,
– Method and business development.
In the tables below, you are provided with more information about e.g. why we process your personal data, which personal data we keep to achieve the purposes of the processing and for how long we store your personal data.
Purpose: Manage and carry out our contractual obligations with you and to safeguard the legal interests of both parties in case of any dispute.
What we do: We process your personal data to be able to provide, manage and adapt our product and services and provide customer services to you as a user. Should a dispute arise regarding e.g. payment, we are entitled to process your personal data to establish, exercise or defend the legal claim.
Legal basis: Performance of a contract. Should a dispute arise, we are entitled to process your personal data with legitimate interest as legal basis. Information that by law must be submitted to authorities, we have the right to collect through legal obligation.
Retention period: Your personal data is kept during the entire contract period and up to 36 months thereafter. We may keep your personal data for a longer time period if necessary to establish, exercise or defend a legal claim in case of a dispute regarding e.g. payment.
Your rights: You have the right to object to processing of your personal data based upon a legitimate interest as legal basis. See section 9 if you want to read more about your rights.
Purpose: Marketing, including customised direct offers.
Browsing behaviour and web browsing history;
Orders and payment information;
What we do: We use your personal data within the scope of our marketing and market segmentation. With market segmentation, we mean that we categorise our customers based on demographic selection criteria such as age, gender, marital status or place of residence to send direct advertisement and information that is not customised about offers, services, news and competitions to you.
Legal basis: Legitimate interest (for mail, phone and social media marketing – and for email, SMS, MMS and other automated marketing systems if the requirements of the Marketing Act are met).
Consent (for marketing third party products and services via email, SMS and MMS and other automated systems).
Retention period: If you are a customer of ours: The data is stored and used during the entire contract period and up to 36 months thereafter, provided that you have not objected to direct marketing during that time.
If you are not yet a customer of ours: We have the right to retain your information for the purpose of sending you marketing for 36 months from receiving your contact information. This requires, of course, that you have not objected to direct marketing. If you choose to become our customer, we refer you to the heading “If you are a customer of ours”.
If you wish to receive customised offers and information about news and competitions specifically formed for you, such as offers on specially-priced service packages, we need your consent. Then we will analyse, for example, during which months of the year you use our various services and the frequency you choose to use the services. We will also analyse your browsing behaviour on our website as well as your purchase and transaction history in respect of our products and services, but also your name, age, gender, civil status and address to provide you with relevant information.
Your rights: You always have the right to demand us to stop using your personal data for direct marketing. You also have the right to withdraw your consent at any time. If you revoke your consent, you will no longer be able to find information and offers that are customised for you. See section 9 for more information about your rights.
Purpose: Method and business development
What we do: We use your personal data within the scope of our market and customer analyses, consisting mainly of statistics, data from completed market segments and customer satisfaction assessments. The result of our analysis is then used as the basis for improving, replacing or developing new services, processes or working methods to meet your and other customers’ expectations and wishes. We may for example want to use personal data to improve our customer service, offer new package solutions, or customise our website and / or app to your and other customers’ wishes. However, we want to be clear that we always try to anonymise or pseudonymise your personal information as far as possible to achieve this purpose.
Legal basis: Legitimate interest.
Retention period: We save and use your personal data for this purpose during the entire contract period and up to 36 months thereafter.
Your rights: You have the right to object to processing of your personal data based upon a legitimate interest as legal basis. If you object to such processing, we will discontinue the processing or anonymise the data. Please see section 9 if you want to read more about your rights.
4. WHERE WE COLLECT YOUR PERSONAL DATA FROM
4.1 The personal data we process about you is the information you have provided us with. You provide us with information such as contact information and, in some cases, demographic information or health information when booking and when using our services. We do not obtain any information from other sources.
4.2 To be able to enter into contract and to enable us to offer you our experiences, you must in some cases provide us with certain personal data. We may need such data to fulfil practical and legal requirements. If you do not provide us with information that we need to offer you our experiences, we unfortunately cannot enter into contract with you or provide you with our products or services.
5. AUTOMATED DECISION-MAKING
We do not use any automated decision-making which has significant effects on you.
6. FOR HOW LONG DO WE KEEP YOUR PERSONAL DATA?
6.2 We may be required to keep your personal data for other reasons, such as to comply with legal obligations or to safeguard the parties’ legal interest, or for any other important public interest.
7. WHO WILL PROCESS YOUR PERSONAL DATA?
7.1 Your personal data will only be processed within the Stromma Group, by Stromma’s franchisees, its IT-suppliers and parties with which Stromma cooperate to provide our services. We may also in certain cases be required to share your personal data with public authorities or other third parties in connection with court proceedings or other legal proceedings.
7.2 We will not sell your personal data to any third party.
8. WHERE DO WE PROCESS YOUR PERSONAL DATA?
8.1 We endeavor only to process your personal data within the EU/EEA. In some cases, we may transfer your personal data to a country outside of the EU/EEA. If personal data is transferred to any such country, we will ensure that your personal data is protected and that the transfer is carried out in accordance with applicable law.
8.2 When carrying out any transfer to a country that lacks an adequacy decision by the European Commission, we will use the standard contractual clauses issued by the European Commission as legal basis for the transfer. You find these here.
8.3 When carrying out transfers to recipients in the United States that have joined the Privacy Shield program, we use the Privacy Shield as legal basis for the transfer, which you find here.
9. YOUR RIGHTS
9.1 Our responsibility for your rights
9.1.2 Stromma is responsible for answering your request to exercise your rights within one month from our receipt of your request. If your request is complicated or if we have received a large extent of requests, we are entitled to prolong our response period with another two months. If we assess that we cannot perform the actions you have requested, we will within one month explain why and inform you about your right to lodge a complaint with the data protection authority.
9.1.3 All information and communication, and all actions we carry out, is at no cost for you. If the action you request is manifestly unfounded or excessive, we are entitled to charge you an administrative fee to provide you with the requested information or carry out the requested action or refuse to meet your request.
9.2 Your right to access, rectification and erasure of personal data and restriction of processing
9.2.1 You have the right to request:
a) Access to your personal data. This means that you have the right to request an abstract from our data record regarding our use of your personal data. You also have the right to request a copy of the personal information being processed at no cost. However, we may charge you a reasonable administrative fee to provide you with additional copies of the personal data. If you make your access request by electronic means such as email, we will provide you with the information in a commonly used electronic format.
b) Rectification of your personal data. We will at your request, or at our own initiative, rectify, anonymize, erase or complement personal data that we discover is inaccurate, incomplete or misleading. You also have the right to complement the personal data with additional data if relevant information is missing
c) Erasure of your personal data. You have the right to request that we erase your personal data if we do no longer have an acceptable reason for processing the data. Given this, erasure shall be made by us if:
(i) the personal data is no longer necessary for the purposes for which it was collected,
(ii) we use your personal data with your consent as legal basis, and you revoke the consent,
(iii) you object to such processing that is based on a legitimate interest, unless we have legal and legitimate reasons for to continue the processing.
(iv) the personal data has not been lawfully processed,
(v) we are required to erase the personal data due to a legal obligation, or
(vi) you are a child and we have collected the personal data in relation to the offer of information society services.
However, there might be requirements under applicable law, or other weighty reasons, that entail in that we cannot immediately erase your personal data. In such case, we will stop using your personal data for any other reasons than to comply with the applicable law, or the relevant weighty reason.
d) Right to restrict processing. This means that we temporarily restrict the processing of your personal data. You have the right to request restriction of the processing when:
(i) you believe your information is incorrect and you have requested rectification in accordance with section 9.2.1 b) above during the time period we are verifying the accuracy of the data,
(ii) the processing is unlawful and you do not want the personal data to be erased,
(iii) we, in capacity of data controller, do no longer need the personal data for the purposes for which it was processed, but you need them for the establishment, exercise or defence of legal claims, or
(iv) you have objected to the processing in accordance with section 9.3 below during the time period we determine whether our interests override yours.
9.2.2 At Stromma, we will take all reasonable actions to notify any recipients of your personal data as set out in section 7 above regarding any rectification, erasure or restrictions of your personal data after you request us to do so. At your request, we will also inform you of which third parties we have shared your personal data with.
9.3 Your right to object to the processing
9.3.1 You have the right to object to such processing of your personal data based upon our legitimate interest or public interest (please see section 3 above). If you object to such processing, we will only continue with the processing if we have a legal and legitimate reasons to continue the processing.
9.3.2 If you do not want Stromma to use your personal data for direct marketing, you are always entitled to object to such use by contacting us. Once we have received your objection, we will discontinue using your personal data for this marketing purpose.
9.4 Your right to revoke your consent
9.5 Your right to portability
You have the right to portability. This means that you have the right to receive certain of your personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. You only have this right when your personal data is processed by automated means and our legal basis for the processing is your consent or the performance of a contract between you and Stromma. This means e.g. that you have the right to receive and transfer all personal data that you have provided us with when booking.
9.6 Your right to lodge a complaint with the data protection authority
You have the right to lodge any complaints regarding our processing of your personal data with the data protection authority.
10. WE PROTECT YOUR PERSONAL DATA
You shall always feel safe when providing us with your personal data. Therefore, Stromma has implemented appropriate security measures to protect your personal data against unauthorized access, alteration and erasure. In the case of a security breach that may significantly affect you or your personal data, e.g. when there is a risk of fraud or identity theft, we will contact you and inform you of what you can do to reduce this risk.
13. CONTACT INFORMATION
Renskutan AB/Tottbacken, org.nr. 566636-7230
Tottbacken 10, 83751 Åre