Privacy Policy
For SamCert AB
Customers’ Personal Data
Collection and Use
We process contact information and company information to maintain customer relationships and communication when preparing quotations, as well as for project management and financial administration. We also manage ISO documentation and other strategic information to ensure compliance with standards and auditing. We also handle internal documents for the purpose of completing and documenting bookings. We also process sensitive personal data of our customers in connection with participation in our events.
Employee Personal Data
Collection and Use
We process personal data for payroll administration, employment contracts, performance appraisals and health information to ensure correct salary payment and personnel administration. We also handle internal documents within the management system for internal control and follow-up, such as organizational charts and planning overviews to maintain internal control and security.
Personal Data of Contracted
Collection and Use
We process contracts and non-disclosure agreements to ensure the proper administration of services and to maintain security. We also handle internal documents within the management system for internal control and follow-up, such as organizational charts and planning overviews to maintain internal control and security.
Personal Data of Other Stakeholders
Data Collection and Processing
We collect and process data from job applications based on a balancing of interests for recruitment purposes. We handle contact information from forms on the website and from visitors who want to receive offers and news from us. Direct marketing to customer prospects is carried out based on a balancing of interests. For the handling of personal data for visitors to the website, see the Cookie Information.
General communication data and the use of AI
We conduct AI-generated searches in email management and documentation based on a balance of interests. We do this in order to deliver affordable services. Personal data from our employees, customers and suppliers is also processed in chats in Teams. Before we record and transcribe meetings in Teams, we obtain the consent of the participants. The purpose is to share information between us and our customers and partners and streamline the work through, for example, AI notes.
We ensure that only authorized access to AI-generated data sources and information is maintained. We adhere to the principle of least privilege and maintain high security standards for information security and responsible use of AI.
Third Country Transfer
For some of our services, it may be necessary to transfer personal data to third countries, i.e. to countries outside the EU/EEA. We undertake to transfer personal data to third countries only if an adequate level of protection can be guaranteed under applicable data protection legislation. This can be done through the use of standard contractual clauses approved by the European Commission, binding corporate rules or other appropriate safeguards.
You have the right to be informed of the safeguards applied to such transfers, and to receive a copy of these measures upon request.
Security and Compliance
We take all reasonable technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. This includes regularly reviewing our security practices and policies to ensure that we comply with applicable laws and regulations.
Rights and Contact Information
You have the right to access your personal data, request rectification or deletion of inaccurate or unlawfully processed data, and object to specific processing. If you have given your consent to the processing of personal data, you have the right to withdraw this consent at any time. To exercise these rights or if you have any questions about this Privacy Policy, please contact us through the following channels:
E-mail: kontakt@samcert.se
Phone: +46 10-148 55 01
If you believe that we have not processed your personal data in accordance with applicable data protection rules, you have the right to file a complaint with the Swedish Authority for Privacy Protection (IMY).
We reserve the right to update this Privacy Policy at any time. Any changes will be posted on our website.
Below is information about the personal data processing that takes place in connection with our handling of whistleblowing cases and your rights as a data subject.
Data Controller
The controller for the processing of personal data is:
SamCert AB, org.nr. 556872-5344
Theres Svenssons gata 13, 417 55 Gothenburg
kontakt@samcert.se, +46 10-148 55 00
For further information about our handling of personal data, please see our Personal Data Policy in force from time to time.
Purpose of Processing and Legal Basis
The purpose of the processing is to be able to meet the legal requirements placed on the organization to provide whistleblowing and to carry out the investigation that the cases require. The purpose is also to process personal data where it is necessary in connection with follow-up matters. This means that we may need to process personal data in order to:
– Handle reported whistleblowing cases,
– Safeguard the organization’s rights and obligations based on the irregularities that emerge in whistleblowing cases,
– Meet the legal requirements placed on the organization.
The legal basis for the processing of personal data in connection with whistleblowing cases is generally a legal obligation pursuant to Chapter 5, Section 2 of the Act on the Protection of Persons Who Report Misconduct.
The legal basis for processing personal data in connection with the follow-up of whistleblowing cases and other measures taken in connection with a reported case is the fulfilment of a legal obligation or the organization’s legitimate interest in safeguarding its rights based on suspected or established irregularities.
Categories of Data Subjects
In connection with the handling of whistleblowing cases, personal data may be processed in relation to the following categories of data subjects:
– The person who reports a case, unless they choose to remain anonymous,
– The person or persons who appear in a report,
– The person who has an administrative role to process and investigate reported cases.
Disclosure of Data and Data Processors
The information may be disclosed to authorities (e.g. the police authority in cases where whistleblowing cases lead to a police report). Data may also be disclosed to other parts of businesses or other companies within the Group in connection with investigations, follow-ups and remedies in connection with a whistleblowing case.
Processing in connection with whistleblowing cases also takes place with personal data processors. These may only act on our instructions, which are regulated in particular in the data processing agreement.
Transfers to Third Countries
We strive not to transfer data to a country or company located outside the EU/EEA, and all storage of personal data relating to the content of whistleblowing cases takes place within the EU/EEA on servers owned by companies within Sweden.
Login administration is done through Active Directory, Microsoft Azure. The storage takes place within the EU/EEA, but since the provider is American, there is a risk that login-related personal data may be made available to US authorities, which may have a negative impact on privacy protection since US authorities are not bound to comply with GDPR. In the event of a transfer to a third country, there are standard contractual clauses as a safeguard. Please contact us for more information about how we protect your personal data.
Storage and Deletion
Your personal data that appears in a whistleblowing case will be stored for two years from the time the case is closed. The personal data that is used to manage administration and authorization is stored for as long as the authorization is valid. When the storage period expires, all personal data is deleted.
If a matter requires further investigation internally, we will continue to process your personal data for as long as the matter requires it.
Your Right as a Data Subject
When we collect and process your personal data, you have certain rights. You have the right to:
– Request an extract of the personal data the Company processes and the manner in which it is processed;
– Request correction of any inaccurate information;
– Request that your personal data be deleted. However, this can only be carried out provided that the Company is not entitled to retain the data on any other legal basis;
– Request that processing be restricted in certain circumstances, e.g. while a question about the data is being investigated;
– Exercise the right to data portability;
– Object to profiling. This only applies to data that you have provided to the Company, that is processed automatically, and that is processed on the basis of agreement or consent; and
– Contact the competent supervisory authority (in Sweden, the Swedish Authority for Privacy Protection (IMY)) if you have any comments on how we process your personal data.
Please note that your rights according to the above may be affected by the duty of confidentiality that applies to whistleblowing-related information and in cases where disclosure makes the investigation more difficult. The possibility of exercising your rights will be assessed based on, among other things, the legal basis and the purpose of the processing in question.
If you have any questions regarding the processing of your personal data, please contact us via the contact details provided in the introduction to this information.
Safety
The Company takes appropriate technical and organizational information security measures to prevent and limit risks associated with the disclosure of personal data such as unauthorized access, disclosure, misuse, alteration and destruction. Only a few authorized persons bound by confidentiality have access to identifiable personal data.