For Bulls (“Bulls” “We” “we”), the most important thing is to protect our employees’, customers’ and other people’s personal data, and we apply and follow regulation (EU) 2016/679 of the European Parliament and the Council (“GDPR”). We strive for a high level of data protection. In this policy, we explain how we
process your personal data. We also explain your rights and how you can assert them. As a data subject, you are welcome to contact us if you have questions in terms of how we process your personal data. Our contact information can be found at the bottom of this policy.
Terms and definitions
Processing: an action or combination of actions concerning Personal Data or combinations of Personal Data, regardless of whether they are performed automatically or not, such as collecting, registering, organising, structuring, storing, adapting or changing, creating, reading, using, distributing by transferring, disseminating or releasing in some other manner, adjusting or summarizing, limiting, deleting or destroying.
Sensitive personal data: Sensitive Personal Data is data that concerns race or ethnic origin, political opinions, religious or philosophical conviction or membership in a union and Processing of genetic information, biometric information to clearly identify a physical person, information about health or information about sexual life or sexual orientation.
Legal Basis: Processing is only legal if it occurs on a Legal Basis. The reasons that are
relevant for the Company are listed below. In order for the Company to be able to Process Personal Data, either the consent of the Data Subject is needed/or Processing is necessary:
– to fulfil an agreement that the Data Subject is a part of,
– to fulfil a legal obligation that is the duty of the Personal Data Controller,
– for purposes that involve the legitimate interests of the Personal Data Controller or of a third party,
unless
the Data Subject’s interest or fundamental rights and freedoms weigh more heavily and require the protection in terms of their Personal Data, especially if the Data Subject is a child.
Necessary: Processing may only take place to the extent that it is Necessary for a specific purpose. According to GDP are, Necessary means that the Processing results in improved efficiency. Processing
is therefore not considered Necessary if the purpose can be achieve just as easily and cheaply
without Processing Personal data.
Personal Data: any information that involves an identified or identifiable physical person (“Data Subject”), where an identifiable physical person is a person who directly or indirectly can be identified Particularly with respect to an identifier such as a name, and identification number, location information or online identifiers or one or more factors that are specific to the physical person’s physical, physiological, genetic, mental, economic, cultural or social identity.
Personal Data Controller: a physical or legal person, public agency, institution or other body that alone or together with others determines the purposes and means for Processing Personal Data; if the purposes and means for Processing is determined by the European Union legal order or the national law of the member states, the Data Controller or the specific criteria for how they shall be appointed may be prescribed in the European Union legal order or in the national law of the member states.
Personal Data Processor: a physical or legal person, public agency, institution or other body that Processes Personal Data on behalf of the Personal Data Controller.
Personal Data Processor Agreement: a written agreement or other legal act that is binding for a Personal Data Processor with respect to a Personal Data Controller and is drawn up according to Article 28 of GDPR. The Personal Data Processor and Personal Data Controller shall always enter into a Personal Data Processor Agreement.
Data Subject: the physical person who can be identified directly or indirectly using specific Personal Data.
When is Bulls the personal data controller and when are we the personal data processor
For processing where Bulls determines the Processing, we are the Personal Data Controller. We are the Personal Data Controller when we Process Personal Data in our capacity as employers with respect to job applicants, in order to be able to perform recruiting procedures. We also handle Personal Data as controllers with respect to employees in order to be able to fulfil our obligation as employers to make wage and salary payments and to be able to contact your relatives in order to notify them that something has happened to you as an employee at Bulls.
We also share your Personal Data with certain other actors who are independent Personal Data Controllers, for example, public agencies such as the Swedish Tax Agency, when we are obligated to submit information according to laws or government decisions. When your Personal Data is shared with an actor who is an independent Personal Data Controller, the organisation is the Personal Data Processor for Processing your Personal Data.
Bulls can act as a Personal Data Processor with respect to the suppliers and partners who, in relation to Bulls, determine the Processing of your Personal Data.
Reasons for processing personal data
Bulls uses agreements, legal obligations, legitimate interest and consent as the Legal Basis for Processing the Personal Data of the Data Subject
Where personal data is processed
The Company only processes personal data within the EU and EEA.
End purposes of the processing
The Company Processes Personal Data when it is Necessary in order to perform Processing of Personal Data with respect to their employees, customers, suppliers and partners.
The Company also processes Personal Data in order to fulfil legal obligations, for example, the Swedish Accounting Act (1999:1078).
The personal data we process
Bulls collects the following types of Personal Data with respect to its business:
- First name and last name,
- email address,
- national ID number regarding employee, freelancer and if they pay PAYE tax,
- address and other contact information.
Submission – including where Bull’s collects Personal Data from
Personal Data is submitted to authorities only if required by law or governmental order.
Personal Data that Bulls Processes is primarily collected from the Data Subject. When necessary, for example, in order to fulfil agreements with the Data Subject or to fulfil legal obligations, additional information may be collected from agencies, publicly available sources and other organisations.
Cookies, Act (2003:389) regarding Electronic Communication
Bulls uses Cookies on its website. Cookies with the name “wp-” and “wordpress_” relates to WordPress; this is used to adjust the view in your administrator interface and the front page of the website. The value represented by [UID] is the users’ individual user-ID that is put in the users’ database table. Bulls only saves cookies for users that are logged in.
“Tk_ai” is a cookie that is placed by the plugin “Automatic”, “JetPack”, “WooCommerce”, it saves a user’s unique ID. The cookie is saved only for users who are logged in.
“_gid”,”_gat_gtag”, “_ga” relates to Google Analytics, and these values save each user as a unique ID, which is then used to trace and save the page views, and store anonymised statistics. These cookies are saved for all users who visit the website.
- “”MCPopupModalClosed” as a cookie that is saved when a user closes the pop-up module with the newsletter-form (“Get the latest news!”), this cookie then hides the pop-up for these users.
“PHPSESSID” is a cookie that shows that you are using PHP.
When a user has accepted cookies on the website, a cookie is saved for the user. This prevents the notice from reappearing for the user.
Marketing
If the Company engages in direct marketing, the Company may exercise their legitimate interest as a Legal Basis in accordance with reason 47 in the last section of GDPR, where it states that Processing Personal Data for direct marketing can be considered a legitimate interest.
Retaining personal data
Personal Data is saved for the period when the customer and Bulls have an ongoing contractual relation and for a period thereafter. The Company retains their customers’ Personal Data for accounting purposes for seven years according to the requirements in the Swedish Accounting Act. Personal Data involving contact persons at Bulls’ customers is kept for as long as the Data Subject retains their position with the customer company or the contact person requests that it be deleted.
Filtering personal data
Personal Data is filtered or depersonalised when Bulls no longer finds it Necessary to retain the data. Depersonalised means that the information can no longer be used to identify a person. Use of Personal Data during the retention period is restricted with respect to the purpose for the Processing. The filtering cannot be recalled/restored, and once the deletion has been performed, no one can be associated with the user account any more.
IT security
Bulls only uses personal data processors that have reliable IT and information security experience. When we are acting as the Personal Data Controller or the Personal Data Processor, we always take appropriate technical and organisational measures to protect the Personal Data being processed in accordance with section 2 of the General Data Protection Regulation.
We have created a special IT and Information Security Policy for addressing information security.
The rights of the Data Subject
The Data Subject has rights in accordance with Articles 15-22 and 34 in GDPR. This means that the Data Subject is entitled to request a data extract at no cost.
- The Data Subject is also entitled to have their Personal data corrected or erased (right to be forgotten). The right to be forgotten does not apply to accounting information since Bulls has a legal obligation to retain this information for seven (7) years.
In addition, the Data Subject is entitled to restrict the Processing, right of data portability and right to object. The Data Subject shall not be the subject of Processing that involves automated, individual decision-making, including profiling.
If a personal data incident occurs that may result in a high risk to the data subject, Bulls shall immediately notify the data subject regarding the personal data incident.
The data subject is also entitled to submit complaints to the Swedish Data Protection Agency.
Contact with Bulls
If you have questions about how we process personal data, please send an email to Tord Steinsvik.
- This Privacy Policy was created 3 Nov 2020.