PERSONAL DATA CONTROLLER
Brubakken holds necessary personal data about employees, customers and suppliers based on Article 6 of the General Data Protection Regulation (GDPR). This is done in order to meet contractual obligations and the requirements of public authorities. Examples of personal data include: name, address, date of birth and civic registration number, bank account number, telephone number, CV, testimonials, diplomas, certificates, contact persons and relatives. These personal data are used only for the purposes for which they are collected.
COLLECTING PERSONAL DATA
Brubakken collects personal data on the basis of agreements and legislation, or with the consent of its employees, customers and suppliers. The data we collect is necessary to establish and maintain employment agreements, customer relationships and supplier agreements. Brubakken does not collect data from third parties without complying with the applicable legal obligations.
STORING PERSONAL DATA
Personal data pertaining to employment agreements, customer relationships and supplier agreements are stored in Brubakken’s HR system, CRM system and supplier system. These systems are equipped with security measures and access control, password protection, firewalls, backup systems and encryption. Employees’ personal data kept in physical formats are stored in binders in locked cabinets. Only payroll personnel and HR/HSE managers have access to personnel files due to their roles involving employees and the need to process personal data. Brubakken has entered into data processing agreements with the system suppliers operating and maintaining the company’s systems.
GROUNDS FOR PROCESSING PERSONAL DATA
The grounds for processing personal data are those in accordance with Article 6 of the General Data Protection Regulation. Brubakken only processes personal data necessary for the activities providing the grounds for processing or for which consent has been obtained. The personal data processed by Brubakken are necessary to meet obligations to employees, customers and suppliers. The purposes of the processing of personal data are:
– To fulfil an employment agreement.
– To manage a customer agreement.
– To conduct supplier negotiations.
ERASING PERSONAL DATA
The rectification and erasure of personal data are managed in accordance with Article 17 of the General Data Protection Regulation. Brubakken erases personal data about employees, customers and suppliers when agreements expire and the legal grounds for processing the data cease to exist. In the event of termination of employment, employment data which the company is not obligated to provide under the Swedish Accounting Act and the Swedish Equal Opportunities Act are erased. Data which Brubakken is obligated to retain will be kept in accordance with the applicable legislation.
When an employee leaves, their personnel file is reviewed and unnecessary data are erased. Brubakken can still keep data, such as who has worked at the company, for how long and in what capacity. Personal data about customers and suppliers are erased when the customer and/
TRANSFERRING PERSONAL DATA TO THIRD PARTIES
Brubakken does not share, sell, transfer or otherwise disclose personal data to other parties, unless legally bound to do so to authorities. Personal data are not shared with external third parties.
RIGHTS AND THE RIGHT TO BE INFORMED
Employees, customers and suppliers have the right to be informed about which of their personal data Brubakken processes and how. Employees, customers and suppliers are also entitled to demand the rectification, erasure and restriction of processing of personal data in accordance with laws and policies. If the processing of personal data is based on consent, the person who provided that consent may withdraw it at any time. Should someone believe that Brubakken has failed to comply with their rights under the rules concerning privacy, they are entitled to lodge a complaint. Complaints are lodged with the Swedish Data Protection Authority.