Effective date: 07.10.2020.
2. SERVICE PROVIDER’S DATA
|Name of Controller||KassaiLaw AB|
|Registered seat of Controller||Frejgatan 13, 114 79 Stockholm, Stockholms län|
|The contact details of Controller, its electronic mailing address used for regular communication with firstname.lastname@example.org|
|Phone number||+46 76 324 4410|
3. APPLICABLE LAWS
KassaiLaw hereby declares to process your personal data in compliance with the prevailing laws and regulations, with special regard to the following:
- The related EU regulation: the General Data Protection Regulation of the European Union (Regulation 2016/679 (EU), the ‘GDPR’)
- Swedish Law (2018: 218) with supplementary provisions to the EU Data Protection Regulation [Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning]
4. LEGAL GROUND FOR DATA PROCESSING
4.1. The legal ground for personal data processing is one or more of the followings:
a) your voluntary consent (Article 6 (1) (a) of GDPR)
b) contract concluded by and between KassaiLaw and the Client for contractual performance (Article 6(1) (b) of GDPR)
c) the processing of the personal data is necessary for the performance of KassaiLaw’s legal obligations, such as auditing and accounting liabilities, or anti-money laundering and counterterrorist financing purposes (Article 6(1) (c) of GDPR).
d) for the enforcement of the legitimate interest of KassaiLaw or a third party (Article 6(1) (f) of GDPR).
4.2. You can grant and withdraw your consent to the use of your personal data for advertisement purposes.
5. THE DATA PROCESSED BY KASSAILAW
5.1. We may collect personal information from you in the course of our business, including through your use of our website, when you contact or request information from us or when you engage our Services. If you reject to comply with our request to provide personal data, KassaiLaw is entitled to lawfully reject the provision of Service, so you may be unable to use them.
5.2. Within the scope of data processing, we can in particular pursue the following activities: to collect, record, register, systematize, store and use the personal data for the purposes of data processing, to query, block, erase and destruct your data and to prevent the further use thereof. In lack of a related legal obligation, we never publish, align or coordinate your personal data with each other.
5.3. Our primary goal in collecting personal information from you is to help us:
- verify your identity
- deliver our Services
- improve, develop and market new Services
- carry out requests made by you on the Site or in relation to our Services
- investigate or settle inquiries or disputes
- comply with any applicable law, court order, other judicial process, or the requirements of a regulator
- enforce our agreements with you
- protect the rights, property or safety of us or third parties, including our other clients and users of the Site or our Services
- with recruitment purposes, and
- use as otherwise required or permitted by law.
5.4. To undertake these goals we may process the following data provided by you. The disclosure of these data is necessary for the provision of the Service:
|Data Subject||Legal grounds||Data category||Purpose of Data Processing|
|Individual Client in receipt of our Services or prospective individual Client||4.1. a), b), c)||Name, Contact information including email, phone number, Payment information, Information that you provide to us as part of us providing the Services to you, which depends on the nature of your instructions to KassaiLaw, Other information relevant to provision of Services.||Conclusion, amendment and performance of the contract, Maintenance and development of service Identification of the Client and ensuring the communication, Establishment and maintenance of a reliable and safe environment, enforcement of claims and rights, prevention and handling of fraud.|
|Person filling out the contact form as part of our Startup Toolkit offer||4.1. a)||Name, Contact information: Email address||Identification of the Client and ensuring the communication, Conclusion, amendment and performance of the contract,|
|Potential recruit, job applicant||4.1. a)||Name (first and last name)||Conclusion, amendment and performance of the legal relationship; employment, Identification of the applicant and ensuring the communication, Establishment and maintenance of a reliable and safe environment, enforcement of claims and rights, prevention and handling of fraud.|
|Email address||Conclusion, amendment and performance of the legal relationship; employment, Identification of the applicant and ensuring the communication, Establishment and maintenance of a reliable and safe environment, enforcement of claims and rights, prevention and handling of fraud.|
|Telephone||Identification of the applicant and ensuring the communication|
|Other data provided voluntary in the CV||Conducting the professional selection process|
|Employees, contributors||4.1. b), c)||Name (first and last name)||Performance of the contract Compliance with legal obligations relating to employment (e.g. reporting to the necessary authorities)|
|E-mail address||Performance of the contract Identification of the applicant and ensuring the communication|
|Telephone||Identification of the applicant and ensuring the communication|
|Mother’s name||Performance of the contract|
|Address and post address Tax number Social security number Bank account number, bank account details||Compliance with legal obligations relating to employment (e.g. informing necessary authorities)|
|Compliant, requestor||4.1. a), c)||Name (first and last name)||Conducting the complaint management process, carrying out a request Identification of the user and ensuring the communication|
|E-mail address||Conducting the complaint management process, carrying out a request Identification of the user and ensuring the communication|
|Phone number||Conducting the complaint management process, carrying out a request Identification of the user and ensuring the communication|
5.5. KassaiLaw is primarily engaged by corporate entities, who are not data subjects. However, personal information may be provided to us as part of instructions by the Client while engaging with our Service (e.g. personal information relating to the corporate clients’ or prospective clients’ officers or personnel, any opponent or vendor or purchaser or personal information relating to their legal advisors or personnel, as relevant or similar).
5.6. We do not control or process any sensitive data under any circumstances. We re-examine this from time to time, and if at any time in the future we may process sensitive data, we will do this with special care and diligence, and we will only process the sensitive data to the extent it is required, and only based on your expressed consent.
5.8. Data collected from third parties
5. 8.1. We only collect your personal data collected by third parties if you have given your explicit consent to the data transfer directly to those third parties which is your responsibility to arrange. We do not supervise that your consent is properly given, we trust both you and those third parties who shall also be compliant with the data protection rules. Therefore, we are not liable for the collection and processing of such data by third parties.
5.8.2. If you use the services of a third-party service provider (like Facebook, Instagram, etc.) to contact us, then we can request those data of yours from the concerned third party that are essential to the provision of the Services. To the provision or change of such data, the privacy policies of the concerned third-party service provider shall apply.
5.9. Cookies applied by the Controller
5.9.3. Types of cookies we use:
- Strictly necessary cookies: these are cookies that are required for the operation of a website, such as to enable you to log into secure areas.
- Performance cookies: these types of cookies recognise and count the number of visitors to a website and are used to see how users move around. This information is used to improve the way the website works.
- The cookies we use only last for the duration of your visit to the website or expire when you close the website: these are known as ‘session cookies’.
5.9.4. Blocking cookies: Most websites, mobile devices and apps automatically accept cookies but, if you prefer, you can change your browser, device or app settings to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser or device. To block the IDFA on your iOS mobile device, you should follow this path: Settings > General > About > Advertising and then turn on ‘Limit Ad Tracking’. To block Android ID on your Android device, you should follow this path: Google Settings > Ads and then turn on ‘Opt out of interest-based ads’.
6. THE METHOD AND TERM OF THE USE OF THE DATA COLLECTED
6.1 We only process your personal data if it is essential, suitable for and limited to the extent and duration required to the achievement of the purposes set for processing.
|Purpose of Data Processing||Justification of purpose||Duration of data processing|
|The conclusion, amendment and performance of the contract||KassaiLaw uses the data collected by them or through third party providers for the following purposes to create, modify and conclude the contract. The personal data collected in the course of the use of the Services are to facilitate and enable the performance of the transaction required by the Client. KassaiLaw uses the Client’s personal data to creation of the contractual background of the Client’s service order and to facilitate the fulfilment of the contract.||KassaiLaw shall process the personal data during the term of the contractual relationship or in case a contractual relationship has not been established, until the purpose of processing has ceased, or erases them in case further processing of such data is no longer necessary for the purpose of processing in accordance with the requirements for lawyers. Client may request for the erasure of his/her data in a letter sent to the email@example.com email address. For the purposes of evidencing in the case of a dispute, the data of the concerned Client shall be processed during the term of the general limitation period (5 years), and for five (5) years after the final and binding closure of the dispute.|
|Maintenance and development of service||KassaiLaw shall use the data collected by it or through third-party service provider for the following purposes of maintenance and development of the Service. KassaiLaw shall use the personal data of the Client to enable the continuous development and improvement of the Services.|
|Identification of the user and ensuring the communication||KassaiLaw may use the Client’s personal data to ensure effective communication with the Client, in the course of which KassaiLaw contacts and identifies user through their contact data provided.|
|Establishment and maintenance of a reliable and safe environment, enforcement of claims and rights, prevention and handling of fraud||KassaiLaw may use the personal data of the Client to secure the legitimate interests of Clients in the course of the use of Services. In the scope of the above, KassaiLaw shall be entitled to the following activities: the prevention and termination of fraud, spam, misuses and other harmful activities, to perform security investigations and risk analysis, to check and verify the data provided by the user.|
|Compliance with legal obligations relating to our Clients (e.g. informing necessary authorities)||Compliance with relevant informational, reporting obligations, authority administrations and obligations connected to taxation, contributions, etc.|
|Complaint management procedure||Documentation and verification of the conduct of the procedure, the actual examination.||KassaiLaw shall process the personal data concerned until the purpose of processing has ceased, or erases them in case further processing of such data is no longer necessary for the purpose of processing. The data shall be stored for 5 years according to consumer protection rules.|
|Compliance with legal obligations relating to employment (e.g. informing necessary authorities)||Compliance with relevant informational, reporting obligations and obligations connected to taxation, contributions, etc.||KassaiLaw processes the data for 5 years starting form the last day of the calendar year in which employment ends, with the prohibition to discard labor, wage and social security records. Otherwise the limitation period in labor law is 7 years.|
7. THE PERSONS HAVING ACCESS TO THE DATA PROCESSED, DATA TRANSFERS
7.2. Data transfer may take place in the following cases:
|Recipient of data transfer||Scope of data that may be transferred|
|Transfer of data to employees||To the personal data processed by us, KassaiLaw shall have access; the personal data shall also be made available to the employees of KassaiLaw, but only if their access to and processing of personal data is required for the purposes of data processing related to the given data category.|
|Transfer of data to contributors||To the personal data processed by us, KassaiLaw shall have access; the personal data shall also be made available to the contributors, as data processors of KassaiLaw, but only if their access to and processing of personal data is required for the purposes of data processing related to the given data category.|
|Publicly displayable information||KassaiLaw may only display publicly those information with respect to which the Data Subject has granted its consent to the disclosure thereof on the social/public surfaces of the KassaiLaw’s Partners.|
|Compliance with Laws||Except for the cases defined in this section 7 and the case if KassaiLaw is instructed by the court to transfer data upon provisions prescribing mandatory data transfer to a specific authority, state or administrative organ and such instruction cannot be lawfully rejected, KassaiLaw may not transfer the personal data provided to it to third parties.|
7.3. To be able to provide you with undisturbed Services, we use the contribution of the following third-party service providers:
|Hosting service provider, or a company providing system operation services to KassaiLaw upon contractual relationship (Data Processor)||Name: Google Ireland Limited The address of the hosting service provider: Gordon House, Barrow Street, Dublin 4, Ireland Company reg. no.: 368047 Telephone number of the hosting service provider: 353-1-436-1000 Contact page of the hosting service provider: https://about.google/contact-google/ The website of the hosting service provider: https://google.com/|
7.4. The Data Processor assists KassaiLaw in the smooth operation of the IT infrastructure that facilitates the storage of personal data provided to KassaiLaw, Data Processor has no direct access to personal data. We expressly declare that we have no direct or indirect liability with respect to the data processing activity of the Data Processor and the security of personal data in the course thereof; in this regard, the privacy policies and regulations of the Data Processor shall apply.
8. RIGHTS AND OBLIGATIONS OF THE PARTIES
|Swedish Data Protection Authority, with regards to the owner of KassaiLaw||Name: Swedish Authority for Privacy Protection (IMY) Website: https://www.imy.se/ Address: Drottninggatan 29, plan 5, 10420 Stockholm Post address: Integritetsskyddsmyndigheten, Box 8114, 10420 Stockholm Phone: 08-657 61 00 Email: firstname.lastname@example.org|
9. AUTOMATED DECISION MAKING, PROFILING
9.1. We do not apply decision-making procedures that are based solely on automated processing, including profiling, which would have legal effects on you. Should we introduce such procedures in the future, you will be properly notified about that and we will ask for your consent thereto.
10. FURTHER IMPORTANT INFORMATION
10.1. Data Protection Officer: in our standpoint, KassaiLaw is not obliged to appoint a data protection officer, as the main activities do not involve data processing operations that would allow a regular, systematic and high-scale follow-up monitoring of the Data Subjects; furthermore, KassaiLaw does not process any special categories of personal data or crime-related data which have relevance from criminal law aspect.
10.3. Processing of sensitive data
We do not process personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. If we decide to process such sensitive data, this activity shall be pursued with special care and diligence, having your expressed consent thereto, and only the extent it is required.
We do not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation or criminal data.
10.4. Processing children’s data
We do not knowingly collect personal information online from children under the age of 18.
11. PERSONAL DATA BREACH
11.1. In case of personal data breach, where the incident is likely to pose a high risk to the rights and freedoms of those concerned, we submit the report towards the data protection supervisory authority required by the laws and regulations, without undue delay, but in any case, within 72 hours from getting aware of the incident. We have developed internal procedures in case of personal data breach, and personal data breaches are also recorded into a registry. If you are affected by such personal data breach will also be notified, if the prevailing laws and regulations require so.
11.2. If you detect a threat of personal data breach, we ask to report it immediately via email at email@example.com. Furthermore, in case of personal data breach, you may initiate a court case against KassaiLaw.
12.2. In case of amendment, the Data Subject will be notified thereof thirty (30) days prior to the date of effectiveness of amendment, via e-mail or through the website.
12.3. In case the Data Subject objects to such amendment, he/she may notify KassaiLaw thereof and disclose his/her respective comments and notices via e-mail, furthermore, he/she may request the erasure of his/her personal data.