This policy applies to NYAB's board members, employees and contractors who are affected by NYAB's operations.
What is a personal information?
A personal data is all kinds of information that can be directly or indirectly attributed to a natural person who is alive. Examples of personal data are: social security number, name, addresses, telephone numbers and e-mail addresses or one or more factors that are specific to the natural person's identity.
An identified or identifiable natural person whose personal data is processed is called "registered".
What is personal data processing?
All forms of measures with personal data are personal data processing. Examples of personal data processing are: collection, registration, organization, storage, processing, reading, dissemination, adjustment, deletion or destruction.
Each personal data processing shall take place according to the following principles:
• Purpose limitation
• Task minimization
• Storage minimization
• Integrity and confidentiality
Personal data manager
NYAB Sverige AB is responsible for personal data for the personal data provided to NYAB Sverige AB and is responsible for ensuring that the processing of personal data takes place in accordance with current legislation.
NYAB Infrastruktur AB is responsible for personal data for the personal data provided to NYAB Infrastruktur AB and is responsible for ensuring that the processing of personal data takes place in accordance with current legislation.
NYAB's personal data processing
NYAB always has a legal basis for the processing of personal data. It is usually necessary to fulfill an agreement, but it can also be done with consent, if it is required to safeguard legal claims or due to legal requirements. NYAB can also process personal data if there is a legitimate interest. The legitimate interest then outweighs the data subject's interest in NYAB not processing his personal data.
In order to handle administration, payment of salaries and contact with employees, NYAB must process employees' personal data.
Name, e-mail address, telephone number, any relatives, account information, salary specifications, absence information and employer certificate.
The treatment is necessary to be able to fulfill employment contracts and administer and pay salaries.
As an employer, NYAB has a legal obligation to provide the Swedish Tax Agency with employees' control information.
Personal data is stored as long as there is a relationship with the data subject, and a period thereafter as long as there is a legal basis.
Origin of the data
The information comes from the data subject himself and is provided to us at the conclusion of the agreement or during the contractual relationship. Salary specifications are generated in NYAB's salary system and employer certificates are created by the HR department.
Suppliers and customers
NYAB buys services from suppliers and delivers services to customers. This entails a need to process the suppliers 'and customers' personal data in order to be able to make payments and to contact suppliers. Then the collaboration between NYAB and suppliers / customers can run efficiently and smoothly. The personal data that is processed in relation to suppliers / customers is name and contact information. For suppliers / customers who are natural persons, social security numbers and payment information are also handled. The processing is necessary for NYAB to be able to fulfill its supplier and customer agreements. Personal data is stored as long as there is a relationship with the data subject and for a period thereafter as long as there is a legal basis.
Personal data assistant
A personal data assistant is someone who processes personal data on behalf of the person responsible for personal data.
NYAB uses various consultants in its operations.
In cases where NYAB engages a personal data assistant, NYAB must enter into a written agreement with the personal data assistant. The agreement shall specifically stipulate that the personal data assistant may only process the personal data in accordance with the instructions from NYAB and that the assistant must take the security measures necessary to protect the data.
NYAB can only transfer the actual processing of personal data to the personal data assistant. The responsibility for personal data can never be transferred.
Who does NYAB disclose personal information to?
NYAB only discloses personal data (i) to personal data assistants, (ii) to prevent spam or attempted fraud, (iii) if the obligation to disclose follows from law, (iv) if necessary to prevent or stop an overload attack or the like on NYAB's IT -system.
NYAB will not sell your personal information to third parties.
NYAB will not transfer your personal data to countries outside the EU / EEA.
Email and other unstructured data
NYAB has a special IT policy for, among other things, the processing of personal data in e-mail and other unstructured data. In order for NYAB to be able to handle e-mail, a legal basis is required. This can consist of an ongoing contractual relationship or the negotiation of a contract. It may also, after a balance of interests, consist of a legitimate interest for NYAB to handle personal data in the e-mail or that the sender has expressly agreed that NYAB handles personal data in the e-mail.
NYAB is responsible for ensuring that personal data is processed in accordance with current legislation.
NYAB will, upon request or on its own initiative, correct, deidentify, delete or supplement information that is found to be incorrect, incomplete or misleading.
Every person about whom NYAB has registered personal data has the right to request:
• Access to their personal data. This means a right for each data subject to request an extract from the register of the processing that NYAB carries out regarding personal data. Furthermore, a right to receive a copy of the personal data that is processed. Every registered person has the right to once per calendar year, through a written signed application, receive free of charge a register extract of which personal data is registered, the purposes of the processing and to which recipients the data has been or will be disclosed. There is also a right to receive information in the register extract about where the data has been obtained from if the personal data has not been collected from the data subject. As well as the anticipated period during which the data will be stored or how this period is determined. Each registered person also has the right to receive information about his other rights in the register extract in accordance with this section.
Correction of personal data. Upon request, NYAB will as soon as possible correct the incorrect or incomplete personal data we process.
• Deletion of their personal data. Every data subject has the right to request that personal data be deleted if they are no longer necessary for the purpose for which they were collected. However, there may be legal requirements that prevent NYAB from deleting personal data, for example in accounting and tax legislation. NYAB will then terminate all other processing of personal data.
• Limitation of treatment. This means that personal data is marked so that it may only be processed for certain limited purposes. A registered person can, among other things, request a restriction if the registered person considers that the information NYAB processes if the registered person is incorrect and a correction has been requested as above. While the accuracy of the information is being investigated, the processing of it will be limited.
NYAB will notify each recipient to whom the information has been provided in accordance with paragraph 7 above of any corrections, deletion and restriction of personal data.
Every registered person has the right to data portability. This means a right to, under certain conditions, obtain and transfer registered personal data in a structured, generally used and machine-readable format to another personal data controller.
Every registered person has the right to submit any complaints regarding the processing of their personal data to the Data Inspectorate.
Handling in the event of safety incidents
Examples of security incidents are unauthorized access or other unauthorized influence regarding the personal data, theft, loss, forgotten computer, lost computer and lost USB memory.
Security incidents involving personal data processed by NYAB must be reported without delay in accordance with the contact information below. Following a risk and impact assessment, the necessary measures to minimize the negative effects of the incident must be taken. Furthermore, an assessment must be made of whether the security incident is to be reported to the Data Inspectorate, which in that case must take place within 72 hours.