Privacy policy


1. Introduction

This privacy policy describes how NYAB AB and NYAB Infrastruktur AB (in the policy commonly named as NYAB) collect, use and store your personal data. The aim is to ensure that NYAB processes personal data according to the Data Protection Regulation (GDPR). The privacy policy is applicable for NYAB’s board of directors, co-workers, contractors and others affected by NYAB’s business activities.

2. What is personal data?

Personal data is information that can be, directly or indirectly, connected to a living person. Personal identity numbers, names, addresses, phone numbers and email addresses are all examples of personal data. An identified or identifiable person whose personal data is processed is referred to as “registered” or the ”data subject”.

3. What is personal data processing?

All sorts of actions with personal data are personal data processing. Actions such as collecting, registering, storing, reading, spreading, adjusting and deleting are all forms of processing personal data.

Personal data processing must be done according to the following principles:

  • Legality

  • Purpose limitation

  • Data minimization

  • Correctness

  • Storage minimization

  • Integrity and confidentiality

4. Who is responsible for the personal data?

NYAB Sverige AB is responsible for the personal data submitted to NYAB Sverige AB and is responsible for correct usage of such data (following current legislation). NYAB Infrastruktur AB is responsible for the personal data submitted to NYAB Infrastruktur AB and is responsible for correct usage of such data (following current legislation).

5. NYAB’s personal data process

NYAB always has a legal basis for processing personal data. Processing of personal data is often necessary to fulfill agreements and contracts, but processing of personal data may also occur after consent, if this is required for legal claims or if there is a legal requirement for the processing. NYAB can process personal data if there is a legitimate interest. The legitimate interest will then be prioritized over the registrant’s interest in NYAB not processing the personal data.

Employee conditions

NYAB must store and manage employees’ personal data in order to administer salaries and have the ability to contact employees.

Personal data

Names, email addresses, phone numbers, relatives, account information, payslips, information about absence and employer certificates.

Legal basis

Processing personal data is necessary for meeting contractual obligations and for salary administration. As an employer, NYAB has a legal obligation to provide the tax agency (Skatteverket) with employees’ personal information. The personal data is stored as long as there is still a relation with the registered person, or a legal basis.

The origin of the data

The data is obtained from the registered person and is submitted to NYAB when entering into, or during the performance of, an agreement.

Suppliers and customers

NYAB purchases services from suppliers and delivers services to customers. NYAB is required to process and manage personal data from suppliers and customers in order to make payments and to contact suppliers. The personal data being collected from suppliers/customers includes names and contact information. Personal identity numbers and payment information will be processed for suppliers/customers who are deemed ‘identified or identifiable natural persons’. The processing of personal data is necessary for NYAB to fulfill supplier and customer agreements. The personal data is stored as long as there is still a relation with the registered person or a legal basis.

6. Personal data manager

A personal data processor is a person who processes personal data for the company/organization responsible for collecting personal data. NYAB uses a variety of different consultants. In cases where NYAB hires a personal data processor, a written agreement is made between the parties. The agreement shall prescribe that the data processor can only process personal data according to NYAB’s instructions. The personal data processor must take precautions to protect the information. NYAB can only assign the actual personal data processing; responsibility for the personal data remains with NYAB, who is the data controller.

7. Submitting and sharing personal data

NYAB only shares personal data (i) with personal data processors, (ii) to prevent spam and fraud, (iii) if disclosure is demanded by law, (iv) if it is needed to prevent or stop a cyber attack on NYAB’s IT system. NYAB will not sell your personal data to a third part. NYAB will not transfer your personal data to countries outside of the EU/ESS.

8. Email and other unstructured data

NYAB has a specific IT policy for processing personal data in emails and other unstructured data. In order for NYAB to manage emails, a legal basis is required, e.g., during the performance of an agreement or negotiations related thereto. If there is a legitimate interest for NYAB to process personal data from emails, or an expressed agreement to do so from the sender, NYAB will process the personal data.

9. Changes of the privacy policy

NYAB has the right to amend the privacy policy at any time. NYAB will revise the privacy policy on a yearly basis.

10. Legal rights

NYAB is responsible for processing personal data in accordance with applicable legislation. NYAB will, on request or on its own initiative, correct, anonymize, delete or complete information that is false, incomplete or misleading. Every person for whom NYAB controls personal data has the following rights:

  • Right of access by the data subject. Every registered person (data subject) has the right to obtain, on request from NYAB, information concerning how personal data concerning him or her is being processed by NYAB. The registered person also has the right to obtain, free of charge, an excerpt of the personal data being processed by NYAB. The excerpt states which personal data is being stored, for what reason, and to whom the data has been disclosed or will be disclosed. The registered person also has the right to know where and when the personal data has been collected and, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period. Every registered person also has the right to request information about their legal rights.

  • Right to rectification of personal data. On request, NYAB will change incorrect or incomplete personal data as soon as possible.

  • Right to erasure (‘right to be forgotten’). Every registered person has the right to request that their personal data be deleted if the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed. Legal requirements can prevent NYAB from deleting personal data, for example, due to accounting and tax law. NYAB will then cease all processing of personal data.

  • Right to restriction of processing of personal data. Personal data is marked for certain use only. A registered person can request restriction in the use of their personal data if the data is incorrect and a correction has been requested. During a period enabling the controller to verify the accuracy of the personal data, processing of the personal data will be restricted.

  • NYAB will inform every recipient of the personal data about possible corrections, deletion or restriction of processing personal data.

  • Every registered person has the right to data portability. In some circumstances the registered person has the right to obtain and transfer registered personal data in a structured, commonly used and readable format to another personal data controller.

  • Every registered person has the right to object to the processing of his or her personal data by lodging a complaint with the Swedish Data Protection Authority (Datainspektionen).

11. Handling personal data during security incidents

Security incidents may include unauthorized access to the personal data, such as theft, loss, forgotten/lost computers or a lost USB memory. Security incidents affecting personal data processed by NYAB shall be reported immediately to the contact below. After a risk and consequence analysis, necessary action shall be taken to minimize the negative effects. Furthermore, an assessment should be made as to whether the security incident should be reported to the Swedish Data Protection Authority (Datainspektionen). If so, the report should be submitted within 72 hours.

12. Contact information

If you have any questions regarding our privacy policy, how we process your personal data or if you wish to request an excerpt, you are welcome to contact NYAB’s Quality & Environmental Manager Magnus Broström at