1.1 The purpose of the policy on personal data protection is to define how CAPSULE (“we”, “us”, “CAPSULE APS”) processes personal data. Personal data processing covers any use of personal data such as collection, registration, curation, storing, transmission, grouping or pooling, containment, deletion or destruction. Personal data is to be understood as any information that may be used to verify the identity of a person including (but not limited to) first name, surname, address, email address or other contact information, regardless of whether said information relates to the private residence or workplace of the individual in question.
1.2 The processing of personal data must be in accordance with existing laws regarding the protection of personal data, among these the joint EU rules in the EU General Data Protection Regulation, as well as the rules described in this policy.
2. Basic principles
2.1 This policy applies equally to all our units processing personal data. The rules for processing personal data apply to both the electronic and the physical handling of such information.
2.2 When handling personal data, we are obligated to comply with the following basic principles:
2.2.1 Qualification of use:
Personal data is solely collected for the lawful purpose explicitly stated.
Be aware that personal data may only be employed for the same purpose for which it has been collected and which has been stated in advance.
It is prohibited to reuse personal data for any other purpose.
2.2.2 Legality, reasonableness and transparency:
Personal data must be processed legally, reasonably and in a transparent manner in relation to the registered party.
2.2.3 Minimization of data:
No more personal data may be collected than what is deemed appropriate and necessary in relation to the purpose for which it is collected.
Personal data collected must be accurate and kept up to date if necessary.
2.2.5 Storage limitation:
Personal data must not be stored for a longer period of time than is necessary to serve the purpose for which the data has been collected.
2.2.6 Integrity and confidentiality:
Personal data must be processed in a manner that secures adequate data security, using appropriate technical and organizational precautionary measures so as to avoid unauthorised or illegal processing, accidental loss of data or any destruction or damage.
We may at any time be required to provide documentation that the above set of rules is being observed and complied with.
This policy forms the basis for company rules to adhere to.
3. Basic policy for the processing of personal data
3.1 As a general rule, personal data may not be processed unless there are valid reasons to do so.
3.2 The most commonly applied grounds for data processing are:
3.2.1 The individual in question has given consent to our handling of the personal data.
3.2.2 Our processing of the personal data is necessary to complete an agreement to which the individual in question is a party, or is done at that individual's request prior to entering into an agreement.
3.2.3 Processing the data is a necessity to comply with a legal obligation.
3.3 As a rule, consent to the storage of personal data will be required in the examples stated under paragraph 3.2 unless a contractual relationship exists.
3.4 Further requirements of the law apply when processing sensitive information. This includes information about race or ethnicity, political persuasion, religious or philosophical persuasion, union membership and information regarding health or sexual preference.
As a rule, processing sensitive information requires consent.
4. Your rights
The GDPR Chapter 3 gives you, as the data subject, the following rights in respect of the personal data we hold on you:
At any time, you have the right to request correction of any incorrect or incomplete data we may have on you.
You have the right to request erasure of the personal data we have on you.
Certain restrictions apply when requesting erasure. One of the following grounds must apply before personal data can be erased:
(i) Personal data is no longer necessary in relation to the purpose for which it was collected
(ii) You withdraw your consent
(iii) You object to the processing and there is no justified reason for continuing processing
(iv) The processing is unlawful
(v) The personal data must be erased for compliance with a legal obligation in Union or Member State law.
Request restriction of processing:
You have the right to request restriction of processing which means that you can request that CAPSULE restricts the use of your personal data in certain circumstances.
This could be if you don’t want us to erase the personal data but instead to restrict its use, or if the accuracy of the personal data is contested by you and needs to be verified by you.
You have the right to receive the personal data that you have provided to us in a machine-readable format.
Withdraw consent at any time:
At any time, you have the right to withdraw your consent, provided the processing of your personal data is based on your consent.
5.1 Based on your consent, we process your personal data for the purpose of informing you of CAPSULE business operations, products, and services.
For the above purposes, we create marketing tailored to your preferences and profile.
5.2 If you do not wish to receive any further information, you can easily and free of charge unsubscribe from our marketing communication anytime. You will find ways to unsubscribe in connection with subscribing to or receiving marketing communication from us. You can also contact us by e-mail or post to unsubscribe.
6. Storage period
6.1 Personal data collected may be stored only as long as it serves the stated purpose.
Specifically this means that personal data may be stored as long as a relation to the registered customer or business partner still exists. Personal data must be deleted within reasonable time from the termination of this relation.
6.2 At the expiration of the storage period allowed, all relevant information must be deleted or destroyed without undue delay.
6.3 We are obligated to ensure that our personal data is correct and continuously brought up to date. Incorrect, inadequate, or antiquated personal data must be corrected.
7. Use of data processors
7.1 Access to personal data is given to third parties only if it is guaranteed that the information is handled legally and with the necessary precautions.
7.2 A third party may not be labeled data processor or given access to personal data until a Data Processing Agreement is signed. A data processor may be a physical person or a legal entity, a public authority, an institution or other type of public body processing personal data on our direction.
7.3 The Data Processing Agreement imposes on the data processor appropriate technical and organizational precautionary measures to protect our personal data, as well as the condition that the processing of personal data may only be done on our direction.
7.4 If services are provided by a third party (such as Cloud Computing Services), it must be investigated whether any personal data is being processed by an additional third party on behalf of the third party providing the service for us, and whether this additional cooperative relationship could entail the transfer of our personal data to a non-EU country. In both of the above instances it must be secured by contract that the necessary precautionary measures for data protection are taken.
8. Transfer of personal data to non-EU countries
8.1 In some cases, we may also transfer personal data to organisations in countries outside the EU, so-called third countries. When transferring personal data outside the EU we make sure that all necessary safeguards are in place for such transfer.
9. Precautionary measures
9.1 We have introduced a number of physical, technical and organizational precautionary measures to protect our personal data from loss or damage, unauthorised alterations and unauthorised access and misuse.
9.2 As an employee, some examples of precautionary measures to be aware of are:
9.2.1 To prevent unauthorised individuals from gaining access into our IT-systems through the use of passwords and other types of access control.
9.2.2 Ensure that individuals with access to our IT-systems do not gain access to any personal data outside the sphere of their granted area of responsibility.
9.2.3 Ensure that the transfer of personal data through the internet cannot be read, copied, modified or deleted without authorization.
9.2.4 Ensure appropriate logging of user access and attempted access into IT-systems.
9.2.5 Ensure that data processors are used only in accordance with the directions stated by us.
9.2.6 Ensure that personal data is protected from unwanted destruction or loss.
9.2.7 Ensure that personal data is not stored any longer than necessary.
9.3 The collected data is stored in Azure, in Azure Cosmos DB, which is located in Sweden.
10. Enquiries from registered parties and insight to own personal data
10.1 All enquiries from registered parties including requests for data access, demands for correcting information or demands to have data deleted, must be passed on to the IT systems administration with the responsibility to register any enquiry immediately.
10.2 Registered individuals are entitled to have access and insight to the data registered if such an enquiry is made in writing.
10.3 Written enquiries from registered individuals must be answered within 30 days. The IT systems administration is responsible for accommodating such requests, but everyone is obliged to help make sure that enquiries and deadlines are observed.
11. Reporting data breach
11.1 If a breach of personal data is suspected, the IT systems administration must be alerted and briefed on the incident immediately. The incident can be reported by email to firstname.lastname@example.org, or by telephone at 31 33 45 01.
11.2 The IT systems administration investigates all reported events to verify whether a breach of personal data security has taken place. If a breach is confirmed, the IT systems administration will follow a set procedure dependent on the type of information and the extent of the breach.
This document was updated: November 2022