Privacy Policy

Processing of personal data

This day, 2019-04-01, the following policy has been established for Pelago Bioscience AB, reg.no 556924-1671 (the “Company” or “Pelago”).

1 Background

In most cases, it is our client/customer/licensee, i.e. the company that uses our services, who is the controller, which means that it has the ultimate responsibility for the processing of your personal data and the preservation of your rights. Any concerns should be addressed to the Company in accordance with section 6 of this document; that way, you can find out who is the controller regarding your personal data.

The Company has, through agreements with our clients, been commissioned to and has undertaken to process personal data on their behalf and fulfills this task in the capacity of a processor. In some cases, the Company itself operates as a controller. This applies when we collect and process personal data for our own account, such as in relation to employees or in connection with marketing.

We do not process more personal data than is necessary for the purpose, and we always strive to use the least privacy-sensitive information.

The processing of employees’ and former employees’ personal data is specifically regulated in an internal policy.

2 Purpose

We protect your privacy and you should be able to feel safe when you entrust us with your personal data. Therefore, we have established this policy based on current data protection legislation to clarify how we work to defend your rights and your integrity.

The purpose of this policy is to inform you about how we process your personal data, what we use it for, who will get access to it and under what conditions and how you can exercise your rights.

3 Guidelines

What types of personal data do we process?

We only process personal data when we have a legal ground and, when we operate as a processor, only when we have explicit instructions from our client. We do not process personal data in any case other than when they are required to fulfill our obligations under law and
agreements or based on legitimate interests. Here are examples of the types of personal data
that we process:

  • Name
  • Address
  • E-mail address
  • Phone number
  • Age
  • Personal identity number
  • User name
  • Photos / pictures / sound recordings
  • Account number and other bank-related information
  • Education participation
  • CV
  • Information that you publish yourself or otherwise provide to us voluntarily including
    details regarding your health (i.e. sensitive personal data)

Special category data (sensitive personal data)

The processing of personal data that is deemed sensitive – for example information regarding
politics, religion, genetics or health – is carried out restrictively and with due observance of
confidentiality.

How do we access your personal information?

We will primarily get access to your personal information from our client in cases where we
are a processor and otherwise by you providing the personal data to us. We can also get access through the following ways:

  • Information which you provide us with directly
  • Information that is registered when you visit our website
  • Information we receive from public registers
  • Information that we receive when you answer surveys and other polls and investigations
  • Information we receive when you sign up for our events, presentations or seminars
  • Information that we receive when you sign up for newsletters and other mailings
  • Information that we receive when you contact us, seek employment with us, visit us or
    in other ways seek contact with us

In what ways and for what reasons do we process your personal data?

In most cases, we process personal data on behalf of our clients in the capacity of processor.
The controller is then responsible for determining which legal ground is applicable as well as
what personal data to collect, for which purposes and how to process them.

In cases where the Company itself is the controller, we mainly process personal data with the
support of law, a so-called legal obligation, for example in order to comply with requirements
under the Accounting Act, or with the support of an agreement with an individual (such as an
employment contract).

In some cases, we may also process your personal data based on legitimate interests. This will primarily be relevant when we need to process personal data for advertising or marketing purposes.

Regarding such processing of personal data which is not directly necessary to comply with applicable laws and which does not have another legal ground as described above, we will collect your consent in connection with the retrieval of such personal data.

You may withdraw your consent at any time for such processing as described above. We will then no longer process your personal data or obtain any new data, if it is not necessary to fulfill our obligations under a contract or law.

Is your personal data processed in a safe way?

We have routines and procedures for managing your personal data in a safe way. Only persons who need personal data to perform their duties and the Company’s commitments shall have access to personal data.

Our security systems are developed with your integrity in focus and to protect, to a great extent, against intrusion, destruction and other incidents that could endanger your privacy. We have agreements with our IT providers regarding IT security to ensure that your personal data is processed safely.

When do we share your personal data?

We may not disclose your personal data to anyone other than the client who is the controller for your personal information unless you have given your consent or where it is necessary to comply with our statutory obligations or is governed by our agreement with the controller.
In some cases, personal data is transferred to our subcontractors for marketing, information and follow-up purposes and for storage. See more about processors/sub-processors in section 5 below.

We only transfer personal data outside the EU/EEA, if we have a legal ground for the transfer in accordance with applicable laws and regulations for data protection. This means, for example, that we can transfer personal data to Privacy Shield-certified data processors in the United States. For non-Privacy Shield-certified recipients, we may transfer your personal data outside the EU/EEA, using standard data protection measures adopted by the EU Commission. We may also transfer your personal data to a country that the EU Commission has assessed to have an adequate level of protection for the processing of personal data.

Retaining and deleting personal data

We retain your personal information according to the instructions we receive from the controller.

Where we are the controller, your personal data will not be retained for longer than what is necessary in order to fulfill the purpose of the processing and we will delete personal data in accordance with applicable law.

4 Your rights

When we are processor

The rights for individuals as set out below apply in relation to the relevant controller. In cases where we process personal data on behalf of others and as processor, please contact the respective controller for the exercise of your rights below. If you have any questions regarding this, you can contact us via the contact details in section 6 below.

When we are controller

Withdraw consent

To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time by contacting us via the contact information set forth in section 6 below. Withdrawal will not affect the lawfulness of processing before the withdrawal.

Request for rectification or erasure

You are entitled to request that personal data about you is rectified or erased. You also have the right to restrict the processing of your personal data or object to such processing in accordance with the General Data Protection Regulation or national privacy laws. Following such a request, we will examine whether there is reason to implement the requested change.

Request for a registry extract

You are entitled to request extracts from the Company and our registries/systems in which personal data about you is processed and, in such extracts, be informed of what personal data about you the Company is processing and how we process this data.

If you have questions regarding the processing of your personal data or if you find that any data is incorrect, want to request rectification, erasure, restriction or objection to the processing, please contact us in accordance with section 6 below.

The Swedish Data Protection Authority

The Swedish Data Protection Authority (DPA) is the supervisory public authority for processing of personal data and data protection in Sweden. You are entitled to lodge complaints regarding the processing of personal data to the DPA. Contact information for the DPA can be found on www.datainspektionen.se/in-english/contact-us/

5 Controller of personal data and our processors

The controller is ultimately responsible for how your personal data is processed and that your rights are protected. The Company is in most cases a processor of personal data.

The Company always ensures through personal processing agreements or otherwise that our processors/sub-processors only process personal data in accordance with this policy.

If you, as a registered person, want to know which personal data processors (sub-processors) we use, you can contact us in accordance with section 6 below and we will provide you with a list.

6 Contact details

Controller of personal data: Pelago Bioscience AB, reg.no 556924-1671
Address: Banvaktsvägen 20, 171 48 Solna
E-mail address: dataprotection@pelagobio.com