Privacy Policy

Processing of personal data

This day, 2022-0906, the following policy has been established for Pelago Bioscience AB, reg.no 556924-1671 (”Pelago or “We”).

 

1 Purpose

In accordance with Pelago’s responsibilities, We respect your integrity and ensure that your personal data is processed with the confidentiality and respect that is required. Therefore, We have established this policy addressed to you who have a relationship with us by our business, or to you, who represent a company or an organisation (existing, previous or potential customers/partners), has visited our website, or in other ways has been in contact with us, for example as an employee. 

The purpose of this policy is to inform you, in accordance with the EU General Data Protection Regulation (“GDPR”) about how We process your personal data, what We use it for, who will get access to your personal data and under what conditions and how you can exercise your rights. 

 

2 Background

Pelago processes personal data in several different situations and in different roles. Pelago is sometimes personal data controller and sometimes personal data processor. In exceptional cases Pelago can also process personal data as a joint controller with one or more other personal data controllers. 

In most cases Pelago receives personal data from our customers, licensees or partners (below “customers”) which utilize from our services and systems (i.e. companies which purchase and use our services). Those customers are personal data controllers for the personal data (normally contact information to customers’ contact persons) that customers transfer to Pelago. The customers are responsible for ensuring that they have the right to transfer personal data to Pelago and that Pelago has the right to process such personal data. Pelago is responsible for processing personal data in accordance with agreements with customers, and in accordance with GDPR.  

In some cases, Pelago itself operates as a personal data controller. Pelago act as a personal data controller when We collect and process personal data for our own account, such as in relation to employees or in connection with marketing our services. 

We do not process more personal data than is necessary for the purpose, and We always strive to use the least privacy-sensitive information. 

The processing of employee’s and former employee’s personal data is specifically regulated in an internal privacy policy. 

 

3 Guidelines

3.1 What types of personal data do We process? 

Here are examples of the types of personal data that We process: 

  • Name,  
  • Address, 
  • E-mail address, 
  • Phone number, 
  • Age,  
  • Personal identity number, 
  • Username, 
  • Photos, pictures, and sound recordings, 
  • Account number and other bank-related information), 
  • Education participation, 
  • CV, 
  • Health (sensitive personal data) 
  • Information that you publish yourself or otherwise provide to us voluntarily. 

The processing of personal data deemed as sensitive – for example information regarding politics, religion, genetics, trade union membership or health – is made restrictively and with due observance of confidentiality. 

 

3.2 How do We access your personal information? 

Pelago primarily get access to your personal information from our customers and partners, and otherwise by you providing the personal data to us, through the following ways:  

  • When you provide us with information directly, 
  • When you register information in connection with visiting our website, 
  • When We receive information from public registers,  
  • When you answer surveys or other polls and investigations initiated by us,  
  • When you sign up for our organised events, presentations, or seminars,  
  • When you sign up for our newsletter and other mailings, 
  • When you provide us with information in connection with you contacting us, seek employment with us, visit us or in any other way seek contact with us.


3.3 In what ways and for what reasons do We process your personal data? 

In most cases, Pelago processes personal data in accordance with agreement with our customers. Each customer is in such cases a personal data controller and is therefore responsible for determining which legal ground is applicable as well as what personal data to collect, for which purposes and how the personal data are to be processed. Pelago is responsible for processing the personal data in accordance with such agreements and, of course, in accordance with GDPR. 

In cases where Pelago itself is the personal data controller, We may collect your personal data through different sources and for several purposes. Mainly, We collect your personal data by contacts with you, through our website or regarding the services We engage in. We process your personal data för the following purposes:  

Purpose 

Lawfullness 
To perform and deliver our services in accordance with a contract with a customer 

Processing is necessary for the purpose of legitimate interest 

Pelago’s processing of personal data in connection with performance of our services is based on the legal ground legitimate interest, as We assess that our interest to process personal data in order to be able to fulfil and deliver on our contractual obligations in relation to our customers outweighs the interests or fundamental rights and freedoms of the data subject which require protection of personal data 

Processing is necessary for the performance of a contract to which the data subject is party  

If our customer is a sole trader and thus not a legal entity, We process the customer’s (i.e. the data subject’s) personal data based on the legal ground contract.  
To comply with a contractual obligation with a supplier or other business partners. 

Processing is necessary for the purpose of legitimate interest 

Pelago’s processing of personal data in connection with performance of a contractual obligation with a supplier or other business partners is based on the legal ground legitimate interest, as We assess that our interest to process personal data in order to be able to fulfil and deliver on our contractual obligations in relation to our suppliers and/or business partners outweighs the interests or fundamental rights and freedoms of the data subject which require protection of personal data. 

To comply with legal obligations  

Processing is necessary for the purpose of compliance with legal obligations 

E.g. to perform our responsibilities in accordance with the Swedish legislation such as Swedish Accounting Act etc.  
To analyse the use of our website 

 

Processing is necessary for the purpose of legitimate interests 

Pelago’s legitimate interest to engage, market and inform about our services on our website outweighs the interests or fundamental rights and freedoms of the data subject which require protection of personal data as We assess that our interest to process personal data in order to be able to engage, market and provide our services to the market outweighs the interests or fundamental rights and freedoms of the data subject which require protection of personal data. 
To market our services, e.g., by newsletters, social media, publications, and events 

Processing is necessary for the purpose of legitimate interests 

Pelago’s legitimate interest to engage, market and provide our services outweighs the interests or fundamental rights and freedoms of the data subject which require protection of personal data as We assess that our interest to process personal data in order to be able to engage, market and provide our services to the market outweighs the interests or fundamental rights and freedoms of the data subject which require protection of personal data 

 

Regarding such processing of personal data which is not directly necessary to comply with applicable laws and which does not have another legal ground as described above, We will collect your consent in connection with the retrieval of such personal data. You may withdraw your consent at any time for such processing. 

 

3.4 Is your personal data processed in a safe way? 

We have routines and procedures for managing your personal data in a safe way. Only persons who need personal data to perform their duties and Pelago’s commitments shall have access to personal data. 

Pelago’s security systems are developed with your integrity in focus and to protect, to a great extent, against intrusion, destruction and other incidents that could endanger your privacy. We have agreements with our IT providers regarding IT security to ensure that your personal data is processed safely. 

 

3.5 When do We share your personal data? 

We do not disclose your personal data to anyone other than the customer who is the personal data controller for your personal information unless you have given your consent, or where it is necessary to comply with our statutory obligations or is governed by our agreement with the personal data controller. 

In some cases where necessary, personal data may be transferred to legal entities which act as sub-contractors for Pelago, i.e., a personal data processor. Pelago is ultimately responsible for how your personal data is processed and that your rights are protected, and the sub-contractors shall only process personal data in accordance with relevant data protections laws and agreements with us. Our sub-contractors are engaged for the following services:  

  • IT service providers 
  • Supplier of HR system  
  • Supplier for the management of internal purchases   

When your personal data are transferred to a personal data processer, such transfer will always be in line with the purposes for which Pelago has set out in this policy. Pelago verifies all personal data processors to ensure that they can provide adequate guarantees of security and confidentiality of your personal data. In most cases, We have written agreements with our personal data processors in which our personal data processors guarantee the security of the personal data processed and undertake to comply with Pelago’s security requirements, as well as restrictions and requirements relating to the transfer of personal data outside the EU and EEA.  

Where We use software and services, e.g., for email management, from leading global providers, We have ensured that their commitments comply with GDPR requirements, and We ensure that the highest level of security is required, and that personal data is not stored outside the EU/EEA. 

Pelago also uses digital tools to analyse how visitors use the Pelago website. Such digital tools are provided by third party providers who may also receive and process personal data for a very limited period of time. The providers of such services are personal data processors for Pelago and may only process personal data on behalf of Pelago.

 

3.6 Transfer of personal data outside the EU/EEA 

As a general rule of thumb, We never transfer personal data to any recipient outside the EU/EEA. In exceptional cases, We may transfer personal data to a recipient located in a third country (i.e. a country outside the EU/EEA), in which case We will check whether the country has an adequate level of protection (such as the UK, Japan and Switzerland), or whether any of the transfer mechanisms specified by the GDPR are reliable.  

However, it may be a situation when personal data may be transferred to the United States even if We have ensured that all of our processors only process (including store) personal data within the EU/EEA, if a processor is owned by a parent company located in the United States and an US authority has accessed the personal data under US law. We are monitoring developments in data protection law in this area in order to take steps to further protect personal data that may be at risk of being transferred to the United States.

 

3.7 Retaining and deleting personal data  

In accordance with applicable law, Pelago must keep accounting records (which may contain personal data) for seven (7) years counted from the current calendar year. 

Where Pelago is the personal data processer, We retain your personal information according to the instructions We receive from the personal data controller.  

Where Pelago is the personal data controller, your personal data will not be retained for longer than what is necessary to fulfil the purpose of the processing. We will delete personal data in accordance with applicable law. We also follow our retention routine and grate or delete personal data at least once (1) a year to ensure that only current and relevant personal data is processed.

 

4 Your rights

4.1 Your rights as a data subject 

The rights listed below apply in relation to you as the data subject (i.e. individuals). In cases where We process personal data on behalf of our customers or others and thus act as personal data processors, you are referred to the respective customer for the exercise of the listed rights. We do not have the right to take any action without the mandate of a data controller. If you have any questions regarding this, you can contact us via the contact details in section 5 below. 

When We, as a personal data controller, process personal data related to you as a data subject, you have several rights. If you wish to exercise any of those rights, the easiest way to reach us is via the contact details provided in section 5 

Pelago reserves the right to take steps to ensure that the identity of the person requesting the extract or any other right to which you are entitled as a data subject.  

All information about your rights can be found on the website of the Data Protection Authority www.imy.se.  

 

4.2 Right to be informed 

You have the right to be informed about how Pelago process your personal data. We do this through this policy about processing of personal data and by answering questions from you.

 

4.3 Request for rectification or erasure personal data (the right to be forgotten) 

You are entitled to request that personal data about you is rectified or erased in accordance with the General Data Protection Regulation or Swedish privacy laws. Following such a request, Pelago will examine whether there is reason to implement the requested change.

 

4.4 Request for restriction of our processing of personal data  

You also have the right to restrict the processing of your personal data in accordance with the General Data Protection Regulation or national privacy laws. Following such a request, Pelago will examine whether there is reason to implement the requested change.

 

4.5 The right to object to our processing of personal data  

You also have the right to object to such processing in accordance with the General Data Protection Regulation or national privacy laws. Following such a request, Pelago will examine whether there is reason to implement the requested change.

 

4.6 Request for a registry extract 

You are entitled to request extracts from Pelago and our registries/systems in which personal data about you is processed and, in such extracts, be informed of what personal data about you that Pelago are processing and how We process this data.

 

4.7 Right to data portability 

The right to transfer information (data portability) means that you can request your personal data to be transferred to someone else. However, this right only applies in cases where We have processed your personal data on the legal basis of consent or where you have personally entered into a contract with Pelago, and you yourself have provided us with the personal data you wish to move. 

 

4.8 Withdrawal of consent 

To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time by contacting us via the contact information set forth in section 6 below. We will thereafter no longer process such personal data or obtain any new and all personal data that we processed with your consent will be erased. Withdrawal will not affect the lawfulness of processing before the withdrawal. 

 

5 Controller of personal data and our processors

If We modify our processing of personal data, We will inform you as prominently as possible, both by updating this Privacy Policy and by providing specific information on our website: (insert URL) 

 

6 Contact details

6.1 Personal Data Controller 

Personal Data Controller: Pelago Bioscience AB, corp. id. 556924-1671 

Address: Scheeles väg 1, 171 65 Solna, Sweden 

E-mail address: dataprotection@pelagobio.com

 

6.2 The Swedish Authority for Privacy Protection 

The Swedish Authority for Privacy Protection (IMY) is the supervisory public authority for processing of personal data and data protection in Sweden. You are entitled to lodge complaints regarding the processing of personal data to IMY.  

Contact details of IMY: 

E-mail: imy@imy.se 

Phone number: 08-657 61 00 

Or at  www.imy.se/en.