Southern Lights
PRIVACY POLICY

Updated: 06/26/2024

1.   General information about our processing of personal data

1.1 Information About Us as the Data Controller

For us at Southern Lights AB org.nr. 559380-4031 ("Southern Lights"), the protection and confidentiality of your personal data is an important issue. We take all necessary measures to ensure that we continuously comply with the provisions of the General Data Protection Regulation, Regulation (EU) 2016/679 (the "GDPR"). In accordance with the GDPR, Southern Lights does its utmost to ensure that your personal data and privacy are respected when your information is processed by us.

As the data controller, Southern Lights has issued this privacy policy (the "Policy") that explains how Southern Lights processes your personal data. It also describes your rights towards us and how you can exercise your rights.

The Policy also aims to clearly inform you about the purpose of the processing, what personal information Southern Lights collects and processes about you, how it is processed, the legal basis for the processing, how the information is shared, and what rights you have in relation to the processing. It also describes the measures taken to protect your personal data and how you can contact us if you have any questions about our handling of your personal data.

In the following sections, we outline the purposes for which (i.e., why) we process your personal data and the legal basis on which the processing is based. The subsequent sections discuss your possible rights and contact information.

We encourage you to review the Policy in its entirety.

1.2 Where Do We Receive the Personal Data From?

The personal data we process may come from various sources, including information provided directly by you, data collected through our interactions with you, and data obtained from third-party service providers.

Additionally, where applicable, we may collect data from publicly accessible sources, such as public records. This may include information from registers such as the population register, property register, or other public databases.

2.   Customer Relationship Management

To fulfil our contractual obligations and ensure a smooth customer experience, we need to collect and process personal data such as names, email addresses, and purchase history. This information is essential for managing customer accounts, processing transactions, and providing customer support. The following personal data is processed:

| Category of Data Subjects | Type of Personal Data | Legal Basis |
| --- | --- | --- |
| Customer | Name, personal identity number, address, phone number, personal email address, photograph | Contractual obligations (art. 6.1(b) GDPR) |
| Customer Employees | Name, contact information | Legitimate interest (art. 6.1 (f) GDPR)* |

* Southern Lights’ legitimate interest is to facilitate communication and ensure effective service delivery by interacting with the employees of our customers.

3.   Product Functionality and Security

To provide core product functionality and ensure secure user authentication, we need to collect and process email addresses and encrypted passwords. This data is crucial for user identification and maintaining the integrity of our services. The following personal data is processed:

| Category of Data Subjects | Type of Personal Data | Legal Basis |
| --- | --- | --- |
| User | Name, registered user email address | Contractual obligation (art. 6.1(b) GDPR) |

4.   Marketing and Sales Activities

To support our marketing and sales activities, we collect and process contact information of potential customers. This allows us to reach out with relevant offers, updates, and promotions, enhancing our customer acquisition efforts. The following personal data is processed:

| Category of Data Subjects | Type of Personal Data | Legal Basis |
| --- | --- | --- |
| Potential Customer | Name, address, phone number, e-mail address | Legitimate interest (art. 6.1 (f) GDPR)* |
| Potential Customer Employees | Name, phone number, e-mail address | Legitimate interest (art. 6.1 (f) GDPR)* |

* Southern Lights’ legitimate interest is to grow the business by identifying and engaging potential customers through targeted marketing and sales activities.

5.   Candidate data for Recruitment

5.1 Application and Interview

5.1.1 Reviewing applications, administering interviews, and conducting reference checks and recruitment tests.

To ensure that candidates meet the necessary requirements and qualifications for the advertised position, we need to review and evaluate application documents such as CVs, video CVs and cover letters.

We also need to communicate with relevant candidates to schedule interviews and evaluate interview results. We may also contact references and obtain personal data about you in this way.

In the context of a recruitment process, we may also process personal data related to the results of various job tests, for example, job suitability tests, job simulations, etc. The following personal data is processed:

| Category of Data Subjects | Type of Personal Data | Legal Basis |
| --- | --- | --- |
| Job Applicant | Name, personal identity number, address, phone number, personal email address, photograph, grades and diplomas, references, job test results, etc. | Legitimate interest (art. 6.1 (f) GDPR)* |
| Designated Reference Person | Name, contact information | Legitimate interest (art. 6.1 (f) GDPR)* |

* Southern Lights’ legitimate interest is to recruit staff who contribute with competence and profitability to the business.

5.2 Work Permit

5.2.1 Verification of Work Authorization

As an employer, we are required to conduct checks to ensure that the person offered or holding a position has the right to reside and work in Sweden. The following personal data is processed:

| Category of Data Subjects | Type of Personal Data | Legal Basis |
| --- | --- | --- |
| Job Applicant | Name, personal identity number, address | Legal obligation under law/regulation (Art 6.1(b) GDPR) |
| | Phone number, personal email address | Legitimate interest (art. 6.1 (f) GDPR)** |
| | If applicable, information about residence and work permits (type, number, and copy of the permit and/or a copy of the Migration Agency's decision) | Legal obligation (6.1 (c) GDPR) |
| | In the absence of a residence/work permit: offenses involving crimes | Legitimate interest (art. 6.1 (f) GDPR)***; Legal claims (art. 10 GDPR) |
| Employee | Name, personal identity number, address | Legal obligation under law/regulation (Art 6.1(b) GDPR) |
| | Phone number, personal email address | Legitimate interest (art. 6.1 (f) GDPR) |
| | If applicable, information about residence and work permits (type, number, and copy of the permit and/or a copy of the Migration Agency's decision) | Legal obligation (6.1 (c) GDPR) / Legal claims (art. 10 GDPR) |
| | In the absence of a residence/work permit: offenses involving crimes | Legitimate interest (art. 6.1 (f) GDPR)***; Legal claims (art. 10 GDPR) |

* Southern Lights’ legitimate interest is to recruit staff who contribute with competence and profitability to the business.

** Southern Lights’ legitimate interest is to be able to communicate effectively with job applicants and employees and to ensure that the right candidate is selected for the position.

*** Southern Lights’ legitimate interest is to ensure that only individuals who have the legal right to work and reside in Sweden are employed, which is crucial to avoid legal and financial consequences.

6.   Legal Actions and Processes

We particularly want to draw your attention to the fact that if a dispute arises, we may need to process your personal data if required for evidentiary purposes.

Such a dispute could be, for example, between Southern Lights and a customer, supplier or third party, or with you. The personal data will then be processed at least until the appeal period to the highest court has expired, or if a review is granted when the judgment has become final. This may concern all points covered by the Policy.

| Data Subjects | Type of Personal Data | Legal Basis |
| --- | --- | --- |
| Prospect employee, customer, partner, third-party provider | All personal data specified in the Policy according to the above sections | Legitimate interest (Art. 6.1 (f) GDPR)* |
| | Personal data covered by Article 9 GDPR | Legitimate interest (Art. 6.1 (f) GDPR)*; Establish, exercise, or defend legal claims (Art. 9.2(f) GDPR) |
| | Personal data covered by Article 10 GDPR | Legitimate interest (Art. 6.1(f) GDPR)*; Establish, exercise, or defend legal claims (Art. 9.2(f) GDPR); Establish, exercise, or defend legal claims (for personal data covered by Article 10 GDPR) |

* Southern Lights’ legitimate interest is to protect its or, where applicable, third-party rights and interests in connection with legal disputes and to ensure that necessary evidence is available to establish, exercise, or defend legal claims.

7.   Storage Period

The personal data will be processed and stored by Southern Lights for the period required to fulfil the purposes specified in the above summary. Thereafter, the personal data will be anonymized or deleted.

When determining the period during which your personal data will be stored, Southern Lights particularly considers the storage time requirements specified by law, prescription periods, recommendations from authorities, and industry practice.

Further information on how long Southern Lights processes specific personal data is stated in Southern Lights’ archiving policy.

8.   Your Rights Under the GDPR

8.1 General Principles

Below is an explanation of what you may be entitled to concerning our processing of your personal data. To exercise your rights, you are welcome to contact us. You will find our contact details below.

Each request to exercise the rights below must be issued in writing by the registered individual to Southern Lights’ address. If there are doubts about the issuing person's identity, we may request identity documents to be submitted.

8.2 Access Your Data

As a registered individual, you have the right to access your personal data. Upon your request, we will provide information about the personal data we process about you, a so-called register extract.

8.3 Request Correction of Your Personal Data

You have the right to contact us and request that incorrect personal data about you be corrected. You may also have the right to have your data supplemented with such personal data that is missing and relevant for the purpose. Upon your request, we will correct the incorrect or incomplete data we process about you.

8.4 Request Deletion or Restriction of Processing

You have the right to request the deletion of your personal data, and we will, upon your request or on our initiative, delete your personal data if they are no longer necessary for the purposes for which they were collected.

Please note that there may be legal obligations that prevent us from immediately, entirely or partially, deleting your personal data. These obligations may follow from accounting, tax, banking, or anti-money laundering legislation.

If we are prevented from deleting your personal data, we strive to ensure that the data that needs to be saved is blocked so that it is not used for other purposes.

8.5 Request Restriction of Processing

In certain cases, you have the right to have the processing of your personal data restricted. This means that the personal data is marked so that in the future, it is only processed for certain limited purposes. You may, for example, request such a restriction in connection with disputing the accuracy of personal data. While the accuracy of the personal data is being investigated, the processing of your data may be restricted.

8.6 Request Data Portability

Under certain conditions (including technical feasibility), you may have the right to data portability, that is, to retrieve and transfer your personal data to another data controller.

8.7 Object to Personal Data Processing

You have the right to object if your personal data is processed to perform a task in the public interest as part of the exercise of official authority or after a legitimate interest assessment. If you object to such processing, we will only continue to process the data if there are legitimate reasons for processing the data that outweigh your interests.

8.8 Consequences of Withholding Personal Data or Withdrawing Consent

Where our processing of personal data, as described above, is based on either a legal requirement or a contractual obligation (where, in the latter scenario, the data provided is necessary to enter into the contract), we want to inform you of the following.

Failure to provide the necessary personal data may result in consequences such as our inability to enter into or fulfil a contract, limited access to certain services, or non-compliance with a legal obligation, which may result in similar consequences.

Moreover, if the processing of your personal data is based on you having provided your consent, you have the right to withdraw your consent at any time. However, please note that such withdrawal will not affect the lawfulness of processing based on consent before consent was withdrawn.

8.9 Complain About Our Processing of Your Personal Data

You have the right to file a complaint with a supervisory authority if you believe that the processing of your personal data does not comply with the GDPR rules. In Sweden, the supervisory authority is the Swedish Authority for Privacy Protection (“IMY”).

Contact details for IMY are as follows:

Website: https://www.imy.se/en/

Phone: 08-657 61 00

Email: imy@imy.se

Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm

9.   Categories of Data Recipients

The GDPR defines a recipient of personal data as any natural or legal person who receives personal data. The recipients can therefore be internal or external to Southern Lights.

Internal recipients are all departments within Southern Lights authorised to process your data in accordance with their respective area of responsibility (authorised persons responsible for handling career development or salaries or to ensure the safety of people and property, the relevant person's manager, etc.).

External recipients relative to Southern Lights are various social security agencies (regarding social security, unemployment, pensions, paid leave, etc.), banks, financial institutions, education providers, company doctors, authorities, external consultants, and service providers.

Southern Lights will disclose such personal data to third parties as Southern Lights is legally required to disclose. Such disclosure will, among other things, be made to authorities such as the Tax Agency, the Swedish Social Insurance Agency, the Pensions Agency, and other authorities as required.

Southern Lights will also disclose information to third parties necessary to fulfil the employment contract, such as to enter into and maintain insurance for payroll administration and pension managers but also to suppliers, customers, and partners towards whom you will act as a contact person and invoice recipient.

In addition to what has been stated above, Southern Lights may disclose personal data to third parties to, for example, comply with a court order/authority decision or other legal obligations and to protect the rights, property, or safety of Southern Lights and its group companies or others.

Southern Lights will always strive to limit access to personal data as specified above and only share information reasonably necessary for the recipients to perform their work or provide their services. Southern Lights will strive to require these recipients of personal data to (i) protect your personal data in accordance with this Policy and applicable law and (ii) not use or disclose your personal data for any purpose other than the purpose for which it was disclosed.

10. Transfers to Third Countries

Southern Lights will normally not transfer personal data to third countries (i.e., a country outside the EU/EEA) or to an international organisation.

Should a transfer to a third country or international organisation occur, it will always be carried out in a secure and lawful manner. Your personal data will not be transferred to an external party outside the EU or EEA without us having entered into an agreement or ensured that the country is approved by the European Commission before the transfer.

In the event of a transfer to the USA, we check that the organisation in question is certified under the EU-U.S. Data Privacy Framework, which ensures a level of protection equivalent to that provided by the GDPR.

If a transfer occurs to another third country outside the EU/EEA or to an international organisation, we will ensure that the rights of the affected individuals are respected. Alternatively, we will ensure that appropriate safeguards exist between us as the data exporter and the data importer in the third country. Such appropriate safeguards are, subject to the transfer itself, that we have entered into an agreement containing either contractual clauses or standard contractual clauses binding between us and the third country's data importer in accordance with the relevant provisions of the GDPR and other applicable laws.

We can also use an approved code of conduct in accordance with Article 40 GDPR and the requirements of Article 46.2(e) GDPR or use an approved certification mechanism according to Article 42 GDPR in accordance with the requirements of Article 46.2(f) GDPR.

In specific situations where neither an adequacy decision nor any of the above appropriate safeguards are applicable for such a transfer, we can also perform third-country transfers based on one of the applicable exceptions stated in Article 49 of the GDPR. If such exceptions are enforced for a specific transfer, we may inform you further about this separately.

If you want to know more about the requirements for transferring personal data to a country outside the EU or EEA based on the European Commission's decision on standard contractual clauses for transferring personal data to controllers or processors established in third countries, you can read more here.

Should a third-country transfer of your personal data be considered, and we are required to do so, we will provide you with further information about such a transfer.

11. Security Measures to Protect Personal Data

Southern Lights complies at all times with current legal requirements regarding the security of personal data processing and has taken the organisational and technical security measures required to protect personal data against unauthorised access, modification, and deletion. Measures that have been taken and will be continuously taken include secure login procedures for access to documents, authorisation limitations, antivirus protection, and deletion routines. For sensitive data, Southern Lights will take additional security measures, including strict authorisation limitation to a small group, clear deletion routines, and password protection.

12. Updates to the Policy

We reserve the right to make changes to the Policy at any time. In the event of significant changes to it, you will be notified that the Policy is being updated before it takes effect.

13. Contact Information

For questions related to this Policy or GDPR, you are welcome to contact us as follows:

Address: Southern Lights AB, c/o The Works, Medborgarplatsen 25, 118 72 Stockholm, Sweden

E-mail: info@southernlights.io