Elfa International AB, reg. no. 556516-2012 (“we”, “us”, our”) is the data controller of the processing of your personal data and is accountable for ensuring that your personal data are processed in accordance with applicable data protection legislation. It is important to us that you feel safe when we process your personal data. Here (in this “privacy notice”) you can learn more about what personal data we collect and process about you, why we do it and what your rights are according to applicable data protection legislation. If you have any questions about our processing of your personal data, please contact us via the contact details provided in section 8 below.
SECTIONS
INDIVIDUALS COVERED BY THIS NOTICE AND THE PERSONAL DATA WE PROCESS
WHY WE PROCESS PERSONAL DATA
OUR COLLECTION OF YOUR PERSONAL DATA
WHO WE SHARE YOUR PERSONAL DATA WITH
WHERE WE PROCESS YOUR PERSONAL DATA
YOUR RIGHTS
CONTACT INFORMATION
CHANGES TO THIS PRIVACY NOTICE
Who we process personal data about
We process personal data about individuals who are in contact with us and our business, including:
- Representatives/contact persons of companies that are our customers or potential customers (prospects). The representatives/contact persons may be employed by one of our resellers or by a project client (e.g., a contractor, architect, or interior designer)
- Representatives/contact persons of companies that provide us their products and/or services. The representatives/contact persons may be employed by one of our service providers/suppliers or potential service provider/supplier (e.g., manufacturer, transportation company, designer, or installer).
- Individuals who work for us as consultants.
- Individuals who book a planning meeting with us, purchase a product/service, visit our website or otherwise contact us.
The personal data that we process
|
Contact information
|
such as name, e-mail address, telephone number, address and other contact details
|
|
Company information
|
such as company name and information about your role/title in the company
|
|
Correspondence and documentation
|
such as correspondence via e-mail, telephone or social media, documentation, feedback, meeting - and memory notes
|
|
Statistical information and information for analysis
|
such as IP-address, browser type, internet service provider (ISP) and digital footprints by browsing the website (such as weblogs, date and time stamp, location, referring/exit pages, number of clicks, etc.), log files, etc
|
|
Transactional data
|
such as information regarding bank account, payment details
|
|
Information about qualifications (applicable for consultants)
|
such as education, work experience and references, project information, registered time, information on fees, absence and information about internal training the employee has undergone
|
Communication with potential supplier/service provider and prospect
To respond to inquiries from potential service providers/suppliers and/or prospects, we will process contact information, company information and correspondence and documentation about representatives/contact persons of the company. The legal basis for our processing is our legitimate interest in taking steps prior to entering into a contract with a potential service providers/suppliers and/or prospects (GDPR, article 6.1(f)). Contact us if you want to learn more about how we balance your interests against ours. We will keep your personal data for as long as we have an ongoing mutual dialogue and for 12 months thereafter, unless we have entered into a contract with the company you represent by then (see 3.2 below).
Contractual obligations towards customers, suppliers/service providers, and consultants
To enter into an agreement with a service provider/supplier, customer and/or consultant and to manage the relationship and fulfil terms and conditions of the agreement (such as deliver and provide service to resellers and paying for the services used), as well as to establish, issue and save documents relating to the relationship, we will process contact information, company information, information about qualifications (consultants only), correspondence and documentation about you as a consultant or representatives/contact persons of the service provider/supplier/customer. The legal basis for our processing is our legitimate interest in concluding an agreement with the service provider and fulfilling the terms and conditions of such agreement (GDPR, article 6.1(f)). Contact us if you want to learn more about how we balance your interests against ours. We will keep your personal data during the period we have an agreement with the company you represent and for twelve months thereafter.
Keep our CRM system accurate and up to date
It is vital for the success of our business that we ensure our CRM systems are as up to date as possible and that we have accurate information. Therefore, we work extensively and continuously to keep our records accurate and up to date in the right way. For this purpose, we will process contact information, company information about representatives/contact persons of the service provider/supplier/customer. The legal basis for our processing is our legitimate interest in having accurate information about you as a contact person of the company you represent (GDPR, article 6.1(f)). Contact us if you want to learn more about how we balance your interests against ours. Representatives/contact persons who, for whatever reason, are no longer employed by the relevant company will be anonymized as soon as we become aware of this.
Access to internal systems and premises
To be able to give the consultants that are working on site with us authorization to our internal systems and programs as well as providing them with access to our premises, we will process the consultants’ contact information. The legal basis for our processing is our legitimate interest in being able to give you access to the systems, programs and premises you need access to in order to carry out your assignment (GDPR, article 6.1(f)). Contact us if you want to learn more about how we balance your interests against ours. We will keep your personal data while you perform the consulting assignment for us.
Access to Elfa Professional Online
To be able to give representatives/contact persons and other individuals access to login to Elfa Professional Online and use Elfa planning tool, access detailed product information and news, we will process your contact information. The legal basis for our processing is our legitimate interest in being able to provide you with a high level of service and the right tools to facilitate your mission and role (GDPR, article 6.1(f)). Contact us if you want to learn more about how we balance your interests against ours. We will keep your personal data for a maximum period of 12 months after your last login to the platform.
When you visit our website
To provide, operate, maintain, improve, personalize and expand our website, we use cookies and other similar tracking technologies. The cookies are used to store information about your settings and the pages you visit, both on our website and others in order to, inter alia, optimize your browsing experience as well as to improve the website’s functions. The website includes necessary, statistical, functional and marketing cookies.
Depending on your cookie preferences, we will process statistical information and information for analysis about the website visitor. The legal basis for our processing of personal data collected through cookies is your consent (GDPR, article 6.1(a)).
For further information on our use of cookies, please see the Cookie Information on our website, which includes a detailed list of the cookies we use and the applicable retention periods.
Marketing and information
To send you relevant updates, promotions, news and information about us and our business, events, products, and services and/or to enable for you to subscribe (or unsubscribe) to our newsletters or our events, we will process your contact information, company information and correspondence, as well as information about your wish to subscribe/unsubscribe. The legal basis is your consent. We will keep your personal data until you unsubscribe from e-mails or opt-out from direct marketing from us or during the period necessary to handle your request (newsletter and events subscription).
Customer support via telephone, e-mail or social media
To respond to your questions and provide you with a high level customer support via telephone, e-mail or social media we will process contact information, correspondence and documentation, history of your customer support cases and other personal data that you provide us with in regard to the support case/our contact. The legal basis for our processing is our legitimate interest to provide you with customer support services (GDPR, article 6.1 (f)). Contact us if you want to learn more about how we balance your interests against ours. We will keep your personal data (i) through social media: Until you choose to delete your content or account, or until we have to delete it following our rules on the social media platform (e.g., if the content is disrespectful, bullying etc.), (ii) through other communication channels: As long as your support case is ongoing and for a period of maximum two year after your case has been closed.
Planning meeting Online and at Studio Elfa
To book a meeting with our storage experts Online or at Studio Elfa and assist you in planning your storage based on your needs and preferences, we will process your contact information, correspondence and documentation. The legal basis for our processing is our legitimate interest to provide you with customer support services (GDPR, article 6.1 (f)). Contact us if you want to learn more about how we balance your interests against ours. We will keep your personal data for as long as we have an ongoing mutual dialogue and for six months thereafter.
Purchase of products/services via Studio Elfa
To administer your purchase of products from a planning meeting, including payment, packing and delivery of products/services ordered by you we will process contact information, correspondence and documentation and transactional data. The legal basis for our processing is performance of our contract with you (GDPR, article 6.1 (b)). We will also process your personal data to comply with laws and regulations, see section 3.13 below. We will keep your personal data until the purchase is completed, including payment and delivery, which in most cases is 30 days after the purchase is made.
Whistleblowing
To provide a whistleblowing function where you can report complaints or deviations associated with Elfa operations, people or environment we will process your contact information and other information you provide us with regarding the complaint/deviation that may contain personal data about you and others. This includes getting back to you personally about the management of the errand (if you report non-anonymously). If you report anonymously we will not process any personal data about you. The legal basis for our processing is our legal obligation under the Act (2021:890) on the protection of individuals reporting irregularities to provide a whistleblowing channel, and our processing of your personal data is based on this legal obligation (GDPR, Article 6.1(c)). The same applies to the processing of personal data relating to criminal convictions and offences. If the processing of special categories of personal data occurs, it is necessary for reasons of substantial public interest based on Union law and Swedish law (GDPR, Article 9(2)(g)).
The reports that are found to be obviously unfounded will be anonymized and deleted immediately. If a report does not result in any action, the relevant information will be anonymized and deleted within two (2) months after the investigation is concluded. The maximum retention period for personal data is two (2) years after the completion of an investigation. However, this does not apply if we need to retain the personal data for a longer period to handle future claims or disputes.
Camera surveillance
To prevent and investigate possible crimes committed against us and to ensure the safety of our employees and others, we monitor certain limited areas around our premises. This means that you as a visitor to Studio Elfa or Elfa’s manufacturing sites can be monitored by camera when you move in these areas. The processing is based on our legitimate interest of maintaining the security around our premises and being able to investigate any crimes committed against us. Contact us if you want to know more about how we have balanced your interests against ours. The recorded material is automatically deleted after three days unless the material is needed for further investigation, after which it is deleted when the investigation is completed.
Processing to comply with laws, legal obligations and voluntary undertakings
To comply with legal obligations
|
Purposes, legal obligation (GDPR, article 6.1(c))
|
Categories of personal data
|
Retention period
|
|
Handle and respond to data subject rights requests
|
Contact information as well as information provided in your request and additional information required to meet your request
|
For up to one year from the date your request has been met
|
|
Handle incidents and participate in supervisions
|
The categories of personal data relating to you that are necessary and requested during the incident/supervision
|
For as long as the incident or subsequent supervision is ongoing and one year thereafter
|
|
Bookkeeping
Legal obligation regarding bookkeeping legislation (for Sweden: Bokföringslag (1999:1078)).
|
Transactional data
|
Up to and including the seventh year after the end of the financial year the transaction took place
|
|
Recalls
Legal obligation regarding product safety (for Sweden: Produktsäkerhetslag (2004:451))
|
The categories of personal data relating to you that are necessary to comply with the legal obligation
|
Until the recall is administered
|
Claims and complaints
To administer, investigate and respond to claims and complaints, we will process your contact information as well as other information you provide us with regarding your claim or complaint. The legal basis for the processing is our legitimate interest to administer your claim or complaint (GDPR, article 6.1(f)). Contact us if you want to learn more about how we balance your interests against ours. We will keep your personal data during the period we investigate and administer your claim or complaint.
Disputes
To establish, exercise or defend a legal claim, in order to safeguard our and our affiliates’ legal rights, we will process the categories of personal data relating to you that are necessary with regard to the dispute and the parties involved. The legal basis is our legitimate interest in protecting our or the affiliate’s interests in the event of a dispute (GDPR, article 6.1(f)). Contact us if you want to learn more about how we balance your interests against ours. We will keep your personal data for as long as the dispute is ongoing and for ten years thereafter.
Mergers and acquisitions
To transfer personal data in the event of a merger, an acquisition or a sale of all or parts of our assets, we will process the categories of personal data relating to you that are covered by the merger or acquisition. The legal basis for the processing is our legitimate interest to proceed with a merger or acquisition and transfer relevant personal data for this purpose (GDPR, article 6.1 (f)). Contact us if you want to learn more about how we balance your interests against ours. No personal data is saved for this particular purpose.
How we collect personal data
Mainly, we collect your personal data directly from you (including from your device) when you communicate or in any other way interact with us for example through an order, personal contact, a request for a quote, a discussion, or a visit.
In some cases, we may also collect your personal data from other sources, namely when we collect it from publicly available sources/registers (for instance if you are the appointed contact person of a company we wish to get in touch with). We may also collect it from the company where you are employed and through online searches.
If you do not provide your personal data to us
When we process your personal data, we do so, among other things, to fulfil legal or contractual obligations. If you do not provide the personal data we request, it may mean that we cannot enter into a contract with the company that you represent or fulfil our obligations under the contract or law towards that company. If you have any doubts or concerns about providing certain personal data, please contact us (see section 8 below) for further information.
We may need to share your personal data with others to provide our services as well as to comply with laws and regulations. This includes:
- IT service providers who manage the necessary operation, technical support, and maintenance of our IT solutions, such as internally used systems, platforms and hosting services.
- Bank and payment service providers whose services we use to manage our payment transactions.
- Group companies.
Providers of analytics services (currently Google Analytics and Hotjar).
- Providers of social media platforms (Pinterest, LinkedIn, Instagram, Facebook och YouTube).
- External advisors and consultants who help us in different areas of our business (such as lawyers and auditors).
- Potential buyers in case of a merger, an acquisition or a sale of all or parts of our assets.
- Authorities in the event of an authorized request.
- Courts in the event of a dispute or other proceedings.
We strive to process your personal data within the EU/EEA area. However, in some situations it may be processed outside the EU/EEA (including in the USA), such as when we share your personal data with providers of analytics services operating outside the EU/EEA.
We always ensure that your personal data enjoys a high level of protection, even when the personal data is processed outside of the EU/EEA. In most cases, the importing party will reside in a country that has been deemed to offer adequate protection by the EU commission (such as the United Kingdom and New Zealand)] or adheres to the EU-US Data Privacy Framework (GDPR, article 45). If not, we will enter into the EU Standard Contractual Clauses (GPDR, article 46). In addition, we take additional technical and organisational security measures when needed.
Right of access
You have the right to know if we process personal data about you or not. If we do, you also have the right to receive information about the personal data we process and why we do it. Further, you have the right to receive a copy of all personal data we have about you. If you are interested in any specific information, please indicate this in your request. For example, you can specify if you are interested in a certain type of information, such as the specific contact details we have about you, or if you want information from a certain time period.
Right to rectification
If the personal data we hold about you is inaccurate, you have the right to have the personal data corrected. You also have the right to complete incomplete personal data, including by providing supplementary information. Once we have corrected or completed your personal data, we will inform those we have shared your personal data with (when applicable) about the update, if it is not impossible or too cumbersome. If you ask us, we will also tell you who we have shared your personal data with. If you request to have data corrected, you also have the right to request that we restrict our processing during the time we investigate the matter.
Right to erasure (right to be forgotten)
In certain cases, you have the right to request that your personal data are erased, e.g.:
- If the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, or
- When the personal data have been unlawfully processed.
If we erase the personal data following your request, we will also inform those we have shared your personal data with (when applicable), if it is not impossible or too cumbersome. If you ask us, we will also tell you who we have shared your personal data with.
Right to request restriction
Restriction means that the personal data are marked so that it may only be used for certain limited purposes in the future. The right to restriction applies:
- When you believe the personal data are inaccurate/incomplete and you have requested rectification. If so, you can also request that we restrict our processing while we investigate if the personal data are accurate/complete or not,
- If the processing is unlawful but you do not want the personal data to be erased,
- When you have objected to the processing and during the time we verify our legitimate grounds, or
- When we no longer need the personal data for the purposes for which we collected it, but you need it to be able to establish, exercise or defend legal claims.
Even if you have requested that we restrict our processing of your personal data, we have the right to use it for storage, to assert or defend legal claims or to protect someone else’s rights. We may also use the personal data for reasons relating to important public interest. We will let you know before the restriction expires.
If we restrict the processing of your personal data, we will also inform those we have shared your personal data with (when applicable), if it is not impossible or too cumbersome. If you ask us, we will also tell you who we have shared your personal data with.
Right to object
You have the right to object to processing that is based on our legitimate interest. If you object to the use, we will, based on your situation, evaluate if our interests in using the personal data outweigh your interests in the personal data not being used for that purpose. If we are unable to provide compelling legitimate grounds that override yours, we will stop using the personal data you object to – provided we do not have to use the data to establish, exercise or defend legal claims. If you object to the use, you also have the right to request that we restrict our use during the time we investigate the matter.
You always have the right to object to, and unsubscribe from, direct marketing.
Right to data portability
If the processing is based on your consent or an agreement between us, you have the right to obtain personal data that you have provided to us in a structured, commonly used and machine-readable format and transfer it to another controller (“data portability”). Please note that we seldom use one of these legal bases to justify our processing.
Right to withdraw consent
You have the right to withdraw your consent for a specific processing at any time. Your withdrawal will not affect processing that has already been carried out. Please note that we seldom use consent to justify our processing.
How to exercise your rights and right to complain
If you want to exercise any of your rights, please contact us using the below contact information.
If you have any objections or complaints about the way we process your personal data, please let us know and we will do our best to help you. You also have the right to lodge a complaint with the supervisory authority where you live, work or where you believe an infringement has taken place. In Sweden, the supervisory authority is the Swedish Supervisory Authority for Privacy Protection (IMY) (Integritetsskyddsmyndigheten Box 8114, 104 20 Stockholm, imy@imy.se).
If you have any questions about this privacy notice and how your personal data are processed, please use the contact details below.
Address: Elfa International AB, Lilla Nygatan 7, 211 38 Malmö
E-mail address: dataprotectionofficer@elfa.com
We reserve the right to change this privacy notice from time to time. We will inform you of any changes by posting the updated privacy notice on our website. If we make any material changes, we will send you a notification by e-mail.
