Last updated 19 February 2019
The controller responsible for your personal data in accordance with applicable data protection legislation is Orio AB (hereinafter “Orio”, “we”, “us” or “our”). Orio is responsible for ensuring that your personal data is processed in accordance with this Policy and applicable data protection legislation.
Contact details for the controller:
Corp. reg. no.: 556602-9277
Address: Flättnaleden 1, 611 45 Nyköping, Sweden
Telephone no.: +46155244000
If you would like to contact us, you are welcome to e-mail or post a letter. Mark letters and e-mails with “GDPR”.
2. COLLECTION OF PERSONAL DATA
We process the personal data that you have provided us when you became a customer of ours or a member, or when you have otherwise contacted us (for example using the form on our website or via customer service). The personal data that we collect include e.g. the following categories of information:
• Names, e-mail addresses and telephone numbers. From corporate customers we can also collect relevant information concerning your position and contact details within the company you represent.
• Information within the framework of the customer relationship, such as customer contact, customer communication, payment and invoice information. Information concerning your car that can indirectly be connected to you is also saved, such as the registration number.
3. PURPOSE AND LEGAL GROUND FOR PROCESSING OF PERSONAL DATA
We process personal data for the following purposes:
3.1 Provision of services and handling of your customer relationship
The primary purpose for collecting your personal data is to provide you with our services and to handle the customer relationship between us and you or the company that you represent. Processing is necessary for fulfilment of the agreement between us pursuant to 6(1) b GDPR.
We process personal data in order to administer the sending of e-mail notifications and text messages to you regarding news about our services, request your feedback or provide you with other relevant information about our services. In this respect, our processing of your personal data is based upon our legitimate interest in providing you with relevant information about Orio and to promote our services pursuant to 6(1) f GDPR. You may at any time choose not to receive such marketing notifications by clicking here.
If you are not a customer of ours but you choose to sign up to our newsletter via any of our platforms, we will obtain consent to such processing pursuant to 6(1) a GDPR.
3.3 Development of technology and services, and information security
We will also process personal data in order to improve the quality of our services and to develop new ones. In these cases, our processing of personal data is based upon our legitimate interest, pursuant to 6(1) f GDPR, in ensuring that we have sufficient and relevant information to develop our services.
3.4 Invoice-related information
We will also process personal data in order to fulfil our legal obligations pursuant to applicable accounting and tax legislation. In these cases, our processing of personal data is based upon our obligation to fulfil mandatory provisions in law, pursuant to 6(1) c GDPR, that require us to store certain information for the purposes of accounting.
4. TRANSFER AND SHARING OF PERSONAL DATA
We may also share personal data with third parties:
• Within the Orio group, in order to carry out our daily business and to the extent required to fulfil our obligations to you.
• When we are required to do so by law, e.g. to meet the demands of an authorised body or in conjunction with legal proceedings.
• When our trusted service-suppliers provide us with service on our behalf and in accordance with the instructions we have given them. We will always control and be responsible for the use of your personal data.
• If we are subject to a merger, an acquisition or a disposal of all or part of our assets.
• When we believe, in good faith, that it is necessary to share personal data to protect our rights, protect your security or the security of others, investigate fraud or respond to an enquiry from the state.
5. TRANSFER OF PERSONAL DATA OUTSIDE EU/EES
The information we collect from you is primarily stored within the EU/EES but may also be transferred and processed in a country outside the EU/EES. In the event of a transfer to a third-party country, we warrant that we take sufficient security measures in accordance with the GDPR. For example, we use a service supplier that stores data in the USA. This company is connected to Privacy Shield, which ensures that a company maintains an adequate level of protection for personal data. You are welcome to contact us if you would like more information.
7. STORAGE OF PERSONAL DATA
Your personal data will only be stored as long as it is necessary to fulfil the purposes defined in the Policy. You will find more detailed information about how long we store your data for each service at the end of this document.
8. YOUR RIGHTS
You have the right to access the personal data that we process regarding you. You have the right at any time to change, update and remove your personal data. You have the right to withdraw your consent at any time (Art. 13(2) point (c) GDPR). Please note, however, that certain information is necessary to be able to fulfil the purposes defined in this Policy and that may additionally be required under law. As a result of this, you cannot remove such personal data.
You have the right to object to certain processing, such as direct marketing and profiling. To the extent required under applicable data privacy legislation, you are entitled to restrict processing of personal data.
In certain cases, you have the right to have the processing of your personal data restricted. If you have the right to have the processing restricted, we may then only – with the exception of storage – continue to process your personal data with your consent or to determine, assert or defend a legal claim, or to protect another natural or legal person, or for reasons concerning important public interest.
You have the right to data portability, i.e. the right to receive your personal data in a structured, commonly-used and machine-readable format and to have these transferred to another data controller, to the extent required under applicable law.
Please send the aforementioned requests to us via the contact details in section 1 at the top of the Policy.
If you are not satisfied with the way we handle your personal data, you have the right to submit a complaint to a supervisory authority in the EU/EES. In Sweden the Swedish Data Protection Authority is the appropriate supervisory authority. You will find the contact details for the Swedish Data Protection Authority on this link.
We maintain an appropriate level of security (comprising physical, electronic and administrative security) to protect personal data from loss, destruction, abuse and unlawful access or unlawful disclosure. For example, we restrict the personal data to authorised employees or consultants who need to know the information to perform their duties.
10. CHANGES TO THIS POLICY
We reserve the right to change this Policy. If we make any changes to this Policy, we will communicate this via our applications and websites, on which we will also keep the most recent version of this Policy available.
11. CONTACT US
If you have any questions concerning this Policy or the personal data we process regarding you, please contact us using the contact details in section 1 at the top of this Policy.