Privacy Policy

POL 05 rev. 1

1. Privacy policy

At Key2Compliance we are committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, and disclose personal information that we collect from or about you when you visit our website, use our services, or otherwise interact with us. By visiting our website or using our services, you agree to the terms of this Privacy Policy. The Policy is applicable to Symbioteq AB (parent company) and to Key2Compliance AB, K2C Education AB and Key2Compliance Aps (subsidiaries). The responsible company within the group of companies for handling personal data is Key2Compliance AB.

2. Our confidentiality commitments

We commit ourselves to:

  • Handle your information safely and confidentially
  • Not sell your information or forward it without your consent
  • Give you the opportunity to manage and review your data at any time

3. How the law protects you

In addition to our confidentiality commitments, business and partner agreements, your personal data is protected by law and this section explains how it works.

According to the General Data Protection Regulation, (EU) 2016/679 (GDPR), we may only handle personal data if we have a legal reason to do so. This also includes processing outside of our group of companies. The law means we must meet one or more of these reasons:

  • Fulfil an agreement or a contract
  • Comply with legal obligations
  • When it is our legitimate interest/balance of interest
  • When consent is given

Balance of interest means that we can process personal data without consent if our interests weigh heavier than the individual’s and the processing is necessary for the particular purpose.

4. Collection of information

Key2Compliance may collect and process the following information about you, based on type of relationship:

4.1 Employees

4.1.1 Collected personal data

  • Contact information: full name, date of birth/personal identification number, e-mail address, address, phone number, emergency contact information, photo
  • Payroll/taxation related data: bank name, account number, account holder name, information about employee’s children (only when required by local legislation), health information as required by local law (e.g. sick leave information), union memberships, taxation information, salary and benefits information, worked hours, type of absence/leave, holidays
  • Facility access (some of our offices): name, company, position, email, social security number, phone number, registration number of car (in case of parking option), photo
  • Employment history, job qualifications and education
  • Communications and usage: Network connectivity, internal websites visited and applications used

4.1.2 Purpose and legal basis for processing

Key2Compliance collects and processes the information for the following purposes:

  • Contractual purposes:
    • To manage and administer employment-related activities, such as payroll, benefits, pension and insurance
  • Legal obligations of Key2Compliance:
    • To comply with legal and regulatory requirements, such as tax and labor laws
    • Processing of sensitive data, such as health related data or social security related information, which will only be processed when required by law
  • Legitimate interest
    • To communicate with employees regarding employment-related matters. Also, information such as name and photo may be published on Key2Compliance’s internal channels for internal communication.
    • To provide a safe and secure workplace
    • Allocate resources
  • For any other purpose with your consent

4.2 Customers (purchasers or potential purchasers of products and services)

4.2.1 Collected personal data

    • Contact information: full name, e-mail address, company name and address, phone number
    • Information provided via web forms, e.g. during registration to Key2Compliance events, courses or newsletter
    • Payment/invoice related information: company and company number, payment & bank information, full name of the invoice approver, job title

4.2.2 Purpose and legal basis for processing

Key2Compliance collects and processes the information for the following purposes:

  • Contractual purposes:
    • To provide our services to you
    • To issue and process invoices and payments
  • Legitimate interest
    • To process and fulfil your orders or requests
    • To communicate with you about our services
    • To send you marketing communications about our services or to conduct market research
    • Engaging with other business partners
    • To maintain a safe, secure and efficient use of internal information, ensure that business critical information and other assets are safe and protected
    • Planning of work and allocation of resources
    • We may also send you promotional materials or communications regarding services provided that we believe may be of interest to you. You may at any time request that we discontinue sending you emails

4.3 Participants in courses and events

4.3.1 Collected personal data

    • Registration information when you sign up for a course: full name, email, phone, company address, country
    • Payment/invoice related information: company and company number, payment & bank information, full name of the invoice approver, job title
    • Records of test results: name, email and IP address
    • Note: We use online payment and security providers. Card details included in the booking process are entered directly with the provider, and your card information is never entered or stored in any of our systems. Once a payment is approved, the provider sends us a validated payment confirmation, which we store on our system. For the privacy policy of our payment provider, see Privacy Policy (stripe.com)
    • Profile and user data. This includes the profile you create to identify yourself when you connect to our websites, portals or apps and other web services. It also contains other information about how to use these services. We collect this data from devices you use to connect to these services, such as computers and mobile phones, using cookies and Google Analytics / Google Ads.

4.3.2 Purpose and legal basis for processing

Key2Compliance collects and processes the information for the following purposes:

  • Legitimate interest:
    • To provide our services to you
    • To issue and process invoices and payments
    • We may also send you promotional materials or communications regarding services provided that we believe may be of interest to you. You may at any time request that we discontinue sending you emails
    • To issue certificates of performed courses
    • To request course feedback

4.4 Partners and sub-consultants

4.4.1 Collected personal data

    • Contact information: full name, date of birth/personal identification number, e-mail address, address, phone number
    • Payment related information: company and company number, payment & bank information, working time
    • Employment history, job qualifications and education
    • Performing and planning work such as availability, information supporting quality assurance process and applications for available assignments, searchable CV data that may be communicated to customers
    • Supplier qualifications and evaluations
    • Instructors, information on website: Picture, name and relevant experience

4.4.2 Purpose and legal basis for processing

Key2Compliance collects and processes the information for the following purposes:

  • Contractual purposes:
    • Entering into and performing business contracts with you
    • To manage and administer payment-related activities
    • To deliver professional services and products
  • Legitimate interest
    • To communicate with you
    • To communicate with customers about our services
    • Planning of work and allocation of resources

4.5 Employee candidates

4.5.1 Collected personal data

    • Contact information: full name, e-mail address, address, phone number
    • CV related information: photo, job title, work experience, education, skills
    • Other data provided by the applicant. Note that we do not need a personal identification number

4.5.2 Purpose and legal basis for processing

Key2Compliance collects and processes the information for the following purposes:

  • Legitimate interest
    • Managing job applications
    • Communicate with you

4.6 Website visitors and email subscriptions

4.6.1 Collected personal data

    • Cookie provided information: IP address and how and when you have used the website. See more below regarding use of cookies
    • Contact information when registering for email subscriptions or requesting that we contact you: full name, email, phone

4.6.2 Purpose and legal basis for processing

Key2Compliance collects and processes the information for the following purposes:

  • Legitimate interest
    • To be able to communicate with you
    • We may also send you promotional materials or communications regarding services provided that we believe may be of interest to you. You may at any time request that we discontinue sending you emails

5. Protection of personal information

We use reasonable and appropriate physical, technical, and administrative measures to protect the confidentiality and security of employee personal information, including using encryption and secure data storage (see more information under Data security). We limit access to employee personal information to only those employees, contractors, and service providers who require the information to perform their duties.

6. How we share your information

We may share your personal information with third-party service providers who perform services on our behalf, such as payment processors, customer service providers, and marketing service providers. We may also share your personal information with third parties if we believe it is necessary to comply with a legal obligation or to protect our rights or the rights of others.

6.1 Sending personal information outside the EEA area

In the event Key2Compliance transfers personal data to a processor outside the EU/EEA, Key2Compliance has ensured that the processor’s level of protection is adequate by verifying that any of the following requirements are fulfilled:

  • the EU Commission has determined that the level of protection is adequate in the third country where the data is processed;
  • Key2Compliance and the processor have both signed up to the EU Commission’s standard contract clauses for data transfer to non-EU/EEA countries; or
  • the processor has taken other appropriate safeguards prior to the transfer and that such safeguards comply with applicable data protection legislation.

7. How we use your personal information for automated decision making

We sometimes use systems to make automatic decisions based on personal information we have – or may collect from others – about you. It helps us to ensure that our decisions are quick, fair, effective and accurate, based on what we know. These automated decisions may affect the products, services or features we can offer you now or in the future, or the price we charge you for them.

See below for the types of automated decisions that we can make:

7.1 Pricing
  • We can decide what to charge for certain products and services based on the overall information (e.g., quantity discounts when multiple people from the same company sign up for a course)
7.2 Customize products and services
  • We can place you in groups with similar customer needs, so-called customer segments. We use these to study and learn about our customers’ needs and make decisions based on what we learn. It helps us to design products and services for different customer segments and manage our relationships with them.

8. If you choose not to share your personal information

We may need to collect personal data by law or under the terms of an agreement we have with your employer or you.

If you choose not to give us access to your personal information, it may delay or prevent us from fulfilling our commitments and obligations. It may also mean that we cannot perform our services. This may mean that we cancel or terminate a delivery of product or service you have with us.

It will be clear which data is mandatory and which is voluntary at the time of data collection.

9. Marketing

We may use your personal information to tell you about relevant products, services and offers.
This is what we mean when talking about “marketing.”

The personal information we have about you consists of what you tell us, the data we collect when you use our products and services, or from any third party we cooperate with.

We assess your information to understand what you may want or need, or what may be of interest to you. This is how we find out what products, services and offers may be relevant to you.

We can only use your personal data for marketing purposes if we have your consent or if our interest weighs heavier, so-called Balance of interest. In this way, we have a business or commercial reason to use your information, but it should not lead to unfair processing of your information and in no way infringe your rights.

You may at any time ask us to stop sending you promotional messages by contacting us.

We may ask you to confirm or update your information if you purchase products or services from us in the future. We will also ask you the same if there are changes in the law, regulations or structure of our business.

If you change your mind, you can at any time update your information by contacting us.

10. Retention period

How long your personal data is stored depends on usage, system and purpose; see below:

  • The basis for orders and invoicing is stored for 7 years according to the Swedish Accounting Act
  • Communication that forms the basis for agreements/contracts and complaints is stored as long as the case is still open and current, or the length of the validity of the agreement
  • Inquiries and order documents that do not need to be archived as described above are deleted after 24 months by automatic deletion processes
  • Customer database information is saved as follows:
    1. Suspects, i.e., possible customers according to Balance of interest – until cancellation
    2. Prospects, i.e., received inquiries – until cancellation
    3. Customers, i.e., product and services orders – until cancellation
    4. Data on unsubscribed or relocated individuals is stored separately if the information is the basis for course certification, however, max 7 years after last contact
    5. Data on unsubscribed individuals is stored separately and blocked to avoid re-introduction
    6. Other data that cannot be updated is deleted immediately
  • Signature lists and information for course administration are saved for 7 years and then deleted
  • Information in other portals for information and consent subscriptions as above
  • Information saved by suppliers with access to personal information as above and in accordance with a data processor agreement

We may handle your personal information for an indefinite period and if we do, we will ensure that your privacy is protected and secure and we commit to using the information for its specified purposes only.

11. Security measures

Key2Compliance has implemented appropriate technical and organisational measures to ensure that the Data Subject’s personal data is processed in a secure manner and that they are protected from loss, abuse and unauthorised access.

12. The Data Subject’s rights

This section describes your rights related to your personal information. Please contact us if you want to exercise your rights.

Access – The Data Subject is always entitled to be given information about the collection and use of the personal data being processed about him/her.

Rectification – If the personal data that Key2Compliance processes about the Data Subject is inaccurate, the Data Subject has the right to have the information rectified.

Erasure – The Data Subject has the right to have his or her personal data erased in the following cases:

  • the data is no longer needed for the purposes for which it was collected;
  • the data is processed unlawfully;
  • the processing of data is not necessary in order to comply with applicable laws or legislation or to determine, make or defend legal claims; and
  • the processing of data is not permitted for archiving, research or statistical purposes.

Data portability – Upon the Data Subject’s request, Key2Compliance shall disclose personal data which the Data Subject has provided about herself/himself or which has been received by Key2Compliance in connection with an agreement entered into between Key2Compliance and the Data Subject. The Data Subject shall receive its personal data in a commonly used and machine-readable format which the Data Subject can then transfer to another personal data controller.

Right to complain – If the Data Subject suspects that Key2Compliance processes its personal data in a way that violates applicable data protection legislation, the Data Subject has the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) (Sw. Integritetsskyddsmyndigheten) or any other competent supervisory authority.

13. Cookies

We are committed to protecting your personal information (anonymously or otherwise) that we collect about you online. The following describes how we use cookies and why and how this will help us improve our service. It also describes how you can handle which cookies are stored on your device.

By using our websites (via a device) you agree to the use of cookies.

Cookies are files that contain small amounts of information downloaded to the device you use when you visit a website. Cookies are then sent back to the original website at each subsequent visit or to another website that recognizes that cookie. Cookies do many different and useful jobs, such as managing information in forms, remembering your preferences and improving your online experience. There are different types of cookies, but they all work the same way, with marginal differences.

Our site uses session cookies that are stored temporarily in the computer’s memory while a visitor is on a web page. Session cookies disappear when you close your browser. The Google Analytics and Google AdWords services use different types of cookies to measure user interaction on the site. These are saved for different time periods, but no longer than 2 years.

If you wish to restrict or block cookies set on a site – including our sites – you should do so through the browser settings in all browsers you use, on any device you use to access the Internet.

Please note that some of our services will not work if your browser does not accept cookies. However, you can allow cookies from specific websites by making them “trusted sites” in your browser.

Alternatively, visit www.allaboutcookies.org which contains comprehensive information on how to do it on a larger number of browsers.

14. Updates

We reserve the right to change this Privacy Policy. Any changes will be described here and come into effect immediately. Your ongoing and continued use of our websites or services means you agree to these changes.

15. Contact

If you have any questions or concerns regarding this Privacy Policy or the Company’s privacy practices, please contact us at privacy@key2compliance.com
