This applies when you consent to our policy
As of May 25, 2018, a European privacy regulation called the General Data Protection Regulation (GDPR) is in effect. Peafowl Plasmonics AB cares about your privacy and personal data. To be able to send you relevant e-mails about our latest news and products, we need your consent to hold your personal data.
The personal data that you provide us with will be used for responding to your questions or requests and will be stored in our systems for administrative and back-up reasons.
At any time, you have the right to:
Request copies of your data, rectification of your data or erasure of your data, object to or restrict our processing of your data and, where our systems allow, be given electronic access to copies of your data in a digital format.
You have the right to rectify any errors in information we hold about you and to change or correct any details you have already given us. Please inform us about changes to your details so that we can keep our records up to date.
You have a right to see a copy of the information we hold about you. Before we agree to this, you must provide us with sufficient irrefutable evidence of your identity and sufficient details of the information you wish to see to enable us to locate it.
If you have any questions about the processing of your personal data or about cookies, or if you want to exercise your rights referred to above, you are welcome to contact us as set out below.
Peafowl Plasmonics AB (reg. nr. 559152-0191)
Ulls väg 33 C, 756 51, Uppsala
Peafowl Plasmonics AB is headquartered in Sweden and as such our lead data protection supervisory authority is the Integritetsskyddsmyndigheten (IMY) (Box 8114, 104 20 Stockholm) in Sweden, www.imy.se/en/.
How data is collected
Your data, such as name and contact information, is collected when you use our website services and provide us with data, e.g. when you make a registration of interest about our products or services or when you apply for a job with us. In order to make a registration of interest, it is mandatory to provide us with certain data. Registration of interest and other data collection can also be made through our business partners' websites, among others LinkedIn, which means that the partner in turn sends the data to us.
We may also collect data such as IP address and behavioral patterns when you visit our website (e.g. which websites you have visited before and how you use our website). Such data is collected through cookies or other similar technology. To see what cookies and services we use, scroll down in this document.
Processing through third party cookies can result in the transfer of personal data to a third country. Such transfer is protected by applicable security measures in compliance with the GDPR.
What are cookies?
Cookies are small text files which are stored on your device, such as a computer, tablet or cellphone, when you visit our website and which make it possible for us to recognize your browser when you visit our website. The cookies contain information about your browser, e.g. the type of browser and screen resolution, and your activity on our website, among other things when and which content you have seen and clicked on and which website you visited before ours.
Which cookies we use and why?
The different types of cookies we use and why we use them are categorized as follows:
Some cookies are necessary for you to be able to use the website and all its functions, e.g. so that we can identify requests from the same browser during a limited session.
Cookie notice (1 year)
Third party cookies
We use Google Analytics to get an estimate of how our visitors navigate the website, which parts of the website are visited the most and the amount of time spent on the website. Through this we can obtain statistics and a good overview of the use of our website. Such information helps us to develop and improve our website, increase the functionality and offer a better user experience for our visitors. In addition, we use the information for analysis and marketing measurements.
Other tracking technologies
Web pages and emails from Peafowl Plasmonics AB may contain a small transparent image file or line of code (known as web beacons/gifs, page tags, script) to record how you interact with them. These are used to help us better analyze and improve our services based on your browsing behavior and interests, for example by knowing which web pages you visit or which elements of a page you viewed, when and for how long, whether you viewed and/or clicked on a link on the website or whether you opened or clicked on marketing emails sent to you.
How you can limit or delete cookies
Why we are processing your personal data and on which legal grounds
We are processing your personal data for the following purposes:
- In order to ensure an effective and secure use of our website and to optimize and improve the user experience of it.
- To analyze statistics and user behavioral patterns on the website.
- To be able to provide individualized services and content adapted according to the data we have about the user.
- To be able to offer targeted marketing including ads, offers and recommendations adapted according to the data we have about the user.
- To contact and communicate with the user if contact is initiated by the user through our website or a business partner's website; and
- to develop and improve the website in order to make adjustments to the users' wishes.
Personal data processing referred to in the list above is necessary for our legitimate interests, including our legitimate interest in good IT and Information security, direct marketing and further development of the website. Unless otherwise specified, the legal basis for these processing operations is therefore a balancing of interests.
Basic principles of Peafowl’s personal data processing
We shall comply with applicable Data Protection Legislation when processing personal data at any time.
We shall only process personal data in a lawful, correct and transparent manner in relation to the data subject and the controller. This means, among other things, that our personal data processing must follow these basic principles:
- Documented personal data liability: For each processing of personal data, where we determine the purpose and means, there shall be one or more companies within the company that have been deemed to be the data controller. Responsibility for processing where companies within the company are the data controller must be documented in the Processing Register.
- Legal basis: Any processing of personal data shall be carried out on the basis of a documented legal basis.
- Purpose limitation: The data shall be collected for specified, expressly stated purposes and shall not subsequently be processed in an incompatible manner.
- Purpose limitation: Only personal data that is adequate, relevant and not too comprehensive in relation to the purpose shall be collected.
- Accuracy: The data shall be accurate and up-to-date and it shall be possible to trace changes.
- Storage minimization: The data may not be kept for longer than is necessary in relation to the purpose.
- Confidentiality: Personal data shall be protected by appropriate technical and organizational security measures to prevent unauthorized processing and loss, destruction or corruption of the data.
When the processing of personal data is legal
General legal basis
The processing of personal data is only legal if at least one of the following conditions is met:
- The data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes.
- The processing is necessary for the performance of a contract in which the data subject is a party or to take action at the request of the data subject before such contract is concluded.
- The processing is necessary in order to fulfil a legal obligation where the responsibility lies with the controller.
- The processing is necessary to protect interests of fundamental importance to the data subject or to another physical person.
- The processing is necessary for the performance of a task of general interest or as a part of the controller’s exercise of authority.
- The processing is necessary for the purposes relating to the legitimate interests of the controller or a third party unless the interests or fundamental rights and freedoms of the data subject outweigh and require the protection of personal data.
The legal basis for our processing of personal data shall be determined and documented in the controller’s Processing Register. In case of uncertainty, consultation shall take place with our Data Controller.
Legal basis for personal data processing in recruitment
The processing is necessary to be able to handle the application from you who apply for a job with us and is based on the consent you give in connection with your application. We have no interest in knowing trade union, religious beliefs, sexual orientation, political opinions, any illnesses, or other information that is irrelevant to the recruitment process, and it is therefore important that you do not provide such sensitive data in connection with your application or in a later communication in the recruitment process. Social security number should not be sent; the date of birth is sufficient.
For certain specific processing operations, you may receive additional supplementary or differing information about the individual processing of your data.
Rights of the data subject
A fundamental aspect of the GDPR is that it contains certain statutory and mandatory rights for data subjects whose personal data are processed.
If a person wishes to know what information is registered about him or her, the person shall submit a written and self-signed request to Peafowl.
The data subject also has the right to withdraw any consent given. The withdrawal of consent shall not affect the legality of processing based on consent before it is revoked.
The data subject has, among other things, the right to:
- You have the right to access your personal data, which means that you have the right to receive confirmation of whether personal data relating to you is being processed and if so, also access the personal data and certain additional information about the processing.
- You have the right to data portability which means that in certain circumstances you have the right to receive such personal data about you that you provided to us, in order for you to be able to transfer the personal data to another controller.
- You have the right to rectification, erasure or restriction of your personal data and the right to object to the processing.
- You have the right to complain to your national data protection agency (in Sweden IMY) if the processing of your personal data does not meet the requirements of EU/EEA data protection legislation.
- You have the right to withdraw your consent if and to the extent that you have given special consent to certain processing.
- You have the right to object when processing is based on a so-called balancing of interests according to Article 6.1 (f) of GDPR.
- You have the right to object to direct marketing when processing your personal data. In this case, the personal data shall no longer be processed for such purposes.
Storage and deletion of personal data
According to data protection law, personal data may not be stored for longer than permitted by law, or otherwise necessary for the purposes for which the data is processed. Data that may no longer be stored shall be permanently deleted and destroyed (thinning). Under special conditions, thinning can be carried out by anonymizing personal data instead of destroying it. Anonymization means that any information that makes it possible to trace the data to a data subject is irrevocably deleted.
If there are certain laws or regulations that require the storage of personal data for a certain period of time, such as in tax, accounting or money laundering legislation, such provisions apply before the GDPR. For example, the Accounting Act states that accounting information must be kept for seven years from the year in which the financial year ended.
The main rule within the company is that personal data that is not subject to certain laws or regulations (in addition to data protection legislation) should be deleted when we no longer need the data to fulfil the purposes of the processing.
Security in the processing of personal data
Peafowl shall take appropriate technical and organizational measures to prevent the destruction, altering or distortion of personal data. This means that a security assessment needs to be made on a case-by-case basis and that different processing/systems require different levels of security measures depending on the sensitivity of the information, the risk of intrusion (and other risks) and vulnerability.
Before we start processing personal data, an initial risk analysis must be carried out to take a position on:
- The technical and organizational security measures appropriate for the processing in question, based on an assessment of information sensitivity, relevant risks and vulnerabilities.
- Whether the processing is adapted from the outside and meets our requirements regarding privacy by design and information security.
- Whether the processing is likely to pose a high risk to the rights and freedoms of the data subject, for example through the use of new technologies or by the fact that data subjects cannot be expected to know that they are subject to the processing. If such high risk is identified, our Data Controller shall be informed and determine whether further analysis in the form of a Data Protection Impact Assessment is necessary.
Transfer of personal data
Personal data may be transferred to external parties with or without a personal data assistant agreement, depending on whether the recipient processes the data on Peafowl’s behalf or on its own account. In all cases, there must be a legal basis for the transfer and only the data that needs to be transferred shall be transferred. The transfer shall be documented in an appropriate manner.
Transfer to data processors
Peafowl may transfer personal data to external parties that process personal data on our behalf and according to our instructions. Such an external party is a data processor assistant to us and shall always sign a personal data assistant agreement with Peafowl. Our Personal data controller is responsible for keeping such templates updated and in accordance with applicable Data Protection Legislation from time to time.
Transfer to parties with their own personal data liability
Peafowl may transfer personal data to other external parties which have their own personal data liability, provided that we have a legal basis for such transfer. Such legal basis may be, for example, that the transfer constitutes a legal obligation for us, or a customer agreement that gives us the right to transfer the data.
Transfer of personal data to a third country
If and to the extent our personal data processing involves the transfer, storage or other processing of personal data outside the EU/EEA, further measures are required for the processing to be lawful. It is sufficient that the personal data is accessible from outside the EU/EEA, or that certain infrastructure or resources are outside the EU/EEA, for further action to be necessary. When transferring personal data outside the EU/EEA, the data subject shall be informed of the purpose and scope of the transfer.
The measures we take to ensure that personal data processing outside the EU/EEA is legal must always be documented and approved by our Data Controller.
Request by the authority for information
Peafowl and its employees are obliged to provide information about our personal data processing and related circumstances if requested by the Privacy Protection Authority. Other authorities may also have the right to receive information that contains personal data from us, such as the Enforcement Authority, the Swedish Tax Agency or the Swedish Economic Crime Authority. There may also be an obligation to disclose information to the police or prosecutors in the event of a criminal investigation, with information being disclosed only at the written request of the lead investigator and prosecutor.
In addition to regular and mandatory transfers of personal data to authorities that we have a legal obligation to report to (e.g. salary data to the Swedish Tax Agency and information about sick leave to the Swedish social insurance), personal data shall be disclosed to the authority only after consultation with our Data Controller.
Our Data Controller is responsible for contact with the Privacy Protection Authority. All contacts with the Privacy Protection Authority, or other authorities regarding personal data processing issues, on behalf of Peafowl shall be referred to our Data Controller.
Our Data Controller shall report annually or if necessary to management about our processing of personal data and, in addition, immediately report to management if serious flaws, privacy risks or problems arise.
- If the processing is adapted from the outside and meets our privacy by design and information security requirements.
- Number of personal data breaches
- Any contact with the Privacy Protection Authority; and
- Changes in applicable Data Protection Legislation and supervisory practices regarding the processing of personal data.