Data sharing in Sweden
The following information is relevant to the Azets companies registered in Sweden, as listed in the Azets Group of companies chart. In addition to the processing activities described in the main body of this policy, the Swedish Azets group companies process personal data for the following purposes:
Processing Activity | Lawful Basis |
|---|---|
The Azets Barometer survey to individuals who have requested to receive the results) | Consent |
UX research – identification and contact of prospective interview participants (processing of personal data to identify and contact suitable users for UX interviews and usability tests in order to conduct user research and product development) | Legitimate interest |
UX research – recording of interviews (recording of UX interviews in order to analyse how users interact with products and prototypes, identify usability issues and document user feedback) | Consent |
UX research – database of future interview participants (building and maintaining a database of individuals who have consented to being contacted for future UX interviews) | Consent |
Direct recruitment and proactive candidate sourcing (processing of personal data collected proactively from publicly available sources such as LinkedInTM, for the purpose of identifying and contacting potential candidates for current or future vacancies) | Legitimate interest |
Sharing of personal data
Table of organisations or types of organisations with which personal data may be shared
Organisation or category of organisation | Lawful basis for data sharing |
|---|---|
Agencies who provide credit referencing, identity verification checks, adverse media checks, sanction screening, PEP checks, KYC//anti-money laundering checks and fraud prevention services | Legal obligation or legitimate interest if there is no legal obligation |
Banks and other financial institutions | Legitimate interest |
Government agencies for immigration status, visas and right-to-work information (Migrationsverket in Sweden) | Legal obligation |
National anti-fraud and anti-money laundering authorities (Finanspolisen, Finansinspektionen in Sweden) | Legal obligation |
National prosecution authorities for criminal cases (Åklagarmyndigheten in Sweden) | Legal obligation |
National employment authorities (Arbetsförmedlingen in Sweden) | Legal obligation |
National bankruptcy and insolvency authorities (Kronofogdemyndigheten in Sweden) | Legal obligation |
National business administration authorities (Bolagsverket in Sweden) | Legal obligation |
National Revenue, Customs and Excise authority (Skatteverket in Sweden) | Legal obligation |
Pension Providers | Performance of a contract |
Police (Polismyndigheten in Sweden) e.g. criminal cases | Legal obligation |
Regulators including: Revisorsinspektionen, FAR, Finansinspektionen and the Swedish Association of Chartered Accounting Consultants (SRF) | Legal obligation |
Other accountants/Specialist accountancy advisors | Legitimate interest |
Targets e.g. for Corporate Finance purposes | Legitimate interest |
CRM system providers | Legitimate interest |
Electronic signature and identity verification providers | Legal obligation |
Contract management system providers | Legitimate interest |
Video conferencing and communication platform providers | Consent |
Cloud storage and document management providers | Legitimate interest |
Ticket system and support platform providers | Legitimate interest |
Webinar platform providers | Legitimate interest |
Marketing automation and email distribution platform providers | Consent |
Market research companies (conducting surveys on behalf of Azets) | Consent |
Accounting and bookkeeping software providers | Legitimate interest |
Client portal providers | Legitimate interest |
External auditors | Legitimate interest |
Retention periods
The Swedish Azets companies retain personal data for as long as is necessary to provide their services and to fulfil the purposes set out in this policy. Different types of data may be retained for different periods depending on the criteria set out below. As a general principle, personal data will be retained for the longest of the following periods: (i) as long as is necessary for the relevant activity or services; (ii) any retention period that is required by applicable law; and (iii) the end of the period in which litigation or investigations might arise in respect of the services provided. Azets uses the following criteria when determining relevant retention period, if it is not specified by law:
Criteria for determining retention periods in Sweden
- How long is the personal data needed for the Swedish Azets companies to provide their services?
This includes, among other things, maintaining and improving their systems, managing the data subject's engagements or other agreements the Swedish Azets companies have with the data subject, protecting their systems and administering necessary business and accounting information. This is the general rule that forms the basis for calculating most retention periods. - Is the personal data of a sensitive nature?
Where the Swedish Azets companies process special categories of personal data, the retention period will generally be shorter and limited to what is strictly necessary for the purpose for which the data was collected. - Are there legal, contractual or similar obligations to retain the data?
Examples include mandatory data retention legislation, such as the Swedish Bookkeeping Act (Bokföringslag 1999:1078) which requires retention of accounting records for a minimum of seven (7) years, the Swedish Anti-Money Laundering Act (Lag 2017:630) which requires retention of customer due diligence records for a minimum of five (5) years, and the Swedish Auditors Act (Revisorslag 2001:883) which requires retention of audit documentation for a minimum of ten (10) years. Other examples include government orders to retain data relevant to an investigation, or data that must be retained in order to resolve a potential dispute having regard to applicable limitation periods under Swedish law. - Has the data subject consented to a longer retention period?
Where applicable, for example in the context of recruitment, the Swedish Azets companies may retain personal data for a longer period with the data subject's consent, such as for the purpose of future employment opportunities. - Legitimate interest assessments: where personal data is processed on the basis of legitimate interest, the retention period is determined by reference to the purpose for which the data was collected and is reviewed periodically to ensure that continued retention remains necessary and proportionate
- Recruitment data: personal data collected from unsuccessful employment applicants is removed after the conclusion of the recruitment process, unless the applicant has consented to a longer retention period for the purpose of future employment opportunities;