Privacy Policy

 

 1.                          Introduction
 

1.1                       General

This privacy policy (the “Privacy Policy”) concerns all processing of Personal Data within Bulten AB (publ) including its subsidiaries (“Bulten”). The purpose of this policy is to explain how Bulten collects and uses Personal Data. The policy also explains your rights as a Data Subject. 

 

1.2                       Privacy Policy responsibility

Responsibility for the Privacy Policy rests with the Personal Data Coordinator. This Privacy Policy is to be reviewed and revised as needed. The Personal Data Coordinator is responsible for ensuring that this occurs.

2.                          Scope

Bulten is committed to maintain the highest standards of its processing of Personal Data whether such data relates to an employee of Bulten or a customer, supplier, job applicant or other stakeholders. It is the policy of Bulten to require its managers and employees, wherever located, to comply with all applicable legal and regulatory requirements.

Any questions concerning the applicability of these procedures should be directed to the Personal Data Coordinator. The contact information of the Personal Data Coordinator is:

 

Claes Lundqvist, Information Security

dataprotection@bulten.com

+46 31 7345934

+46 70 7730599

 

3.                          General Data Protection Considerations

Bulten AB (publ) is considered to be the Data Controller of Bulten. The Data Controller strives to always protect Personal Data from unauthorized access, disclosure, alteration or destruction. Bulten´s operations are subject to the requirements of various national data protection laws, in particular European data protection laws, but also other laws and in other jurisdictions, as well as European data protection authorities, which impose certain limitations and procedures on processing of Personal Data. Some processing is required by law and therefore always legitimate, such as the processing of Personal Data relating to health and union affiliations for the purpose of the administration of sick pay, rehabilitation of employee, fulfilment of obligation to negotiate with unions and union fee deduction on salary and in order for Bulten to otherwise perform its obligations or exercising its rights under employment law. Further, the Personal Data is processed for the purpose of Bulten´s reporting obligations according to applicable law, e.g. to unions and authorities such as tax and social insurance. However, almost all countries’ data protection law stipulates a requirement to inform the data subject of its rights to access its data and to correct and amend such data.

 

4.                          Data subjects

4.1.1 Bulten will hold, process and transfer Personal Data regarding its employees, employees’ next of kin, job applicants, customers, suppliers and other stakeholders for the purpose of conducting business activities. This Personal Data is used solely for legitimate employment and business purposes, and it is only disclosed to those who are authorized to use it for these purposes.

4.1.2                    The Personal Data is not collected uniformly within Bulten as the subsidiaries are subject to different national legislation which are providing different legal requirements for the processing of Personal Data. However, Bulten does not intend to process any excessive data that is not required by the specific business unit within Bulten.

4.2                       Employees

4.2.1 Bulten will, as a part of its normal business activities, process its employees’ Personal Data e.g. name, address, telephone number , social security number/national insurance number, personal identity number or employment number etc.

4.2.2                    The information will be used for administration, evaluation and development of the employment relationship.

4.3                       Job applicants

Bulten will, as a part of its normal business activities, process Personal Data relating to job applicants. Such Personal Data is mainly provided by the job applicant but can also be gathered by Bulten from the job applicant’s previous employers or from any third party or source such as the Internet. The Personal Data consists of data submitted by the job applicant, normally in a C.V. Such Personal Data shall only be processed for the purpose of evaluating the job applicant for the intended position or for another position which Bulten deems appropriate from time to time. In the event Bulten wishes to retain the job applicant’s Personal Data after the intended position has been appointed, Bulten shall inform the job applicant of such storage. In no event shall such Personal Data be stored for a longer time than necessary for the purpose of its processing or in conflict with any applicable data protection law.

4.4                       Customers, suppliers and other stakeholders

Bulten will, as a part of its normal business activities, process Personal Data relating to customers, suppliers and other stakeholders. Such Personal Data is mainly provided by the contact person at respective customer, supplier or by other stakeholders. However, the Personal Data may also be gathered from any third party or source such as the Internet. The Personal Data consists of name, telephone number, e-mail address and other data necessary to fulfil any customer/supplier agreement or obligation. In no event shall such Personal Data be stored for a longer time than necessary for the purpose of its processing or in conflict with any applicable data protection law.

5.                          Transfer of Personal Data

In the course of Bulten´s business and following this Privacy Policy, Bulten AB (publ) and its subsidiaries may find it necessary to transfer or coordinate Personal Data to subsidiaries within or outside the Company Group and within or outside EU. Such transfers to Processors can be to e.g. the Company Group’s subsidiaries, authorities, federations of trade unions and insurance associations, inter alia within the computer network of Bulten, to fulfil obligations according to law or contracts. Further purposes of such transfers may be the duty to report to authorities, the need of supplying information for cooperation within Bulten and internal and external marketing.

 

5.1                       Transfer of Personal Data within Bulten

An important requirement under EU data protection laws is that Personal Data only may be transmitted from any entity in an EU member state to an entity outside of the EU or EEA where the destination country provides an “adequate” level of protection for the data. Some of the subsidiaries within Bulten are, or may be, based in countries that from time to time are not considered “adequate” by the EU, and special precautions are required if the data is transferred to a Third country. However, the data will normally only be transferred from the subsidiary outside the EU to Bulten´s main offices within the EU, and not the other way around. Third countries may have slightly different rules, which this Privacy Policy shall not be in conflict with. Personal Data will be transferred to a jurisdiction outside of Europe, in accordance with this Privacy Policy to the extent applicable under European data protection laws. The appropriateness of forwarding such information will depend on the nature and foremost on the need to transfer the Personal Data. When in doubt as if Personal Data may be transferred, consult the Personal Data Coordinator. Bulten shall always strive to have obtained Consent or see to that measures are taken to ensure that such transfer and processing is permissible under applicable data protection legislation having regard to inter alia the rules on transfers to Third countries (e.g. by use of standard contractual clauses for the transfer of Personal Data to Processors established in Third countries). However, inter alia the necessity of the transfer shall always be assessed and precautions shall be maintained.

5.2                       Transfer of Personal Data outside Bulten

Bulten will, as a part of its normal business activities, transfer Personal Data relating to its employees, job applicants, customers, suppliers and other stakeholders. Such transfers are concerning employees in relation to third parties with whom Bulten has entered into agreements, e.g. banks in order to pay salary; insurance providers in order to provide insurance for the employees; unions in order to fulfil the union obligations; occupational health care providers in order to provide health care; and pensions funds in order to fulfil its pension obligations etc. Any transfer shall be limited to strictly required and necessary Personal Data. Transfer of personal data shall always be assessed and precautions shall be maintained.

5.3                       Data Transfers from countries outside Europe to EU

Other provisions may apply to Personal Data transfer from a subsidiary in a European country that is not part of the EU, of which this Privacy Policy shall not be in conflict with. Personal Data will be transferred to a jurisdiction outside of Europe, in accordance with this Privacy Policy to the extent applicable under European data protection laws.

5.4                       Processors

A Processor and a person or those persons who work under the Processor’s or the Controller’s direction may only Process Personal Data in accordance with instructions from the Controller. Any engagement of a Processor shall be governed by a written agreement of the Processor’s Processing of the Personal Data on behalf of the Controller. Such agreement shall specifically stipulate that the Processor may only process Personal Data in accordance with instructions from the Controller and that the Processor is liable to implement appropriate technical and organisational measures to protect the Personal Data that is processed. The measures shall provide a level of security that is appropriate having regard to (a) the technical possibilities available, (b) what it would cost to implement the measures, (c) the special risks that exist with Processing of Personal Data, and d) how sensitive the Processed Personal Data really is.

6.                          Access and rectification

According to Personal Data law and this Privacy Policy, each Data Subject is entitled to at any time access its records, which shall be for free. According to Personal Data law the request shall be duly signed by the Data Subject and sent to the Personal Data Coordinator.  The Data Subject is entitled to request rectifying, blocking or erasing of its Personal Data that has not been processed in accordance with applicable Personal Data law. There may be deadlines under various data protection laws within which an access request must be addressed, and the Personal Data Coordinator should be consulted when in doubt.

7.                          Security

While Bulten cannot guarantee that unauthorized access will never occur, please be assured that all employees must take great care in maintaining the security of any Data Subject’s Personal Data and in preventing unauthorized access to it through the use of appropriate technology and internal procedures.

8.                          Retention of personal data
8.1                       Employees

Personal Data about employees should not be retained after ended employment. However, some Personal Data may be required by law to be retained for an extended period. Bulten may also retain information for as long as a dispute with a former employee is current. It may also be necessary to retain certain data for administrative purposes, such as payment of pensions. Bulten may retain purely factual information such as “termination due to redundancy”, “dismissal” and “termination due to personal reasons” as well as grades and employment certificates with ratings which Bulten has provided the employee after ended employment relationship.

8.2                       Job candidates

Personal Data in job applications, interview notes and data from references should normally be sorted out when the recruitment procedure has been completed. However, Bulten may retain the information e.g. as long as the job candidate has the opportunity to appeal a negative decision. If Bulten wishes to use any Personal Data for future recruitment purposes, information is required to be provided to the job candidate as well as obtaining his/her consent.

8.3                       Customers, suppliers and other stakeholders

Bulten may not retain its customers’, suppliers´ or other stakeholders´ Personal Data after such relationship has ended, for example, when a contractual agreement regarding goods/services has ended. If Bulten has undertaken to fulfil any warranty obligations, the retention of some Personal Data may be justified until such warranty period has expired.