Nordic Equities Kapitalförvaltning cares about your privacy and always strives for a high level of data protection. This privacy policy explains how we collect and use your personal information in our activities under the rules set out in the EU’s new data protection regulation (EU 2016/679) [Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC] (“GDPR”) It also describes your rights and how you can exercise them.
Nordic Equities Kapitalförvaltning AB, corporate identity number 556571-9126, address Grev Turegatan 7, 114 46 Stockholm, is the controller for the Company’s processing of personal data.
Terminology and definitions
The following terms are used in these guidelines with the meanings stated below:
Personal data refers to all types of information that directly or indirectly can be attributed to a natural person who is alive. Images and sound recordings processed electronically, for example, may be personal data, even if no names are mentioned. Encrypted data and different types of electronic identifiers, such as IP addresses, are considered to be personal data if they can be linked to natural persons.
Processing of personal data refers to everything that happens to the personal data. Every action taken with personal data represents processing, irrespective of whether it is performed in an automated manner or not. Examples of common forms of processing are collection, recording, organisation, structuring, storage, adaptation, alteration, transmission and erasure.
What data do we collect, and for what purpose?
The Company collects and processes personal data in the areas and functions listed below. We process the following categories of personal data for the purposes stated below and on the legal basis indicated in relation to the processing concerned.
Customer relationship
What is the legal basis for the processing?
At the time when a natural person becomes a customer of ours, we process his or her personal data to meet statutory obligations.
What personal data is processed and who are recipients?
Personal data that is processed consists principally of name, address, personal identity number, copy of ID document, e-mail address, telephone number, account details, financial information such as accounts, ownership, transactions, income, the customer’s financial experience and investment goals, propensity to risk, information on family situation, etc. Those who may come into contact with the personal data are the marketing department, back office, the IT department, the financial department, the risk department, auditors, the depositary and authorities.
For what purposes is the personal data processed?
The personal data is processed for the following purposes: performing a transaction with a customer, managing the customer relationship, providing and administering access to products and services, administering customer registers, carrying out suitability assessment in investment services, and carrying out checks to prevent money laundering and terrorist financing. Personal data may also be processed for the purpose of e-mailing interesting offers and advertising, news and other information about the Company and our services and products. As stated in 8.4.3, there is always a right to object to processing for direct marketing.
How long will the data be stored?
The Company never stores data longer than necessary in consideration of the purposes of the processing. The Company therefore carries out regular weeding among personal data and removes data that is no longer needed. In order to fulfil its statutory commitments, the Company needs to retain certain data even after a customer relationship has ended. For example, data must be retained to fulfil statutory obligations regarding taxation or book-keeping or for defence against legal claims. In these exceptional cases, data is stored for between 5 and 10 years (with regard to book-keeping, taxation and time-bars).
Recruitment
What is the legal basis for the processing?
The Company must process certain personal data to enable it to handle applications submitted by the data subjects, conduct interviews and make decisions in a recruitment procedure. The basis of this processing is a balance of interests. When we store personal data for future recruitments in our candidate database, consent is obtained.
What personal data is processed and who are recipients?
Personal data processed by the Company is name, date of birth, address, information about experience and skills, any photographs, etc.
Those who may come into contact with the data are principally the HR officer, senior managers and engaged recruitment firms. In cases where recruitment firms handle recruitment, a data processing agreement is always drawn up with the external actor.
For what purposes is the personal data processed?
To enable the Company to handle applications, interviews and decision-making in a recruitment procedure, we collect and process personal data. We may also retain the personal data in our candidate database for the purpose of contacting the applicant in future recruitments.
How long will the personal data be stored?
The Company never stores data longer than necessary in consideration of the purposes of the processing. The Company therefore carries out regular weeding among stored personal data and removes data that is no longer needed. The Company may, however, need to store the personal data after the recruitment procedure has ended, if we deem it necessary to retain it in order to respond to legal claims that might be lodged against the Company. The period of storage in these cases is 2 years.
We may also retain applications from candidates who are interested in future recruitments in our candidate database. The data is retained for a maximum of 2 years in such cases. The candidates are, however, always given the opportunity to oppose such future contacts.
Marketing
What is the legal basis for the processing?
Personal data may also be processed for the purpose of e-mailing interesting offers and advertising, invitations to seminars, news and other information about the Company and our services and products. The basis for this processing is a balance of interests. As stated in 8.4.3, there is always a right to object to processing for direct marketing.
What personal data is processed and who are recipients?
Personal data processed by the Company is the name and e-mail address and, in certain cases, allergies and diets (principally for seminars and training events).
Those who may come into contact with the data are principally the Company’s administrative department and the marketing department.
How long will the personal data be stored?
The Company never stores data longer than necessary in consideration of the purposes of the processing. The Company therefore carries out regular thinning among stored personal data and removes data that is no longer needed. The Company for the time being stores personal data for marketing purposes.
What is the legal basis for the processing?
Personal data may be processed for other purposes such as responding to enquiries, establishing, exercising and defending legal claims, for example in order to deal with complaints and in connection with a legal dispute, handling, protecting
and developing our systems and services and fulfilling legal obligations.
for example rules of book-keeping.
The basis for this processing is statutory obligation.
What personal data is processed and who are recipients?
Personal data processed by the Company is name, contact details (e.g. address and telephone number), information on previous assignments, log information, information on paid fees, charges and other financial transactions with the data subject.
Those who may come into contact with the data are principally the Company’s administrative department, legal department, financial department and customer complaints officer.
How long will the data be stored?
The Company never stores data longer than necessary in consideration of the purposes of the processing. The Company therefore carries out regular weeding among stored personal data and removes data that is no longer needed. The Company stores documentation in order to respond to enquiries for 24 months from the time when the enquiry was received. The Company applies appropriate time bars in the event of legal claims, etc. In the management, protection and development of its systems and services, the Company stores the data for 12 months from time of the log event. In fulfilling statutory obligations, for example under the Book-keeping Act, the Company stores data for 7 years from the end of the calendar year in which the relevant financial year concluded.
From what sources do we obtain your personal data?
In addition to the data you yourself supply to us, we may also collect personal data from another source (‘third party’). The data we collect from a third party is as follows:
Address information from public registers to ensure that we have the correct address details for you,
Data on creditworthiness from credit rating agencies, banks or reference agencies.
Who may we share your personal data with?
Processors
In cases where it is necessary to enable us to offer our services, we share your personal data with businesses that act as ‘processors’ for us. A processor is an enterprise that processes the information on our behalf and in accordance with our instructions. We have processors who assist us with:
IT services – enterprises that deal with necessary operation, technical support and maintenance of our IT solutions
Suppliers of systems for administration of registers of unit holders
Back-office services – enterprises that deal with administrative actions, for example mailing reports to customers
When your personal data is shared with processors, this takes place solely for purposes consistent with the purposes for which we have collected the information (for example in order to be able to fulfil our commitments under the agreement with you as our customer). We check all processors to ensure that they can provide sufficient guarantees regarding the security and secrecy of personal data. We have written agreements with all the processors (data processing agreements) under which they guarantee the security of the personal data processed and undertake to fulfil our security requirements and requirements regarding international transmission of personal data.
Other independent controllers
We also share your personal data with certain enterprises which are independent controllers. The fact that the enterprise is an independent controller means that it is not we who control how the information to be submitted to the enterprise is to be processed. Independent controllers we share your personal data with are:
Financial and legal advisers, auditors
Credit institutions and financial institutions, insurance providers and brokers for financial services, third parties taking part carrying out orders, settlement or reporting
Third parties that maintain databases and registers, for example credit registers, population registers, trade registers, securities registers or other registers containing or passing on personal data
Credit reference agencies
Participants and/or parties related to domestic, European and international payment systems
When your personal data is shared with an enterprise that is an independent controller, the privacy policy and personal data handling of that enterprise apply.
Where do we process your personal data?
Your personal data is in general processed only within the EU/EEA [but in certain cases may be transmitted and processed in countries outside the EU/EEA].
Transmission and processing of personal data outside the EU/EEA may take place if there is a legal basis, i.e. a legal obligation or consent from the data subject, and there are appropriate safeguards. Appropriate safeguards are that:
An agreement is in place that covers EU standard agreement clauses or other approved clauses, codes of conduct, certifications, etc. approved in accordance with GDPR.
The country outside the EU/EEA where the recipient is located has a reasonable level of data protection which is established by the European Commission
The recipient is certified according to Privacy Shield (applicable to recipients in the United States).
Further information on transmission of personal data to countries outside the EU/EEA can be obtained on request.
How long do we retain your personal data?
We never retain personal data for longer than is necessary for the particular purpose. For the specific storage periods, see under the purpose concerned.
The Data Subject’s rights
Right of access (‘register extracts’)
The data subject has the right to approach the Company in its capacity as controller to request access to the personal data which the Company processes and also be informed, among other things, about the purposes of the processing and who has received the personal data.
In its capacity as controller, the Company has to provide the data subject with a free copy of the personal data that is processed. If any extra copies are requested, the Company may levy an administration charge.
Right to rectification, erasure or restriction of processing
The data subject has the right, without undue delay, to have his or her personal data rectified or, subject to certain conditions, restricted in processing or erased. If the data subject is of the opinion that the Company processes personal data concerning him or her which is incorrect or incomplete, the data subject may require that this be rectified or supplemented.
If the data subject requests that the data be rectified, erased or restricted in processing, the Company in its capacity as controller has a routine procedure of making reasonable efforts to inform each recipient of the personal data about the data subject’s request.
You may request erasure of personal data we process concerning you if:
The data is no longer necessary for the purposes for which it has been collected or processed.
You object to a balance of interests we have done based on legitimate interest and your reason for objecting outweighs our legitimate interest.
You object to processing for direct marketing purposes.
The personal data is processed in an unlawful manner.
The personal data must be erased to fulfil a legal obligation we are covered by.
Personal data has been collected concerning a child (below the age of 13 years) for whom you have parental responsibility and the collection has taken place in connection with offering of information society services (e.g. social media).
Bear in mind that we may have the right to deny your request if there are legal obligations preventing us from immediately erasing certain personal data. These obligations come form book-keeping and tax legislation, bank and money-laundering legislation, but also from consumer legislation.
It may also happen that the processing is necessary to enable us to establish, exercise or defend legal claims. If we are prevented from acceding to a request, we will instead block the possibility of the personal data being used for purposes other than the purpose preventing the requested erasure.
Right to restriction of processing. You have the right to request that our processing of your personal data be restricted. If you contest the accuracy of the personal data, you may request restricted processing for the period we need to verify the accuracy of the personal data. If we no longer need the personal data for the established purposes, but you need it in order to be able to establish, exercise or defend legal claims you may request limited processing of the data by us. This means that you may request that we not erase your data.
If you have objected to a balance of legitimate interest we have done as a legal basis for a purpose, you may request restricted processing during the period we need to verify whether our legitimate interests outweigh your interests in having the data erased.
If the processing has been restricted according to one of the situations above, we may only, beyond the actual storage, process the data in order to establish, exercise or defend legal claims, to protect the rights of another, or if you have given your consent.
Right to object to a particular type of processing
As a data subject, you have the right at any time to object to processing of your personal data if the legal basis for the processing is public interest or balance of interests under Article 6(1)(e) and (f) GDPR.
In cases where we apply a balance of interests as a legal basis for a purpose, it is possible for you to object to the processing. To enable us to continue to process your personal data after such an objection, we need to be able to demonstrate a compelling legitimate reason for the processing concerned that outweighs your interests, rights or freedoms. We are otherwise allowed to process the data only in order to establish, exercise or defined legal claims.
It is also possible for you to object to your personal data being processed for direct marketing. The objection also includes the analyses of personal data (‘profiling’) carried out for direct marketing purposes. Direct marketing means all types of outreach marketing actions (for example by post, e-mail and text message). Marketing actions where you as customer have chosen to use one of our services or have otherwise reached out to us to find out more about our services are not counted as direct marketing (for example product recommendations or other offers). If you object to direct marketing, we will discontinue the processing of your personal data for the purpose and discontinue all types of direct marketing actions.
Right to data portability
If our right to process your personal data is based either on your consent or on fulfilment of an agreement with you, you have the right to request that the data concerning you and that you have provided to us be transmitted to another controller (‘data portability’). A condition to be met for data portability is that transmission is technically feasible and can be automated.
Right to withdraw consent
If the personal data processing is based on your consent, you have the right to withdraw this consent at any time. Such withdrawal of consent does not affect the lawfulness of the personal data processing before the consent was revoked.
How do we handle personal identity numbers?
We will only process your personal identity number when it is clearly warranted in consideration of the purpose, necessary for reliable identification or if there is some other notable reason. We always minimise the use of your personal identity number as far as possible by using your birth registration number instead, in cases where this is sufficient.
What are cookies, and how do we use them?
Cookies are small text files consisting of alphanumeric characters sent from our web server and saved on your web browser or unit. We use the following cookies on [www.nordeq.se].
Session cookies (a temporary cookie that stops when you close your web browser or unit).
The cookies we use normally improve the services we offer. Some of our services need cookies to work correctly, while others improve the services for you. We use cookies for overall analytical information concerning your use of our services and to save functional settings such as language and other details. We also use cookies to enable us to target relevant marketing to you.
You can control the use of cookies yourself by changing the settings in your web browser or unit.
How is your personal data protected?
We use IT systems to protect secrecy, privacy and access to personal data. We have taken special precautions to protect your personal data against unlawful or unauthorised processing (such as unlawful access, loss, destruction or damage). Only those persons who actually need to process your personal data to be able to satisfy our stated purposes have access to it.
Supervisory authority
The Swedish Authority for privacy protection is responsible for monitoring application of the legislation. Anyone who considers an enterprise to be processing personal data incorrectly can submit a complaint to the Swedish Data the authority for privacy protection.
Contact details
Telephone number: +46 (0)8-657 61 00 E-mail address: Imy@imy.se
Amendments to the Policy
The Company reserves the right to amend and update the policy. In the event of amendments to the policy or if existing information is to be processed in a different way than is stated in the policy, the Company will provide information on this in an appropriate manner.
Contact
If you have any questions concerning the Company’s handling of personal data, contract Mikaela Fredriksson.
