Privacy Policy
1. Introduction
1.1 Background and purpose
The Privacy Policy applies to Marstrom Composite AB (556324-3384), or other businesses within the
same corporation group as previously named (henceforth “Marstrom Composite”, “we”, “our”, “us”).
The policy is approved by the management and is updated on a needs basis. The policy constitutes
general information about how the company processes internal and external personal data.
This policy constitutes the common Privacy Policy of Marstrom Composite and serves as the minimum
standard for all entities within the group. Where necessary, individual subsidiaries may introduce
additional requirements to reflect local practices or regulatory obligations.
We value your privacy and are committed to protecting your personal data. This Privacy Policy explains
how we collect, use, disclose, and safeguard personal information when you interact with us. It is
structured as follows:
- INTRODUCTION
- BASIC PRINCIPLES OF MARSTROM COMPOSITE PERSONAL DATA PROCESSING
- WHEN THE PROCESSING OF PERSONAL DATA IS LEGAL
- RIGHTS OF THE DATA SUBJECT
- STORAGE AND DELETION OF PERSONAL DATA
- SECURITY IN THE PROCESSING OF PERSONAL DATA
- TRANSFER OF PERSONAL DATA
- REPORTING
- CONTACT INFORMATION
According to applicable data protection legislation, personal data may only be collected for specific,
explicit, and legitimate purposes, and may not be processed in a manner incompatible with those
purposes. Furthermore, any processing of personal data must be supported by a lawful basis.
1.2 Definitions and dictionary
Processing (personal data) is any measure or series of measures taken in respect of personal data,
whether automatic or not, such as collection, registration, organization, storage, processing,
alteration, restriction, adjustment, erasure or destruction, disclosure by transmission, dissemination
or other provision of data, compilation or interconnection.
Processing register refers to the register Marstrom Composite is obliged to keep of personal data
processing in accordance with Article 30 of the GDPR. We use the service “GDPR Hero” to keep our
processing register.
Data protection legislation refers to Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April on the protection of physical persons with regard to the processing of personal data
and on the free movement of such data (“GDPR”) and any other national or European law, regulation
or directive applicable from time to time to the company’s processing of personal data.
Personal data is any information relating to an identified or identifiable living natural person.
An identifiable natural person is a person who can be identified directly or indirectly by reference
to an identifier such as a name, identification number, location data or online identifiers, or one or more
factors specific to the physical, physiological, genetic, psychological, economic, cultural or social
identity of the natural person.
The personal data controller is the legal person who alone or together with others determines the
purposes and means of the processing of personal data.
The personal data processor is a legal entity that processes personal data on behalf of the controller,
for example Marstrom Composite's IT providers.
The Privacy Protection Agency (IMY) conducts checks in response to complaints from individuals,
information in the media or on its own initiative. Measures include field inspections and inspections
by questionnaires or other verification by e-mail, telephone or letter.
2. Basic principles of Marstrom Composite personal data processing
We shall comply with applicable Data Protection Legislation when processing personal data at any time.
We shall only process personal data in a lawful, correct and transparent manner in relation to the data
subject and the controller. This means, among other things, that our personal data processing must
follow these basic principles:
- Documented personal data liability: For each processing of personal data, where we determine the purpose and means, there shall be one or more companies within the group that have been deemed to be the data controller. Responsibility for processing where companies within the group are data controller must be documented in the Processing Register.
- Legal basis: Any processing of personal data shall be carried out on the basis of a documented legal basis.
- Purpose limitation: The data shall be collected for specified, expressly stated purposes and shall not subsequently be processed in an incompatible manner.
- Data minimization: Only personal data that is adequate, relevant and not too comprehensive in relation to the purpose shall be collected.
- Accuracy: The data shall be accurate and up-to-date and it shall be possible to trace changes.
- Storage minimization: The data may not be kept for longer than is necessary in relation to the purpose, see further paragraph 5.
- Confidentiality: Personal data shall be protected by appropriate technical and organizational security measures to prevent unauthorized processing and loss, destruction or corruption of the data. See further paragraph 6.
3. When the processing of personal data is legal
3.1 General legal basis
The processing of personal data is only legal if at least one of the following conditions is met:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- The processing is necessary for the performance of a contract in which the data subject is a party or to take action at the request of the data subject before such contract is concluded.
- The processing is necessary in order to fulfil a legal obligation where the responsibility lies with the controller.
- The processing is necessary to protect interests of fundamental importance to the data subject or to another natural person.
- The processing is necessary for the performance of a task of general interest or as a part of the controller’s exercise of authority.
- The processing is necessary for the purposes relating to the legitimate interests of the controller or a third party unless the interests or fundamental rights and freedoms of the data subject outweigh and require the protection of personal data.
The legal basis for our processing of your personal data is described below. In case of uncertainty or if
you have any questions, please contact us. See contact information below.
4. Data collection and use
We only process your personal data to the extent necessary for the purposes described above and will not store the data longer than needed.
When do we need to process your personal data?
We may process your personal data in several situations, depending on your relationship with us and how you interact with us.
1. When you are a customer
If you have purchased products or services from a company within Marstrom Composite, we need to process your personal data in order to:
- Identify you as a customer
- Deliver products and services
- Manage invoicing, support matters, and complaints
- Exercise our rights and fulfil our obligations under the agreement
Personal data processed: Name, address, e-mail address, telephone number, purchase history, and usage data.
Legal basis: Performance of contract.
Retention: We store your data for as long as you are a customer and for 12 months thereafter.
2. When you have shown interest in our products or services
We may process your personal data when you:
- Request a quote or information
- Leave your details at an event, seminar, or training
Personal data processed: Name, address, e-mail address, telephone number, and other details you voluntarily provide.
Purpose: To communicate with you and follow up on your request.
Legal basis: Legitimate interest (our interest in offering and marketing our services outweighs the intrusion on your privacy).
Retention: 12 months from your request or event, or as long as contact is ongoing.
3. Customer support and service matters
If you contact customer support, we may need to verify your identity and review data about your use of our products or services.
Personal data processed: Name, contact information, case notes, product/service usage details.
Legal basis:
- Performance of contract, and/or
- Legal obligation (for example consumer rights laws)
Retention: Stored during the case handling period and 12 months thereafter.
4. Security and misuse prevention
We process data to maintain security, prevent fraud, and ensure that services are used in accordance with applicable terms.
Personal data processed: IP address, device information, login or usage activity.
Legal basis: Performance of contract (to provide secure services).
Retention: Up to 12 months.
5. Communication about products and services
We may contact you regarding updates, service notifications, or customer satisfaction surveys.
Personal data processed: Name, contact information, product/service usage details.
Legal basis: Legitimate interest (keeping customers informed and developing our services).
Retention: For as long as you are a customer and 12 months thereafter.
6. Product and service development
We may compile statistics and perform analysis to improve and develop our products and services.
Personal data processed: Contact details, device information, usage patterns.
Legal basis: Legitimate interest (our interest in improving and developing our offering).
Retention: For as long as you are a customer and 12 months thereafter.
7. Marketing
We may use your contact information to send marketing communications about our products and services.
You may opt out at any time by following the instructions in each communication.
Personal data processed: Name, address, e-mail address, telephone number, and information about your use of our services.
Legal basis: Legitimate interest (direct marketing).
Retention: For as long as you are a customer and 12 months thereafter.
8. Recruitment processes
If you apply for a job with us, we process your application data to:
- Evaluate your qualifications
- Contact you during the recruitment process
- Fulfil legal obligations in the recruitment process
Personal data processed: Name, contact details, CV, education, work history, references, and additional materials you submit.
If you consent to future contact, we may store your data for future recruitment opportunities.
Legal basis:
- Legitimate interest (recruitment)
- Legal obligation
- Consent (optional, for storing your application for future opportunities)
Retention:
- If not hired: 12 months from end of recruitment process
- If consent given: stored as agreed for future opportunities
9. Cookies and similar technologies
Our website uses cookies and similar technologies to enhance your experience, analyze traffic, and enable certain features.
You can change your cookie preferences at any time via your browser settings. For more information about the cookies we use and their purposes, please see our cookie policy.
4. Rights of the data subject
A fundamental aspect of the GDPR is that it contains certain statutory and mandatory rights for data subjects whose personal data are processed. As a data controller, Marstrom Composite has an obligation to facilitate those who wish to exercise their rights under the GDPR. The data subject also has the right to withdraw any consent given. The withdrawal of consent shall not affect the legality of processing based on consent before it is revoked.
Data subjects have the following rights, among others:
- Right to access your personal data, meaning the right to receive confirmation of whether personal data relating to you is being processed and, if so, access the personal data and certain additional information.
- Right to data portability, meaning the right under certain circumstances to receive personal data in order to transfer it to another controller.
- Right to rectification, erasure or restriction of personal data and the right to object to processing.
- Right to complain to the national data protection agency (in Sweden IMY) if processing does not meet EU/EEA requirements.
- Right to withdraw consent if and to the extent that specific consent was given for certain processing.
- Right to object to processing based on balancing of interests under Article 6.1(f) GDPR.
- Right to object to direct marketing; in that case, personal data shall no longer be processed for such purposes.
To exercise your rights, please contact us by email or by post (see below).
We will process your request without undue delay and no later than 30 days from receipt. If we are
unable to fulfill your request, we will explain the reason for this.
5. Storage and deletion of personal data
According to data protection law, personal data may not be stored for longer than permitted by law, or otherwise necessary for the purposes for which the data is processed. Data that may no longer be stored shall be permanently deleted and destroyed (thinning). Under special conditions, thinning can be carried out by anonymizing personal data instead of destroying it. Anonymization means that any information that makes it possible to trace the data to a data subject is irrevocably deleted.
If there are laws or regulations that require storage of personal data for a certain period of time, such as tax, accounting or anti-money laundering legislation, such provisions apply before the GDPR. For example, the Accounting Act states that accounting information must be kept for seven years from the year in which the financial year ended.
The main rule within the company is that personal data not subject to such specific laws or regulations should be deleted when we no longer need the data to fulfil the purposes of the processing.
6. Security in the processing of personal data
6.1 General
Marstrom Composite shall take appropriate technical and organizational measures to prevent destruction, alteration or distortion of personal data. This means that a security assessment needs to be made on a case-by-case basis and that different processing/systems require different levels of security measures depending on the sensitivity of the information, the risk of intrusion (and other risks) and vulnerability.
6.2 Risk analysis
Before we start processing personal data, an initial risk analysis must be carried out to take a position on:
- The technical and organizational security measures appropriate for the processing in question, based on an assessment of information sensitivity, relevant risks and vulnerabilities.
- Whether the processing is adapted from the outside and meets our requirements regarding privacy by design and information security.
- Whether the processing is likely to pose a high risk to the rights and freedoms of the data subject, for example through the use of new technologies or because data subjects cannot be expected to know that they are subject to the processing. If such high risk is identified, our Data Controller shall be informed and determine whether further analysis in the form of a Data Protection Impact Assessment is necessary.
7. Transfer of personal data
Personal data may be transferred to external parties with or without a personal data assistant agreement, depending on whether the recipient processes the data on Marstrom Composite’s behalf or on its own account. In all cases, there must be a legal basis for the transfer, and only the data that needs to be transferred may be transferred. The transfer shall be documented in an appropriate manner.
Marstrom Composite may transfer personal data to external parties that process personal data on our behalf and according to our instructions. Such external parties are data processors and shall always sign a personal data processing agreement with Marstrom Composite. Our Personal Data Controller is responsible for keeping such templates updated in accordance with applicable Data Protection Legislation.
7.1 Where do we store your data
As a general rule, we store and process personal data within the European Union (EU) and the European Economic Area (EEA). This means that your information is protected by the data protection standards set out in the GDPR.
If we need to transfer personal data to a country outside the EU/EEA, such transfers will only take place where appropriate safeguards are in place to ensure an adequate level of protection for your personal data. Such safeguards may include the use of Standard Contractual Clauses approved by the European Commission or other lawful transfer mechanisms.
7.2 Request by the authority for information
Marstrom Composite is obliged to provide information about our personal data processing and related circumstances if requested by the Privacy Protection Authority. Other authorities may also have the right to receive information containing personal data from us, such as the Enforcement Authority, the Swedish Tax Agency or the Swedish Economic Crime Authority. There may also be an obligation to disclose information to the police or prosecutors in the event of a criminal investigation. Information is disclosed only upon written request from the lead investigator and prosecutor.
Our Data Controller is responsible for contact with the Privacy Protection Authority. All contacts with the Privacy Protection Authority, or other authorities regarding personal data processing issues, on behalf of Marstrom Composite shall be referred to our Data Controller.
8. Reporting
Our Data Controller shall report annually or when necessary to management about our processing of personal data and, in addition, immediately report to management if serious flaws, privacy risks or problems arise.
The report shall contain the results of the follow-up and verification of personal data carried out in accordance with this Privacy Policy, including:
- If the processing is adapted from the outside and meets our privacy by design and information security requirements.
- Number of personal data breaches.
- Our compliance with applicable Data Protection Legislation and this Privacy Policy.
- Any contact with the Privacy Protection Authority.
- Changes in applicable Data Protection Legislation and supervisory practices regarding the processing of personal data.
9. Contact information
If you have any questions about the processing of your personal data or about cookies, or if you want
to exercise your rights specified above, you are welcome to contact us according to the information below.
Marstrom Composite AB (reg. nr. 556324-3384)
Lucernavägen 9
593 50 Västervik
Phone: +46 (0)490 89580
E-mail: mail@marstrom.com