EVOLABEL’S POLICY ON PERSONAL DATA FOR EMPLOYEES, WORKERS AND CONSULTANTS

Purpose

All employees, workers and consultants must feel confident with the way in which we handle their personal data. Evolabel need to gather and use information or “data” about you as a part of our business and to manage our relationship with you. We intend to comply with our legal obligations under the General Data Protection Regulation (“GDPR”) as well as supplementary, national legislation when applicable. This policy provides an overall description of how personal data is processed, for what purposes and in what way.

This policy applies to current and former employees, trainees and consultants as well as job applicants, or other relations that are similar to an employee.

What is personal data?

This policy concerns the processing of personal data. Personal data refers to all information that can be used to identify an individual, directly or indirectly. 

The expression processing of personal data includes all types of handling of personal data, for example, the administration of, communication with, and storage of such data for different purposes and in different contexts.

Special rules apply to sensitive personal data used in Evolabel AB’s activities. Sensitive personal data refers to:

●      Information that reveals race or ethnic origin,

●      Information that reveals political views,

●      Information that reveals religious or philosophical belief,

●      Information on trade union membership,

●      Information on health,

●      Information on sex life or sexual orientations,

●      Genetic data, and 

●      Biometric data for the clear identification of a natural person.

How do we collect personal data?

We collect personal data in the following situations:

●      Information you provide us during a recruitment process, for example through CV, personal letter or on an interview.

●      Information you provide us within the scope of employment, consultancy or similar relationship. Such data can for example be provided through employment agreements, consulting agreements, relative forms and medical certificates.

●      Information from a third party. The third party can be authorities, credit institutions, recruit firms or references that you supplied us with in the recruitment process.

What categories of personal data do we process?

The categories of personal data that we usually collect and process before, during or after an employment relationship or similar constellation are:

●      Your contact information such as name, phone number, address email address and social security number.

●      In a recruitment process we may collect official information about your potential involvement in other companies. Historical information about finances, such as annual income and payment notices from credit rating agencies. We may also process personal data obtained from personality tests.

●      Your bank account details for salary payment.

●      Contact information to one or a few relatives that the employee/consultant provided us with.

●      Health information such as medical certificates and illness reports.

●      Information about misbehavior at the workplace.

●      Data that appears from a whistleblower report.

●  Data arising from the use of a company car, such as an electronic driving record. Position information will not be collected or processed.

●      Group pictures or individual images on our website or social media.

Sensitive data will only be collected and used when absolutely necessary. In situations where we need to collect and process sensitive data, we do so to fulfill our obligations as an employer.

Why do we collect personal data?

We will only collect data that is compatible with the GDPR regulation. This means that we must have a legal basis for our processing of personal data. Most of the data that is collected through the employment/or consultant relationship is processed because we are obligated by law to do so, or because it is necessary in order to fulfill our contracted obligation towards the employee or consultant. In a recruitment process the legal basis applicable is often legitim interest or your consent.

The legal basis we use for the common purposes are:

Legitimate interest

●      Your contact information such as name, phone number, address, email-address and social security number are processed within the legal basis of legitimate interest. The legitimate interest of the matter is to proceed with a recruitment process. If the data-subject already works with us, the legal basis of the processing is the employment contract.

●      Information about finances, involvement in companies and data obtained from personality tests are normally processed within the legal basis of legitimate interest. The amount of data we collect depends on the scope of the position and work field, we do so as a part of our background check on a potential employer.

●      Contact information to relatives is gathered on the basis of legitimate interest, which is to ensure a safe working environment.

●      Individual images of our employees or consults are publicized with the legal basis of legitimate interest. The legitimate interest behind the processing is to favor the communication with our partners.

Contract

●      Bank account details are collected in order to fulfill our obligations which arise from the employment contract.

●      Information about illnesses and absence thereof is collected with the employment contract as the legal basis.

●      Information on an employees or consultant's misconduct is collected within the legal basis of the employment contract.

 Legal obligation

●  Data that arises from a whistleblower report are collected on the basis of legal obligation (Lag (2021:890) om skydd för personer som rapporterar om missförhållanden)

●      Information arising from the use of a company car, such as driving records, are collected in order to comply with taxation rules on company cars.

Consent

●      Group photos or individual photos that occur in connection with company events may be used on our website and social media. In that case, processing takes place with your written consent as the legal basis.

To whom do we transfer personal data?

Your personal data may be shared with other companies in the EU, such as other companies in our group and external companies that provide services.

As part of our business, we cooperate with international suppliers and distributors, therefore we may share data with companies in a third country. We strive to minimize the information that is provided to a third country. The category of personal data that may be shared is contact information; such as name, your professional email-address and your professional phone number. The shared information is necessary in order to conduct our business towards our international partners and suppliers.

The category of partners who may process collected personal data are:

●      Consultants, such as accounting, auditing and law firms

●      Suppliers and distributors, both within and outside of the EU

●      Software suppliers, such as payroll processing and contract achieving

●      Authorities, for example the Swedish Tax Agency

The suppliers we use who handle personal data have the same requirements for their collecting and processing as we have internally.

How long do we store personal data?

We will not save personal data longer than necessary. Personal data shall be deleted when there is no longer a legal basis for the processing. In some situations, we may store data for a longer period when it is demanded by legislation, for example:

●      Accounting document are saved for 7 years, according to Bokföringslag (1999:1078)

●      Application documents submitted by candidates in connection with a recruitment process must be saved for two years, according to Diskrimineringslag (2008:567)

●      Certain documents arising from whistleblowing, which need to be followed up, will be saved for approximately two years, according to Lag (2021:890) om skydd för personer som rapporterar om missförhållanden.

Other situations may also justify a longer storage period, such as legal proceedings.

Which rights does the data-subject have?

Right to information

A data-subject has the right to get information about which data is processed by us. After demand the data-subject are entitled to information on what categories of data being processed, how it has been collected, on what legal basis it has been processed and to whom the data may be shared with. The subject requesting such information must be able to identify their identity. We will process your request within one month, from the receipt of the request.

Right to rectification

Everyone has the right to request correction of their personal data if it is incorrect or processed in violation of applicable law.

Right to erasure

Evolabel delete personal data when there is no longer a legal basis for the processing. As a data-subject you have the right to request a immediate erasure under the following circumstances:

●      If the data is no longer needed for the purposes for which it was collected.

●      If the processing is based on the individual's consent and the data-subject withdraws it.

●      If the data-subject objects to personal data processing after a weighing of interests and there are no legitimate reasons that override the data-subject’s interests.

●      If the personal data has been processed unlawfully.

●      If erasure is required in order to fulfill a legal obligation.

Right to limitation of processing

In some cases, you have the right to demand that the processing of your personal data be restricted. This applies, among other things, if you believe that the personal data is incorrect, and you have requested correction. While the investigation is ongoing, you can request that the processing of the personal data be restricted.

Right to data portability

Everyone who is a data-subject has the right to obtain this data on paper or in standard electronic format for, for example, transfer to another party.

Right to object

When data being processed on the legal basis of legitimate interest, the data-subject has the right to object towards the processing. To do this, you must specify which processing you object to. In order to continue with such processing, we must prove that there is a legal basis for processing the personal data that outweighs your interests.

Right to withdrawal of consent

When consent is the legal basis of the processing, the data subject has the right to withdraw their consent at any time.

Right to not be the subject of automatic decision making

Evolabel will not use automatic decision making.

Right to complain

A data-subject that suspects that the processing of their personal data breaches the GDPR-regulation has the right to complain to the Swedish Authority for Privacy Protection.

Who is responsible for our processing of personal data?

Evolabel AB is the personal data controller, registration number: 556712-6767.

Questions regarding personal data processing or requests shall be sent to: hr@evolabel.com