Introduction
This is one Privacy Notice for Arjo focusing on our business interests, specifically in this relating to the use of the Arjo Academy Platform. This Privacy Notice relates to the processing of personal data of platform users and employees. It provides information to the relevant stakeholders about the who, what, why, when, where and how of our data processing activities, as well as setting out what rights individuals have in relation to these processing activities.
Who is processing the personal data?
As indicated above, the data controller for the processing of your personal data is Arjo Sverige AB one of Arjo’s many legal entities as part of an international organisation. To make this notice easier to read, Arjo refers to any and all Arjo entities. Appendix A of this privacy notice provides a list of Arjo legal entities to determine to whom these arrangements should be considered applicable.
Arjo aims to be compliant in everything we do. As such, we invite you to contact us whenever you feel it is necessary so we can partner with you in addressing any comments or concerns you might have. We have appointed a Data Protection Lead who is also able to support you with any queries you may have. The Data Protection Lead is:
James Stone
Data Compliance Analyst
What personal data are we processing?
The type of personal data we may process about you depends on the type of data subject and the nature of our relationship with you, as well as the location where you are. The processing of your personal data could include the following:
Platform users
|
|
Identifiers |
· Name · Job title |
Contact data |
|
Location data |
· Address · IP address |
Audio / visual data |
· Photos (only where provided by the platform user) |
Please note, the contact and location data processed relates to data used in a professional capacity and may come directly from you or from the organisation you are working for.
Employees
|
|
Contact data |
|
Why are we processing personal data?
Arjo processes personal data for the reasons listed below.
- Managing the production and distribution of our products and equipment via our logistics supply chain.
- To fulfil our customer orders and requests, as well as to provide support to customer representatives in the event of a complaint or issue or handling claims.
- To manage our legal, regulatory and statutory obligations as well as to maintain accurate and reliable administrative and accounting records, which include managing queries, concerns and investigations.
- The pursuit of our commercial interests through marketing activities.
No automated decision making is undertaken, with the exception of monitoring the success of marketing activities. This includes generating a profile based on the use of our online resources which performs an evaluation. This information is only used to better inform how Arjo can support you. The information is only used for this purpose and no individual data protection or statutory rights are infringed in this process. Any evaluation is subject to human review. If you have any questions or concerns about the potential use of automated decision-making, please contact dataprivacy@arjo.com.
Which lawful basis do we use for processing personal data?
Arjo only process personal data if there is a legal basis for the processing. For the processing described in this privacy notice, Arjo uses the following lawful basis for processing:
Lawful basis for processing |
Processing activities |
Your explicit consent. You are able to withdraw your consent at any time. You can do this by contacting dataprivacy@arjo.com. |
Marketing activities including direct marketing. |
Your implicit consent to fulfil our legal obligation or if processing is in our legitimate interests (dependent upon the legislative framework that is applicable). |
Activities linked to our regulatory and statutory requirements. Marketing activities including managing our relationship with you as a contact of Arjo. Processing of personal data is necessary to manage and deliver the online courses and events that platform users have subscribed to. |
Where we rely on a legal obligation to justify the processing of your personal data, this is to ensure that our regulatory and statutory requirements are fulfilled. This is important in order to maintain the quality of the service and products that many stakeholders rely on.
There may also be times when legitimate interest is the appropriate justification for processing your personal data. In this situation, we have undertaken a legitimate interests assessment where the needs, expectations, rights and freedoms of all parties have been considered. Before relying on legitimate interest, we have made sure that our interests are compelling enough and will not cause any unwarranted harm.
For how long do we process your personal data?
We save information for as long as the information is necessary to fulfil the purposes for which the information was collected. The information can be saved for a longer period of time if it is required by applicable law. Arjo have established routines to ensure that we do not store unnecessary information about you.
Information regarding representatives of customers and contacts:
- Most commercial, customer or financial information, relating to e.g. purchase, order and order history, is retained for ten years.
- Information collected after consent is saved for as long as it is relevant or no later than within six months after consent is revoked.
Where are we processing personal data and who do we transfer personal data to?
We may on occasion transfer your personal data outside of the region in which the data is collected through the use of a particular processor. When this occurs, we will aim to only transfer and process personal data in countries where an adequacy agreement has been established. This means that the legal framework in the third country provides the same level of data protection as in the European Economic Area (EEA). There are occasions where we need to process personal data outside of the EEA and away from countries with an adequacy agreement with the EEA as we work with processors who process personal data in the United States. In this instance. In these instances, we have undertaken a privacy impact assessment and transfer impact assessment to identify appropriate additional measures to implement, prior to establishing data processing agreements including approved standard contractual clauses. In the event that the contractual and organisational measures are still inadequate, we will seek your consent to undertake the proposed processing.
We use different systems and platforms to manage the data we process, and a list of the key data processors are listed below:
- ON24 – Management of our online education and training materials.
- Pardot – Used for the management of marketing efforts.
- SalesForce – Used for the storage of CRM information.
- Sparta Systems – Management of quality related records.
Additionally, we use Microsoft Office storage and productivity tools to process personal data in the course of our commercial, production, logistical, operational, research and administrative activities.
We may also share personal data with partners and in line with our regulatory or statutory obligations. In all instances, data will only be shared in line with an appropriate lawful basis for processing. Data sharing is frequently undertaken following a privacy impact assessment and a transfer risk assessment to ensure the necessary safeguards and control measures are in place prior to any data sharing.
How are we processing personal data?
Arjo have adapted the following to enable secure and compliance towards handling and processing data:
- Arjo have an IT policy, Information Security Directive, Data Privacy and Acceptable Use of IT devices Directive.
- Access management based on least privilege with access reviews performed on a quarterly basis, additionally each user will have unique and individual usernames where none are shared.
- Admin access only given to system and database owners who have the correct skills and training, normally senior IT staff.
- Robust change management process.
- All data and systems are encrypted at rest and in transit, where the systems/data can only be accessed via our VPN solution for each named user.
- All Third Parties that host or work on Arjo systems are subject to a Risk Assessment on a yearly basis.
- Arjo also have an overall Incident management process which is run by our Service Management team.
- Patch management; as part of our service management.
- Pen testing and vulnerability management.
- IT audits performed by a third party annually.
What are your rights in relation to this data processing?
Depending upon the data protection laws of the country you are in or the legal entity processing your personal data, you may have rights including:
- Your right of access – You have the right to ask us for copies of your personal information that we process about you. Through this copy you will be able to understand which of your personal data we have and process. The right of access is applicable when a record contains information where an individual can be identified, and the information is about them. This means that records that are accessible to you will have the personal data about other people redacted where appropriate, in order to protect their right to privacy. Your personal data will be redacted if someone else requests access to a record containing your personal data. Legislation provides other exemptions that may be applicable such as records where legal privilege needs to be observed or there is an obligation of confidentiality in specific circumstances. Any exemption applied will have a relevant legal basis and will be explained to you were necessary.
- Your right to be informed – You have the right to be informed of how we process your personal data. This Privacy Notice is an initial means of informing you about the processing of your personal data. Additional methods of keeping you informed include through FAQs, contractual agreements and through discussions – if you have a question about how we are processing your personal data, you can contact us by writing to dataprivacy@arjo.com.
- Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. Any request to rectify your personal data will also be transferred and actioned by any processor with whom your personal data has been shared. This process is managed by us and will not require any additional action from you for your right to be exercised in full.
- Your right to erasure – You have the right to ask us to erase your personal information when the information is no longer necessary to fulfil the purpose of processing the information or keeping it or if you retract your consent. Arjo is obliged to keep extensive records in accordance with our legal obligations. As such, Arjo may not be able to delete every record that is processed about you, however this will be explained where relevant. Any request to be forgotten will also be managed by Arjo with any processor that is processing your personal data on our behalf.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances such as if the personal data is not relevant to fulfil our legal obligations.
- Your right to object to processing – You have the right to object to the processing of your personal data. The right can be invoked when the legal basis is legitimate interest, including profiling. If an objection is made, Arjo must show compelling legitimate interests to continue processing personal data for that specific purpose.
- Your right to data portability – You have the right to ask that we transfer the information you gave us to another organisation. This enables you to transfer it in a machine-readable format to another recipient. The right to data portability applies to personal data that is processed based on your consent or to perform a contract. It applies only to such personal data that you have provided Arjo with yourself.
- Your right regarding automated decision-making – You have the right to request that a review of any profiling that is undertaken using your personal data to be undertaken by a human.
- Your right to withdraw consent – You have the right to withdraw consent where this is the lawful basis established for the processing of your personal data i.e. when collected for certain marketing activities.
For more information about your specific data protection rights, please visit the website of your local data protection authority. Appendix A provides a list of the data protection authorities for the locations where Arjo have a legal entity, along with the relevant contact details.
You are not required to pay any charge for exercising your rights in most instances. If you make a request, we have one month to respond to you.
Please contact us by email if you wish to make a request.
Finally, you have the right to complain to a data protection authority. As above, Appendix A contains a comprehensive list of the data protection authorities for each Arjo legal entity, along with contact details.
The main establishment of Arjo is in Malmö, Sweden. Therefore, our supervisory authority is Integritetsskyddsmyndigheten (IMY).
IMY’s contact details are:
Integritetsskyddsmyndigheten
Box 8114, 104 20 Stockholm
0046 (0)8-657 61 00