
Privacy Policy

Using secure technology and data storage is now a requirement for many companies. We use Easyweb's redundant cloud solution to operate our clients in a high-performing certified IT environment according to ISO 27001, ISO 14001, and ISO 9001. With CMS as SaaS, our clients have instant access to the latest version and do not have to worry about security or performance. We, of course, follow GDPR (and equivalent in the US) and protect visitors' personal data.

Read more about Easyweb's data storage at www.easyweb.site

1 Background and purpose 

1.1 Sphinxly AB values the privacy of its customers, suppliers, partners, and employees and always strives to comply with current data protection regulations. Everyone has the right to protection of personal data concerning them. 

1.2 Sphinxly AB has therefore adopted this Policy for the processing of personal data to ensure that everyone within the organization complies with data protection rules. 

1.3 On May 25, 2018, the General Data Protection Regulation came into effect. It provides enhanced protection for individuals whose personal data is processed and imposes more and stricter requirements on organizations that process personal data. 


2 Scope and extent

2.1 The policy applies to all employees and consultants of Sphinxly AB, in all markets and at all times. 

2.2 The board of Sphinxly AB shall ensure that this Policy is followed, which includes training for all employees. Information provided to employees shall also include information that violation of the policy may result in, for example, labor law consequences. 


3 Fundamental principles

3.1 The fundamental principles described below should always be observed when personal data is processed. Sphinxly AB is responsible for and must be able to demonstrate that the principles are followed.

3.1.1 Lawfulness, fairness, transparency – Personal data shall be processed lawfully, correctly, and transparently concerning the data subject. This means that each type of processing must be based on a valid so-called legal basis, such as fulfilling an agreement, fulfilling a legal obligation, performing a task of public interest, legitimate interest, or consent (see section 5 below). If no applicable legal basis can be identified for the processing, the processing must not be carried out. The starting point for this principle is clear communication with the data subject about, among other things, the purposes for which personal data is processed, the type of processing performed, if and how personal data is shared with others, how long personal data is stored, and how to contact Sphinxly AB. The data subjects should be given clear and transparent information about the processing of their personal data.

3.1.2 Purpose limitation – Personal data may only be collected and otherwise processed for specific, explicitly stated, and legitimate purposes and may not be processed later in a manner incompatible with these purposes. 

3.1.3 Data minimization – Personal data processed shall be adequate, relevant, and not excessive concerning the purposes. 

3.1.4 Accuracy – Personal data processed shall be correct and, if necessary, updated. 

3.1.5 Storage limitation – Personal data must not be stored longer than necessary, considering the purposes of the processing. When the data is no longer needed, it must be deleted or anonymized. 

3.1.6 The principle of accountability means that Sphinxly AB must be able to demonstrate that the General Data Protection Regulation is followed. The company must, for example, document implemented and planned processes and measures concerning data protection issues.

There shall also be a register of all types of personal data processing carried out, and Sphinxly AB must be able to present such a register to the supervisory authority when required.

4 Personal data 

4.1 Personal data are all data concerning an identified or identifiable natural person that can directly or indirectly identify a person. Examples of personal data are names, contact details, location data, or factors specific to a person's physical, economic, cultural, or social identity. Data that individually do not meet the requirements can together still constitute personal data. 

4.2 All processing of personal data is covered by the General Data Protection Regulation and its rules, also known as GDPR. Processing means an action or combination of actions concerning personal data, carried out entirely or partially automated. Personal data in emails and documents on servers, in simple lists, on websites, and in other unstructured material are also covered. 

 
5 Legal basis for the processing of personal data

5.1 Processing of personal data is lawful only if, and to the extent that, one of the following bases applies.

5.1.1 The data subject has given consent for the personal data to be processed for one or more specific purposes. There are specific requirements that must be met for the consent to be valid. 

5.1.2 The processing is necessary to fulfill a contract to which the data subject is a party or to take measures at the request of the data subject before such a contract is entered into. 

5.1.3 The processing is necessary to fulfill a legal obligation imposed on Sphinxly AB. 

5.1.4 The processing is necessary to protect interests essential for the data subject or another natural person (e.g., when life is at risk). 

5.1.5 The processing is necessary for purposes concerning Sphinxly AB's or third-party interests unless the data subject's interests or fundamental rights and freedoms outweigh and require protection of personal data (balancing of interests). In the case of a balancing of interests, specific requirements for documentation regarding the assessment made apply.

6 Security measures, access control, and deletion

6.1 Personal data shall be processed in a manner that ensures appropriate security for the personal data using technical and organizational measures. Organizational security measures may involve using access control for systems containing personal data, logging of access to personal data, or ensuring computers and the like containing personal data are stored to hinder unauthorized access and are not left out. Examples of technical measures that must be checked include whether the company has sufficient backup routines, adequate firewalls, password-protected wireless networks, updated virus protection, password protection for mobile devices such as mobile phones and tablets, protection against unauthorized internal access, password requirements, encryption when needed, logging of access to and use of IT systems, etc.

6.2 Personal data must not be kept longer than necessary, considering the purpose of the processing. By establishing and following a deletion routine for each database/processing, the structured deletion work is ensured. Personal data in so-called unstructured material, such as in documents on servers, in a simple list, on websites, etc., also need to be deleted when the purpose of the processing is fulfilled.

 
7 Transfer to third countries 

7.1 Special rules apply for the transfer of personal data to countries outside the EU and EEA (so-called third-country transfers). The General Data Protection Regulation means that all EU member states and EEA countries have equivalent protection for personal data and personal privacy and can therefore transfer personal data freely within that area without restrictions. However, for countries outside that area, there are no general rules providing equivalent guarantees, and therefore third-country transfers can only occur under special conditions.


8 Impact assessment 

8.1 Sphinxly AB has a specific procedure in place to identify and manage special privacy risks within the business and for structured follow-up. Specific risks to the rights and freedoms of natural persons may occur in connection with a certain type of data processing, particularly sensitive data, processing on a particularly large scale, use of new technology, or the like. 

8.2 If a new or changed personal data processing in certain respects is likely to pose a high risk to the rights and freedoms of natural persons, the procedure should be followed, and an assessment of the effects of the intended processing on the protection of personal data should be made before the processing begins. 

 
9 Extracts and disclosures 

9.1 The General Data Protection Regulation provides the data subjects with several rights regarding the processing of personal data. It is Sphinxly AB's responsibility to fulfill these rights and ensure that adequate processes exist to accommodate the data subjects.

9.1.1 The data subject has the right to information when personal data is collected. This information shall be provided in an easily accessible written form with clear and plain language. The General Data Protection Regulation prescribes several clear requirements that must be met, and the requirements vary depending on whether the information has been collected from the data subject themselves or from a third party.

9.1.2 The data subject has the right to obtain confirmation of whether personal data concerning them are being processed, and if so, receive a copy of the personal data (extract). This right applies regardless of where the personal data is processed. 

9.1.3 If personal data being processed is incorrect or incomplete, the data subject can request correction. If the data subject shows that the purpose for which the personal data is processed is no longer permitted, necessary, or reasonable under the circumstances, the relevant personal data shall be deleted unless there are legal provisions stating otherwise. 

9.1.4 The data subject has the right to transfer personal data provided to Sphinxly AB to another data controller (right to data portability) if the processing is based on the legal grounds of contract or consent. The personal data shall be provided to the data subject in a structured, commonly used, and machine-readable format. If technically possible, the data subject can request the data be transferred directly to another data controller. The right only applies to the personal data that the data subject has provided to Sphinxly AB. 

9.1.5 The data subject has the right in certain cases to request that Sphinxly AB restricts the processing of their personal data, i.e., restrict the processing to certain limited purposes. The right to restriction applies, among other things, when the data subject believes the data is incorrect and has requested that the personal data be corrected. The data subject can then request that the processing of the personal data be restricted while the accuracy of the data is being verified. When the restriction ceases, the individual shall be informed of this. 

9.1.6 The data subject has the right to object to the processing of personal data based on legitimate interest as a legal basis. In the event of an objection, the company must cease processing unless it can demonstrate compelling legitimate grounds for the processing that outweigh the data subject's interests, rights, and freedoms or if the processing of personal data is carried out for the establishment, exercise, or defense of legal claims. 

9.1.7 In some cases, the data subject has the right to request the deletion of their personal data (“the right to be forgotten”). An example is when consent is the legal basis for the processing, and the data subject withdraws their consent. 

9.1.8 When personal data is processed for direct marketing, the data subject has the right to object at any time to the processing of personal data concerning them. If a data subject objects to the processing of personal data for direct marketing purposes, processing for such purposes shall cease. 

 
10 Personal data incidents 

10.1 A personal data incident is a security incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized access to personal data. Examples of personal data incidents can include the theft of customer registers, accidental disclosure of salary information via email to the wrong recipient, an employee taking home an unencrypted work computer that is later stolen in a burglary leading to the disclosure of employee or customer information, personal data being published on the web by mistake, a portable computer containing personal data being lost or stolen, etc. 

10.2 Personal data incidents may need to be reported to the supervisory authority within 72 hours of the discovery of the incident if it is likely that there is a risk to the rights and freedoms of natural persons. Incidents that have occurred shall be documented, and affected data subjects may need to be notified.


11 Miscellaneous

11.1 For definitions concerning terms used in this policy, refer to the General Data Protection Regulation. 

11.2 This policy shall be updated annually or as needed based on instructions from the board of Sphinxly AB.

12 Questions

If you have questions related to the processing of personal data, please contact us!

