We may earn a commission from links on this website.
Privacy Notice for Customers, website visitors, suppliers, partners and other third parties
Last updated: 2023-08-18
With this Privacy Notice for customers, website visitors, suppliers, partners and other third parties (“Notice”) we inform you about how we process your personal data in connection with our services, visits to our website or otherwise in relation to our business or being in contact with us. In this Notice, references to “GRC Media”, “we”, “us” and “our” will mean GRC Media AB. For contact information, please see “Questions and queries” below.
Considering the volume of information in this Notice, please use the content section below to navigate to the areas you are most interested in.
Content
- Why do we inform you?
- Who is the data controller?
- Which personal data is processed and how do we process it?
- Does GRC Media share personal data with others?
- Does GRC Media transfer personal data to countries outside the EEA?
- How is my personal data secured?
- What are my rights under applicable data protection laws?
- Questions and queries
- Changes to this Notice
Why do we inform you?
We know that your privacy and how your personal data is used is important to you. This Notice outlines in detail how we collect, process, use and transfer (collectively “process”) your personal data.
Personal data is information connected to an individual who can be identified from that information, whether or not in conjunction with any other information. Common examples of personal data processed by GRC Media in our day-to-day business include name and contact information as well as information on how our services and websites are used.
It is necessary for us to process your personal data in order to provide our services and websites to you, to answer your questions or otherwise communicate with you. If we are not allowed to process your personal data, we will have to reject you from using the service.
Who is the data controller?
The data controller is GRC Media AB, reg. no 559235-0226, meaning that we decide why and how your personal data is processed. Please use the following email to contact us: privacy@grc-media.com.
Currently, we do not have a data protection officer but if we do appoint one you may contact him or her via the same email as provided above.
Which personal data is processed and how do we process it?
The personal information we collect from you or via our website, services or other contacts with you, help us manage our contractual relationship (if we have one) and to provide our service to you or your employer but also to comply with our legal obligations or to conduct our business. We use your personal information for several different purposes. Most of the personal data we process is obtained from you when you or your company use our services or our websites, or when you are otherwise in contact with us. We must always have a legal basis, i.e., a lawful ground to process your personal data. We may also process so-called sensitive personal data, which require a higher standard of protection, for this data there are also other lawful grounds. Where our legal basis is legitimate interest, we have performed a so-called legitimate interest assessment, feel free to contact us (using the contact information under “Questions and queries” below) if you would like to take part of the assessment.
Please note that the personal data processed may vary depending on your relationship with us. In some cases, the processing may also be performed by a third party on our behalf (see “Does GRC Media share personal data with others?” below). In some circumstances, we may request your (explicit) consent to process personal data. In these circumstances, you are able to withdraw your consent at any time by following the instructions provided when you gave your consent or as described under “What are my rights under applicable data protection laws?” below.
In the table below you can find details on how we process your personal data and the different reasons we have for processing them. There may be more than one legal basis stated in relation to a purpose, but only one of them will be relevant in each given situation. Please use the headings in the table to navigate to the information on a specific purpose you are most interested in.
|
WHY do we use your personal data (purposes) |
Types of personal data |
WHAT are we doing with it? |
How long will we keep it |
Legal basis |
|---|---|---|---|---|
|
To provide our services and websites (including customer support) |
Name, contact information, work title, employer, information for invoicing purposes, information on your use of the services or websites, your potential questions. |
Setting up our service based on your needs and communicating with you. Answering potential questions from you. Providing the services and websites as well as and handling payment. |
During the term of the contract and up to a period of 36 months thereafter. For a period of 12 months following your visit to a website. |
Performance of our contract to provide our services. Our legitimate interest to provide our services to your employer and to have a well-functioning website. |
|
Personalizing our services for you |
IP address and other device information, session-ID, behavioural data (e.g., what you click on), other meta data created when you use our services or websites (e.g., via cookies). |
Show relevant content to you and analysing your preferences to personalize suggestions to you and the use of our services. |
During the term of the contract and up to a period of 36 months thereafter. During a period of 12 months following collection of the information. |
Performance of our contract to provide our services. Our legitimate interest to make our websites relevant based on your needs. |
|
To manage questions and complaints |
Name, contact information, information on the question or complaint provided by you and our communication and actions in relation to the same. |
Communicate with you and manage your question or complaint. |
Up to 6 months after the matter is closed. |
Our legitimate interest (and yours) to answer questions and manage complaints. |
|
To perform marketing activities (including newsletters and offers from our partners) |
Contact information, and your consent to receive newsletters and offers from our partners . |
Sending newsletters, including offers from our partners.. |
For the duration of a valid consent. |
The consent provided by you when signing up for our newsletters. |
|
To improve and develop our business |
Information of the use of our services and websites, behavioural data e.g. clicking behaviour, your potential feedback as well as information from cookies. |
Analysing aggregated information on the use of our services and our websites as well as your potential feedback on the same in order to improve and develop our business. |
For a period of up to 36 months from the collection of the information. |
Our legitimate interest to develop our business. Your consent, to our use of cookies. |
|
To fulfil our legal obligations |
Name and contact information, payment information and other information relevant for book-keeping, your correspondence and use of our services and websites as well as potential complaints. |
Necessary actions to fulfil our legal obligations as stipulated by law, case law or binding authority decisions, for example connect to book-keeping |
For the term of the contract and for a period of 36 months thereafter unless a longer retention time is required by law. For book-keeping the information will be retained for a period of 7 years. |
Our legal obligation. |
|
To prevent abuse or misuse of our services, websites, and business and to act on potential findings |
IP-address, contact information, location, information on use of our services and websites, including clicking behaviour on our websites and information from cookies, as well as technical data on the units used. |
Monitor and analyse the use of our services, websites and business interactions. Prevent and investigate potential fraudulent behaviour. Protect and prevent our IT environment from threats and unauthorized access. |
For a period of 36 months after the collection of the information. |
Our legitimate interest to protect our customers and our business. |
|
To host meetings or similar and follow up on the same |
Contact information, other information relevant for our meeting or following up on the same. This could include also special categories of personal data such as potential special diets or accessibility requirements. |
Organizing and inviting you to meetings organized by us or visits to our premises, as well as following up on the same. |
For special categories of personal data for a period of 30 days after the meeting. For contact information and attendance information, for a period of 12 months after the meeting or event. |
Our legitimate interest in organizing and inviting you to meetings. Your explicit consent (for access requirements or special dietary needs). It is necessary based on substantial public interests (in case of an accident at our premises). |
|
To manage a potential restructuring, merger or sale of our business or part of it |
Contact information about you as a customer, information on the use of our services and websites. |
Gathering information as part of a potential due-diligence and making this available to a potential buyer. Answering questions from the same. Please note that personal data will be kept to a minimum, as far as possible only anonymized data will be shared. |
During the discussion on the potential transaction and for a period of two months after finalized process. |
Our legitimate interest to potentially selling our business or parts of it. |
It is voluntary for you to provide your personal data to us but please note that if you do not provide us with your contact information, we may not be able to provide you with any information you request, and if you are a supplier or prospective supplier and you do not provide us with contact information, we may not be able to enter into a contract with you. Please note that we may use your personal data for automated decisions or profiling.
Cookies and similar technologies
For more information on how we use cookies and similar technologies in connection with your use of our website or services, please read our Cookie Notice.
Does GRC Media share personal data with others?
Service Providers
We use third party service providers who provide services including IT services (such as hosting, communication, analytical tools, and storage), audit and book-keeping. Your personal data may, therefore, be processed by service providers on our behalf. For details on what service providers will process your personal data, please refer to the table under “Does GRC Media transfer personal data to countries outside the EEA?”.
We will control any third party that we use to ensure that they can provide sufficient guarantees regarding the confidentiality and security of your personal data. We will have written data processing agreements with them which provide warranties regarding the security of your personal data as well as warranties that they comply with our data security standards and international transfer restrictions.
Disclosure to third parties
We share personal data with the partners that we provide websites together with, this means that we will share information with them which they will process in accordance with their own purposes and under their own control, for more information we refer to their respective privacy notices.
In certain circumstances, we also share or are obliged to share your personal data with third parties, for the purposes described above and in accordance with applicable laws. These third parties include:
- administrative authorities (tax authorities and enforcement authorities)
- financial institutions
- insurance providers
- police, public prosecutors
- external advisors
- third parties involved in a merger or acquisition of our business
Does GRC Media transfer personal data to countries outside the EEA?
We may share your personal data with service providers which may have their staff or equipment within or outside the European Economic Area (the “EEA”). This means that your personal data may be subject to privacy laws that differ from the country you reside in. This also means that personal data collected within the EEA may be transferred to third parties in countries outside the EEA and vice versa. We have put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercising of your rights. We ensure that your privacy is protected by an adequate level of data protection through for example EU Standard Contractual Clauses based on the EU commission’s model clauses and supplementary measures as relevant. If you would like more information on the security measures in place, please contact us (see “Questions and queries” below).
In the table below you will find information on what countries outside of the EEA that your personal data will be transferred to and, also what third parties your data will be shared with.
|
Type of individual |
Third party |
Countries outside of the EEA |
|---|---|---|
|
Customer or contact person of customer |
IT-services, audit service, security services and marketing services |
USA, UK |
|
Website visitor |
IT-services and marketing services |
USA, UK |
|
Contact person of supplier or partner |
IT-services |
USA, UK |
|
Other third parties |
IT-services |
USA, UK |
How is my personal data secured?
GRC Media operate state of the art IT security systems to protect the confidentiality, integrity, and availability of your personal data. We have taken appropriate security measures against unlawful or unauthorized processing of personal data, and against the accidental loss of, or damage to, personal data. Access is only granted on a need-to-know basis to those people whose roles require that they process your personal data.
What are my rights under applicable data protection laws?
You have various rights which you can enforce, including the right to be informed in accordance with this Notice. The below table provides a summary of the rights that the law entitles you to and how you can exercise them.
|
Your right |
What does it mean? |
How do I execute this right? |
|---|---|---|
|
Right of access |
You have the right to access the personal data that we have on you. Please note, that we will need to verify your identity in order to provide access to your data. |
Requests should be made in writing to privacy@grc-media.com. If possible, please specify the type of information you would like to see to ensure that our disclosure meet your expectations. |
|
Right of data portability |
If we process your personal data to perform a contract you may have the right to receive personal data to be used with other parties, for example to have the data transferred to another data controller |
Requests should be made in writing to privacy@grc-media.com. If possible, please specify the type of information you would like to receive to ensure that our disclosure meet your expectations. |
|
Rights in relation to inaccurate or incomplete data |
You may challenge the accuracy or completeness of personal data which we process about you. If it is found that personal data is inaccurate, you are entitled to have the inaccurate data removed, corrected, or completed, as appropriate. |
We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details, or telephone number. Request should be made in writing to privacy@grc-media.com. Please be as specific as possible in your request. |
|
Right to object to our data processing of your personal data |
You have the right to object to the processing of your personal data that is based on our legitimate interest, including where it is processed for direct marketing purposes. Objections must be based on grounds relating to your particular situation. This means that your objection cannot be generic or too general. |
Requests should be made in writing to privacy@grc-media.com. Please be as specific as possible in your request. |
|
Right to restrict our processing of your personal data |
You have the right ask us to restrict the processing of your personal data, for example if you have objected to our processing of personal data based on our legitimate interest. This way you can stop us from using your data other than to e.g., defend legal claims. You can also prevent us from deleting the data, for example if you need it to be able to claim damages. Requests for restrictions must be based on grounds relating to your particular situation. This means that your request cannot be generic or too general. |
Requests should be made in writing to privacy@grc-media.com. Please be as specific as possible in your request. |
|
Right to have personal data erased |
You may be entitled to have your personal data erased (also known as the “right to be forgotten”), e.g., where you think that the information, we are processing is inaccurate, or the processing is unlawful. |
Requests should be made in writing to privacy@grc-media.com. Please be as specific as possible in your request.
|
|
Right to withdrawal |
You have the right to withdraw your consent to any processing for which you have previously given consent to. If you withdraw your consent, it will only take effect for the future. |
Requests should be made in writing to privacy@grc-media.com or as instructed when you gave your consent. Please be as specific as possible in your request. |
Questions and queries
If you would like further information about our processing of your personal data, your rights, including rights about access to data and correction of inaccurate data, please send an email to privacy@grc-media.com.
If you find that our processing is in breach of this Notice or applicable laws, please feel free to contact us but also know that you can always lodge an official complaint with the competent authorities, in Sweden this is Integritetsskyddsmyndigheten (IMY).
Changes to this Notice
We may decide to do changes in this Notice. If you are a partner and the change is indicative of a fundamental change to the nature of the processing (e.g., enlargement of the categories of recipients or introduction of transfers to a third country) or a change which may not be fundamental in terms of the processing, but which may be of great importance to you, then we will inform you of the update of the Notice. If you are a website visitor or other third party, we ask that you refer to the date at the top of the document to know when the last update was made. The most recent version will always be available on our website(s).