Privacy Policy
At Norrköping Visualisering AB, we value your privacy and always strive for a high level of data protection (for example, we would never sell your personal data to another company). This privacy policy explains how we collect and use your personal information. It also describes your rights and how you can exercise them.
The privacy policy and procedures described here comply with the General Data Protection Regulation (GDPR). More information about the regulation can be found on the Data Inspection Authority’s website.
We believe it is important that you read and understand the privacy policy. We hope you feel secure in our handling of your personal data. You are always welcome to contact us with any questions.
What is Personal Data and What is the Processing of Personal Data?
Personal data is any kind of information that can directly or indirectly be linked to a living individual. For example, images and audio recordings processed in a computer can be personal data even if no names are mentioned. Encrypted data and various types of electronic identities (e.g., IP numbers) are personal data if they can be linked to physical persons.
Processing of personal data encompasses everything done with the personal data. Every action taken with personal data constitutes processing, whether it is automated or not. Examples of common processing activities include collection, registration, organization, structuring, storage, processing, transfer, and deletion.
Who is Responsible for the Personal Data We Process?
The data controller is the entity that determines why and how personal data is processed. A data controller can be, for example, a municipality, authority, organization, or company. Norrköping Visualisering AB is responsible for the personal data we store. Organization number: 556779-5298. Address: Kungsgatan 54, 602 33 NORRKÖPING.
If you have questions about your personal data, you can contact us at: gdpr@visualiseringscenter.se
About Changes to the Privacy Policy
We may make changes to our privacy policy. The latest version of the policy is always available on our website.
For updates that are crucial to our processing of personal data (e.g., changes to specified purposes or categories of personal data), or that may be significant to you, you will be informed via email well in advance before the updates take effect. We will also explain the significance of the updates and how they may affect you.
What Personal Data Do We Collect About You and For What Purpose?
When You Become Our Customer
To manage you as a customer, we store some of your personal data in our customer register.
The personal data we store are:
- Name
- Contact details (such as address, email, and phone number)
- Your communication with us
- Information about your bookings
- Other financial details.
The processing activities performed are:
- Registration and identification to manage you as a customer
- Collection of email addresses to send newsletters and provide information about upcoming events or other information.
The processing of your personal data is necessary to meet our and your interest in managing you as a customer with us. This so-called legitimate interest, together with the entered agreement, constitutes a legal basis for us to store your personal data. We have assessed that this legitimate interest in these cases outweighs the protection of your personal integrity. When you become a customer, you will also be informed about how we process your personal data.
The data is cleared in the following January, 24 months after the last relationship. We need to retain your information for a while in case you return as a customer and to see history in our systems.
When We Establish a Business Relationship
When you become a customer with us, we must be able to handle your booking and payment. We register your booking in our customer system, and record billing information in our accounting system. We need your email address so that you can receive booking confirmations and other information regarding the booking. The collection of your personal data is required for us to fulfill our obligations when you book a venue or attend an event we organize.
The personal data we store are:
- Name
- Contact details (such as address, billing address, email, and phone number)
- Billing and payment information
- Dietary preferences or other information you provide
The data is cleared in the next January, 24 months after the last relationship. In the billing system, they are stored according to accounting laws. If you have specified dietary preferences or other additional information, it is not stored elsewhere than in the booking itself.
The processing of your personal data is necessary to meet our and your interest in managing your bookings. This so-called legitimate interest, together with the entered agreement, constitutes a legal basis for us to store your personal data. We have assessed that this legitimate interest in these cases outweighs the protection of your personal integrity. When you become a customer, you will also be informed about how we process your personal data.
For those of you appearing in our marketing materials who consented before May 25, 2018, and agreed to our use of your image, there is an existing agreement that allows us to use the image and store your personal data.
When You Participate in Events, Occasions, or Conferences
In connection with your registration, we inform you that we sometimes take pictures or film at our events. If you do not want to appear in pictures or films, contact us before the event and let us know. You also need to inform the photographer at the event that you do not want to be included in pictures/films to be identifiable. If you subsequently discover that you appear in pictures/films published on our website or social media, you have the right to have these removed. Contact info@visualiseringscenter.se.
The legal basis for the images/films is legitimate interest. You still have the right to request that we do not publish pictures of you.
When We Use Your Personal Data to Evaluate Our Work
We continuously analyze and evaluate our work to develop and improve our services and systems. It is important to us that you, as a customer, have a say in our offerings.
For example, we may send out a survey to gather our customers’ opinions and preferences. Sometimes we also analyze the data we already have about you to tailor our event offerings.
Based on the data we collect (e.g., position, region, and booking history), we conduct an analysis that may result in you being classified into a group (customer segment), but the analysis is never done at the individual level. The insights from the analysis form the basis for which services are offered.
The personal data we store are:
- Position
- Organization type
- Postal address
- Correspondence and feedback regarding our services
- Booking history
- Information on how you learned about events.
The processing is necessary to meet our and our customers’ legitimate interest in evaluating, developing, and improving our services and systems. We have assessed that this legitimate interest in these cases outweighs the protection of your personal integrity.
The data is cleared in the following January, 24 months after the last relationship.
From Which Sources Do We Collect Your Personal Data?
The data we have about you is only the information you have provided to us or that we have collected from you based on your registrations. We do not collect any information about you from third parties.
When you send us an email, we handle the content according to our email policy. The policy states that:
- If we receive an email containing personal data that needs to be saved, we transfer it to the appropriate system and then delete the message.
- If the message contains sensitive personal data, such as health information, religious beliefs, or political opinions, it is immediately deleted and none of it is saved.
- If you contact us spontaneously via email and you are not already in our register, we will ask for your consent to save your information.
With Whom Can We Share Your Personal Data?
When necessary, we share your personal data with companies that, in one way or another, are subcontractors to us. These subcontractors are called data processors. A data processor is a company that processes information on our behalf and according to our instructions. We have data processors that help us with:
IT services (companies that manage necessary operations, technical support, and maintenance of our IT solutions, as well as newsletter services and form tools).
Payment solutions (acquiring companies, banks, and other payment service providers).
When your personal data is shared with data processors, it is only for the purposes we have specified. We check all data processors to ensure they can provide adequate guarantees for the security and confidentiality of personal data. We have written agreements with all data processors where they guarantee the security of the personal data processed and commit to following our security requirements, as well as restrictions and requirements concerning the international transfer of personal data.
We never share your personal data with any other third parties.
Where Do We Process Your Personal Data?
We always strive to process your personal data within Sweden. If that is not possible, we choose, as far as possible, similar solutions within the EU. If you would like a copy of the safeguards that have been implemented or information on where these have been made available, please contact us at info@visualiseringscenter.se.
How Long Do We Keep Your Personal Data?
We never keep your personal data longer than necessary. See more about specific storage periods under each section above.
What Rights Do You Have as a Data Subject?
All information about your rights is available on the Data Inspection Authority’s website.
For requests based on the sections below, contact info@visualiseringscenter.se.
Right to Access (Data Subject Access Request)
We are always open and transparent about how we process your personal data. If you want to know more about what personal data we process about you, please contact us to access your data. The information is provided in the form of a data subject access request with a description of the purposes, categories of personal data, retention periods, and information about the sources from which the data was collected.
When you request access to your personal data, we may ask for additional information to ensure effective handling of your request and to ensure that the information is provided to the right person. Data subject access requests are provided within 14 days.
Right to Rectification
You can request the rectification of your personal data if the information is incorrect. Within the scope of the stated purpose, you also have the right to supplement incomplete personal data.
Right to Erasure
You can request the erasure of personal data we process about you if:
- The data is no longer necessary for the purposes for which it was collected or processed.
- You object to a legitimate interest assessment we have made, and your reason for objection outweighs our legitimate interest. You object to your personal data being used for direct marketing purposes.
- The personal data is processed unlawfully.
- Note that we may have the right to deny your request if there are legal obligations that prevent us from immediately erasing certain personal data. These obligations come from accounting and tax legislation.
Right to Restriction
You have the right to request that our processing of your personal data be restricted. Restriction can be done for several reasons.
- If you dispute the accuracy of the personal data we process, you can request restricted processing while we verify the accuracy of the personal data.
- If you oppose the erasure of your data. This may be because you need the data we have about you to establish, exercise, or defend legal claims. In these cases, you can request restricted processing of the data with us.
- If you have objected to a legitimate interest assessment we have made as the legal basis for a purpose, you can request restricted processing while we verify whether our legitimate interests outweigh your interests in having the data erased.
If processing has been restricted according to any of the above situations, we may only process the data, other than storage, to establish, exercise, or defend legal claims, protect another’s rights, or if you have given your consent.
Right to Object to Certain Types of Processing
You always have the right to opt out of direct marketing and to object to all processing of personal data based on a legitimate interest. An objection can be made on two grounds:
Legitimate Interest: if we use a legitimate interest as the legal basis for a purpose, you have the opportunity to object to the processing. To continue processing your personal data after such an objection, we must demonstrate a compelling legitimate reason for the processing that outweighs your interests, rights, or freedoms. Otherwise, we may only process the data to establish, exercise, or defend legal claims.
Direct Marketing: you have the option to object to your personal data being processed for direct marketing purposes. The objection also includes analyses of personal data (so-called profiling) carried out for direct marketing purposes. Direct marketing includes all types of outreach marketing measures, such as by post, email, and SMS.
If you object to direct marketing, we will stop processing your personal data for that purpose and cease all types of direct marketing activities.
Right to Data Portability
In certain cases, you have the right to obtain and use your personal data elsewhere, such as in another membership organization or customer register. We are then required to facilitate such a transfer of personal data. Currently, it is not possible to make this transfer in an automated and machine-readable manner. Read more about data portability on the Data Inspection Authority’s website.
How Are Your Personal Data Protected?
We use IT systems to protect the confidentiality, integrity, and access to your personal data. We have implemented special security measures to protect your personal data from unauthorized or unlawful processing (such as unauthorized access, loss, destruction, or damage). Only those individuals who actually need to process your personal data to fulfill our stated purposes have access to them.
What Does It Mean That the Data Inspection Authority Is the Supervisory Authority?
The Data Inspection Authority is responsible for overseeing the application of the legislation. Anyone who believes that a company is handling personal data incorrectly can file a complaint with the Data Inspection Authority.
If a personal data incident occurs, we are required to report it to the Data Inspection Authority. An incident is an event that leads to the accidental or unlawful destruction, loss, or alteration of your personal data.
It may also be a personal data incident if the event leads to unauthorized disclosure of or access to the processed personal data. The incident must be reported to the Data Inspection Authority within 72 hours from its discovery.