The website: https://setly.com/
Customer: refers to a natural or legal person who enters into an agreement with Setly Sweden AB regarding Setly Sweden AB’s services.
Services: refers to the services provided by Setly Sweden AB at any given time.
Personal data: any information which, directly or indirectly, alone or in conjunction with other information, can be linked to an identified or identifiable natural living person, is Personal Data within the meaning of the GDPR. Common examples of Personal Data are: name, phone number, address, email address, user ID, account card number, vehicle registration number, IP address, etc.
Data Subject: the person who can be identified by the Personal Data.
Processing: processing of Personal Data may take place in different ways. Anything done with Personal Data, automated or otherwise, is a form of Processing. Processing can be a single measure or a combination of measures. Examples of common Processing of Personal Data are storage, erasure, sharing, reading, recording, copying, collection, organisation, use, adjustment, destruction, etc.
Data controller: The person who determines the purpose of a particular Processing of Personal Data and how the Processing is to be carried out is considered a Controller under the GDPR. Natural persons, legal persons, public authorities, institutions or other bodies may be data controllers.
Processor: anyone who processes Personal Data on behalf of a Controller, under the Controller’s instructions, is considered a Processor under the GDPR.
Third party: third party means someone other than the Controller (and the persons authorised to Process the Personal Data), the Data Subject or the Processor (and the persons authorised to Process the Personal Data). A third party may be a legal person or a natural person, institution, authority or other body.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
SCC: Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, or later updated version.
Who is responsible for the Processing of Personal Data?
Our Processing of your Personal Data is carried out in accordance with the GDPR (and SCC where applicable) and the basic data protection principles.
Setly Sweden AB is the controller of all Processing of Personal Data carried out by us or on our behalf, and we are responsible for the Processing thereof to the extent that we determine the means and purposes of the Processing (in accordance with the principle of accountability). For example, Setly Sweden AB acts as a data controller when the Company registers the Customer as a customer in the systems we use in the context of the business or when Setly Sweden AB handles the Customer’s data including any Personal Data in order to fulfill obligations under the customer agreement, carry out billing for the Service, etc.
In some cases, Setly Sweden AB acts as a Data Processor for the Customer, who is the Data Controller. For example, Setly Sweden AB processes Personal Data on behalf of the Customer and in accordance with the Customer’s instructions, when a Customer engages Setly Sweden AB as its accounting firm in order for Setly Sweden AB to handle the Customer’s bookkeeping/accounting/invoicing, etc. The processing of Personal Data that Setly Sweden AB performs in its capacity as Personal Data Processor is regulated in more detail in a Personal Data Processor Agreement that has been entered into with the Customer.
Categories of Personal Data We Process
In accordance with the principle of data minimisation, we only process Personal Data that is adequate, necessary and relevant to fulfil the purposes for which it was collected.
We primarily Process the following categories of Personal Data that we may obtain when you contact us, enter into a contract with us or otherwise in connection with the performance of our services:
- Identifying information: first name, surname, social security number or equivalent.
- Contact details: phone number, email address, address, social media user ID.
- Other Personal Data: any other Personal Data that is provided to us, such as that which is included in a message sent to us.
Purposes and legal basis for our Processing of Personal Data
In accordance with the purpose limitation principle, we only process Personal Data for specific, explicit and legitimate purposes. In addition, any Processing is legally justified and lawful in accordance with the provisions of the GDPR. Below you can read more about the legal basis and purposes of the Processing of Personal Data.
- When you visit our website:
- When we receive contact via email, phone, social media or contact form:
We may contact you, and you may contact us, via email, telephone or social media and in such cases we will have access to your Personal Data as disclosed in connection with such contact. For example, we may obtain the following Personal Data: first name, last name, phone number, email address, social media user ID (if applicable) and other information you provide to us. This information is processed by us to know who we are talking to and to keep in touch with you on the matter. Legal basis for the Processing: legitimate interest.
- When you enter into a contract with us:
We Process Personal Data of the Customer’s contact person and/or company signatory in order to perform the contract for our Services. The personal data that we Process relating to the Customer’s contact person and/or company signatory include: first name, last name, telephone number, e-mail address, employer. Legal basis for Processing: contract.
We Process and store our invoices and other accounting records that we are required to Process and store under applicable legislation, such as the Accounting Act (1999:1078). Accounting records and supporting documents may in some cases contain Personal Data, such as the contact details of the Customer’s contact person and/or company signatory. Such data is stored for at least seven (7) years or as long as required by law. Legal basis for Processing: legal obligation.
- When you sign up to receive newsletters from us:
You can choose to receive newsletters from us by giving your voluntary and active consent to us processing your email address for that purpose. You can unsubscribe at any time by clicking on the link in the newsletter to unsubscribe from the newsletters or by emailing us. Legal basis for Processing: consent.
- Other purposes of our Processing of Personal Data:
If we are obliged by law, court or authority decision to Process certain Personal Data, the Processing is carried out on the basis of a legal obligation as a legal basis. In such cases, Processing will only take place to the extent necessary for us to comply with our legal obligations and we will only Process necessary Personal Data for as long as required by law (in accordance with the principle of retention minimisation).
Where a Processing of Personal Data is carried out on the basis of a Legitimate Interest, we consider that the Processing does not constitute an infringement of your right to privacy and integrity. We have reached this conclusion after balancing what the Processing in question means for your interests and right to privacy on the one hand, and our legitimate interest in the Processing in question on the other. However, we never Process sensitive Personal Data on this legal basis.
Based on our Legitimate Interest, we may Process Personal Data in order to:
- protect our rights and property,
- carry out direct marketing of our services,
- ensure the technical functionality of the Website,
- collect anonymous statistics, performance measurements, etc. relating to our services.
Storage location and storage time
We aim to store all Personal Data that we Process within the EU/EEA, in accordance with the principle of integrity and confidentiality. If Personal Data is stored in a country outside the EU/EEA, we shall ensure that such storage location ensures an adequate level of protection in accordance with the provisions of the GDPR and the SCC.
Personal data will be stored for as long as it is necessary to fulfil the purposes for which it was collected. When the Personal Data no longer need to be stored for the purposes, they are either deleted (erased) or anonymised, in accordance with the principle of minimisation of storage.
We follow internal guidelines and written procedures regarding the deletion and logging of deleted Personal Data, to ensure that the Processing of Personal Data is in compliance with the GDPR.
Sharing of Personal Data
Personal data that we Process will not be shared with unauthorised persons. We may disclose Personal Data to someone else, such as public authorities or data processors that we engage in order to fulfil our obligations under contract and applicable law from time to time. Below is a brief summary of the different situations in which we may share Personal Data that we Process.
Authorities: we may share Personal Data that we Process if necessary to prevent, detect, deter or investigate criminal activity and to protect our interests and property.
- protect our legal interests;
- fulfil our contractual and legal obligations;
- detect and prevent technical, operational or safety problems; and
- provide, improve and maintain the Website (software maintenance).
Examples of service providers that we use are: web developers, document management systems, sub-consultants for the performance of contracted Services on our behalf to the Customer, etc.
Before we share any Personal Data with such service providers, we enter into a Data Processor Agreement with them in accordance with the provisions of the GDPR (or SCC if the Data Processor is located in a country outside the EU/EEA). This is done to ensure the safe and accurate Processing of Personal Data.
Technical and organisational security measures
We take and implement various technical and organisational security measures with a focus on the privacy of the Data Subjects. These measures are intended to protect against intrusion, misuse, loss, destruction and other changes that may compromise privacy (in accordance with the principle of integrity and confidentiality).
Below are examples of some of the security measures we take and implement:
- Internal procedures have been established with instructions regarding the processing of Personal Data that all staff must follow. This includes internal procedures for the deletion of Personal Data and the handling/documentation of Personal Data incidents.
- Internal procedures, policies and instructions are reviewed regularly, at least annually and as needed.
- A contact person for personal data matters has been appointed, who also reports directly to the company’s senior management.
- Staff have knowledge of how the Processing of Personal Data may take place.
- Access to databases, IT systems and parts of the IT infrastructure and network requires passwords.
- The suppliers and subcontractors used guarantee an adequate level of technical and organisational security for the services provided and the tasks performed.
- All employees have undertaken to respect the confidentiality of, among other things, Personal Data processed in the context of the activities and performance of the work.
- We follow the seven basic data protection principles in all Processing of Personal Data. The principles are documented in internal procedures, to which our employees have access and which they follow in all Processing of Personal Data for which we are Data Controllers.
Rights of data subjects under the GDPR
If we Process your Personal Data, you have various rights under the GDPR in relation to our Processing of your Personal Data.
Under certain conditions, you have the right to:
- obtain access to your Personal Data.
- have inaccurate Personal Data corrected.
- request restriction of our Processing of your Personal Data.
- have your Personal Data deleted.
- move your Personal Data (data portability).
- receive information about Personal Data Incidents involving your Personal Data.
- object to the use of Personal Data for direct marketing and profiling purposes.
We hereby inform you that some of these rights only apply in certain situations and only if it is legal and possible for us to carry out your request.
You are welcome to contact us using the contact details set out below, should you wish to exercise any of the rights set out above in relation to your Personal Data that we Process.
According to the GDPR, a Personal Data Incident means a security incident that has caused the destruction, loss, alteration or unauthorised disclosure of Processed Personal Data. An incident can be intentional or unintentional, for example due to negligence or a crime (data breach, etc.).
Regulatory authorities are independent public authorities. Each country within the EU has designated its own supervisory authority to handle GDPR-related cases. In Sweden, the supervisory authority is the Swedish Data Protection Authority (IMY).
We comply with the provisions of the GDPR regarding the handling, notification and documentation of Personal Data Incidents. Where required by the GDPR, we will, within 72 hours, notify IMY of any Personal Data Incident that has occurred, and notify the Data Subjects affected by it.
Questions or complaints
If you have any questions or concerns, or are dissatisfied with our Processing of your Personal Data, you are always welcome to contact us. Below are our company and contact details.
Company: Setly Sweden AB
Org. no.: 559060-9045
Postal address: David Bagares gata 7, 114 32 Stockholm
Our contact person for personal data matters:
We have appointed a Personal Data Contact Person whom you can contact if you have any questions regarding our Processing of Personal Data.
Name: Caroline Hassel
You also have the right to contact the Swedish supervisory authority to lodge a complaint.
Name: the Privacy Authority (IMY).
Telephone: 08-657 61 00.
Postal address: the Swedish Data Protection Authority, Box 8114, 104 20 Stockholm.