This privacy policy applies when companies within the Excedo Group provide services and/or products to customers and where Excedo is the controller of personal data.  The privacy policy describes Excedo's processing of customer data and traffic data as well as the rights which an employee, contractor or  customer’s end customer (“users”) may exercise with regard to its personal data. 

Excedo is to be regarded as the controller of personal data for data which is processed to provide services and/or products and for other tasks where Excedo determines the purpose and means of processing such data. 

If the customer determines the purpose and means of processing the data, the customer is to be regarded as the controller of personal data and Excedo to be regarded as the personal data assistant.  Excedo’s processing of such data on behalf of the customer is not covered by this privacy policy. 

What kind of data we process

Excedo processes two kinds of information about our customers - customer data and traffic data.  What kind of information we collect about the customer depends on which of our services and/or products are used. 

Customer data : data related to the service/product we provide to the customer, for example user’s name, address, email address, phone number, username and password as well as professional title/role. 

Traffic data : data related to what happens when the customer uses our services.  Traffic data is processed for the purpose of sending an electronic message via an electronic communications network or for invoicing this message, such as time, scope and technical data. 

How do we collect the data
Depending on the service and/or product we provide, we collect and process data which:

  • the customer submits when the customer concludes an agreement with Excedo and communicates with us, 
  • is created when the user uses some of the services and/or products we provide to the customer, 
  • is collected from other sources - eg  company information from company registers, data from credit assessment and from other suppliers and partners, or 
  • is generated by our web pages using cookies that collect information on and from users' browsers.  

What we use the data for
The process of personal data must be allowed according to applicable data protection regulations, ie there must be a legal basis for the processing.  In order for our processing of personal data to be legal, it must be necessary 

  • to fulfill the agreement with the customer;  or 
  • to fulfill a legal obligation. 

 The processing of personal data may also be made 

  • after a balance of interest;  or 
  • after consent has been given for that particular process.

In order to provide services and/or products to the customer, we need to process personal data.  The following are examples of the purposes for which we process personal data, on which legal basis and the length of time we save the data. The period of time we save personal data varies based on what the data is required for.  We never save data longer than we need for current purposes. 

Provide and fulfill service and/or product agreements
We process customer data and traffic data in order to provide services and/or products to the customer and its users , fulfill agreements and exercise our rights under the agreement.  For example, we need to identify a customer/user to manage orders, manage invoices and payments for the service/product, credit assessments, registry management, troubleshooting and correcting faults, managing views and complaints of services/products, and ensuring that the traffic in the network reaches the intended recipient. 

Legal basis: fulfill agreement, legal obligation. 

Develop services and products
We process customer data to develop and manage our business, our services and products and networks, as well as our processes and practices.  For this purpose, we may also compile statistics for analysis needs. 

Legal basis: legitimate interest (customer data) and consent (traffic data). 

Provide and improve service to our customers
We process customer data and traffic data to manage customer case history, provide support and customer service, and educate our employees and improve our ways of work. 

Legal basis: fulfill agreement and balance of interests (to maintain good customer service). 

Direct marketing
We process customer data and traffic data in order to market our services and products directly to the customer/user.  Marketing is performed via mail, phone, SMS and email. 

Legal basis: legitimate interest (customer data) and consent (traffic data). 

Information security and to prevent abuse of services and products
We process customer data and traffic data in order to ensure the security of all our services, products and electronic communications networks, to detect or prevent various types of illegal use or use that otherwise violate the terms of the service/product and/or to detect and prevent fraud, virus attacks, etc. 

Legal basis: fulfill agreements (customer data) and legal obligation (traffic data). 

Comply with statutory obligations or other regulations, government regulations, decisions, requests or guidelines and to safeguard our interests
We process customer data and traffic data in order to fulfill our obligations under law or other regulations, government regulations, decisions, requests or guidelines, for example, we save documentation in accordance with the Accounting Act and the Electronic Communications Act. 

Legal basis: legal obligation. 

How long we save data 

We never save data longer than we need.  Certain data is deleted immediately, other data is saved various periods of time depending on the usage of data and our statutory obligations. 

  • Customer data is saved as long as the customer relationship is ongoing and thereafter no later than 12 months after termination of the agreement.  Exceptions apply to such documents that must be stored by law, such as the Accounting Act. 
  • Traffic data is saved for billing purposes.  In the case of unpaid invoices, the data is saved until the claim is paid.  Once the invoice is paid, the data is deleted after 6 months, except for the data stored according to law, for example the Accounting Act. 
  • We also save traffic data to help the customer/user if something is wrong with the services we provide. These data are stored no later than 12 months after termination of the agreement. 

To whom we provide information 

To subcontractors or to companies within our group of companies that process data on our behalf
We engage subcontractors and in some cases companies within our own group of companies to deliver our services and/or products.  This means that they need certain information about our customers and their users. However, these parties may not use personal data for any purpose other than providing the service and/or the product or under the terms and conditions we specify. 

Transfer of personal data to third countries
We also engage certain suppliers which have its business outside the EU / EEA, in a so called third country, to provide services and/or products. Such transfer may only be made if the conditions for transfer to third countries as set out in applicable data protection legislation have been met, ie there is an adequate level of protection in third countries or that there are special and sufficient safeguards to protect data and rights.  Should these terms not be met in third countries, we ask you as a customer for specific consent for transfer. 

Other recipients
We also provide information to other recipients where we are required by law or authority to disclose data. 

User's exercise of individual rights 

In accordance with applicable data protection legislation, customer’s users have a number of rights that allow the user to get information about and control of their personal data.  Because it is important that it is the registered, ie the individual user whose data we process, who exercises the individual rights,  we may request the customer to assist.  In that case, the customer shall identify the individual user, specify the rights that the user wishes to exercise and the additional information necessary to manage the request and fulfill the user's rights. 

We respond to a request from users without unnecessary delay and usually within one month. 

Right to information and access to personal data
The user is entitled to request confirmation if we process personal data about the user, and if so, we will inform the user of how his/hers personal data is processed.  The user is also entitled to receive a copy of the data we process. 

Right to rectification
It is important for us that the personal data we have about users is accurate.  If the data is incorrect, the user has the right to contact us and ask for rectification.  The user also has the right to request that data be added if something is missing, if the addition is relevant with regard to the purpose of the processing.  We will inform those to whom we have provided the user's data that corrections have been made.  We will also inform the user, at the user's request, to whom information about rectification has been provided. 

Right to erasure (right to be forgotten)
The user has the right to contact us to request its personal data to be deleted: 

  • if the data is no longer needed for the purposes for which they were collected; 
  • if the process is based solely on consent and the consent is revoked; 
  • if the process is for direct marketing and the user opposes the processing of the data; 
  • if the user is opposed to personal data processing on the basis of a balance of interests, and there are no legitimate reasons that outweigh the interest of the user; 
  • if the processing of the user's data has not complied with applicable regulations;  or 
  • if deletion is required to fulfill a legal obligation. 

If deletion has been made, we will inform them to whom we have provided the user's data that deletion has occurred.  We will also inform the user, at the user’s request, to whom information about deletion has been provided. 

Right to object

  • The user is always entitled at any time to object to the use of personal data for direct marketing.  If such objection is made , we will no longer process the data for that purpose. 
  • The user is also entitled to object to the processing of its personal data based on a balance of interest.  If we can not show that there are compelling legitimate reasons for processing that outweigh the user's reasons, treatment should be discontinued. 

Right to restriction
The user has the right to contact us and request that the processing of personal data is restricted and that the data then only be saved by us in the following situations: 

  • during the time it takes for us to check if the personal data are correct if the user contests the correctness of the personal data; 
  • if the processing is illegal and the user opposes deletion of the data and instead wants to restrict the use of the data; 
  • if, although we do not need the data anymore, the user wants us to save the data, allowing the user to use the data to determine, enforce or defend legal claims;  or 
  • pending verification of whose legitimate reasons, the user or ours, outweigh the other’s, if the user has objected to the process. 

In some cases, however, we can not meet a request for restriction, for example, if the data is required to enable us to defend our rights or protect someone else's rights.  In case of restriction, we will notify those to whom we have provided the user's data that a restriction has been made.  We will also inform the user, at the user's request, to whom information about restriction has been provided.

Right to data portability
The user is entitled to request his/hers personal data in a machine-readable format and is entitled to use such personal information elsewhere.  This right applies to such personal data the customer/user has submitted to us and which is processed on the basis of the user's consent or if the processing is based on an agreement with us.

Contact information Excedo 

If the customer or its users have questions or want to exercise their rights, for example revoke consent

  • Contact our helpdesk by email or by phone 08-501  612 50. 

Direct marketing
The customer and its users are always entitled to decline our direct marketing of services and/or products. Then contact our helpdesk, send a letter to our mailing address, or click on unsubscribe if the marketing came via SMS or email. 

Complaint
If the user deems his/hers personal data is processed in violation of applicable laws and regulations, the user may submit a complaint directly to us or to the Swedish Data Protection Authority (Datainspektionen). 

Controller of personal data
Excedo Networks AB or Excedo Digital Management Services AB is responsible for the processing of our customer’s and its users' personal data.  As a personal data controller we determine the purpose and the means for the processing. 

Excedo Networks AB, reg.  no. 556787-9944
Excedo Digital Management Services AB, reg.  no. 559016-2961 

Box 3065
169 03 Solna
Sweden

Validity and amendment of the privacy policy
This privacy policy will enter into force on May 25, 2018. 

Excedo may, from time to time, make changes to this privacy policy.  The latest version is always available on our a websites. 

www.excedo.se 

www.excedodms.se