Personal data processing policy

Policy on privacy and processing of personal data in GAEU Ventures AB

Purpose

We care about privacy. Anyone who entrusts us with their personal data should be able to feel confident that it will be handled in a prudent and secure manner. This also applies to our customers and other stakeholders who, in the course of our business, allow us to process personal data for which they are responsible. That is why we have drawn up this policy. It is based on current data protection legislation and sets out guidelines on how we will manage the balance between privacy, business conditions and other applicable legislation.

The purpose of this policy is to set out guidelines for our internal work and to show our stakeholders in a transparent way how we process personal data. Ultimately, it is about protecting personal data from unauthorised access and making it easier for data subjects to find out what data we process about them and to be able to easily erase it at the request of the data subject if and when the law so permits.

Validity

The European General Data Protection Regulation (GDPR) entered into force on 25 May 2018. We see that the meaning of

subject to interpretation from time to time and that practice may therefore change over time.

time. GAEU Ventures is a small company that processes personal data on behalf of a large number of customers, investment candidates and investment targets (hereinafter referred to collectively in this policy as "customers") with varying requirements that may be the basis for changing practices. Therefore, this Policy may be updated periodically. The current policy is always the one posted on our website. This version was adopted by management and the Board of Directors on July 1, 2021, at which time previous versions will expire.

GAEU Ventures AB 

GAEU Ventures is an investment company that invests in innovative small companies in Sweden and the Nordic region. We process personal data both on our own behalf and on behalf of our clients. GAEU has only legal entities as clients and both private individuals and legal entities as investors. GAEU is a data controller when we process personal data of our employees, job candidates and contact persons at suppliers, customers and potential customers. This policy covers how we will process personal data in this role.


Reasons for processing personal data

We do not process personal data other than when it is necessary to fulfil the purpose of the business or obligations under contract and law. We must be careful to justify the reason why we are processing personal data. Here we divide this as follows:

  • Legal requirements

  • Contractual commitments

  • Operational reasons, so-called balancing of interests

  • Consent of the data subject*

* We never keep personal data longer than is justified by the purpose of the business or obligations under contract and law. Therefore, we do not foresee any situation where we will need to obtain consent for the processing of personal data. However, there may be situations where large amounts of personal data cannot always be deleted immediately after the business purposes and legal and contractual obligations have ceased to apply for administrative reasons. In such situations, individual personal data shall be erased immediately upon request of the data subject.

We process the following types of personal data

Personal data is any information that can be directly or indirectly attributed to a natural living person. Below are examples of the personal data we process. In individual cases, we may process other personal data in addition to those listed below.

  • Name

  • Address

  • E-mail address

  • Telephone number

  • Age

  • Date of birth

  • Sex

  • Title

  • Username and password

  • Photographs

  • Bank account number and other bank related data

  • Salary data

  • Information provided to us in connection with recruitment processes, such as education and work experience

Particularly sensitive personal data

We do not usually process personal data that the GDPR classifies as sensitive personal data. However, in exceptional cases, we may process sensitive personal data in connection with specific personnel matters, e.g. rehabilitation or other employment law matters for our employees (then as a data controller). Where the processing of such personal data differs from the processing of other personal data, this is set out in this policy.

We process personal data relating to the following groups

As a data controller, we process personal data relating to our employees, mainly the data contained in a normal employment contract, data relating to payroll management and data related to HR, such as data for individual development. All such data is never kept longer than required by law. This means, among other things, that HR-related data is deleted as soon as possible after an employee has left the company.


Candidates

We process personal data relating to people who apply for employment with us or our customers, and personal data that we search for via LinkedIn. Personal data collected by the candidate himself/herself is kept as long as it is justified for business purposes, but never longer than two years after it was collected. Personal data collected via LinkedIn is stored in LinkedIn's own systems and is therefore never kept longer than the candidate chooses to make it available on LinkedIn.

Customers

We process personal data about the contacts of our existing customers. This personal data is never processed in any other way than what can be justified by the ongoing customer relationship. These personal data are stored for a maximum of two years after the end of the customer relationship.


Potential customers

We process personal data about the contacts of potential customers. This personal data is never processed in a way that is not justified by normal sales and marketing processing. Where this personal data is used for targeted mailings, it must be made clear how to unsubscribe and when someone does so, the personal data must be deleted. The same applies if someone contacts us and asks for their personal data to be deleted.

Suppliers/partners

We process personal data of contact persons of our existing suppliers/partners. This personal data is never processed other than as justified by the ongoing business relationship. These personal data are stored for a maximum of two years after the end of the cooperation.

Processing of personal data

Below are our guidelines on how we process personal data at each stage from collection to final erasure. In order to ensure that the guidelines are met in our daily work, we have procedures that take into account and cover all the steps in the processing of personal data listed below. In addition, where applicable, we include procedures for the processing of personal data in the terms of reference we have

with the respective customer.

  • Collect and record

  • Structure, organise, process and use

  • Store and protect

  • Distribute, transfer and disseminate

  • Delete

Collect and record

  • We will only collect personal data that we are legally obliged to process based on our business or that can be considered essential to fulfill our existing obligations to our customers and employees as our business stands today. We will not collect personal data for the purpose of using it in the future for any purpose other than that for which it is intended today.

  • The only exceptions to the above are personal data that is used for marketing and sales purposes to persons in their capacity as directors of companies within our target group and personal data that is provided to us in connection with the recruitment of staff.

  • We will never collect personal data for the purpose of directly or indirectly selling them.

  • Based on the above points, we believe that we do not need consent in any case to collect the personal data we process, and therefore we should never ask for consent.

  • The collection of personal data shall be carried out in such a way that the personal data shall be transferred to the systems or storage location where they are to be used as soon as possible after we receive them. This is to ensure the secure storage of personal data. This means that personal data should never remain in emails, web forms, physical paper or similar documents unless these documents can be considered as part of the long-term storage of personal data and the protection of personal data is therefore adequate.

Structure, organise, process and use

  • We only use personal data for its primary purpose, i.e. in accordance with the purposes and reasons for which it was originally collected or transferred to us. These purposes are set out in contracts or other types of agreements with our customers and employees or in routine documents that govern the use of specific personal data in detail.

  • Where we structure or process personal data, this is never done for a purpose or in a way that alters the original purpose of use or allows the personal data to be analysed in a way that is incompatible with that purpose.


Store and protect

  • We only store personal data where we can ensure that it is adequately protected. This means the following:

    • Physical material containing personal data is kept locked in fire-rated cabinets to which only authorised persons have access.

    • Digital storage on your own server is protected by firewalls from leading manufacturers. Only authorised personnel have access to the server room.

    • Digital storage in the cloud takes place only in CRM systems (and similar) with large established providers that guarantee at least the security justified by the nature of the personal data and the contractual obligations we have in relation to our customers.

  • Antivirus software is installed on all servers and clients. Antivirus definitions are automatically updated daily.

  • Access to data (both from our own server and from the systems in the cloud) is controlled by permissions based on the principle that no employee should have access to data that is not required for us to fulfil our obligations to customers and authorities. All employees have their own login with passwords created and changed in accordance with high security recommendations.

Distribute, transfer and disseminate

  • We never disclose or transfer personal data to third parties, except for what we are required by law to report to authorities (e.g. the Swedish Tax Agency and the Swedish Social Insurance Agency).

  • We interpret the framework to mean that we can still distribute personal data to the data subject or to the controller via email. However, to ensure a high level of privacy protection when distributing personal data, the following applies:

    • We never distribute so-called sensitive personal data via regular unencrypted emails, but use higher security distribution methods.

    • We avoid emailing personal data together with other data in order to make it easier for the recipient to delete the email once the personal data is stored in accordance with the recipient's guidelines.

Delete

  • We must always delete personal data when it is no longer needed for the purposes for which it was collected and used. In many cases, however, we rely on the systems we use for processing personal data to be adapted to delete data in an administratively manageable way. We currently apply the following guidelines for the deletion of personal data for which there are no longer any reasons to keep:

    • All such data must be deleted within two years at the latest.

    • Upon request by the controller to erase a large amount of personal data, this shall be done as soon as administratively possible, but within three months at the latest.

    • Upon direct request from the controller or from a data subject to erase personal data relating to an individual data subject, the data shall be erased as soon as possible, but within one month at the latest.

    • Any sensitive data must be deleted as soon as possible.

  • When we terminate engagement with a customer, we will return all personal data to the customer or to another party referred by the customer upon request. Thereafter, all personal data related to the customer will be deleted. In some cases, parts of our contractual obligation may remain for a transitional period. This may include, for example, the obligation to report data to authorities. In such cases, the personal data will be deleted when this obligation ends.

Rights of the data subject

As a data subject, you have a number of rights related to how personal data is processed.

Below are the rights that are most relevant to our business and the personal data we process:

Right to information

The data subject has the right to obtain information about which personal data we process, a so-called register extract.

Right to rectification or amendment

The data subject has the right to request the rectification of inaccurate data or the amendment of personal data provided.

Right to withdraw consent

In principle, we never use consent as a reason to process personal data. In cases where this has been done, the data subject always has the right to withdraw this consent, in which case we will delete the personal data collected with consent.

Right to erasure in certain circumstances

The data subject has the right to have his or her data erased in cases where we have used operational reasons, so-called balancing of interests, as grounds for processing personal data. However, this right does not apply if, for example, we are obliged to process the personal data by law.


Please note that in some cases, the data subject's rights must be exercised against the controller, which in turn ensures that we take the relevant measures.

Website

Use of Cookies

Cookies are small text files that are stored on your device. Our website uses cookies that provide insights for us so that we can make your experience of visiting our website better. Cookies do not contain any personal information. By using our website, you accept the use of cookies in your browser.

If you want to opt out or delete your cookies, go to your browser settings and change your cookie preferences.

Cookies we use on this website

We use Google Analytics for traffic analysis and to understand our visitors' browsing habits on our website. These cookies do not contain any personal information. 

Contact form on our website

When you use any of the contact forms on our website, we assume that you consent to us collecting and storing the information you provide. 

Other

If you have any questions about this policy, please email us at info@gaeuventures.se