1. Purpose of collecting personal data
Creuna process personal data only for purposes that are needed by Creuna’s services and to perform the processing according to privacy rights and regulations, including the need to protect personal integrity and private life and to ensure that personal data are of right quality.
Further it is the policy of Creuna to adhere to local data privacy legislation as well as corporate policies and procedures and applicable privacy directives, including General Data Protection Regulation (EU 2016/679). Processing may include collection, recording, alignment, storage, transfer and disclosure or a combination of this. Creuna may use resources from subcontractors outside EU-/EEA-area in a way that is considered as transfer of personal data for carrying out tasks (I a support services) based on EU standard contractual clauses. Creuna processes personal data both as a processor and as a controller.
2. Categories of Personal data
Personal data are related to employees, customers, and customers of the customers, vendors and visitors on Creuna’s webpages. Creuna processes:
1. Personal data on behalf of Creuna’s customers and
2. Personal data where Creuna is data controller
It is the policy of Creuna to limit these data only to include contact details, strictly professional information and information related to the activities Creuna has performed in relation to the persons concerned. Creuna may collect, store, use and transfer personal data for specifically expressed purposes when the user visits Creuna’s webpages. Such purposes are in general daily operation of the system and communication.
3. Principle rules
When processing personal data Creuna will fulfill obligations
1. towards the data subjects,
2. towards public authorities and
3. towards customers and other controllers than Creuna
regarding how the processing is carried out.
The obligations are further detailed below.
3.1. In relation to the data subject there are provisions in the applicable personal data act stipulating conditions for authorizing the processing. Consent from the data subject is normally a sufficient authorization. Dependent upon the data being sensitive or not, other conditions may authorize the processing. Furthermore, Creuna has an obligation to provide information to the data subject and upon request to provide access to the data. To ensure that personal data are of right quality, inadequate personal data may be corrected.
3.2. In relation to the public authorities the applicable Personal Data Act contains an obligation to give notification.
3.3. When Creuna is providing services to customers that include processing of personal data, such processing can only take place when there is a contractual basis for such processing. The transfer of personal data to Creuna’s subcontractors in countries outside EU/EEA can only take place when the data subject or the customer has approved the transfer. A legal basis is required for such transfer, for example a specific EU model clause agreement.
3.4. Regarding the processing itself there are obligations with regard to data security and internal control. Organizational, physical and technical security measures shall be implemented to ensure adequate level of data security. The measures shall be in proportion to the probability and consequences of any breaches of security to prevent loss of life or health, economical loss or loss of reputation and personal integrity. The use of external resources to process personal data may be subject to specific provision of applicable Personal Data Act, as well as the transfer of data to other countries. Creuna will delete personal data when all purposes of the processing of the personal data are fulfilled. The retention time of each category of personal data is assessed considering practical, technical and other considerations.
4. Audit program
To verify that Creuna’s processing meets data protection and privacy requirements, Creuna will conduct audits according to standard audit regime.
5. Changes to the Privacy Statement
Creuna reserves the right to amend this Statement at any time.
6. Complaint Mechanisms
Complaints may be addressed to email@example.com