Introduction
Creuna takes data privacy seriously and we are committed to comply to General Data Privacy Regulation (GDPR). Here you will find our Privacy statement and Creuna Information Security & Data Privacy Statement.
Privacy statement
This Privacy Policy tells how Creuna gather and use certain information about individuals.
1. Purpose of collecting personal data
Creuna process personal data only for purposes that are needed by Creuna’s services and to perform the processing according to privacy rights and regulations, including the need to protect personal integrity and private life and to ensure that personal data are of right quality.
Further it is the policy of Creuna to adhere to local data privacy legislation as well as corporate policies and procedures and applicable privacy directives, including General Data Protection Regulation (EU 2016/679). Processing may include collection, recording, alignment, storage, transfer and disclosure or a combination of this. Creuna may use resources from subcontractors outside EU-/EEA-area in a way that is considered as transfer of personal data for carrying out tasks (I a support services) based on EU standard contractual clauses. Creuna processes personal data both as a processor and as a controller.
2. Categories of Personal data
Personal data are related to employees, customers, and customers of the customers, vendors and visitors on Creuna’s webpages. Creuna processes:
- Personal data on behalf of Creuna’s customers and
- Personal data where Creuna is data controller
It is the policy of Creuna to limit these data only to include contact details, strictly professional information and information related to the activities Creuna has performed in relation to the persons concerned. Creuna may collect, store, use and transfer personal data for specifically expressed purposes when the user visits Creuna’s webpages. Such purposes are in general daily operation of the system and communication.
3. Principle rules
When processing personal data Creuna will fulfill obligations
- towards the data subjects,
- towards public authorities and
- towards customers and other controllers than Creuna regarding how the processing is carried out.
The obligations are further detailed below.
3.1. In relation to the data subject there are provisions in the applicable personal data act stipulating conditions for authorizing the processing. Consent from the data subject is normally a sufficient authorization. Dependent upon the data being sensitive or not, other conditions may authorize the processing. Furthermore, Creuna has an obligation to provide information to the data subject and upon request to provide access to the data. To ensure that personal data are of right quality, inadequate personal data may be corrected.
3.2. In relation to the public authorities the applicable Personal Data Act contains an obligation to give notification.
3.3. When Creuna is providing services to customers that include processing of personal data, such processing can only take place when there is a contractual basis for such processing. The transfer of personal data to Creuna’s subcontractors in countries outside EU/EEA can only take place when the data subject or the customer has approved the transfer. A legal basis is required for such transfer, for example a specific EU model clause agreement.
3.4. Regarding the processing itself there are obligations with regard to data security and internal control. Organizational, physical and technical security measures shall be implemented to ensure adequate level of data security. The measures shall be in proportion to the probability and consequences of any breaches of security to prevent loss of life or health, economical loss or loss of reputation and personal integrity. The use of external resources to process personal data may be subject to specific provision of applicable Personal Data Act, as well as the transfer of data to other countries. Creuna will delete personal data when all purposes of the processing of the personal data are fulfilled. The retention time of each category of personal data is assessed considering practical, technical and other considerations.
4. Audit program
To verify that Creuna’s processing meets data protection and privacy requirements, Creuna will conduct audits according to standard audit regime.
5. Changes to the Privacy Statement
Creuna reserves the right to amend this Statement at any time.
6. Complaint Mechanisms
Complaints may be addressed to compliance@creuna.com
Creuna Information Security and Data Privacy statement
1. General
This document is an overview of the Creuna Information Security and Data Privacy Governance.
2. Risk Assessment and Treatment
Creuna has the organization and routines in place to continuously identify and mitigate risks regarding:
• Security in IT operations
• Business
• Legal
3. Security and Data Privacy Policies
Creuna has, through the Creuna Security Governance and in accordance with ISO 27001 and OWASP S-SDLC, implemented several security- and data privacy policies:
- DATA CLASSIFICATION POLICY
- DATA PROTECTION POLICY
• PERSONAL DEVICES POLICY - NETWORK POLICY
- ENCRYPTION POLICY
- IDENTITY AND ACCESS POLICY
- SOFTWARE AND SYSTEMS POLICY
- DATA CENTER POLICY
- TRAFFIC, DEVICE AND DATA MONITORING POLICY
- SOFTWARE DEVELOPMENT POLICY
- BREACH AND DATA LEAK DISCLOSURE POLICY
- TRAINING AND AWARENESS POLICY
- DATA SHARING AND COLLABORATION POLICY
- PII PROCESSING POLICY
- LOCAL POLICIES
4. Organization of Information Security
The Creuna SOC (Security Operations Center) is responsible for maintaining the high level of Security and Data Privacy stated in the Creuna Security Governance document. The Creuna SOC is not only responsible for the IT operations part of security and data privacy, but also has close collaboration with HR, Legal and Management. The Creuna SOC department reports to NMT (Nordic Management Team) which is the top-level operational management entity within the Creuna organization. The Head of SOC is responsible for identifying, reporting and mitigating any Security and Data Privacy risks and/or incidents. The Head of SOC is also available for consultation on specific customer, partner, sub-contractor and/or 3rd party requirements and questions.
5. Asset Management and Confidentiality Controls
As part of the Security Governance, Creuna has an implemented Data Classification policy. This policy aims to ensure that all data processed by Creuna is classified as either Forbidden, Highly Sensitive, Sensitive, Normal or Public, and handled accordingly. Creuna has systems and routines in place to monitor the compliance of the classified data, and act on violations.
6. Human Resources Security
The Creuna SOC works closely together with HR to make sure we maintain a high level of awareness and competence in regard to Information Security and Data Privacy among our employees and sub-contractors. Creuna incorporates training and awareness as part of our onboarding process, and continuously host training sessions. All Creuna employees and sub-contractors have a responsibly to keep up-to-date with the Security and Data Privacy policies and procedures.
7. Physical and Environment Security
The Creuna server facilities (Data Centers) has high levels of certification in regard to physical and environmental security. Creuna also has procedures and systems in place to security our premises and monitor access to facilities and equipment:
- Visitor system
- Key-card access
- Alarms
- Pin codes and screen locks on computers and devices
8. Communications and Operations Management
The Creuna Data Center is our common infrastructure in the organization. This allows us to approach Information Security and Data Privacy in an efficient and unified fashion. Some of the common tools implemented in this infrastructure are:
- anti-malware
- phishing protection
- services disruption protection
- intrusion prevention
- DLP
- cloud services assessment, monitoring and compliance
- identity and access management
- vulnerability scanning and patch management
- network encryption and segmentation
- monitoring and incident response
Creuna provides and maintains numerable systems (Sanctioned Systems) for collaboration and processing of data and documents covered by the infrastructure security and compliance tools listed above.
9. Access Control
Creuna control access and authentication centrally and can quickly deploy and demote access as needed.
10. Information Systems Acquisition, Development and Maintenance
The Creuna Systems & Security board are responsible for deciding on introduction of- and changes to- sanctioned systems. The board evaluates and decides requests on recurring meetings through a change management process. Decisions are made based on:
- Security
- Business risk
- Compliance
- Business needs
- Cost
The Creuna SOC is responsible for ensuring that our customer solutions are developed in a secure manner (Secure by design, Privacy by default), and that the solutions maintained by Creuna stay secure through continuous vulnerability monitoring
11. Information Security Incident Management
The Creuna SOC is responsible for monitoring our compliance and respond to incidents. This includes, but is not limited to, notifying authorities of breaches.
12. Business Continuity Management
Creuna has implemented several solutions and processes to secure our Business Continuity in case of disaster or emergency.
- perimeter security and access control
- education and awareness
- onboarding and offboarding procedures
- highly available and geo-resilient data center
- backup and D/R
- Personnel and knowledge retention
- Procedure documentation and procedure automation
- Continuous risk assessment and adaptation
13. Compliance
The Creuna SOC has the main responsibility for ensuring compliance. We also rely on external specialists and mechanisms to validate the work of the SOC and make sure we’re compliant. For example:
- Recurring Legal auditing
- Electronic whistle-blowing system
- External InfoSec specialists doing recurring auditing
Our use of cookies
The information in this Cookie Policy is provided to you in an open and transparent way, so that you can see how cookies are used to enrich your visitor experience and make an informed choice to allow their usage. However, if you wish to delete cookies, this can be done via settings in your web browser. Below you can read more about our use of cookies.
Cookies
When you visit this website your online device will automatically receive one or several cookies, which are transferred from this website to your internet owser.
What is a cookie?
A cookie is a small text file. It does not contain any personal information and is not able to collect information. Two types of cookies can be used, "session-only" and "persistent". "Session-only" cookies are deleted when you end your browser session. "Persistent cookies" remain on your device for the time period set in the cookie after which time they delete themselves. However, these cookies may be renewed every time you visit the website.
Cookie types
It is common to distinguish between first-party cookies and-third party cookies. First-party cookies are allocated to the website that you visit while third-party cookies come from a third-party, such as a web analytics program.
Why does the website use cookies?
We use cookies to assess content usage and to compile statistics about the use of the website in order to improve the user experience. This data may be used to define where the visitors come from, what content is viewed and for how long. This information cannot be used to identify a visitor as an individual. Both first-party and third-party cookies may be used on this website.
How long will cookies be stored on my computer?
Cookie lifetime may vary. Some cookies will disappear when you close the browser while others exist for longer. For more information on cookie expiry see the cookie declaration.
Can I still visit the website if the cookie-function is disabled?
Yes. Should you have cookies disabled on your online device, you will continue to have the same access to the website content as with cookies enabled. However, some functions such as surveys and tools might operate with reduced functionality or not at all.
How to avoid or delete a cookie?
Most browsers accept cookies by default. You can alter your browser settings to not accept cookies or delete the cookies from your computer. Different web browsers may use different methods for managing cookies. Please follow the instructions below, from the most common web browser manufacturers directly, to configure your browser settings*.
Microsoft Internet Explorer (IE)Google ChromeSafariFirefox* These links are to third party sites, over which we have no control – no liability can be claimed if they are inaccurate.
This cookie declaration is delivered and maintained byCookie Information
Cookie declaration last updated on 06.03.2020
Strictly necessary (7)
Name | Provider | Purpose | Expiry | |
---|---|---|---|---|
JSESSIONID | .nr-data.net | Collects information about the website and its contents for reporting and security purposes. | Session | |
stsservicecookie | login.microsoftonline.com | Required for the website to perform properly. | Session | |
ARRAffinity | .creuna.com | Required for the website to perform properly. | Session | |
x-ms-gateway-slice | login.microsoftonline.com | Required for the website to perform properly. | Session | |
ASP.NET_SessionId | www.creuna.com | Supports the integration of a third-party platform on the website. | Session | |
fpc | login.microsoftonline.com | Required for the website to perform properly. | a month | |
__cfduid | .errorception.com | Required for the website to perform properly. | a month |
Functional (1)
Name | Provider | Purpose | Expiry | |
---|---|---|---|---|
__cfduid | .myvisitors.se | Required for the website to perform properly. | a month |
Statistical (9)
Name | Provider | Purpose | Expiry | |
---|---|---|---|---|
_hjIncludedInSample | www.creuna.com | Collects information about the users and their activity on the website for analytics and reporting purposes. | Session | |
_dc_gtm_UA-xxx-xxx | .creuna.com | Collects information about the users and their activity on the website through embedded elements with the purpose of analytics and reporting. | a few seconds | |
player | .vimeo.com | Collects information about the users and their activity on the website through embedded video players for analytics and reporting purposes. | a year | |
_sp_ses.xxx | .simplecast.com | Collects information about the users and their activity on the website for analytics and reporting purposes. | 30 minutes | |
_ga | .creuna.com | Collects information about the users and their activity on the website for analytics and reporting purposes. | 2 years | |
_sp_id.xxx | .simplecast.com | Collects information about the users and their activity on the website for analytics and reporting purposes. | 2 years | |
_hjid | .creuna.com | Collects information about the users and their activity on the website for analytics and reporting purposes. | a year | |
vuid | .vimeo.com | Collects information about the users and their activity on the website through embedded video players for analytics and reporting purposes. | 2 years | |
_gid | .creuna.com | Collects information about the users and their activity on the website for analytics and reporting purposes. | a day |
Marketing (19)
Name | Provider | Purpose | Expiry | |
---|---|---|---|---|
fr | .facebook.com | Facebook's primary advertising cookie, used to deliver, measure and improve the relevancy of ads. | 3 months | |
UserMatchHistory | .linkedin.com | Supports online marketing by collecting information about the users to promote products through partners and other platforms. | a month | |
lang | .linkedin.com | Supports online marketing by collecting information about the users to promote products through partners and other platforms. | Session | |
bcookie | .linkedin.com | Supports online marketing by collecting information about the users to promote products through partners and other platforms. | 2 years | |
xxx_u | c.23video.com | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | a year | |
uuid | c.23video.com | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | a year | |
ad_session_id | creunano.videomarketingplatform.co | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | an hour | |
www.facebook.com | Supports online marketing by collecting information about the users to promote products through partners and other platforms. | Session | ||
session_referer | creunano.videomarketingplatform.co | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | Session | |
IDE | .doubleclick.net | Used for online marketing by collecting information about the users and their activity on the website. The information is used to target advertising to the user across different channels and devices. | a year | |
lang | .ads.linkedin.com | Supports online marketing by collecting information about the users to promote products through partners and other platforms. | Session | |
lidc | .linkedin.com | Supports online marketing by collecting information about the users to promote products through partners and other platforms. | a day | |
bscookie | .www.linkedin.com | Supports online marketing by collecting information about the users to promote products through partners and other platforms. | 2 years | |
_visual_swf_referer | c.23video.com | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | Session | |
GPS | .youtube.com | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | 30 minutes | |
YSC | .youtube.com | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | Session | |
VISITOR_INFO1_LIVE | .youtube.com | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | 6 months | |
xxx_p | c.23video.com | Collects information about the users and their activity on the website through embedded video players with the purpose of delivering targeted advertising. | a year | |
_fbp | .creuna.com | Identifies browsers for the purposes of providing advertising and site analytics services. | 3 months |
Unclassified (4)
Name | Provider | Purpose | Expiry | |
---|---|---|---|---|
x-ms-routing-name | .t.myvisitors.se | an hour | ||
TiPMix | .t.myvisitors.se | an hour | ||
spscreqid | .simplecast.com | 19 years | ||
_cunaid | www.creuna.com | Pending | 2 years |
Your consent applies to the following domains: creuna.com