Paloma deals with various categories of personal data in a number of different contexts.
In the main part of the processing of personal data, Paloma acts as a data processor on behalf of Paloma’s customers (customers are hereinafter referred to as “Users”). Such processing occurs when Users use Paloma’s services that administer registration for events and sending of e-mails (Postman and Magnet). The personal data will in this way be processed by Paloma, but it is the Users who are responsible for the processing of personal data. The Users are seen as data controllers. That means that they have influence and control over how the processing of personal data occurs, and therefore have the primary responsibility to ensure that personal data is processed in accordance with the applicable legislation.
Paloma also processes some personal data of which we are data controllers. When Paloma acts as data controller it means that we control how the processing of personal data occurs and that we are primarily responsible for ensuring that the personal data is processed in accordance with the applicable legislation.
PALOMA AS PERSONAL DATA CONTROLLER
Categories of data subjects
This section will explain which categories of personal data that are processed under each category of data subjects for which Paloma is the data controller. The categories of data subjects are: customers, suppliers, job seekers and website visitors.
Paloma treats personal data relating to its customers. Personal data is collected primarily in connection with the creation of a customer account at Paloma’s website. The categories of personal data that are collected and processed when an account is created are:
Paloma also processes payment information of their customers including payment history, billing and if applicable, payment reminders.
Paloma processes personal data about their suppliers. The categories of personal data collected and processed are:
Personal data are processed when you are seeking employment at Paloma. The categories of personal data that are collected and processed in connection with recruitments are:
Paloma also processes certain personal data when you visit Paloma’s home page. The categories of personal data which are processed are:
Personal data may additionally be supplemented, collected and controlled by the use of public and other registers, such as a population registration register, registers from credit reporting companies, company registers etc.
The use of personal data
Paloma only processes such personal data that we have a lawful basis and a specific purpose of processing.
The purpose of the processing is to fulfil obligations in Paloma’s obligations towards customers, suppliers and employees. Paloma has, for example, obligations to its customers to deliver Paloma’s services.
The legal basis for the processing of customers’ and suppliers’ personal data is fulfilment of the respective agreements that Paloma has entered into with its customers and suppliers.
If you are seeking employment at Paloma, we will handle your personal data in connection with the recruitment process in order to find a suitable candidate. The legal basis for this is Paloma’s legitimate interest. If we have a purpose to save your application documents for later recruitments, we will ask for your consent.
Paloma’s lawful basis to process personal data about our website visitors is Paloma’s legitimate interest.
Personal data may also be processed for marketing on the basis of Paloma’s legitimate interest to communicate with customers that are using Paloma’s services, or those that might be interested in using the Paloma’s services in the future. Personal data may also be processed to administer invitations to events and to develop the business. It may also be necessary for Paloma to process the personal data in order to fulfil Paloma’s legal obligations.
The processing of personal data may be based upon a given consent for a specific purpose. If you have given consent for processing of your personal data for a specific purpose, you are free to revoke the consent by contacting us. Even though the consent is revoked, Paloma may have the right to continue the processing on the basis of other lawful bases, such as fulfilling an ongoing agreement between you and Paloma.
Recipients of the personal data
Paloma may share personal data that Paloma is a data controller for to the data subject and to third parties where this is necessary or beneficial for Paloma. A third party shall mean a company that Paloma has a business relationship or a personal data processing agreement with, or a governmental authority.
When Paloma shares personal data with our processors (for example suppliers of IT services) it is done only for purposes that are compatible with the purposes for which we collect the data. Paloma has entered into agreements with our processors and we conduct audits of processors to ensure they can provide sufficient guarantees regarding the security and confidentiality of personal data, and comply with our limitations and requirements for the transfer of personal data to third parties outside the EEA.
In some cases, personal data is disclosed to parties located outside the European economic area (EEA) and the personal data may therefore be processed outside the EEA. Paloma will only share personal data with companies in third countries which have an adequate level of protection, or by approved methods that are considered to achieve an adequate level of protection.
Paloma has taken appropriate technical, administrative and organizational security measures in order to ensure that personal data may only be processed by qualified personnel, and to prevent the occurrence of personal data breaches.
The storage period
Your personal data will be stored as long as necessary to fulfill the purposes of the processing. Personal data relating to a customer agreement will for example be saved as long as the customer agreement is active and for one years thereafter. The processing of personal data for other purposes than completion of customer agreements are saved in accordance with an established retention routine. Paloma also works continuously to retain personal data when it has been depreciated and/or when the purpose of the processing has ended.
Personal data controller
Paloma is the persona data controller for the treatment described above. Paloma is responsible for the processing carried out in respect to personal data. Paloma can be contacted via firstname.lastname@example.org.
PALOMA AS PERSONAL DATA PROCESSOR
Paloma also processes personal data on behalf of its Users. The processing occurs in accordance with the Users instructions and in accordance with applicable legislation. Paloma has entered into data processing agreements with the Users where Paloma guarantees to take appropriate technical and organizational measures to ensure that the data subject’s rights are protected. When the contractual relationship between Paloma and a User expires, personal data will be deleted or returned in accordance with the data processing agreement between Paloma and the User. The Users have the right to carry out audits in order to ensure that Paloma follow their commitments on security and privacy for personal data.
Below follows information on the processing of personal data that can occur when Users are processing the personal data within Paloma’s services.
Categories of personal data
Paloma essentially provides two types of services. When personal data is processed by Paloma’s service Postman (sending newsletters) the following categories of personal data will typically be processed:
When personal data is processed by Paloma’s service Magnet (Registration pages and ticket sales), the following categories of personal data will typically be processed:
Paloma’s services are structured in such a way that Users are able to freely add information, which sometimes may include personal data. Other categories of personal data may thus occur in specific e-mails or on specific event-registration pages.
The personal data is often collected with the data subject as an informant, or through the use of the public and other records, such as registers, credit reporting companies, company registers etc.
The use of personal data
Paloma’s User’s have in the data processing agreement committed to only process such personal data that they have a lawful basis for processing, and a specific purpose to process.
Paloma does not have full insight into the Users specific purposes for the processing of personal data. Typical purposes for the processing of personal data in connection with the use of Paloma’s service for newsletter (Postman) is marketing and advertising as well as being able to convey news. Typical purposes for the processing of personal data in connection with the use of Paloma’s service for events (Magnet) is to administer registrations and notifications to, for example, events, courses and seminars.
Users may have a number of lawful basis for their processing. They may obtain consent, have a contractual relationship with the data subject or have a legitimate interest of the processing. Personal data may also be processed for Users to be able to fulfil the obligations imposed on them by law.
If the processing of personal data is based on a given consent for a specific purpose, you are free to withdraw your consent by contacting the User. Paloma may, if necessary, refer to the appropriate Users. Even if the consent is withdrawn, the User may have the right to process personal data on the basis of another lawful basis, such as to fulfill an ongoing contract between you and the user.
The storage period
Paloma’s services are structured in such a way that the Users are able to freely add information, which sometimes may include personal data. It is the Users who retain personal data when the purpose of the processing is fulfilled. When a User terminates their agreement with Paloma, a notice period is set. After this date the User no longer has access to the account. 60 days after this date, all data, including personal data, is deleted on the account (address lists, questionnaires, etc.).
The reason that data is saved for 60 days is that sometimes all users of a User account are not aware of who is currently using the account. Suddenly another person using an account may no longer have access. Then it is important that Paloma is able to recreate the account for some time after the termination.
Recipients of personal data
Outside of the processing that Paloma carries out after Users instructions, Paloma does not have full insight into your Users’ processing of personal data. The user may disclose personal data to other third parties when this is necessary or beneficial to the user. Users may also share the information with other processors than Paloma where it is necessary or advantageous to enable them to perform their duties. The User would also disclose personal data to such party who is outside the EEA.
YOUR RIGHTS AS A DATA SUBJECT
You have the right to request information about which personal data we process. You also have the right to request that your personal data is deleted, corrected or restricted. You also have the right to request that your data shall not be used for direct marketing purposes. You furthermore have the right to request us to deliver your personal data in a machine-readable format (or, if technically possible, to transfer the data to a third party of your instruction).
A request for information, deletion, correction or restriction shall be addressed to the personal data controller. Contact Paloma if Paloma is the personal data controller for your personal data and the respective User if they are the personal data controller for your personal data. Paloma will pass on requests to the User if such a request would be wrongly directed to Paloma.
If you are dissatisfied with the processing of your personal data, you can file a complaint to the supervisory authority, which in Sweden is Datainspektionen (www.datainspektionen.se).
You may also contact the supervisory authority in your country of residence.
ADDITIONS AND CHANGES
Paloma may make additions and changes to this policy. If this occurs, an updated policy will be published on our website. We then encourage you to carefully review the updated policy.