Privacy Policy
We process your personal data that we get access to when you contact us or enter into an agreement with us. For example, it may happen in connection with your order of Products from our online store: arcticroe.com (hereinafter referred to as "the Online Store") or when you contact us.
Your personal information is processed by us primarily to be able to handle your order and, on those occasions when you have wished to receive newsletters or promotional offers from us, to be able to adapt the marketing to your individual needs.
Online Store: refers to the online store that is available through the domain arcticroe.shop which is owned by Arctic Roe of Scandinavia AB.
Customer: refers to a person who orders Products through the Online Store.
Third party: refers to someone other than Customer or Arctic Roe of Scandinavia AB.
Products: refers to all types of Products that are sold through the Online Store at any given time.
Payment service provider: refers to a Third Party that processes payments from the Customer on behalf of Arctic Roe of Scandinavia AB through the various payment methods provided in the Online Store.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
All references to "personal data", "processing" (of personal data), "data subject", "personal data breach", "supervisory authority" shall have the same meaning as set forth in Article 4 of the GDPR.
SCC: Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
Personal Data Controller
Arctic Roe of Scandinavia AB is the Personal Data Controller regarding all processing of personal data performed by us or on our behalf and we are responsible for ensuring that the processing takes place in accordance with the GDPR (according to the principle of accountability).
Company: Arctic Roe of Scandinavia AB.
Reg. no: 559035–8924.
Postal address: Lagastigsgatan 6, 28732 Strömsnäsbruk.
Our contact person for personal data matters:
We have appointed a contact person for personal data matters whom you can contact if you have questions regarding our processing of personal data.
Name: Torbjörn Ranta
Personal data that we process
In accordance with the principle of data minimization, we only process personal data that is relevant, necessary and adequate to fulfill the purpose for which it was collected.
We mainly process the following categories of personal data that we can access from you when you contact us by phone, e-mail or social media or enter into an agreement with us:
- Identification information: first name, last name.
- Contact information: telephone number, e-mail address, address, username for social media.
- Financial information: purchase history, order number, payment method.
- Other personal information: any personal information that is provided to us, such as those that are included in a message sent to us or registered in connection with ordering our Products.
Purpose of the processing of personal data
We only process personal data for specific, explicitly stated and legitimate purposes (in accordance with the principle of purpose limitation).
All processing of personal data is done carefully, and we do not share the data with unauthorized persons. Furthermore, each processing is legally based and thus legal in accordance with the provisions of the GDPR.
Below you can read more about the legal basis and purpose of the processing of personal data.
When you visit our website:
Access data and device information: Device identification, operating system, operating version, device ID, access time, configuration settings, time zone, country. Legal basis: Consent (Art. 6 (1) a GDPR).
When you contact us:
We process your personal data that we get access to when you contact us through e-mail, contact form, social media or in any other way. The purpose of the processing is to enable us to know who we are talking to and to be able to help you in the matter.
Identification information: first name, last name, address, telephone number, e-mail, username or user ID from social media (if applicable), message content. Legal basis: Legitimate interest (Art. 6 (1) f GDPR).
Customer matters: In order to be able to handle purchases and customer matters, we process the following information: first name, last name, address, telephone number, e-mail and order history. Legal basis: Contract (Art. 6 (1) b GDPR).
When you enter into an agreement with us:
When you enter into an agreement with us, for example in connection with the purchase of Products, we need to process your personal data in order to fulfill the purchase agreement. This includes, among other things, the following information: first name, last name, address, telephone number, e-mail. Legal basis: Contract (Art. 6 (1) b GDPR). More information about our terms of purchase can be read through the following link: https://arcticroe.shop/policies/terms-of-purchase .
When you send an order to us through the Online Store, we get access to your personal data that you provide in connection with the order process and the order information and payment information specified below. In addition, we also store accounting documents.
Order information: Name, order ID, order history, delivery address, canceled orders, completed orders, social security number (if stated in connection with the order). This information is processed by us every time you place an order, to handle the purchase. Legal basis: Contract (Art. 6 (1) b GDPR).
Consumer rights: In the case of an agreement to purchase a Product between us and a Customer as a consumer, the Customer's personal data is stored for at least three (3) years in order to fulfill, among other things, the right of complaint and other consumer rights that apply in accordance with applicable consumer protection legislation. Legal basis: Legal obligation (Art. 6 (1) c GDPR).
Payment information: Payment method, pseudonymized credit / debit card information. We must process this information in order to track the payments you have made and link them to your orders of our Products, to enable us to fulfill our contractual obligations. Legal basis: Contract (Art. 6 (1) b GDPR).
Accounting documents: We process and store receipts and other accounting documents that we are obliged to process and store in accordance with, among other things, the Swedish Tax Agency's requirements and the Accounting Act (1999: 1078). Such documentation is stored for at least seven (7) years or as long as required by law. Legal basis: Legal obligation (Art. 6 (1) c GDPR).
When you register to receive newsletters from us:
You can agree to receive newsletters from us by giving a voluntary active consent to the processing of your e-mail address for that purpose. You can cancel your subscription at any time by clicking on the unsubscribe link in the newsletter or by emailing us at email@example.com.
If you revoke your consent, you will be removed from the email list for recipients of the newsletters, but your email address will remain in the database with a block for receiving newsletters. The purpose of this is to ensure that you do not receive any newsletters from us.
If you want your e-mail address to be deleted from the list of blocked e-mail addresses, you can contact us by e-mail and request this. However, if you request that we remove your email address from the list of blocked e-mail addresses, you will be able to receive newsletters from us if you or someone else registers your email address to receive newsletters again.
Identification information: name, e-mail. Legal basis: Consent (Art. 6 (1) a GDPR).
When we have a legal obligation to process:
If we are obliged by law, court or authority decision to process certain personal data, the processing takes place on the basis of a legal obligation, as a legal basis. In such cases, the processing takes place only to the extent that it is necessary for us to fulfill our legal obligations. In accordance with the principle of storage limitation, we will only process necessary personal data, as long as the law requires it. Legal basis: Legal obligation (Art. 6 (1) c GDPR).
When we have a legitimate interest for the processing:
Based on our legitimate interest, we may process personal data in order to:
- protect our rights and property,
- carry out direct marketing of our Products,
- ensure the technical functionality of our Online Store,
- collect statistics etc. regarding the use of the Online Store.
When a processing of personal data takes place on the basis of a legitimate interest as a legal basis, our assessment is that the processing does not constitute an infringement of your right to privacy. We have come to this conclusion, after having made a balancing between, on the one hand, what the processing in question means for your interests and the right to privacy, and, on the other hand, our legitimate interest in the processing in question. We never process sensitive personal data with legitimate interest as a legal basis.
Storage location and duration
In order to achieve the principle of integrity and confidentiality, we strive to store all personal data that we process within the EU / EEA. In the event that personal data is stored in a country outside the EU / EEA, we shall ensure that such storage site ensures an adequate level of protection in accordance with the provisions of the GDPR (and the SCC if applicable).
We store personal data as long as we have a legal basis to process the data, for example to fulfill the agreement between us or to comply with a legal obligation, such as under the Accounting Act. In accordance with the principle of storage limitation, personal data that are no longer necessary to fulfill the purposes for which they were collected are erased (deleted) from our storage sites or anonymized.
Sharing of personal data
Payment service provider
When completing purchases made through the Online Store, information is shared with our payment service provider (currently Swish). The data stored is: first name, last name, address, e-mail address and telephone number. If you choose to pay by invoice, the buyer's social security number is also processed by the payment service provider. The information is processed in order to complete the purchase and to protect us and the payment service provider against fraud.
More information about Swish terms can be found through the following link:
In order to deliver your order and complete the purchase agreement entered into, we must share specific information with the shipping company. What is shared with the shipping company is the Customer's first name, last name and address information for delivery. The Customer's e-mail address and / or mobile number may also be shared with the shipping company for notification. The shipping companies we work with today are: DHL, UPS and Schenker.
If you have chosen to subscribe to our newsletter, your first and last name and e-mail address will be shared with our newsletter service provider.
Other service providers
We hire various service providers to, among other things, fulfill our contractual and legal obligations, detect and prevent technical, operational or security problems, safeguard our legal interests and to provide, develop and maintain the Online Store.
In some cases, we may need to share personal data for which we are responsible with such service providers. Before we share any personal data, we enter into a data processing agreement in accordance with the provisions of the GDPR (alternatively SCC if the personal data processor is located in a country outside the EU / EEA), to ensure a secure and correct processing of personal data.
If you want to know more about which service providers we have hired, you can contact our contact person for personal data matters to request a current overview.
Technical and organizational security measures
We use industry standards such as SSL / TLS and one-way hash algorithms to store, process and communicate sensitive information such as personal data and passwords in a secure way. We use the Shopify platform in our Online Store.
We follow the seven data protection principles in all processing of personal data. The principles are documented in internal routines, which our employees have access to and which they follow in all processing of personal data which we are responsible for.
We take and implement various technical and organizational security measures with a focus on the integrity of the data subjects. The measures are intended to protect against intrusion, abuse, loss, destruction and other changes that may pose a risk to privacy (according to the principle of privacy and confidentiality).
For example, our databases, internal registers and systems that contain personal data are password protected. Our databases undergo a daily backup that is saved in a cloud storage. We have also designated certain specific individuals with access to passwords, customer registers and other systems that contain personal data, to restrict access.
Your rights under the GDPR
If we process your personal data, you have different rights according to the GDPR regarding the processing of personal data. We hereby inform you that some of the rights only apply in certain situations and only if it is legal and possible for us to implement your request.
According to the GDPR, as a data subject, you have the right to:
- access your personal data that we process (Art. 15). You have the right to receive extracts from all information available about you that we process. Excerpts are delivered electronically in a readable format.
- have incorrect personal data corrected (Art. 16). You have the right to ask us to update incorrect information or supplement information that is incomplete.
- have your personal data that we process erased (Art. 17). You can request that the information concerning you be deleted at any time. There are few exceptions to the right to erasure, such as when it should be retained because we must fulfill a legal obligation (for example, according to the Accounting Act).
- request a restriction on the processing of your personal data (Art. 18).
- transfer your personal data (data portability) (Art. 20).
- receive information about personal data breaches concerning your personal data (Art. 34).
- object to the use of personal data for direct marketing and profiling (Articles 21-22).
If you would like to invoke any of the above rights regarding your personal data that we process, you are welcome to contact us. We will try to fulfill your wishes as far as it is possible and legal for us to do so and respond to your message without undue delay.
Personal Data Breaches
A personal data breach means a security breach that can occur if, for example, we lose control of the personal data that we process. We document all personal data breaches that occur internally in logbooks and carry out follow-up work, to minimize the risks of repeated breaches.
We follow the provisions of the GDPR regarding the handling, reporting and documentation of personal data breaches. We will report personal data breaches to the Swedish Authority for Privacy Protection (IMY) within 72 hours and notify the data subjects affected by the personal data breaches, when it is required by the GDPR.
Questions or complaints
If you have any questions or concerns or if you are dissatisfied with our processing of your personal data, you are always welcome to contact our above-mentioned contact person for personal data matters. We will do our best to answer your questions and assist you in the matter. You also have the right to contact the Swedish supervisory authority to file a complaint.
Contact information for the Swedish Authority for Privacy Protection:
Name: Integritetsskyddsmyndigheten (IMY)
Phone: 08-657 61 00
Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm.