When making everyone Learn More, we emphasise privacy as a fundamental human right. Privacy adherence and GDPR compliance is important to us.
By making privacy adherence an integrated part of our processes and routines, we fulfill our obligations as a controller, while we comply with the requirements in applicable data protection legislation.
Personal Data exists in many forms as well as being stored, transmitted and used in many ways. Included in this paragraph is any information that relates to an identified or identifiable person. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Data privacy is all about preserving confidentiality, integrity and availability of information crucial to data subjects to whom we process or control personal data.
We use risk-based approach to all information handling, including Data Privacy. We identify risks associated to our business, we assess & analyse and plan for necessary counter measures to mitigate the risks to an acceptable level. We read, store, transfer personal information in line with the IST Classification Policy. Situations that could place the organisation in breach of laws and statutory regulations will not be tolerated.
· IST Group AB, reg. no. 556254-0806, Ingelstadsvägen 9, SE-352 34 Växjö, Sweden
· IST Sverige AB, reg. no. 556265-4755, Ingelstadsvägen 9, SE-352 34 Växjö, Sweden
· IST ApS, reg. no. 25545079, Gammel Marbjergvej 9, DK-4000 Roskilde, Denmark
· IST International Software Technology AS, reg. no 970 944 443, Elveveien 81, 1366 Lysaker, Norway
· IST Deutschland GmbH, reg. no. HRB 1408, Bergstraße 23, DE-23843 Neritz, Germany
· IST GmbH, reg. no. HRB 197284, Bergstraße 23, DE-23843 Neritz, Germany
· IST Schmalkalden GmbH, reg. no HRB 300185, An der Asbacher Straße 5, DE-98574 Schmalkalden, German
3.1 We process your personal data for one or more specific purpose and in accordance with the data protection regulations. We process your information is you are a customer with us, if you participate at our courses and seminars or if you sign up for our newsletter, among other things. The information will generally come directly from you, and we will only process your information for as long as it is necessary for the purpose for which it was collected.
In addition to the personal data you provide us, or which we collect when providing our services, we may also collect personal data from third parties. These third parties can differ but include inter alia suppliers of address information from public records in order to ensure we have the correct address information and credit rating agencies (CRA’s) or banks from where we obtain information regarding creditworthiness or information in order to conduct anti-money laundering controls.
Below you can read more about the types of processing we do.
3.1.1 Website Activity
Our website also includes integrated plugins from social media platforms that may also collect data from you if you have given your consent hereto. In this connection, we have a joint data responsibility with every media platform. Read more about their processing of your personal data here: · Facebook and Instagram · LinkedIn · YouTube (Google)
3.1.2 Customer Relationship Management
In connection with the sale and delivery of services, we process personal data about you in order to enter into and fulfil an agreement with you (GDPR Article 6(1)(b)). The personal data includes name, email, telephone number, position, payment information, username and password upon registering, customer reference, photos of you and correspondence with you.
When you act as a representative or contact person for a company, municipality or organisation which is a costumer of IST, we process your personal data regarding name, email, telephone number, position, payment information, username and password upon registering, customer reference, photos of you and correspondence with you. The data is processed either to enter into an agreement with the company, municipality or organisation (GDPR Article 6(1)(b)) or if we as a part of the agreement have a legitimate interest in processing the specific contact person’s data (GDPR Article 6(1)(f)).
We store relevant contact information as part of our customer relationship and collaboration and delete the information on an ongoing basis. Written correspondence is deleted continuously and at latest 5 years after the end of the customer relationship. Information required to comply with the bookkeeping legislation is stored for the current accounting year plus 5 years.
3.1.3 IST Customer Centre
When you sign up at our IST Customer centre, we process personal data about you to enter into and fulfil an agreement with you (GDPR Article 6(1)(b)). This data includes contact information such as name, email, telephone number and information about your municipality, school, and position as well as your username and password for the login.
We delete the information on an ongoing basis however at the latest 5 years after the end of the customer relationship.
3.1.4 Customer Service and Contact
When you contact us via email, telephone, or our contact form on our website, we process information about name, email address, place of work, job title and the information your inquiry also contains. We use the information to answer your inquiry, to provide good customer service and to investigate any complaints.
We process your information based on our legitimate interest in processing the specific information for handling customer service matters in an efficient and customer friendly manner (GDPR Article 6(1)(f)).
We keep your personal data regarding your inquiry for the duration of the customer case. Personal data relating to the case will be deleted automatically 90 days after having concluded your inquiry. Some data may be anonymized to retain statistical data to improve our services.
If you have signed up for our newsletter, we need to process your personal data when we send you newsletters and other marketing initiatives. We only process information about your name, telephone number, email, job title and, if necessary, your place of work.
We process your information based on your consent (GDPR Article 6(1)(a)). You have the right at any time to withdraw your consent by writing to our data protection officer via mail or by unsubscribing via the link that appears in each newsletter.
We keep documentation of your consent for up to 2 years after you have unsubscribed from our newsletter, as any criminal liability expires after this period.
3.1.6 Courses, Workshops, Seminars, and Events
When you sign up for one of our online or physical courses, workshops, seminars, or events, we process personal data about your name, telephone number, email address, billing address, profession, place of work, and payment information. We process your information to fulfil an agreement with you on your participation in the event in question (GDPR art. 6 (1) (b)).
We store the information collected for the purpose of your participation in said event for the current accounting year plus 5 years in order to comply with the bookkeeping legislation.
3.1.7 Publishing of Photos and Customers’ References
When we publish photos of you or references that you have made about us as our customer on our websites, we process your personal data. This can include information regarding name, position, place of work and your photo.
We process your information based on your consent (GDPR Article 6(1)(a)). You have the right at any time to withdraw you consent by writing to our data protection officer via email
We keep documentation of your consent for 2 years after you have withdrawn your consent.
3.1.8 Job Applicants
If you apply for a job at IST, we process your personal data to assess if you are qualified for an existing or future position with us. We process the information that you provide, including name, contact information, birthdate, work related and educational background information and references, and, possibly, personality or proficiency tests.
We process your personal data based on our legitimate interest in finding a suitable candidate for our job positions (GDPR Article 6(1)(f)). We process your data if we assess that our interests in processing your personal data outweigh your interests in them not being processed, e.g. information collected from social media platforms published by you or information acquired from concluding a personality or proficiency test.
We will generally store your application and related personal data for up to 3 years in case we are met with any objections or accusations regarding the requirement process, following applicable legislation. If we wish to store your information beyond the recruitment process for any future job openings, we will collect your consent hereto (GDPR Article 6(1)(a)).
4.1 We use Facebook, LinkedIn, Instagram and YouTube as channels in order to come into contact with our customers and other business partners, as well as to market and inform about our business and services.
In connection with this, IST is joint data controllers with Facebook (Facebook and Instagram), Google (YouTube) and LinkedIn respectively for publications and information on the social media platforms that contain personal data and are provided by you as a user in the form of e.g. comments, photos and video. You can read more about their processing of data under section 3.1.1.
5.1 IST utilises various tool’s in the category of diagnostic and usage analytics for collecting statistical data. The purpose for collecting analytics data is to monitor how the services are performing and learn how users interact with the services in order for IST to be able to meet agreed service level agreements and improve our services.
5.2 The information we collect is anonymised so that an individual person cannot be identified via the data sets. We make sure that it is not possible to reverse the anonymisation. The categories of data we collect is technical data related to the users device (hardware type, OS and browser type), usage of the service (session information and how users interact with the service), and monitoring (page load times, query’s timeouts and bugs).
5.3 Since the information is anonymised, the collected data sets do not involve personal data. As such, we do not process any personal data in relation with these analytic tools.
6.1 We process your personal data with confidentiality and we generally do not disclose your information with third parties. However, we may disclose your personal data if you have given your consent hereto, if we have to fulfil an agreement with you, if we have a legitimate interest in the disclosure or when we are required to do so by law.
6.3 We will disclose your personal data if it is required by law or if we, as a company, reasonably deem it to be necessary in order to protect our company’s rights and/or in order to comply with a court ruling or abide by the verdict of a legal negotiation or legal process. We will, however, do everything we can to ensure that your personal data will remain protected in the future.
6.4 Some of our data processors and the social media platforms that we have a joint data responsibility with may be located outside the EU/EEA in which a transfer to a third country occurs. In this case, we have made sure that a legal transfer basis has been prepared, including by using EU Commission Standard Contractual Clauses (SCC). If you wish to know more about this or get a copy of the legal transfer basis we use, please contact us at .
7.1 When we collect information about you, you have a number of fundamental rights in the personal data regulations that you can use. Your rights include the right to request access to and rectification or erasure of your personal data, restriction and objection to our processing, and the right to receive your data in a structured, commonly used and machine-readable format (data portability).
7.2 If you have consented to our processing of your data, you have the right to revoke this consent at any time.
7.3 Please note that the above-mentioned rights may be associated with conditions and restrictions. Whether you as a data subject can request, for example, getting your personal data deleted will in any case depend on a specific assessment.
7.4 You also have the right to file a complaint with the relevant supervisory authority if you are unsatisfied with our processing of your personal data. Please find the contact information for your relevant supervisory authority below in section 8.2.
8.1 If you are dissatisfied with how your personal data has been processed or believe that your personal data has been processed contrary to the data protection legislation, you are welcome to contact our data protection officer via the contact information at the bottom of the page. You also have the right to contact the supervisory authority in the EU/EEA Member State where you have your place of residence or where a possible data breach has occurred.
8.2 The supervisory authorities where IST is located may be contacted at the following web addresses:
· Sweden: Integritetsskyddsmyndigheten (IMY), www.imy.se
· Norway: Datatilsynet, www.datatilsynet.no
· Denmark: Datatilsynet, www.datatilsynet.dk
· Germany: The German federal states each have a supervisory authority which is responsible for the execution of the data protection legislation and which functions as the competent authority for data controllers established in the federal state in question. You may find your local German supervisory authority via the following link: www.datenschutzkonferenz-online.de.