We are regarded as the personal data controller regarding all processing of personal data that is performed by us or on our behalf, insofar as we determine the means and purpose of the processing according to the principle of accountability, and the definition set out in the General Data Protection Regulation (“GDPR”) of the European Union.
- Website: refers to swedishforprofessionals.com.
- Course participant: refers to individuals that participate in the courses that we provide.
- Customer: refers to the individual or entity that has entered into an agreement with us regarding the services that we provide, such as courses, workshops, or other education.
- Personal data: refers to all data that, directly or indirectly, alone or together with other data, can be linked to an identified or identifiable physical living person, is personal data according to GDPR. Common examples of personal data are name, telephone number, address, email address, user ID, credit card number, etc.
- Data subject: refers to the natural person who can be identified through personal data.
- Processing: refers to everything that is made with personal data, automated or otherwise. Processing can take place through an individual measure or through a combination of different measures. Examples of common processes of personal data are storage, erasure, sharing, usage, registration, copying, collection, organization, use, adjustment, destruction, etc.
- Controller: refers to the person/entity who determines the purpose of particular processing of personal data and how the processing is to be carried out. Natural persons, legal persons, authorities, institutions, or other bodies may be personal data controllers.
- Processor: refers to the one who processes personal data on behalf of a personal data controller, according to the controller’s instructions.
- Third-party: refers to someone other than the personal data controller (and the persons who are authorized to process the personal data), the data subject, or the personal data processor (and the persons who are authorized to process the personal data). A third party may be a legal person or a natural person, institution, authority, or other body.
- GDPR: refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- SCC: refers to the Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or a later updated version.
Categories of personal data
In accordance with the principle of data minimization, we only process personal data that is relevant, necessary, and adequate to fulfill the purpose for which it was collected.
We mainly process the following categories of personal data that we get access from you when you contact us or enter into an agreement with us:
· Identification information: name, social security number, User-ID, employer.
· Contact information: postal address, e-mail address, telephone number.
· Other Personal data: any other Personal data that is provided to us, such as those that are included in a message sent to us or registered in connection with the performance of our courses. For example language skills, profession, city, etc.
The purpose and legal basis of the processing of personal data
All our processing of personal data is made carefully, and we do not share the data with unauthorized persons. Each processing is based on a legal basis in accordance with the provisions of the GDPR. Furthermore, we only process personal data for specific, explicitly stated, and legitimate purposes (in accordance with the principle of purpose limitation).
We may process your personal data on the following legal basis:
- Consent: you have given your consent to processing your personal data for one or more specific purposes;
- Contract: the processing is necessary to fulfill an agreement between you and us or to take action at your request prior to the conclusion of an agreement;
- Legal obligation: the processing is necessary in order to fulfill a legal obligation that owes us;
- Legitimate interests: the processing is necessary to protect interests that are of fundamental importance to us, you, or to any other physical person, or the processing is necessary for purposes of our or third party’s legitimate interests unless your interests or fundamental rights and freedoms weigh heavier and require the protection of personal data, especially if you are a child;
- other legal grounds for processing personal data in accordance with national law.
Provision of your personal data may be necessary due to statutory or contractual requirements, to enter into an agreement with us or to receive such products and services as you have ordered. You can also provide your personal data voluntarily.
If you do not provide your personal data, it may be a disadvantage to you, for example, because you cannot access certain products or services. Unless otherwise stated, however, there will be no legal consequences for you if you do not provide your personal data.
When data processing is based on your consent, you have the right to withdraw the consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
When processing of personal data takes place on the basis of Legitimate Interest, our assessment is that the processing does not constitute an infringement of your right to privacy and integrity. We have come to this conclusion, after making a balance between, on the one hand, what the processing in question means for your interests and the right to privacy, and, on the other hand, our legitimate interest in the processing in question.
Below you can read more about the legal basis and purpose of the processing of personal data.
When you visit our website/services
When you contact us
We can contact you, and you can contact us, through email, telephone, or social media, and in such case, we will get access to your personal data that appear in connection with such contact. For example, we may have access to the following personal data belonging to you: name, telephone number, e-mail address, user ID from social media (if applicable), and other information that you provide to us. The purpose of the processing is to enable us to know who we are talking to and to keep in touch in the matter. We have concluded that both we and you have a legitimate interest in the personal data being processed for the purpose stated above. Legal basis for the processing of personal data: Legitimate interest.
The provision of personal data for the purposes stated above is not a statutory or contractual requirement, and you are not obliged to provide the personal data, but the possible consequences of failure to provide your personal data that we request and/or need in order to respond to you, is that we may not be able to provide you with the support that you request.
In order for us to be able to handle matters relating to for example a purchase agreement or the purchased service, we may contact you and process the following information belonging to you: name, telephone number, e-mail address, employer, and order history. We will get access to any personal data that appear in connection with such contact between us. The information is necessary for us to process, in order to fulfill our contractual obligations and provide support in the matter in order to try to remedy any issues. Legal basis for the processing of personal data: Contract.
We use a recruitment platform that individuals can use to apply for jobs with us, and the link to the application form is published on our website. In connection with the application, the job seeker approves the recruitment platform’s terms and conditions, and also that we may store the applicant’s personal data provided in the application in order to process the application. Legal basis for the processing of personal data: Consent.
Direct marketing purposes
In order to conduct our outreach to acquire new customers, we source and process the personal data of company representatives with a similar profile to previous clients. The personal data we source is the name of the company representative, the company email address, and role in the company, and the information is collected either from LinkedIn or from the company web page. This is grounded in the lawful basis of the legitimate interest of marketing of our courses and programs to the candidates and customers.
In our CRM system, we handle our existing customers’ data in order to perform the services they have ordered, including follow-ups on these services. We also register customer-related data in our CRM system to: identify a potential customer and initiate contact, record completed meetings/conversations, and to administer our business relationships. Personal data that we can process for these purposes are the following: name and email of the customer’s contact person, CEO, other employees, and/or signatory. We have concluded that we have a legitimate interest in the personal data being processed for the purpose stated above and that our legitimate interest does not constitute an infringement of your right to privacy and integrity. Legal basis for the processing of personal data: Legitimate interest.
You can choose to receive newsletters from us, by giving your voluntary and active consent for us to process your email address for that purpose, by signing up to our newsletters through our website or our app EnOrEtt. If you sign up for our newsletter, you will receive an email in which you must confirm the registration (by clicking on a link). This means that the engaged service provider in question gets access to your email address, in order to be able to send out the email with the link for the confirmation of the subscription to the newsletters. They have access to this personal data for 60 days before the link becomes out of date and the personal data is deleted (provided that you have not confirmed the registration for the newsletters). You can cancel your subscription at any time by clicking on the link in the newsletter to unsubscribe from the newsletters or email us. Legal basis for the processing of personal data: Consent.
If you revoke your consent regarding our newsletters, you will be removed from the email list for recipients of the newsletters, but your email address will remain in the database with a block for receiving newsletters. The purpose of this is to ensure that you do not receive any newsletters from us. If you want your email address to be deleted from the list of blocked email addresses, you can contact us by e-mail and request this. We have concluded that both we and you have a legitimate interest in the personal data being processed for the purpose stated above and that our legitimate interest does not constitute an infringement of your right to privacy and integrity. Legal basis for the processing of personal data: Legitimate interest.
However, we hereby inform you that if you request that we remove your email address from the list of blocked email addresses, you will be able to receive newsletters from us if you or someone else registers your email address to receive newsletters from us again.
When we enter into an agreement
We process personal data belonging to our customers and the course participants in order to fulfill the agreement regarding our services. The personal data that we process may refer to, among other things but not exclusively: name, email, or address. The provision of personal data for the purposes stated above is a contractual requirement, and the possible consequences of failure to provide the personal data is that we can not enter into the service agreement or provide our services to the customer.
Legal basis for the processing of personal data: Contract.
We register personal data in our financial system in order to be able to invoice for services rendered. Personal data that we can process for this purpose are the following: name and email belonging to the customer and the customer’s reference person, contact person, and/or signatory. If the customer runs a sole proprietorship, we also process the company owner’s social security number. If we invoice a consumer, we process the consumer’s name, social security number, e-mail, address, and telephone number. The above-mentioned categories of personal data are necessary for us to process in order to invoice for our services. Legal basis for the processing of personal data: Contract.
We also process the information stated above that is registered in our financial system and that appears on invoices that we issue and/or receive, as part of our administrative work regarding bookkeeping. The processing is necessary for us to fulfill our legal obligations according to applicable legislation, such as for example the Swedish Accounting Act (1990:1078), as well as to fulfill the requirements of the Swedish Tax Agency. Legal basis for the processing of personal data: Legal obligation.
Execution of our services
We provide course material primarily through the following course platforms: Monday.com and Knowly.com. In individual cases, we may send course material via email, and in such cases, we process the e-mail address of the course participant. The processing is necessary in order for us to provide the course materials and to fulfill our contractual obligations stated in the service agreement regarding the provision of the service. Legal basis for the processing of personal data: Contract.
We also process course participants’ e-mail addresses to send out information about the courses, welcome letters, and similar messages. The processing is necessary in order for us to provide information about the service and important notifications, as part of the service. Legal basis for the processing of personal data: Contract.
We process the email address belonging to the customer’s contact person, in order to share a link to a diagnostic test, which the contact person in question is responsible for forwarding to the participants chosen by the customer. We have concluded that both we and the customer have a legitimate interest in the personal data being processed for the purpose stated above and that our legitimate interest does not constitute an infringement of your right to privacy and integrity. Legal basis for the processing of personal data: Legitimate interest.
We mainly work with the following digital tools in connection with the execution of our services:
We use Google Workspace for diagnostic testing (Google Forms), course coordination (Google Sheets), and participant contact (Gmail). We process the course participants’ names and email addresses in Google Workspace, in order to enable us to fulfill our contractual obligations and provide the services in accordance with the service agreement. Legal basis for the processing of the personal data: Contract.
We register course participants’ email addresses in the course portal “Monday.com”, so that the course participants will receive an invitation to register their own user accounts on this platform. In this course portal, course participants get access to relevant course material. NOTE: Course participants who are registered in the same group, as well as the group’s language coach, can see the email addresses belonging to the group’s course participants within this digital platform. Legal basis for the processing of the personal data: Contract.
We also register course participants’ emails in the course portal Knowly.com, so that the course participants will receive an invitation to register their own user accounts on this platform. This is a learning tool where the course participants can watch grammar videos, do interactive exercises, etc In this platform, course participants can see their own profile and their registered personal data. However, we can see all registered course participants including the personal data that each course participant has registered in their user account belonging to this platform. Legal basis for the processing of personal data: Contract.
The provision of personal data for the purposes stated above under this section is a contractual requirement, and the possible consequences of failure to provide the personal data that we request and/or need for the purposes stated above is that we may not be able to provide the customer and/or course participant with the educational materials or fulfill the services and our contractual obligations in accordance with the service agreement.
If the course participant wishes, the course participant may also choose to register a user account with the platform “Memrise.com” (this is optional). The link for registration with Memrise is available to course participants through the course portal Monday.com.
Course participants may also choose to create a user account in the application “EnOrEtt” (this is optional).
NOTE: The course participant is hereby informed that the course participant accepts the above-mentioned platform’s own conditions and personal data policy in connection with registering their user account on the respective platforms. Course participants who have registered a user account on the platforms can choose to delete their user account at any time.
When we have a legal obligation to process personal data
If we are obliged by law, court, or authority-decision to process certain personal data, the processing takes place on the basis of a “Legal obligation” as a legal basis. In such cases, the processing takes place only to the extent necessary for us to fulfill our legal obligations and in such cases, we process only necessary personal data for as long as the law requires it (in accordance with the principle of storage limitation).
For how long do we store your personal information?
We store personal data as long as we have a legal basis to process the data. Personal data that are no longer necessary to fulfill the purposes for which they were collected are erased (deleted) from our storage locations or anonymized (in accordance with the principle of storage limitation). We may store the data for a longer period of time if required by law or to safeguard our legal interests, for example, whether a legal process is in progress.
We store job application documents for 2 years after the decision on the appointed position. Job applications including registered data in the application are automatically deleted from the recruitment platform after 2 years. The purpose of our processing and the above-mentioned storage duration is that recruitment is covered by the Swedish Discrimination Act (2008:567) and that a lawsuit against us may be made within 2 years according to this law. In order for us to be able to defend any claims that arise in connection with a recruitment process, we store the personal data that may be needed to justify that discrimination did not occur when filling the position.
We may be required by law to store certain personal data for up to 7 years after the relevant tax year. Personal data can for example be included in receipts and other accounting documents that we are obliged to process in accordance with, among other things, the Swedish Tax Agency’s requirements and the Swedish Accounting Act (1999:1078). Legal basis for the processing of personal data: Legal obligation.
The course participants’ names, email addresses, and information about course levels will be stored as long as it is necessary to provide the services and products that have been ordered, and for up to 3 years thereafter, so that we can fulfill our obligations according to, among other things, consumer protection legislation. Legal basis for the processing of personal data: Legal obligation. We also consider that the above-mentioned storage duration is necessary for the event that a customer and/or course participant wants to pause their education or return in the future for further education and continue from the most recently completed course level, or similar. We have concluded that both we and the course participants have a legitimate interest in the personal data being processed for the purpose stated above and that our legitimate interest does not constitute an infringement of the course participants’ right to privacy and integrity. Legal basis for the processing of personal data: Legitimate interest.
After the above-mentioned retention period has ended, we will either delete the personal data or anonymize them, unless otherwise stated by law e.g. for tax purposes.
We may store personal data after our contractual relationship with the customer has ended for a longer period than the retention periods stated above, if it is required by applicable law or to the extent necessary to determine, enforce or defend legal claims. We will, as far as possible, limit the processing of your personal data after our contractual relationship has ended. We have concluded that we have a legitimate interest in the personal data being processed for the purpose stated above and that our legitimate interest does not constitute an infringement of your right to privacy and integrity. Legal basis for the processing of personal data: Legitimate interest.
We may store your contact details and interests for our products or services for a longer period of time if we have the right to send you marketing content until you object to our processing of your personal data for this purpose. We have concluded that we have a legitimate interest in the personal data being processed for the purpose stated above and that our legitimate interest does not constitute an infringement of your right to privacy and integrity. Legal basis for the processing of personal data: Legitimate interest.
Transfer of personal data
Transfers to service providers
We may hire external service providers who act as personal data processors to our company and provide services related to, for example, our website, marketing or IT support. When providing such services, external service providers may access and/or process your personal data in accordance with our instructions. We have concluded that we have a legitimate interest in the personal data being processed for the purpose stated above and that our legitimate interest does not constitute an infringement of your right to privacy and integrity. Legal basis for the processing of personal data: Legitimate interest.
Before we transfer any personal data to external service providers, we enter into a data processing agreement with them, in accordance with the provisions of the GDPR (alternatively SCC if the processor is located in a country outside the EU / EEA), to ensure secure and correct processing of personal data. We will also require external service providers to take technical and organizational security measures to ensure the protection and security of your personal data.
In accordance with applicable privacy laws, we may transfer personal data to regulatory authorities, other public entities, legal advisors, external consultants, and partners.
Personal data may also be disclosed if it is necessary to (a) comply with applicable law, regulations, legal processes, or requests from executive authority; (b) safeguard the Swedish legal interests of the Professionals, or (c) detect, prevent or otherwise pay attention to fraud, security or technical problems.
In the event of a merger or acquisition of a company, personal data may be transferred to third parties involved in the merger or acquisition. We have concluded that we have a legitimate interest in the personal data being processed for the purpose stated above and that our legitimate interest does not constitute an infringement of your right to privacy and integrity. Legal basis for the processing of personal data: Legitimate interest.
International transfers of personal data
The personal data we collect or receive from you may be transferred to and processed by recipients outside the EU / EEA area (hereinafter “EU”). The recipients may be in the countries listed at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en which ensures an adequate level of protection of personal data from an EU legal data protection perspective.
Other recipients may exist in countries that do not ensure an adequate level of protection of personal data from an EU legal data protection perspective. We will, in accordance with applicable law, take all necessary steps to ensure an adequate level of protection of personal data that is transmitted outside the EU. Such transfers will be based on appropriate safeguards such as the standard contractual clauses of the European Commission (“SCC”) or applicable data protection authorities, approved codes of conduct in conjunction with binding and enforceable commitments by the recipient or certifications in conjunction with binding and enforceable commitments from the recipient. You are entitled to obtain information on such appropriate safeguards by contacting us as specified below in section 10 (Questions or complaints).
What rights do data subjects have?
According to the GDPR, you have the right to:
(1) request access to your personal data: You have the right to information about whether we process your personal data or not, as well as the right to access your personal data that we process and information about how the personal data is used. In the event that we process your personal data, you have the right to receive a copy of the processed personal data in the form of a compilation of the personal data that we process about you. For example, you have the right to get information about which categories of personal data we process, the purpose of the processing, the duration of the processing, how we have collected the personal data, who has received the Personal data, etc. The purpose of the compilation is for you to be able to check the legality and accuracy of the information. However, this does not mean that you have the right to obtain the documents that contain the processed personal data.
- Exemption from the right of access: There may be situations where the disclosure of certain information would entail disadvantages for other persons, that other legislation or other exceptions prevent the disclosure of certain information or extract from the records of processing activities. In such situations, we may not disclose the information in question and there may therefore be personal data and/or other information about you that you do not have the right to access.
(2) request the correction of your personal data: We are responsible for ensuring that personal data that we process is accurate and updated over time. However, personal data may be incorrect or incomplete. If we were to process personal data about you that is incorrect or incomplete, you have the right to contact us to have your personal data corrected. After we have corrected the information, we will notify you of this, provided that it is not proved to be impossible or would involve excessive effort.
(3) request the deletion of your personal data: We will delete your personal data at your request. This is also called the “right to be forgotten”. In addition, there are more occasions when we erase your personal data that we process. For example, a) when they are no longer necessary for the purpose for which they were collected, b) when the legal basis is consent and you revoke the consent, c) in your objection to direct marketing or d) if the Processing is not legal. When we erase your personal data at your request, we will inform you after the deletion has been performed, provided that it is not proved to be impossible or would involve excessive effort.
- Exemption from the right to deletion: We have the right to continue to process your personal data, and thus not delete the personal data despite your request, if the processing is necessary to: a) satisfy the right to freedom of expression and freedom of information, b) to fulfill a legal obligation, c) to perform a task carried out in the public interest or in the exercise of official authority, d) to defend, establish or assert legal claims, e) archiving purposes of public interest or statistical, historical or scientific purposes, or f) for reasons of public interest in the field of public health.
(4) request limitation of the processing of your personal data: In some cases, you have the right to demand that our processing of your personal data shall be limited. This means that personal data may only be processed in the future for certain limited purposes. An example of when this right is applicable to you is if your personal data that we process is incorrect and you ask us to correct it, you may request that our processing of the personal data in question shall be limited until the accuracy of the data has been investigated. In addition, we will inform you when the limitation has ceased to apply.
(5) request data portability: You have the right to request that we transfer your personal data that we process to you or any other third party. You are hereby informed that this right only applies if the processing of personal data is performed automatically, and only if our processing takes place to implement an agreement in which you are a party to a contract or based on your consent. Also, the transfer of personal data to another company only takes place if it is technically possible. If this right applies, we will at your request move your personal data, and provide your personal data in a structured, commonly used, machine-readable format.
(6) object to the processing of your personal data (including the right to object to profiling): You have the right to object when your personal data is processed a) to perform a task of public interest, b) as part of the exercise of authority or c) when it is processed after a weighing of interest has been made. If you object to this right, we will cease the processing, unless our interest outweighs your interests, rights, and freedoms. If this is the case, we will inform you about the balance of interests we have made and our interests. However, if we process your personal data for the purpose of performing direct marketing, you have an absolute right to oppose the processing of your personal data for marketing purposes without any costs in addition to normal transmission costs/traffic costs. In such cases, we will also inform you when we have deleted the personal data used for direct marketing purposes if you request it.
(7) object to automated decision making (including profiling): In short, automated decisions are about processing that is automatic, for example through algorithms, where personal data is processed to assess and analyze a person’s personal characteristics. Automated decisions can have legal consequences for the data subject or affect the data subject in other significant ways, and if this happens, the data subject has the right not to be the subject of the automated decision. If an automated decision has been made, with or without profiling, you have the right to have the automated decision reviewed or to challenge it.
How to exercise the rights
In order to exercise your rights, please contact us through the information specified in section 10 (Questions or complaints) below. Exercising the rights is free of charge, provided that your requests are not exaggerated or repeated. In such cases, we have the right to charge a reasonable fee to process your request or refuse the execution of your request.
Before we process or respond to your request, we may request additional information from you if it is necessary to enable us to verify your identity.
We will inform you of our processing of your request without delay, and no later than within one (1) month after we receive the request. If the request is complex or if, for example, we have received a large number of requests, this time period can be extended by another two (2) months. In such cases, we will notify you of the extension within the first month after we receive your request.
If we are unable to comply with your request due to applicable law or other exceptions, we will notify you and inform you of the reasons why we are unable to comply with your request (with the limitations imposed by applicable law).
Personal data breaches
We follow the provisions of the GDPR regarding the handling, reporting and documentation of personal data breaches.
When it is required by the GDPR, we will report personal data breaches to the Swedish Authority for Privacy Protection (IMY) within 72 hours and notify the data subjects affected by the personal data breaches.
A personal data breach means a security breach that occurs if we lose control of the personal data that we process. We document all personal data breaches that occur internally in logbooks and carry out follow-up work, to minimize the risks of repeated breaches.
Questions or complaints
Swedish for Professionals
116 32 Stockholm
You also have the right to contact the Swedish supervisory authority to file a complaint regarding our processing of your personal data.
Name: Integritetsskyddsmyndigheten (IMY).
Phone: 08-657 61 00.
Postal address: Integritetskyddsmyndigheten, Box 8114, 104 20 Stockholm.
Links to other websites