Last updated 17 December 2018
The controller responible for your personal data in accordance with applicable data protection legislation is Orio AB (hereinafter ”Orio”, ”we”, ”us” or ”our”). Orio is responsible for ensuring that your personal data is processed in accordance with this Policy and applicable data protection legislation.
Contact details for the controller:
Corp. reg. no.: 556602-9277
Address: Flättnaleden 1, 611 45 Nyköping, Sweden
Telephone no.: +46155244000
If you would like to contact us, you are welcome to e-mail or post a letter. Mark letters and e-mails with “GDPR”.
2. COLLECTION OF PERSONAL DATA
As a main rule, we process the personal data that you have provided us when you became a customer of ours or a member, or when you have otherwise contacted us (for example using the form on our website or via customer service). We can also collect personal data from external sources, for example information about your car at The Swedish Transport Agency. The personal data that we collect include e.g. the following categories of information:
- Names, e-mail addresses and telephone numbers. From corporate customers we can also collect relevant information concerning your position and contact details within the company you represent.
- Information within the framework of the customer relationship, such as customer contact, customer communication, payment and invoice information. Information concerning your car that can indirectly be connected to you is also saved, such as the registration number.
3. PURPOSE AND LEGAL GROUND FOR PROCESSING OF PERSONAL DATA
We process personal data for the following purposes:
3.1 Provision of services and handling of your customer relationship
The primary purpose for collecting your personal data is to provide you with our services and to handle the customer relationship between us and you or the company that you represent. Processing is necessary for fulfilment of the agreement between us pursuant to 6(1) b GDPR.
We process personal data in order to administer the sending of e-mail notifications and text messages to you regarding news about our services, request your feedback or provide you with other relevant information about our services. In this respect, our processing of your personal data is based upon our legitimate interest in providing you with relevant information about Orio and to promote our services pursuant to 6(1) f GDPR. You may at any time choose not to receive such marketing notifications by clicking here.
If you are not a customer of ours but you choose to sign up to our newsletter via any of our platforms, we will obtain consent to such processing pursuant to 6(1) a GDPR.
3.3 Development of technology and services, and information security
We will also process personal data in order to improve the quality of our services and to develop new ones. In these cases, our processing of personal data is based upon our legitimate interest, pursuant to 6(1) f GDPR, in ensuring that we have sufficient and relevant information to develop our services.
3.4 Invoice-related information
We will also process personal data in order to fulfil our legal obligations pursuant to applicable accounting and tax legislation. In these cases, our processing of personal data is based upon our obligation to fulfil mandatory provisions in law, pursuant to 6(1) c GDPR, that require us to store certain information for the purposes of accounting.
4. TRANSFER AND SHARING OF PERSONAL DATA
We may also share personal data with third parties:
- Within the Orio group, in order to carry out our daily business and to the extent required to fulfil our obligations to you.
- When we are required to do so by law, e.g. to meet the demands of an authorised body or in conjunction with legal proceedings.
- When our trusted service-suppliers provide us with service on our behalf and in accordance with the instructions we have given them. We will always control and be responsible for the use of your personal data.
- If we are subject to a merger, an acquisition or a disposal of all or part of our assets.
- When we believe, in good faith, that it is necessary to share personal data to protect our rights, protect your security or the security of others, investigate fraud or respond to an enquiry from the state.
5. TRANSFER OF PERSONAL DATA OUTSIDE EU/EES
The information we collect from you is primarily stored within the EU/EES but may also be transferred and processed in a country outside the EU/EES. In the event of a transfer to a third-party country, we warrant that we take sufficient security measures in accordance with the GDPR. For example, we use a service supplier that stores data in the USA. This company is connected to Privacy Shield, which ensures that a company maintains an adequate level of protection for personal data. You are welcome to contact is if you would like more information.
7. STORAGE OF PERSONAL DATA
Your personal data will only be stored as long as it is necessary to fulfil the purposes defined in the Policy. You will find more detailed information about how long we store your data for each service at the end of this document.
8. YOUR RIGHTS
You have the right to access the personal data that we process regarding you. You have the right at any time to change, update and remove your personal data. Please note, however, that certain information is necessary to be able to fulfil the purposes defined in this Policy and that may additionally be required under law. As a result of this, you cannot remove such personal data.
You have the right to object to certain processing, such as direct marketing and profiling. To the extent required under applicable data privacy legislation, you are entitled to restrict processing of personal data.
In certain cases, you have the right to have the processing of your personal data restricted. If you have the right to have the processing restricted, we may then only – with the exception for storage – continue to process your personal data with your consent or to determine, assert or defend a legal claim, or to protect another natural or legal person, or for reasons concerning important public interest.
You have the right to data portability, i.e. the right to receive your personal data in a structured, commonly-used and machine-readable format and to have these transferred to another data controller, to the extent required under applicable law.
Please send aforementioned request to use via the contact details in section 1 at the top of the Policy.
If you are not satisfied with the way we handle your personal data, you have the right to submit a complaint to a supervisory authority in the EU/EES. In Sweden the Swedish Data Protection Authority is the appropriate supervisory authority. You will find the contact details for the Swedish Data Protection on this link.
We maintain an appropriate level of security (comprising physical, electronic and administrative security) to protect personal data from loss, destruction, abuse and unlawful access or unlawful disclosure. For example, we restrict the personal data to authorised employees or consultants who need to know the information to perform their duties.
10. CHANGES TO THIS POLICY
We reserve the right to change this Policy. If we make any changes to this Policy, we will communicate this via our applications and websites, on which we will also keep the most recent version of this Policy available.
11. CONTACT US
If you have any questions concerning this Policy or the personal data we process regarding you, please contact us using the contact details in section 1 at the top of this Policy.
STORAGE OF PERSONAL DATA APPENDIX
Purpose of processing your personal data
Personal data which is processed
How long the personal data is stored
With whom we share personal data
The purpose of the processing is to enable Orio to fulfil its undertakings in accordance with the purchase agreement.
- Customer number
- Mobile phone number
- Place of residence, country
- Last order you have made and previous orders
Until the purchase has been executed (including delivery and payment) and for a period thereafter for the purpose of enabling Orio to handle complaints and warranty matters, if any.
- Orio AB
- Our trusted service suppliers
Legal grounds: Fulfilment of the purchase agreement. This collection of your personal data is required in order for us to fulfil our undertakings in accordance with the purchase agreement. If the data is not provided, our undertakings cannot be fulfilled and we will be forced to deny you the purchase.
The purpose of the processing is to enable Orio to provide the Newsletter.
The data will be removed when you inform us that you no longer wish to be a customer/member with us.
Legal grounds: Consent. If you agree to receive our newsletter, the processing of personal data which is necessary for administering the send-out, is based on your consent. For more details on how to withdraw your consent, see the Policy.
The purpose of the processing is to enable Orio to provide information, offers and services which can be beneficial to your car ownership.
- Information about your use of the service, information about your Saab, e.g. registration number, car model, mileage, last service etc.
The data will be removed when you inform us that you no longer wish to a customer/member with us.
Legal grounds:Legitimate interest. The processing is necessary in order to satisfy our legitimate interest in evaluating, developing and enhancing our services, products and systems, and our legitimate interest to keep in contact with you within the framework of the customer relationship.