Privacy Policy
1. General and purpose
This privacy policy describes how Pelago Bioscience AB, reg.no 556924-1671 (“Pelago” or “We“) processes Your personal data.
We respect Your integrity and ensure that Your personal data is processed with the confidentiality and respect that is required. Therefore, We have established this policy addressed to You who have a relationship with us by our business, or to You, who represent a company or an organisation (existing, previous or potential customers/partners), has visited our website, or in other ways has been in contact with us, for example if You want to apply for a job at Pelago.
The purpose of this policy is to inform You, in accordance with the EU General Data Protection Regulation (“GDPR”) about how We process Your personal data, what We use it for, who will get access to Your personal data and under what conditions and how You can exercise Your rights.
The person whose personal data is processed is hereinafter referred to as “Data Subject” or “You“.
If You have any questions about how we work with privacy, You can find our contact details at the bottom (section 11) of this Privacy Policy.
2. Background
Pelago processes personal data in several different situations and in different roles. Pelago is sometimes personal data controller and sometimes personal data processor. In exceptional cases Pelago can also process personal data as a joint controller with one or more other personal data controllers.
In most cases Pelago receives personal data from our customers, licensees or partners (below “customers”) which utilize from our services and systems (i.e. companies which purchase and use our services). Those customers are personal data controllers for the personal data (normally contact information to customers’ contact persons, for example employees) that customers transfer to Pelago. The customers are responsible for ensuring that they have the right to transfer personal data to Pelago and that Pelago has the right to process such personal data. Pelago is responsible for processing personal data in accordance with agreements with customers, and in accordance with GDPR.
In some cases, Pelago itself operates as a personal data controller. Pelago act as a personal data controller when We collect and process personal data for our own account, such as in relation to employees or in connection with marketing our services.
We do not process more personal data than is necessary for the purpose, and We always strive to use the least privacy-sensitive information.
The processing of employee’s and former employee’s personal data is specifically regulated in an internal privacy policy.
3 Personal data and processing of personal data
3.1 Basic concepts
Cookies
Two fundamental concepts in the processing of personal data are “personal data” and “processing” and We describe these in more detail below.
Personal data is any information that can be linked to a living person. Each individual piece of information does not have to be personal data in itself; it is sufficient that several pieces of information lead to the identification of a person, in which case each piece of information is also personal data.
Typical examples of personal data are social security number, name, address, telephone number, email address, IP address, individual passwords, voice recording, photographs, location data, biometric information and genetic information.
Processing of personal data is anything that is done with the personal data. Any operation performed on personal data constitutes processing, whether or not by automated means and whether or not by digital means.
Examples of typical personal data processing are collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, transfer and erasure.
3.2 How do We access Your personal data?
Pelago primarily get access to Your personal data from our customers and partners, and otherwise by You providing the personal data to us, through the following ways:
If You visit our website https://www.pelagobio.com, we use cookies, which may contain personal data, to improve our web services. You can read more about how we use cookies in our Cookie Policy at the bottom of this page. .
When You provide us with information directly,
When You register information in connection with visiting our website,
When We receive information from public registers,
When You answer surveys or other polls and investigations initiated by us,
When You sign up for our organised events, presentations, or seminars,
When You sign up for our newsletter and other mailings,
When We receive information from third parties such as conference organisers and other partners,
When You provide us with information in connection with You contacting us, seek employment with us, visit us or in any other way seek contact with us.
3.3 In what ways and for what reasons do We process Your personal data?
In most cases, Pelago processes personal data in accordance with agreement with our customers. Each customer is in such cases a personal data controller and is therefore responsible for determining which legal ground is applicable as well as what personal data to collect, for which purposes and how the personal data are to be processed. Pelago is responsible for processing the personal data in accordance with such agreements and, of course, in accordance with GDPR.
In cases where Pelago itself is the personal data controller, We may collect Your personal data through different sources and for several purposes. Mainly, We collect Your personal data by contacts with You, through our website regarding the services We engage in or when We receive personal data from conference organisers or other third parties and networks that provide relevant personal data to us.
3.4 Why does Pelago process Your personal data and on what legal basis and for how long do we process Your personal data?
Pelago processes Your personal data for several different purposes. These are described in more detail below:
| Purpose | Personal data that may be processed | Legal basis for processing | Storage time |
| To perform and deliver our services in accordance with a contract with a customer | Name, Address,telephone number email address | Legitimate interest Pelago’s processing of personal data in connection with performance of our services is based on legitimate interest/balancing of interests as the legal basis for processing, as We assess that our interest to process personal data in order to be able to fulfil and deliver on our contractual obligations in relation to our customers outweighs the interests or fundamental rights and freedoms of the data subject which require protection of personal data Performance of a contract to which the Data Subject is party If our customer is a sole trader and thus not a legal entity, We process the customer’s (i.e. the Data subject’s) personal data based on the legal basis performance of a contract. | The data will be processed for this purpose as long as We have an agreement with our customer and for a maximum of one year after the expiration of the agreement. |
| To comply with a contractual obligation with a supplier or other business partners | Name, Address,telephone number email address | Legitimate interests Pelago’s processing of personal data in connection with performance of a contractual obligation with a supplier or other business partners is based on legitimate interest/balancing of interests as the legal basis for processing, as We assess that our interest to process personal data in order to be able to fulfil and deliver on our contractual obligations in relation to our suppliers and/or business partners outweighs the interests or fundamental rights and freedoms of the data subject which require protection of personal data. | The data will be processed for this purpose as long as We have an agreement with our customer and for a maximum of one year after the expiration of the agreement. |
| To manage our payments to our suppliers and other parties with whom we have contracts or to receive payments from customers | Name, Address,telephone number email addresspayment history account information | Legitimate interests Pelago’s processing of personal data in connection with performance of a contractual obligation such as payments to a supplier or other business partners is based on legitimate interest/balancing of interests as the legal basis for processing, as We assess that our interest to process personal data in order to be able to fulfil our payments outweighs the interests or fundamental rights and freedoms of the data subject which require protection of personal data | The data will be processed for this purpose for a maximum of eight years in order to fulfil our legal obligations regarding accounting and tax registration |
| To be able to contact You when You have entered Your information at our website (in an online form (“Request quote”) or provided us with such information at an event, congress, seminar or the likewise | Name, email addressthe company or organisation that You represent | Legitimate interests Pelago’s processing of personal data in connection with contacting You is based on legitimate interest/balancing of interests as the legal basis for processing, as We assess that our interest to process personal data in order to be able to contact you outweighs the interests or fundamental rights and freedoms of the data subject which require protection of personal data, because We believe that You are interested due to the fact that You have provided us with Your contact information. | The data will be processed for this purpose for as long as we consider that we have a legitimate interest in contacting You. If You contact us and indicate that You do not want Your personal data to be processed for this purpose – we will stop marketing and informing You and delete the personal data we have processed for this purpose. Thinning/deletion takes place annually |
| To market and inform about our services, for example by newsletters, in social media, emails, publications, and at events | Name, telephone number email addressvisit history in the form of what You visited on our website and how long the visit lasted | Legitimate interests Pelago’s processing of personal data in connection with marketing and information about our services is based on legitimate interest/balancing of interests as the legal basis for processing, as We assess that our interest to process personal data in order to be able to market and inform about our services outweighs the interests or fundamental rights and freedoms of the data subject which require protection of personal data, because We believe that You can benefit from our marketing and information. | The data will be processed for this purpose for as long as we consider that we have a legitimate interest in sending You such marketing. If You contact us and indicate that You do not want Your personal data to be processed for this purpose – we will stop marketing and informing You and delete the personal data we have processed for this purpose. Thinning/deletion takes place annually. |
| To establish, defend and enforce our legal claims | Name, addresstelephone number email addresspayment historyaccount informationinformation that You have provided to us | Legitimate interests We consider that our interest in establishing, defending or enforcing a legal claim outweighs Your interest in protecting Your rights and freedoms, including Your privacy | The data will be processed for this purpose for as long as We see that We may need it to fulfil the stated purposes, however, a maximum of 10 years (based on the time limits in the Limitation Act). Thinning/deletion takes place annually. |
| In order to analyse Your behaviour on our website and Your reaction to our information or marketing. | Name, email address.IP addressBrowsing habits and visit history in the form of the pages You visited on our website and the duration of the visit | Legitimate interests Pelago’s processing of personal data in connection with analysing Your behaviour and reactions is based on legitimate interest/balancing of interests as the legal basis for processing, as We assess that our interest to process personal data in order to be able to analyse and to target offers outweighs the interests or fundamental rights and freedoms of the data subject which require protection of personal data, because We believe that You are or will be interested in our services. | The data will be processed for this purpose for as long as we consider that we have a legitimate interest in analysing Your behaviour and reaction. If You contact us and indicate that You do not want Your personal data to be processed for this purpose – We will cease our analysis and targeted offers to You and delete the personal data that We processed for this purpose. Thinning/deletion takes place annually |
| If You apply for a position at Pelago | Name, Address, E-mail address, Phone number, Age, Personal identity number, Photos/pictures, Education participation, CV, References Information that you publish yourself or otherwise provide to us voluntarily. | Performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract; | The data will be processed for this purpose at a maximum of 12 months from the end of the recruitment process |
4. Is Your personal data processed in a safe way?
We have routines and procedures for managing Your personal data in a safe way. Only persons who need specific personal data to perform their duties and Pelago’s commitments shall have access to such personal data.
Pelago’s security systems are developed with Your integrity in focus and to protect, to a great extent, against intrusion, destruction and other incidents that could endanger Your privacy. We have agreements with our IT providers regarding IT security to ensure that Your personal data is processed safely.
5. Who may We share Your personal data with?
We do not disclose Your personal data to anyone other than the customer who is the personal data controller for Your personal data unless You have given Your consent, or where it is necessary to comply with our statutory obligations or is governed by our agreement with the personal data controller.
In some cases where necessary, personal data may be transferred to legal entities which act as sub-contractors for Pelago, i.e., a personal data processor. Pelago is ultimately responsible for how Your personal data is processed and that Your rights are protected, and the sub-contractors shall only process personal data in accordance with relevant data protections laws and agreements with us. Our sub-contractors are engaged for the following services:
• IT service providers
• Supplier for the management of internal purchases
When Your personal data are transferred to a personal data processer, such transfer will always be in line with the purposes for which Pelago has set out in this policy. Pelago verifies all personal data processors to ensure that they can provide adequate guarantees of security and confidentiality of Your personal data. We have written agreements with our personal data processors in which our personal data processors guarantee the security of the personal data processed and undertake to comply with Pelago’s security requirements, as well as restrictions and requirements relating to the transfer of personal data outside the EU and EEA.
Where We use software services, e.g., for email management, from leading global providers, We have ensured that their commitments comply with GDPR requirements, and We ensure that the highest level of security is required, and that personal data is not stored outside the EU/EEA.
Pelago also uses digital tools to analyse how visitors use the Pelago website. Such digital tools are provided by third party providers who may also receive and process personal data for a very limited period of time. The providers of such services are personal data processors for Pelago and may only process personal data on behalf of Pelago.
Please contact us as described below in section 11 if You want to know exactly which personal data processors process Your personal data.
6. Transfer of personal data outside the EU/EEA
As a general rule of thumb, We never transfer personal data to any recipient outside the EU/EEA. In exceptional cases, We may transfer personal data to a recipient located in a third country (i.e. a country outside the EU/EEA), in which case We will check whether the country has an adequate level of protection (such as the USA, UK, Japan and Switzerland), or whether any of the transfer mechanisms specified by the GDPR are reliable.
7. Retaining and deleting personal data
Where Pelago is the personal data controller, Your personal data will not be retained for longer than what is necessary to fulfil the purpose of the processing. We will delete personal data in accordance with applicable law. We also follow our retention routine and thin or delete personal data at least once (1) a year to ensure that only current and relevant personal data is processed.
In accordance with applicable law, Pelago must keep accounting records (which may contain personal data) for seven (7) years counted from the current calendar year.
Where Pelago is the personal data processer, We retain Your personal data according to the instructions We receive from the personal data controller.
8. Your rights
8.1 Your rights as a Data Subject
The rights listed below apply in relation to You as the Data Subject (i.e. individuals).
In cases where We process personal data on behalf of our customers or others and thus act as personal data processors, You are referred to the respective customer for the exercise of the listed rights. We do not have the right to take any action without the mandate of a data controller. If You have any questions regarding this, You can contact us via the contact details in section 11 below.
When We, as a personal data controller, process personal data related to You as a Data Subject, You have several rights. If You wish to exercise any of those rights, the easiest way to reach us is via the contact details provided in section 11.
Pelago reserves the right to take steps to ensure that the identity of the person requesting the extract or any other right to which You are entitled as a Data Subject.
All information about Your rights can be found on the website of the Swedish Authority for Privacy Protection www.imy.se.
8.2 Right to be informed
You have the right to be informed about how Pelago process Your personal data. We do this through this policy about processing of personal data and by answering questions from You.
8.3 Request for a registry extract
You have the right to request extracts from Pelago and our registers/systems where personal data about You are processed and to obtain information in such extracts about what personal data about You We process and how We process this data. We are obliged to send You a register extract within one month, or in exceptional cases within two months, of Your request.
8.4 The right to object to our processing of personal data
You have the right not to be subject to automated decision-making, including profiling, where the decision could produce a legal effect on You or produce a similar effect on You.
You always have the right to object to processing on grounds relating to Your particular situation, including profiling based on a balance of interests. You also have the right to object to the processing of Your personal data for direct marketing purposes. If You object to the processing, we will cease processing for this purpose.
8.5 Request for rectification or erasure of personal data (right to be forgotten)
You have the right to request that personal data about You be corrected or deleted in accordance with the GDPR). Following such a request, we will investigate whether there are grounds to implement the requested change. Please note that certain information is necessary to fulfil the purposes defined in this Policy and may be further required by law. As a result, You cannot have such personal data deleted.
8.6 Request for restriction of our processing of personal data
You also have the right to restrict the processing of Your personal data in accordance with the GDPR. Following such a request, Pelago will investigate whether there are grounds to implement the requested change and notify You of the outcome of the investigation. If Pelago concludes that We may and can restrict our processing in accordance with Your request, we will immediately implement such restriction.
8.7 Right to data portability
The right to transfer information (data portability) means that You can request Your personal data to be transferred to someone else. However, this right only applies in cases where We have processed Your personal data on the legal basis of consent or where You have personally entered into a contract with Pelago, and You Yourself have provided us with the personal data You wish to move.
8.8 Withdrawal of consent
To the extent that the legal basis for our processing of Your personal data is consent, You have the right to withdraw that consent at any time by contacting us using the contact details set out below. We will then no longer process such personal data or obtain any new ones and any personal data that we have processed with Your consent will be deleted. The withdrawal does not affect the lawfulness of the processing prior to the withdrawal.
8.9 The Swedish Authority for Privacy Protection (IMY)
If You are dissatisfied with the way we handle Your personal data, You have the right to lodge a complaint with the competent supervisory authority. In Sweden, the competent supervisory authority is the Swedish Authority for Privacy Protection (IMY).
Contact details of IMY:
Swedish Authority for Privacy Protection
Box 8114
104 20 Stockholm
E-mail: imy@imy.se
Phone number: 08-657 61 00
Or at www.imy.se/en.
9. Cookies
A cookie is a passive text file that is stored by the browser on the User’s computer or other device when using the Service or visiting our website.
Pelago uses cookies and other technologies to function properly. See our cookie policy at the bottom of this page.
10. Amendment of the policy
If We modify our processing of personal data, We will inform You as prominently as possible, by updating this Privacy Policy and by providing specific information on our website.
10.1 Version management
The policy was last updated on 2024-09-26
11. Contact details
Please do not hesitate to contact Pelago or if You have any questions about the processing of Your personal data or wish to exercise any of Your rights, as set out in section 8 above.
Pelago Bioscience AB, corp. id. 556924-1671
Address: Scheeles väg 1, 171 65 Solna, Sweden
E-mail: dataprotection@pelagobio.com