1. introduction.
Your trust is important to us. We therefore take issues relating to your privacy very seriously. We have drawn up this policy so that you can feel confident that we are processing your personal data. The policy clarifies how we work to ensure your rights and your privacy.
This privacy policy has been prepared for JCDecaux Sverige AB (hereinafter “JCDecaux”, “we” or “our”).
1.1 OUR PRINCIPLES
We process your Personal Data based on the following principles.
– Freedom of choice: The starting point when we process your Personal Data is that it belongs to you. We will, as far as possible, strive to let you decide whether you want to share your Personal Data with us.
– Proportionality: We do not collect more Personal Data than we need to provide you with our services. We do not process more personal data than is necessary for the purpose and always strive to use only the least privacy-sensitive data.
– Transparency and security: We inform you about how your personal data is processed. We have systems and procedures in place to protect your personal data as far as possible against unauthorized access, alteration, destruction or disclosure.
– Compliance with legal requirements: We will ensure that your personal data is processed in accordance with applicable law.
2. the data controller.
JCDecaux is the Data Controller for JCDecaux’s processing of your Personal Data. We are therefore responsible for ensuring that your Personal Data is processed in accordance with applicable law.
3. collection and purpose.
3.1 HOW DO WE COLLECT YOUR PERSONAL DATA?
We collect your Personal Data when you register on our website. The data we process are those you have provided us with.
3.2 WHAT PERSONAL DATA DO WE PROCESS?
We only process Personal Data when we have a legal basis to do so, and we always aim to use the least privacy-sensitive Personal Data. Examples of the Personal Data we process are:
– Contact information
– Date of birth (full social security number may, but is not required)
– Payment card information
– Images of individuals in advertising campaigns or uploaded via DIY on our website
3.3 LEGAL BASIS
We process your Personal Data on a number of different legal bases. We process some of your Personal Data in order to fulfill the contract you have entered into with us and to provide the agreed service. When you enter into a contract with us, you agree that we may process your Personal Data to the extent set out in the contract and in this policy. We also process some of your Personal Data based on your consent. We try as far as possible to obtain your consent before we start processing your Personal Data. You consent to us processing your Personal Data in connection with your acceptance of our general terms and conditions. We never take your consent for granted. You therefore have the right to withdraw your consent at any time. We will then no longer process your personal data or obtain new ones, provided that it is not necessary to fulfill our contractual or legal obligations. Please note that withdrawal of consent may mean that we cannot fulfill our obligations to you.
Where the processing of your Personal Data is necessary to meet a legitimate interest, we may process some of your Personal Data after a balancing of interests. If our interest in using the Personal Data outweighs the need to protect your privacy, we may process this Personal Data without obtaining your explicit consent. If you object to our processing, we will reassess the balance of interests and then decide whether our interest is more important or whether we should cease processing.
3.4 FOR WHAT PURPOSES DO WE PROCESS THE PERSONAL DATA?
We process your Personal Data for various purposes. The main purposes of our processing are:
– In order to provide our contracted services and their administration
– For sending information from JCDecaux regarding the bike-sharing scheme
– For securing payment for bike-sharing subscriptions
3.5 WITH WHOM DO WE SHARE PERSONAL DATA?
We have, together with our group companies, a system for storing Personal Data. It is therefore necessary for us to transfer your Personal Data to our group companies. We may also disclose your Personal Data to third parties when necessary for the performance of contracts or after you have given your explicit consent.
Some of the actors we work with are based outside the EU/EEA. It may therefore be necessary for us to transfer personal data to such countries. In cases where we disclose personal data to a country outside the EU/EEA, we always draw up the necessary agreements and ensure to the greatest extent possible that your personal data is processed in a safe manner.
We never transfer personal data outside the EU/EEA unless it is compatible with the GDPR. This may be the case, for example, if the country to which your personal data is transferred meets the Commission’s adequacy requirements, or if you have given your explicit consent. Such transfers may also be permitted if they are necessary for the performance of our contract with you.
If we transfer your personal data to a country outside the EU/EEA, we take the necessary safeguards. Nevertheless, there is always some risk involved in transfers. We only work with reputable operators outside the EU/EEA, which means that you can feel safe with any transfers.
We may also disclose your Personal Data when we are obliged to do so by applicable law, when required by a public authority, to defend our legal interests or to detect or prevent fraud.
Where we disclose your Personal Data to third parties, we will draw up the necessary agreements and ensure to the greatest extent possible that your Personal Data is processed in a secure manner.
3.6 HOW LONG DO WE KEEP PERSONAL DATA?
We do not keep Personal Data longer than is necessary to fulfill the purposes for which the Personal Data was collected. We will delete your Personal Data at your request, or otherwise after termination of your subscription. The Personal Data we process must be adequate, relevant and not excessive in relation to the purposes for which they are processed.
We do not collect Personal Data for unspecified future needs, nor do we process Personal Data that is so old that it is irrelevant to the original purposes for which it was collected.
4. privacy and security.
We take the protection of your Personal Data seriously. We have developed procedures and working methods that we constantly revise to ensure that your Personal Data is handled in a secure manner. We have taken, and will continue to take, the organizational and technical security measures necessary to maintain a high level of security for your Personal Data.
Only employees and other persons within our organization who need the personal data to perform their duties have access to it.
Our security systems are designed with your privacy in mind and provide a high level of protection against intrusion, destruction and other changes that may put your privacy at risk. We have several IT security policies in place to ensure that your Personal Data is processed securely.
5. your rights.
RIGHT TO RECTIFICATION
We are obliged to ensure, as far as possible, that the Personal Data we process is accurate and up-to-date. You who are registered with us have the right to contact us and have incorrect information corrected. You also have the right to supplement with missing data that is relevant to the content. If data is rectified at the request of the data subject, we must also inform those to whom we have disclosed the data that it has been rectified. However, this does not apply if it would prove impossible or involve disproportionate effort.
RIGHT TO ERASURE
Data subjects have the right to request the erasure of their Personal Data. Sometimes this right is also referred to as the “right to be forgotten”.
We delete the data in the following cases:
– If the data is no longer needed for the purposes for which it was collected
– If the processing is based on the data subject’s consent and the data subject withdraws the consent
– If the processing is for direct marketing purposes and the data subject objects to the processing
– If the data subject objects to the processing based on a balancing of interests and there are no legitimate grounds that override the data subject’s interest
– If the Personal Data has been processed unlawfully
– If erasure is necessary for compliance with a legal obligation
If a data item is deleted at the request of the data subject, those to whom we have disclosed the data will be informed that it has been deleted. However, this does not apply if it would prove impossible or involve excessive effort.
There are exceptions to the right to erasure and the obligation to inform others. If the Personal Data is necessary for the exercise of other important rights such as the right to freedom of expression and information, to comply with a legal obligation or to perform a task carried out in the public interest, we do not need to erase it.
RIGHT TO RESTRICTION OF PROCESSING
In certain cases, data subjects have the right to demand that the processing of personal data be restricted. Restriction means that the data is marked so that it can only be processed for certain limited purposes in the future.
The right to restriction applies, among other things, when the data subject considers the data to be inaccurate and has requested rectification. In such cases, the data subject may also request that the processing of the data be restricted while the accuracy of the data is being investigated.
When the restriction ends, the data subject will be informed of this.
DATA PORTABILITY
If you have Personal Data registered with us, you may in some cases have the right to obtain and use this Personal Data elsewhere. We have an obligation to facilitate such a transfer of Personal Data. A prerequisite is that we process the Personal Data based on the consent of the data subject or to fulfill a contract with the data subject and this only applies to such Personal Data that the data subject has provided.
RIGHT TO OBJECT
Data subjects have the right to object to our processing of their Personal Data in certain cases. The right to object applies when Personal Data is processed to perform a task in the public interest, as part of the exercise of official authority or after a balancing of interests.
If the data subject objects to the processing in such cases, we as the Data Controller may only continue to process the data if it can be shown that there are compelling legitimate reasons for the data to be processed that outweigh the interests, rights and freedoms of the individual or if the processing is for the establishment, exercise or defense of legal claims.
The data subject always has the right to object to the use of his or her Personal Data for direct marketing purposes. Such an objection can be made at any time. If an objection is made to direct marketing, the Personal Data may no longer be processed for such purposes.
REGISTER EXTRACTS
You have the right to access Personal Data that has been collected about you.
In order for us to send you a register extract containing your Personal Data, we need to know who you are. You should therefore prove your identity when you request a register extract. We do this for your own security. Your register extract will be provided to you in electronic form unless you request otherwise.
RIGHT TO COMPLAIN
The data subject has the right to complain about the processing of Personal Data if they consider that it is being processed in breach of the GDPR. If you want to complain, you can do so with the Data Protection Authority.
WITHDRAW CONSENT
You have the right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of the processing based on the consent before it was withdrawn.
6. information for you as a data subject.
Where reasonably practical or where required by applicable law, we will provide you, at the time of collection or recording of your Personal Data, with (i) specific information about the purposes of the processing of your Personal Data, (ii) the identity of the Controller, (iii) the identity of any third party to whom the data may be disclosed, and (iv) any other information that may be necessary to ensure that you are able to exercise your rights.
7. updating the policy.
This policy may be updated from time to time. If we make any significant changes, we will notify you by email or through information the next time you log in to your account. By continuing to use our services after receiving such notice, you agree to the updates to this policy to the extent permitted by law. If you do not agree to the changes, you have the right to terminate the agreement.
We encourage you to periodically review this Policy for the latest information on our privacy practices.
8. contact.
If you have any questions about this policy, the processing of your Personal Data, or wish to exercise any of your rights such as requesting an extract from the register, please contact us.
JCDecaux Sverige AB Box 13138 , 10303 Stockholm
Customer Center: JCDecaux Sverige AB, Customer Service, Box 13138, 10303 Stockholm
Opening hours: 08.00 – 17.00 all weekdays except public holidays.
Telephone 08-474 83 00
Website: www.jcdecaux.se
E-mail address: [email protected]