PRIVACY NOTICE
-
1. INTRODUCTION
Here you can read about how G. Larsson Starch Technology AB (company registration no. 556117–0050) (“we”, “our” or “us”) processes personal data, such as which personal data are processed, why the processing takes place, how long the personal data are stored, who may gain access to them, and which rights data subjects have under the EU General Data Protection Regulation 2016/679 (“GDPR”). References to “you”, “your” or “yours” refer to the data subject whose personal data we process.
-
2. DEFINITIONS
In this privacy notice, definitions are used that correspond to those set out in the GDPR, such as “personal data”, “processing”, “data subject”, “supervisory authority”, “controller”, “processor”, and others. These definitions have the same meaning as set out in Article 4 of the GDPR. For a complete list and exact definitions, please refer to that article.
-
3. DATA CONTROLLER
We are the data controller for the processing of personal data when we determine the means and purposes of the processing, in accordance with the principle of accountability. Our processing of personal data is carried out in accordance with the GDPR, the fundamental data protection principles, and supplementary Swedish data protection legislation. Unless otherwise stated, we are the data controller for the processing of personal data described in this privacy notice. Our contact details can be found in section “14. Questions or complaints”.
Where we process personal data in the role of a data processor, such processing is carried out pursuant to a data processing agreement entered into with the data controller and in accordance with the controller’s instructions. Such processing is not covered by this privacy notice.
-
4. HOW WE OBTAIN ACCESS TO YOUR PERSONAL DATA
We primarily collect personal data directly from you, for example when you:
- visit our website,
- contact us,
- enter into an agreement with us, or
- participate in our marketing materials, instructional videos, or interviews.
In some cases, we may obtain access to your personal data from someone else, for example your employer or a colleague. This may occur if, for example, you are a contact person or an authorized signatory for a company we cooperate with, or if someone else contacts us in a matter that concerns you. In such cases, the personal data usually consist of your identifying information and contact details in your professional capacity.
When we process your personal data that have not been collected directly from you, we will provide you with this information no later than one (1) month from the date the data were received, or earlier if we contact you within the scope of the matter. When we receive personal data about you from a third party, this privacy notice applies in the same way, including information about the processing and your rights under the GDPR.
-
5. CATEGORIES OF PERSONAL DATA WE PROCESS
We only process personal data that are adequate, necessary, and relevant to fulfil the purpose for which they were collected, in accordance with the principle of data minimization.
The personal data we primarily process include identifying information (e.g. first and last name), contact details (e.g. email address, telephone number, and postal address), and work-related information (e.g. job title and employer). More information about the personal data processed is provided in section 7 below, where we describe the purposes of specific processing activities in more detail.
-
6. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
We process personal data only for specific, explicitly stated, and legitimate purposes in accordance with the principle of purpose limitation. The processing is primarily based on one of the following legal bases:
- Consent (Article 6(1)(a) GDPR): You have given your consent to our processing of your personal data for specific purposes. Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to the withdrawal.
- Contract (Article 6(1)(b) GDPR): The processing of your personal data is necessary for us to enter into or perform a contract with you.
- Legal obligation (Article 6(1)(c) GDPR): We are required to process your personal data in order to comply with legal obligations.
- Legitimate interest (Article 6(1)(f) GDPR): The processing of your personal data is necessary for our legitimate interests or those of a third party, following a balancing of interests against your rights and freedoms.
In some cases, providing personal data to us is voluntary. However, where personal data are required in order for us to enter into or perform a contract (e.g. in customer relationships or deliveries), such data are necessary. If such necessary personal data are not provided, we will not be able to enter into or perform the contract or provide the relevant services.
For processing based on legitimate interest, we have carried out a balancing of interests and assessed that a legitimate interest exists and that the processing does not infringe upon your right to privacy and personal integrity.
-
7. PURPOSES OF THE PROCESSING OF PERSONAL DATA
Below we describe the purposes for which we process personal data, which personal data are processed, the legal basis applied for the processing, any recipients of the personal data, and how long the personal data are stored.
7.1 Processing of personal data in connection with contact
- Purpose: To receive, administer, respond to, and document contact, inquiries, customer and support matters, and other communication with us, including follow-up and case history, via, for example, email, post, telephone, and social media.
- Personal data: Identifying information (e.g. first name and last name); contact details (e.g. email address, telephone number, postal address, social media usernames); work-related information (e.g. job title and employer); case-related information (e.g. message content, description of the matter, correspondence, attached files).
- Processing: Collection, registration, storage, structuring, reading, and use of personal data in order to manage and respond to contact and matters; internal access where necessary; deletion in accordance with established procedures.
- Legal basis: Legitimate interest – our legitimate interest in being able to communicate with and provide services to customers, partners, and other individuals who communicate with us.
- Recipients: The data are processed internally. In the case of email communication and case management, the data are also processed by providers of email and case management systems acting as data processors.
- Retention period: Personal data are normally stored for up to 3 years after the matter has been closed.
7.2 Detecting, preventing, and managing security threats, crime, and technical incidents
- Purpose: To ensure information and IT security by detecting, preventing, analyzing, and managing security threats, suspected activity, technical incidents, and crime, as well as protecting our systems, networks, data, and data subjects.
- Personal data: Account and user information (e.g. user ID, IP address, login attempts); technical information (e.g. log files, device and performance data); security-related data and indicators of suspected or unauthorized activity (e.g. abnormal patterns).
- Processing: Collection, registration, storage, analysis, and use of logs and technical data to identify, investigate, and manage security threats and incidents; disclosure to authorized recipients where necessary; deletion in accordance with established procedures.
- Legal basis: Legitimate interest – our legitimate interest in protecting the business, our IT systems, information assets, and data subjects against security threats, intrusions, and misuse.
- Recipients: IT security providers acting as data processors; authorities where disclosure is required by law or necessary for the investigation of crime (e.g. the Police or a supervisory authority).
- Retention period: Log data and security-related personal data are normally stored for up to 1 year.
7.3 Fulfilment of legal obligations and compliance
- Purpose: To comply with and document compliance with legal obligations under applicable legislation, including accounting and tax regulations; to manage and respond to requests concerning data subjects’ rights under the GDPR; and to document, investigate, and, where necessary, report personal data breaches to the supervisory authority and inform affected data subjects.
- Personal data: Identifying information; contact details; personal data included in accounting and financial records (e.g. reference person); data related to rights requests; incident-related information (e.g. logs, user activities, incident descriptions, and measures taken).
- Processing: Storage, archiving, documentation, and administrative handling of personal data required to fulfil legal obligations; registration and handling of data subject rights requests; documentation, investigation, and, where necessary, notification of personal data breaches; disclosure of data to competent authorities as required by law; deletion in accordance with established retention periods.
- Legal basis: Legal obligation.
- Recipients: Authorities where required by law (e.g. the Swedish Tax Agency, the Swedish Authority for Privacy Protection, the Police); providers of business, accounting, and financial systems and audit firms; IT and security providers assisting with incident investigations.
- Retention period:
  - Accounting data: Personal data included in accounting records are normally stored for up to 7 years from the end of the calendar year in which the financial year ended, in accordance with the Swedish Accounting Act.
  - Rights requests: Personal data related to a request under the GDPR are normally stored for up to 3 years after the matter has been closed.
  - Incident documentation: Personal data included in documentation of personal data breaches are normally stored for up to 3 years after the investigation has been concluded, unless longer storage is required by law or for legal claims.
7.4 Contracts, projects, and business relationships
- Purpose: To initiate, enter into, administer, and perform contracts, projects, and business relationships, including handling orders, deliveries, payments, and ongoing communication; to administer contact details in business and CRM systems; and to enable collaboration through digital workspaces and meetings where required for the relationship.
- Personal data: Identifying information (e.g. first name and last name); contact details (e.g. email address, telephone number, postal address, social media usernames); work-related information (e.g. job title and employer); purchase information (e.g. ordered services/products, order history, payment status); correspondence history (e.g. customer service, support, complaints); technical and administrative data related to digital meetings and collaboration spaces (e.g. meeting links and user identity in collaboration tools).
- Processing: Registration, storage, and updating of contact, contract, and project data; use of data to administer contracts, orders, deliveries, payments, and communication; storage and handling of correspondence and case history; creation and administration of digital workspaces and meeting invitations where contact details are shared with other participants; deletion in accordance with established procedures.
- Legal basis:
  - Contract – where the processing is necessary to enter into or perform a contract with you as a natural person (including sole traders).
  - Legitimate interest – where the processing is necessary to manage and maintain business relationships with legal entities and their representatives.
- Recipients: Providers of financial and business systems, CRM platforms, and communication and support services (data processors); providers of collaboration and meeting tools (e.g. digital workspaces and video conferencing platforms).
- Retention period: Personal data are stored for the duration of the contractual or business relationship and thereafter normally for up to 3 years after termination.
7.5 Marketing and customer analysis
- Purpose: To analyze and evaluate customer and market insights in order to improve our services, products, offerings, and communication, including conducting customer and market surveys and handling incoming feedback.
- Personal data: Identifying information; contact details; purchase information (e.g. product category, date, and amount); data on user behavior and interaction (e.g. response patterns in mailings or surveys); feedback and survey responses (including free-text responses that may contain personal data which the data subject chooses to provide, even where the survey is otherwise intended to be anonymous).
- Processing: Collection, compilation, and structuring of data for analysis and statistical purposes; segmentation and processing of data for market and customer insights; preparation of aggregated, pseudonymized, or anonymized analyses and statistics; use of results for the development of services, products, and offerings; deletion or anonymization of personal data in accordance with established retention periods.
- Legal basis: Legitimate interest – our legitimate interest in understanding customer needs and market conditions in order to develop and improve our business.
- Recipients: Providers of analytics, survey, and statistical tools that process personal data on our behalf (data processors).
- Retention period: Personal data for analysis purposes are stored for as long as necessary for the purpose, but no longer than 3 years from collection.
7.6 Recruitment
A. Recruitment process
- Purpose: To administer and carry out recruitment processes, including receiving applications, selection, interviews, assessments, and decisions on employment.
- Personal data: Identifying information (e.g. name and personal identity number); contact details (e.g. telephone number and email address); application documents (e.g. CV, cover letter, and references); educational and professional background; interview results and test results; other information voluntarily provided by the candidate during the recruitment process.
- Processing: Collection, registration, and storage of application documents received via recruitment platforms, recruitment agencies, or directly by us; use of data for selection, interviews, and assessments; contact with references in accordance with the candidate’s instructions; documentation of recruitment decisions and the conduct of the process; disclosure to relevant recipients where required; deletion in accordance with established procedures.
- Legal basis: Legitimate interest – our legitimate interest in conducting an efficient, structured, and legally secure recruitment process. Certain processing may also be carried out on the basis of a legal obligation, for example where legislation requires specific documentation.
- Recipients: Recruitment platforms and recruitment agencies (data processors); reference persons specified by the candidate; authorities where required by law.
- Retention period: Personal data relating to candidates who are not employed are normally stored for up to 2 years after the recruitment process has been concluded, in order to manage potential legal claims. Personal data relating to employees are handled in accordance with our personnel administration procedures.
B. Candidate pool
- Purpose: To store application documents, with the candidate’s consent, for future recruitment needs and to enable contact regarding relevant positions.
- Personal data: Application documents and related data (e.g. CV, cover letter, contact details, educational and professional background), as well as any additional information that the candidate voluntarily provides in connection with the consent.
- Processing: Storage of application documents in a separate register (candidate pool); reading and use of the data when relevant recruitment needs arise; deletion of data when consent is withdrawn or the retention period expires.
- Legal basis: Consent – the candidate may withdraw their consent at any time, in which case the personal data will be deleted without undue delay.
- Recipients: Cloud storage service where the candidate pool is administered (data processor); recruitment agencies assisting in recruitment processes where relevant.
- Retention period: The personal data are stored for up to 3 years from the date the consent was given, or for a shorter period if the consent is withdrawn. Before the retention period expires, new consent may be requested in order to extend the storage period.
7.7 Participation in marketing materials, instructional videos, or interviews
- Purpose: To plan, produce, document, and publish marketing and informational materials presenting our business, products, services, and activities, including material from trade fairs, study visits, events, interviews, and instructional videos, in digital and printed channels.
- Personal data: Identifying information (e.g. name, image, and voice); work-related information (e.g. job title and employer); recorded and visual material (e.g. photographs, video, audio recordings, and interview content); contact details to the extent required for planning and carrying out the participation.
- Processing: Photography, filming, audio recording, and interviews; editing, storage, and organization of material; publication and distribution in digital and printed channels, including websites and social media; disclosure to production and marketing service providers; deletion or archiving in accordance with the purpose, agreements, and internal procedures.
- Legal basis:
  - Legitimate interest – our legitimate interest in documenting and communicating our business and marketing products, services, and participation in relevant contexts (e.g. images and video from trade fairs and events).
  - Contract – where a specific agreement is entered into in advance for planned and individual material (e.g. participation or model release agreements).
- Recipients: Communication and marketing agencies and production companies (data processors). The material may also be made publicly available via websites, social media, and other marketing channels, as well as in printed form.
- Retention period: Personal data in marketing materials are stored and used for as long as the material is relevant to the purpose. Relevance is assessed based on, for example, whether the material is still used in current channels or campaigns, whether it is up to date or has been replaced by newer material. Upon a request for removal, an individual assessment is carried out. If our legitimate interest continues to prevail, continued storage and use may take place. If deletion is appropriate, it will be carried out in the channels and systems that we control. Material published in printed form cannot be withdrawn or deleted after publication. Material that has been published digitally and subsequently disseminated by third parties (e.g. shared on social media) cannot always be controlled or deleted by us afterwards.
7.8 Use of cookies and similar technologies
- Purpose: To provide and ensure the functionality and security of the website and to improve the user experience through the use of cookies and similar technologies. With consent, cookies are also used for analytics and marketing in accordance with our Cookie Notice.
- Personal data: Technical data (e.g. IP address and device information) and data on website usage.
- Processing: Collection, storage, and use of data via cookies and similar technologies for functionality, security, analytics, and marketing, in accordance with the choices made via the cookie banner.
- Legal basis:
  - For necessary cookies: Legitimate interest – our legitimate interest in providing a functional and secure website.
  - For other cookies: Consent.
- Recipients: Providers of cookie, analytics, and marketing services, as specified in the Cookie Notice.
- Retention period: Varies depending on the type of cookie and is specified in the cookie banner and cookie list. Consent may be withdrawn at any time via the cookie banner.
-
8. HOW LONG WE STORE PERSONAL DATA
We store personal data only for as long as necessary for the purposes for which they were collected or for as long as required to comply with legal obligations, in accordance with the principle of storage limitation.
The exact retention period depends on the processing activity in which the personal data are included. Retention periods for each type of processing are set out in section 7 of this privacy notice.
Personal data may need to be stored for a longer period if required by law, if needed for an ongoing matter, or to establish, exercise, or defend legal claims. Therefore, in the event of a request for erasure, we may need to retain certain personal data where required to comply with a legal obligation or to handle a dispute.
When personal data are no longer required to be retained, they are deleted or anonymized in accordance with our internal retention procedures and applicable legislation.
-
9. WHERE WE PROCESS PERSONAL DATA
We strive to always process personal data within the European Union (EU) or the European Economic Area (EEA). However, in some cases, personal data may be transferred to and processed outside the EU/EEA. To ensure an adequate level of protection for your personal data in such transfers, we implement appropriate safeguards. These may include the use of standard contractual clauses approved by the European Commission, as well as other supplementary safeguards where required under the GDPR and guidance from EU data protection authorities. You may contact us for more information about the safeguards used and, where applicable, to obtain a copy of the relevant standard contractual clauses.
-
10. RECIPIENTS OF PERSONAL DATA
We process personal data with care, and the sharing of personal data takes place in accordance with applicable data protection legislation.
- Authorities: We may share personal data where we are legally obliged to do so, for example under applicable legislation or in connection with an authority investigation (e.g. with the Police, the Swedish Tax Agency, or the Swedish Authority for Privacy Protection). We may also share personal data where required to prevent, detect, or investigate crime, or to protect our business against fraud, intrusion, or other security threats.
- Suppliers and business partners: In order to fulfil our obligations towards our customers and other stakeholders, we may share personal data with external suppliers, subcontractors, authorized resellers, distributors, or other business partners. These parties process personal data as independent data controllers and are responsible for their own processing of the data in accordance with the GDPR.
- Service providers and data processors: We also cooperate with service providers who process personal data on our behalf, such as IT providers, providers of accounting systems, and accounting firms. These entities act as our data processors and may only process the personal data in accordance with our documented instructions. The processing is governed by data processing agreements in accordance with Article 28 of the GDPR.
- Group companies: Personal data may be shared between companies within our group for group administrative and operational purposes, such as shared finance and accounting management, IT operations, internal reporting, customer service, personnel administration, and local sales and service activities. Sharing takes place only to the extent necessary to carry out and administer the group’s operations and internal services. When personal data are shared within the group, this takes place either (i) between companies acting as independent data controllers, or (ii) where one group company processes personal data on behalf of another group company as a data processor (and, where applicable, with sub-processors). Such intra-group transfers and processing are governed by a joint intra-group agreement with associated appendices that specify the allocation of roles, types of transfers, applicable security measures, and other conditions for the processing of personal data.
- Other independent data controllers: In certain cases, we may share personal data with external parties that act as independent data controllers and are responsible for their own processing of the personal data. This may occur, for example, in connection with business transactions such as a sale, merger, restructuring, or cooperation projects where an external party has a legitimate business interest in processing certain personal data. The receiving party is responsible for informing the data subjects and ensuring that the processing is carried out in accordance with the GDPR.
-
11. DATA SUBJECTS’ RIGHTS UNDER THE GDPR
Under the GDPR, you as a data subject have the following rights:
- Right to information: You have the right to receive clear information about how we process your personal data, including the purposes, categories of data, and any recipients. This information is provided in this privacy notice.
- Right of access: You may request a copy of the personal data we process about you and receive information about the processing, including any cross-border transfers and safeguards.
- Right to rectification: If your personal data are inaccurate or incomplete, you have the right to have them corrected. In such cases, we will inform relevant recipients of your personal data, where possible and not disproportionately burdensome for us. You also have the right to be informed of who those recipients are.
- Right to erasure (“right to be forgotten”): Under certain circumstances, you may request that we erase your personal data, for example if they are no longer necessary for the purposes for which they were collected or if you withdraw your consent. However, legal obligations may require continued storage. If we erase your personal data, we will inform relevant recipients of your personal data, where possible and not disproportionately burdensome for us. You also have the right to be informed of who those recipients are.
- Right to restriction of processing: You may request that we restrict the processing of your personal data, for example if you contest their accuracy or if the processing is unlawful but you object to erasure. In the event of restriction, we may only store the data, process them with your consent, or process them in order to establish, exercise, or defend legal claims. We will inform you when the restriction is lifted.
- Right to data portability: Where we process your personal data based on consent or a contract as the legal basis, you have the right to receive them in a structured, machine-readable format and to have them transferred to another data controller, where technically feasible.
- Right to object: You may object to our processing of your personal data where it is based on legitimate interest as the legal basis. We may only continue the processing if we can demonstrate compelling legitimate grounds that override your interests. You always have the right to object to processing for direct marketing purposes, which means that we must immediately cease such processing.
- Right not to be subject to automated decision-making: You have the right not to be subject to decisions based solely on automated processing, including profiling, where such decisions significantly affect you. Exceptions apply where the decision is necessary for a contract or required by law. In such cases, you have the right to request human intervention in the decision. We do not make any automated decisions, with or without profiling.
-
12. HOW TO EXERCISE YOUR RIGHTS
You may contact us using the contact details provided at the end of this privacy notice if you wish to exercise any of your rights under the GDPR. Exercising your rights is free of charge, unless your request is repetitive, unfounded, or excessive, in which case we are entitled to charge a reasonable fee or refuse the request.
In order to ensure that we handle your request correctly, we may need to verify your identity. We normally respond to your request within one month, but in the case of complex matters or a high workload, the response time may be extended by up to two additional months. In such cases, we will inform you of the extension within the first month.
Please note that certain rights are limited under the GDPR and apply only under specific conditions. If we are unable to comply with your request, we will inform you of the reasons, in accordance with applicable law.
-
13. CHANGES TO THIS PRIVACY NOTICE
We update this privacy notice as necessary to ensure that the information is accurate and up to date. You are responsible for reviewing the latest version, which is always available on our website. If we make material changes that affect how we process your personal data, we will inform you of this where required by law.
-
14. QUESTIONS OR COMPLAINTS
If you have any questions about this privacy notice or our processing of personal data, you are welcome to contact us. We have not appointed a Data Protection Officer (DPO), as our operations are not subject to the requirement to appoint a DPO under Article 37 of the GDPR. Our contact details are as follows:
- Postal address: Kråkeslättvägen 8, SE-295 39 Bromölla, Sweden
- Telephone number: +46 (0) 456 486 60
Our opening hours are weekdays excluding public holidays: Monday–Friday, 07:00–15:45 (CET).
If you are dissatisfied with our processing of your personal data, you may lodge a complaint with the supervisory authority in Sweden, the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY):
- Telephone: +46 (0)8 657 61 00
- Postal address: Integritetsskyddsmyndigheten, Box 8114, SE-104 20 Stockholm, Sweden
If you are resident in another country within the EU/EEA, you may also contact the supervisory authority in your country of residence. A list of the supervisory authorities of the Member States can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en