PRIVACY NOTICE
INDISKA 1901 AB
Applicable as of 27 January 2020
At INDISKA 1901 AB we safeguard your personal privacy and strive at all times to maintain a high level of data protection (meaning, for example, that we would never sell your personal data to a third party). Our Privacy Notice explains how we collect and use your personal information (“personal data”). It also describes your rights and how you can exercise them.
We hope you will take the time to read this Privacy Notice in order to understand how our policies protect you, and for your reassurance about how we process your personal data. Please contact us at any time if you have any queries. You may like to use the table of contents below to jump to any sections of particular interest to you.
Aim
The aim of our Privacy Notice is to explain how we collect and use your personal data. We also explain your rights and what to do if you would like to air a grievance or make a complaint.
Objective
Our objective is for you to feel reassured that your privacy is respected and protected and that your data are processed correctly by us. All data will be processed with due care and in accordance with the law.
INDISKA 1901 AB, org. no. 559395-2673, registered at the address Gävlegatan 22, 113 64 Stockholm, Sweden, is the official Data Controller responsible for the company’s data processing.
What are ‘personal data’ and ‘data processing’?
‘Personal data’ means any information directly or indirectly identifiable with a natural person (a physical individual). This means, for example, that photos and audio recordings processed using a computer may be personal data even if no names are mentioned. Encrypted data and various types of electronic identities (e.g. an IP address) are personal data if they can be linked to a natural person (physical individual).
‘Data processing’ means everything done to the data.
Any operation performed on data is a form of processing, whether automated or not. Examples of typical processing operations include collection, recording, organisation, structuring, storage, adaptation or alteration, transmission, and erasure or destruction.
What data do we collect about you as our customer, and for what purpose (why)?
1. In order to process orders/purchases
PURPOSE
In order to process orders/purchases
PROCESSING PERFORMED
- Supply (including notification and contact concerning the deliverables)
- Identification and age verification
- Processing payments (including analysis of payment options, which may involve checking payment records and obtaining credit information from a service provider such as Klarna)
- Address verification with an address provider
- Processing complaints about faulty goods and warranty claims
DATA CATEGORIES
- Name
- National ID number (in countries where this is applicable)
- Contact details (e.g. postal and email address and phone number)
- Payment records
- Payment details
- Credit information from credit rating agencies
- Transaction data (e.g. what items have been ordered, and whether an item is to be shipped to a different address than the billing address)
- User data for “My Page” (members only)
Legal basis: Fulfilment of the formal sale of goods agreement. It is necessary for us to collect these personal data from you in order to be able to fulfil our obligation to you under the formal sale of goods agreement. If these data are not provided to us, we are unable to fulfil our obligation to you, which means we have to refuse to sell to you.
Retention period: This is the length of time we keep your data: until the sale has been completed (including delivery and payment) and then for a period of up to 36 months in order to be able to process any faulty goods complaint or warranty claim.
2. In order to be able to arrange services
PURPOSE
In order to be able to arrange services (e.g. delivery services for various Click & Collect solutions or door-to-door delivery)
PROCESSING PERFORMED
- Reception of bookings, re-bookings and booking cancellations
- Sending out booking confirmations
- Communication concerning bookings
DATA CATEGORIES
- Name
- Contact details (e.g. postal and email address and phone number)
- Any personal preferences or remarks concerning enhanced service provision
Legal basis: Fulfilment of the service agreement. It is necessary for us to collect these personal data from you in order to be able to fulfil our obligation to you under the formal service agreement. If these data are not provided to us, we are unable to fulfil our obligation to you, which means we have to refuse to provide this service to you.
Retention period: Until the service to you has been completed.
3. In order to fulfil our legal obligations
PURPOSE
In order to fulfil our legal obligations
PROCESSING PERFORMED
- Necessary processing to fulfil our legal obligations in order to comply with requirements laid down in law, a court ruling or the decision of a national authority (e.g. the national accountancy act, anti-money-laundering act or regulations regarding product liability and product safety, which may require us to provide statements and information to the public domain and customers concerning product warnings and product recalls in the event of, for example a faulty or hazardous item)
DATA CATEGORIES
- Name
- National ID number (in countries where this is applicable)
- Contact details (e.g. postal and email address and phone number)
- Payment records
- Payment details
- Your correspondence
- Data on time of transaction, transaction location, any defect/complaint
- User data for “My Page” (members only)
Legal basis: Legal obligation. This collection of personal data is required by law. If these data are not provided to us, we are unable to fulfil our legal obligation to you, which means we have to refuse to sell to you.
Retention period: This is the length of time we keep your data: until the sale has been completed (including delivery and payment) and then for a period of up to 36 months.
4. In order to provide customer services
PURPOSE
In order to provide customer services
PROCESSING PERFORMED
- Communication and replying to any queries you make with our customer service (by phone or digital channels, including social media)
- Identification
- Addressing any complaints and support activities (including technical support)
DATA CATEGORIES
- Name
- National ID number (in countries where this is applicable)
- Contact details (e.g. postal and email address and phone number)
- Your correspondence
- Data and time of transaction, transaction location, any defects/complaints
- Technical data on your equipment
- Health data (e.g. allergic reactions and any medical condition you advise us of)
- User data for “My Page” (members only)
Legal basis: Legitimate interest. The processing is necessary in order to serve our and your legitimate interest in us providing customer service.
Retention period: Until the customer service has been completed.
5. In order to manage and honour your participation in an event
PURPOSE
In order to manage and honor your participation in an event (e.g. acknowledging reviews, queries or surveys)
PROCESSING PERFORMED
- Identification and verification of age - Selection of winners and forwarding of any prize (e.g. cash payment or travel bookings)
DATA CATEGORIES
- Name
- National ID number (in countries where this is applicable)
- Contact details (e.g. postal and email address and phone number)
- Your correspondence
- Data and time of transaction, transaction location, any defects/complaints
- Technical data on your equipment
- Health data (e.g. allergic reactions and any medical condition you advise us of)
- User data for “My Page” (members only)
Legal basis: Legitimate interest. The processing is necessary in order to serve our and your legitimate interest in us handling your participation in competitions and/or events.
Retention period: For the duration of the event (including any evaluation).
6. In order to be able to evaluate, develop and enhance our services, products and systems for our clientele in general
PURPOSE
In order to be able to evaluate, develop and enhance our services, products and systems for our clientele in general
PROCESSING PERFORMED
- Adapting our services to make them more user-friendly (e.g. modifying our user interface to streamline the information flow or to highlight features frequently used by customers in our digital channels)
- Compiling data to support enhancements to our goods and logistics flows (e.g. for forecasting our internal purchasing, warehousing and order volumes)
- Compiling data to support development and enhancement of our range
- Compiling data to support development and enhancement of our resource-efficiency from an environmental and sustainability point of view (e.g. by streamlining our internal purchasing and delivery planning)
- Compiling data to support our planning of new store/warehouse openings or store/warehouse closures
- Giving our customers the opportunity to influence our range
- Compiling data to support enhancements to our IT systems in order to enhance security for our business and for our visitors/customers
- Analyses of the data we collect for this purpose. Based on the data we collect (e.g. transaction records, age and gender) you will be sorted into a customer group (or ‘customer segment’) which will then be analysed at an aggregated (grouped) level by means of de-identifiable or pseudonymised data with no linkage to you as an individual. The insights we gain from such analyses will form the basis for the types of products we choose to stock and how we develop “My Page” on indiska.com
DATA CATEGORIES
- Age
- Gender
- Place of residence
- Correspondence and feedback concerning our services and products
- Transaction and user-generated data (e.g. click and visit history)
- Technical data concerning the devices used and their settings (e.g. language settings, IP address, browser settings, time zone, operating system, screen resolution and platform)
- Information on how you interacted with us, i.e. how you used the service, how you signed in, which pages were visited and for how long, response times, download errors, how you access and quit the service etc.
Legal basis: Legitimate interest. This processing is necessary in order to serve our and your legitimate interest in us evaluating, developing and enhancing our services, products and systems.
Retention period: From the time of collection and then for a period of 36 months.
7. In order to be able to prevent misuse of a service or to prevent and investigate any crime perpetrated against our company
PURPOSE
In order to be able to prevent misuse of a service or to prevent and investigate any crime perpetrated against our company
PROCESSING PERFORMED
- Preventing and investigating any instance of fraud or criminal offence (e.g. incident reporting in-store)
- Preventing spamming, phishing, harassment, attempts to unlawfully sign in to a user account or other actions prohibited by law or by our general terms and conditions of sale or membership or services
- Safeguarding and enhancement of our IT systems against attack and intrusion
DATA CATEGORIES
- National ID number (in countries where this is applicable)
- Video recordings from a surveillance camera
- Transaction and user-generated data (e.g. (e.g. click and visit history)
- Technical data concerning the devices used and their settings (e.g. language settings, IP address, browser settings, time zone, operating system, screen resolution and platform)
- Information on how our digital services are used
Legal basis: Fulfilment of our legal obligation (as applicable) or serving our legitimate interest. Where no legal obligation applies, processing is necessary in order to serve our legitimate interest in preventing misuse of a service or to prevent and investigate any crime against the company.
Retention period: From the time of collection and then for a period of 36 months.
8. In order to be able to administer your membership and to generate “My Page”
PURPOSE
In order to be able to administer your membership and in order to be able to generate “My Page”
PROCESSING PERFORMED
- Generation of the sign-in facility
- Verifying your identity and age
- Maintaining accurate and up-to-date details
- Giving you the option of tracking your orders and transaction history
- Giving you the option of saving favourites and accessing similar ease-of-use features
- Managing your customer options (e.g. your profile and your settings)
DATA CATEGORIES
- Name
- National ID number (in countries where this is applicable)
- Contact details (e.g. postal and email address and phone number)
- Transaction history
- Payment records
- Payment details
- Username and password
- Settings concerning your profile and personal preferences.
- Address details via an address supplier
Legal basis: Fulfilment of the agreement concerning membership of our loyalty programme. It is necessary for us to collect these personal data from you in order to be able to fulfil our obligation to you under our loyalty programme membership agreement. If these data are not provided to us, we are unable to fulfil our obligation to you, which means we have to deny you membership.
Retention period: Until your membership is cancelled (manually or automatically due to inactivity over a period of 36 months).
9. In order to be able to manage your points and bonuses
PURPOSE
In order to be able to manage your points and bonuses
PROCESSING PERFORMED
- Recording and calculating your bonus points based on your purchases - Communication concerning your bonuses
- Automatically crediting your bonus to your profile so that you may redeem it against a purchase
- Giving you the option of tracking your orders and transaction history
- Giving you the option of saving favourites and accessing similar ease-of-use features
- Managing your customer options (e.g. your profile and your settings)
DATA CATEGORIES
- Name
- National ID number (in countries where this is applicable)
- Contact details (e.g. postal and email address and phone number)
- Transaction history
Legal basis: Fulfilment of the agreement concerning membership of our loyalty programme. It is necessary for us to collect these personal data from you in order to be able to fulfil our obligation to you under our loyalty programme membership agreement. If these data are not provided to us, we are unable to fulfil our obligation to you, which means we have to deny you membership.
Retention period: Until your membership is cancelled (manually or automatically due to inactivity over a period of 36 months).
10. In order to be able to manage your benefits and offers
PURPOSE
In order to be able to manage your benefits and offers
PROCESSING PERFORMED
- Creating your personal offers and general member offers, personalised new arrivals, product recommendations, inspiration, benefits linked to your membership level and invitations to events
- Analyses of the data we collect for this purpose. We may, for example, look at your transaction history, age, gender, place of residence, stated preferences (concerning products and communication channels) and the results of customer satisfaction or market surveys
- Analyses of the data we collect for this purpose. Based on the data we collect (e.g. transaction history, age, gender and stated preferences) we perform an analysis at individual level which may result in you being assigned to a customer group (customer segment) or are given a unique profile. The insights we gain from the analysis form the basis for your personal offers and personalised benefits, etc. Different members may therefore receive differing benefits and offers
DATA CATEGORIES
- Name
- Username
- Member number
- Member level
- Date of birth/national ID number (in countries where this is applicable)
- Gender
- Contact details (e.g. postal and email address and phone number)
- Place of residence
- Transaction history
- Transaction and user-generated data (e.g. click and visit history) products and services
Legal basis: Fulfilment of the agreement concerning membership of our loyalty programme. It is necessary for us to collect these personal data from you in order to be able to fulfil our obligation to you under our loyalty programme membership agreement. If these data are not provided to us, we are unable to fulfil our obligation to you, which means we have to deny you membership.
Retention period: Until your membership is cancelled (manually or automatically due to inactivity over a period of 36 months).
11. In order to be able to provide a personalized experience of our services
PURPOSE
In order to be able to provide a personalized experience of our services
PROCESSING PERFORMED
- Creating content personalized for you, e.g. in the form of relevant product recommendations, presentation of your specific benefits and offers and other similar features for your ease of use
- Streamlining your use of our services (e.g.in allowing you to save favourites to facilitate future purchases or to remind you of a forgotten /abandoned shopping basket)
- Personal communication based on your behaviour as a member
- Analysis of the data we collect for this purpose. Based on the data we collect (e.g. member level, transaction and click history) we perform an analysis at individual level. The insights from the analysis form the basis for our communication with you and which offers, benefits and information concerning e.g. bonuses that are displayed to you on “My Page”
DATA CATEGORIES
- Name
- Username
- Age
- Gender
- Place of residence
- Membership level
- Transaction history
- Transaction and user-generated data (e.g. click and visit history)
- Stated customer preferences regarding communication channels
Legal basis: Fulfilment of the agreement concerning membership of our loyalty programme. It is necessary for us to collect these personal data from you in order to be able to fulfil our obligation to you under our loyalty programme membership agreement. If these data are not provided to us, we are unable to fulfil our obligation to you, which means we have to deny you membership.
Retention period: Until your membership is cancelled (manually or automatically due to inactivity over a period of 36 months).
12. Where do we process your personal data?
We strive to process your data within the EU/EEA. However, in certain situations, your data may be transferred to, and processed in countries outside the EU/EEA by a company within our group or by another supplier or sub-supplier. Since we are firmly committed to protecting your data at all times, we will take reasonable lawful, technical and organisational measures to ensure that your data are dealt with securely and with an adequate level of protection that is comparable to the level offered within the EU/EEA.
We may transfer or share your information with selected third parties. We take all reasonable legal, technical and organisational measures to ensure that your data are processed securely and with an appropriate level of protection in the event of their transfer to or sharing with such selected third parties.
We may share your information with the following parties or in the following instances:
-
Suppliers and sub-suppliers such as companies within our group
If necessary, we may share your personal data with suppliers or sub-suppliers:- Carriers (logistics companies and freight forwarders)
- Payment solutions (card payment service providers, banks and other payment service providers)
- Marketing (printers and distributors, social media, media agencies or advertising agencies)
- IT services (companies providing systems operations, technical support and maintenance of our IT solutions) in order to be able to fulfil obligations in accordance with our agreement with you and for other purposes as set out in this Privacy Notice
-
Authorities
We may be required to disclose certain information to public authorities such as the Police or the Tax Agency if obliged to do so by law or if you have consented to us doing so. An example of this would be when we as employers have a legal obligation to disclose information under measures to combat money-laundering and the financing of terrorism.
-
Divestment/acquisition
We may be required to disclose your information to a third party:- If we sell or acquire a company or other asset. In such cases we may be required to disclose your personal data to a prospective seller or buyer of such a company or other asset
- If a significant share of our assets is bought up by a third party. Please note that we will never sell your personal data to a third party without your consent. When your personal data are shared with a data processor (a natural or legal person or organisation performing data processing) this will only be for purposes consistent with the purposes for which the information was collected (e.g. in order to fulfil our obligation under the formal sale of goods agreement or under our loyalty programme membership agreement). We screen all data processors to ensure that they are able to provide sufficient personal data security and confidentiality safeguards. We have written agreements with all data processors under which they guarantee the security of the personal data they process and pledge to comply with our security requirements and restrictions and requirements regarding international transfer of personal data
- Entities acting as independent data controllers. We also share your personal data with certain entities that act as independent data controllers. The fact that such an entity acts as an independent data controller means that we are not the ones in control of how the information disclosed to the entity is to be processed
Independent data controllers we share your personal data with are:- Public authorities (the Police, Tax Agency or other public authorities) if we are obliged to do so by law or on suspicion of a legal breach
- Companies that handle general goods transportation (logistics companies and freight forwarders)
- Entities offering payment solutions (card charging entities, banks and other payment service providers)
When your personal data are shared with an entity acting as an independent data controller, the data are subject to that entity’s privacy policy and personal data processing.
13. How long do we retain your data?
We will at no time keep your data on file for longer than necessary for the respective purpose. For details of specific retention periods, please consult the respective purposes. Your right to access your data, have them rectified or erased (deleted).
- Right to access your data You can request a copy of the data we hold on you in order to verify it. You may request a copy free of charge once a year
- Right to rectification You have the right to correct any inaccurate or incomplete information about yourself
- Right to erasure (‘the right to be forgotten’) You have the right to request the erasure (deletion) of your personal data in the event that the information is no longer needed for the purpose for which it was collected
- You object to a balancing of interests and your grounds for objection override our legitimate interest
- You object to processing for purposes of direct marketing
- Your personal data are being processed unlawfully
- The personal data must be erased in order to fulfil a legal obligation we are subject to
- Personal data have been collected on a minor (under the age of 13) of whom you are the legal guardian and collection occurred in the context of an offer via information society services (e.g. social media)
Please bear in mind that we may have the right to deny your request if legal obligations prevent us from promptly erasing certain categories of personal data. Such obligations may be laid down in accountancy and tax legislation, financial services and anti-money-laundering legislation, but also in consumer law. The processing may also be necessary in order for us to be able to ascertain, assert or defend legal claims. In the event that we are unable to meet a request for erasure, we will instead block the personal data from being used for other purposes than the purpose that prevents the requested erasure. However, we may be subject to legal obligations that prevent us from erasing parts of your data immediately. Such obligations may be laid down in accountancy and tax legislation, financial services and anti-money-laundering legislation, but also in consumer law. In such cases, we will block the data that we are obliged to retain from being used for purposes other than our fulfilment of such legal obligations.
14. How do we process national ID numbers (in countries where this is applicable)?
We will only process your national ID number (in countries where this is applicable) when there is a legitimate reason to do so in relation to the purpose, and if it is necessary for reliable identification or for other precautionary reasons. We will at all times minimise use of your national ID number (in countries where this is applicable) insofar as is possible by, where sufficient, using your date of birth number.
Cookies and trackers
We use cookies and tracking solutions in order to provide personalised services to the users of our online services. If you would like to know more about how we use cookies, please feel free to contact us. We have a Data Protection Officer who can provide more detailed information about how we deal with personal data and privacy protection. Call our main number for contact details.
What is the implication of the Swedish Data Protection Authority being the supervisory authority?
The Swedish Data Protection Authority is responsible for supervising legal compliance, which means that anyone who asserts that their personal data are not being lawfully processed may file a complaint with the Swedish Data Protection Authority.
What is the easiest way to contact us about any data protection queries or concerns?
Because we take data protection extremely seriously, we have dedicated staff in our customer service department to deal with data protection specifically. You can contact them at any time at customer@indiska.com.
15. Updates
We reserve the right to make changes to this Privacy Notice. The latest version of the Privacy Notice is always published here on our website. In case of any updates of significance for our personal data processing (such as changes to a stated purpose or personal data categories) or updates that are not of material significance for the processing but which may be of material significance to you, you will receive information on indiska.com and by email (if you have opted to receive email) well in advance of the date on which such updates come into effect. When we release information about updates, we will also explain the content of the updates and how they might affect you.