Background
The SCA Group, including its subsidiaries, (SCA) collects Personal Data on an ongoing basis and uses such Personal Data within SCA’s various businesses. We are committed to transparency in respect of how your Personal Data is handled by us, regardless of whether we have obtained the Personal Data directly from you or if we have collected the data in any other manner.

We undertake the necessary measures to ensure that our processing of your Personal Data is in accordance with applicable laws, rules and regulations governing privacy and data protection as well as in line with established good practice on the market.

In this general Privacy notice we provide a general description of the principles and rules that apply to all processing of Personal Data within SCA’s business.

Further and more detailed information concerning SCA’s processing of Personal Data for certain specific activities where the purpose, legal basis, retention periods or issues regarding the controller responsibility does not follow general principles, is provided in separate documents that cover specific information, as listed below.

Specific information;

- Privacy notice – Corporate customer

- Privacy notice – Supplier

- Privacy notice – Consumer (customer)

- Privacy notice – Marketing

Definition of Personal Data
Personal Data means any information which directly or indirectly, together with other information, can be connected to a natural person. The Personal Data that we process varies depending on the purpose of the processing but will in most cases include contact information (name, address, telephone number and e-mail address).

In the cases where the data subject is e.g. a counterpart in an agreement, we will also process Personal Data relevant for the relationship, such as information for purchases, sales and book keeping, as well as, if required, data concerning real estate.  

Collection of Personal Data
We collect Personal Data that you provide to us voluntarily in connection with you entering into an agreement with us or us initiating or maintaining a business relationship with each other.

Personal Data can also be generated in the course of our business relationship as a result of your activities or the legal requirements that we as a company are subject to.

We also collect Personal Data if you use any forms on our Websites and through our use of cookies on our Websites, which collect information on and from your web explorer.

Information may also be added and updated with information available through publicly available sources, e.g. public registries such as SPAR and the Real Property Register (Sw: Fastighetsregistret). We may also purchase information from companies that compile registries.

Purpose, lawful basis and retention
According to the GDPR all processing shall have a clear purpose. The identified purpose determines and forms the basis for;

- the lawful basis for the processing

- which data that is processed

- which persons that are given access to the data

- what retention periods that shall apply

Further information regarding our purposes for the processing of your Personal Data and the lawful basis for our processing is set our above in the section ”Background” (specific information).

As a general rule we will process your Personal Data during the period that you or the organization that you represent have an active business relationship with us, and thereafter for the period that is necessary to fulfil the purposes of our processing.

Processing for certain purposes is ended and the information deleted shortly after our business relationship has ended. For other processing activities the processing may continue for a longer period, e.g. for the purpose of us fulfilling legal requirements (such as bookkeeping). When our purpose with the processing is fulfilled and further processing is no longer relevant, the Personal Data will be deleted in a secure manner.

Data Controller
The respective company within the SCA Group is the Data Controller for its processing of Personal Data. Different companies within the SCA Group may thus be the Data Controller for processing of your Personal Data, depending on the business area which the processing relates to. The decisive factor for determining which SCA company or companies that is/are Data Controller in a specific case, is which company that determines the purpose and means of the processing (also see further below regarding Data Processors).

Considering the group structure of the SCA Group and the fact that we share several common group functions, there are situations where several SCA companies are joint controllers. To address such situations, SCA has established a joint internal structure for handling its processing of Personal Data, including agreements, for the protection of Personal Data.

Recipients of Personal Data
SCA has, as explained above, several common group functions and your Personal Data may as a consequence thereof be transferred to other companies within the SCA Group.

SCA engages partners and service providers who perform services on SCA’s behalf, such as provision of IT services, marketing services etc. In the course of performing such services the service provider/partner may be gioven access to your Personal Data. These companies are only allowed to process Personal Data in accordance and strict compliance with the Data Processing Agreement entered into with us and in accordance with the specific instructions they receive from us in connection with the execution of such agreement, and thereafter. They are not allowed to use your Personal Data for their own purposes and they are required under law and agreement to protect your Personal Data.

SCA may provide Personal Data to the Police or other authorities if we are required to do so according to law or a decision by a governmental authority for the purpose of safeguarding SCA’s legal interest or to investigate, detect or prevent fraud, other criminal offences or security problems.

In connection with a legal dispute it may be relevant to transfer information which includes Personal Data also to other parties to the dispute.

Protection of your Personal Data
SCA conducts risk analysis concerning processing of Personal Data. Based on the result of such analysis, SCA adopts the appropriate technical and organizational security measures. In respect of all storage platforms and systems that contain Personal Data SCA applies mandatory authorization routines, access control and have clear information owners, all for the purpose of ensuring appropriate protection against unauthorized access, change or erasure.

The measures undertaken by SCA to ensure an appropriate level of security for Personal Data are audited, evaluated and tested on a regular basis, e.g. in relation to the technical development.

Your rights
You have the right to request access to your Personal Data and to receive information about our processing of your Personal Data. You also have the right to request correction of incorrect or incomplete information at any time.

You have the right to, at any time, object to processing of Personal Data which you consider to be unlawful or otherwise not in compliance with the original purpose for the processing. Under certain circumstances (set forth in the GDPR) you have the right to request the restriction of processing of your Personal Data.

You have the right to request the erasure of your personal data under certain circumstances (set forth in the GDPR).

Under certain circumstances (set forth in the GDPR) you have the right to receive your Personal Data that we process in a structured, commonly used and machine-readable format.

A request for the information that we process about you is to be made in writing and [be undersigned by you]. Please specify the categories of Personal Data that you wish to receive and/or which your relationship with SCA is, e.g. employee, supplier etc. SCA may come to ask for further information, e.g. for the purpose of verifying your identity.

Provided that it is technically feasible, you are entitled to request that Personal Data which you have provided to us is transmitted directly from us to another controller.

If you consider that your Personal Data is being processed in violation of applicable data protection laws you are entitled to, at any time, file a complaint with the relevant supervisory authority (in Sweden Datainspektionen).

Contact details
If you have any questions or otherwise wish to communicate with us regarding our processing of your Personal Data you are welcome to contact us. Contact information is set out below.

A request to SCA concerning Personal Data shall be sent to SCA’s data protection manager and the data protection management group via e-mail gdpr@sca.com.

You also have the right to file a complaint with the supervisory authority, see below, if you have any concerns regarding SCA’s processing of your Personal Data;

Datainspektionen

Box 8114, 104 20 Stockholm

telephone: 08-657 61 00

datainspektionen@datainspektionen.se

Changes to this notice

SCA may change and update this privacy notice. In the event of material changes or if existing information is to be processed in any other way than stated herein, SCA will provide information about such changes on this website and SCA’s intranet.

The latest version will always be available on this website and on SCA’s intranet.