Privacy Policy

Introduction

Ethos International acknowledges the importance of data protection and works actively to ensure that Ethos international complies with applicable data protection legislation. Personal data is any information relating to an identified or identifiable natural person and as the Personal Data Controller, Ethos International has a responsibility towards the persons whose personal data we process. This privacy policy describes what personal data we collect, for what purpose, how we treat them, how long they are stored and what lawful basis we use in the different situations. It also describes what rights you have and how to exercise these rights.

Created on 2019-03-26
Data process: Enter into contractsCategories of data 
Purpose: We process data when we enter into contracts with our clients in order to be able to fulfill our contractual obligations.
  • Name
  • Email-address
  • Phone number
Lawful basis: Contract

The processing of data is necessary in order to be able to fulfil our contractual obligations towards our clients.

Storage period: The data is stored for as long as is required by the statutory requirements in the Swedish Bookkeeping Act.
Data process: E-mail Categories of data
Purpose: Ethos International manages incoming e-mails, e.g. to fulfil our contractual obligations towards our clients and to answer questions about our courses and seminars.
  • Name
  • Email-address
  • Phone number
Lawful basis: Legitimate interests

There is a legitimate interest in being able to receive and send e-mail in order to be able to conduct business. This interest outweighs the interest of the registered person.

Storage period: Personal data in e-mails is processed only for as long as it is needed to fulfil the purpose of the processing. E-mails are only archived if there is a legal basis, e.g. if the e-mail related to an ongoing case. Once the purpose of the storage is fulfilled, the e-mail must be deleted.
Data process: TrainingCategories of data
Purpose: In connection to courses or seminars, Ethos International processes personal data when people register as participants.
  • Name
  • Email-address
  • Title
Lawful basis: Legitimate interest

There is a legitimate interest in being able to administer our courses and seminars as part of our business that outweighs the interests of the registered person.

Storage period: Data collected in connection with our courses and seminars is saved in order to allow us to customize future offers to our clients. It is always possible to deregister by using the opt-out function in our e-mails.
Data process: WebsiteCategories of data
Purpose: On our website, we use cookies to improve our visitor’s browsing experience and the functionality of our website. Cookies are a small text file that is sent from our web server and is stored on the visitor’s web browser or device and which stores the visitor’s user preferences. You can read more about cookies in our cookie policy (Swedish).
  • Permanent cookies
  • Session cookies
Lawful basis: Legitimate interest

Cookies are necessary to use our website. Users can adjust their cookie settings to limit the storage of cookies. This can affect the functionality of the website.

Storage period: Permanent cookies are stored for a longer period of time, but no more than 24 months. Session cookies are stored temporarily on the computer and are deleted as soon as you close the page.
Data process: MarketingCategories of data
Purpose: Ethos International offers both free and fee-based courses and seminars within sustainable business. To market our business, Ethos International collects personal data for people who may be interested in receiving information about the services we offer. These are sometimes collected from a third party.
  • Name
  • Email-address
  • Title
Lawful basis: Legitimate interest

Ethos International has a legitimate interest in processing data in order to market our business as long as the processing of data does not restrict the recipient’s personal integrity. The personal data collected, names and e-mail addresses, belong to people in key positions at companies that can be expected to carry out, or be interested in developing, work within sustainability. These recipients can be considered to have an interest in the services Ethos international offers, based on their work title and workplace, they are therefore people who can expect e-mails of this kind. All recipients can easily and immediately deregister from our e-mails at any time by clicking a link in the e-mail, i.e. opt-out.

Storage period: Personal data is only processed for as long as it is needed to fulfil the purpose of the processing. If the opt-out function is used, the data is immediately deleted.
Data process: Social mediaCategories of data
Purpose: We post photos from courses and events on our social media platforms, e.g. LinkedIn, to update stakeholders about our business.
  • Photo
  • Name
Lawful basis: Legitimate interest

Ethos has a legitimate interest in informing stakeholders about our business that outweighs the interests of the people in the photos. Course participants or other individuals who appear in a photograph are always informed that we may publish photos. Any person may always use their rights in accordance with the Data Protection Regulation if they oppose the processing of their data.

Storage period: The data is stored for as long as it is needed to fulfill the purpose of the processing.

How we share the data we collect, international transfers

Only persons who need to process the data for the above-stated purposes have access to your personal data. Ethos International’s operations and our own IT systems are located within the EU/EEA. Ethos International assures that all transfers or other processing of personal data take place within the EU/ESA or to and from countries that guarantee an adequate level of protection in accordance with the Data Protection Act and the EU Commission, eg. Privacy Shield for treatment in the United States.

Personal Data Processors

A data processor is a company that processes data on our behalf and according to our instructions. We have data processors who help us with:

  • IT services
    • Authorities to the extent required by legal requirements, e.g. the Swedish Tax Agency
    • Financial accounting

Data processors only process personal data for purposes consistent with the purposes for which we have collected them. This is always regulated in a Personal Data Processing Agreement.

For how long do we store personal data?

Personal data is not stored for a longer period than is necessary with regard to the purposes for which the data is processed. As soon as the purpose of the processing is fulfilled, the data will be deleted, unless Ethos International is obliged to save the personal data in accordance with requirements laid down by law.

Ethos International only collects personal data for specific and legitimate purposes, which are described in this policy. If personal data is processed for other purposes, they are compatible with the original purposes.

How is your personal data protected?

Ethos International has taken appropriate technical and organisational security measures to protect your personal data. Examples of technical security measures we have taken include customised IT-systems, firewalls, encrypted hard drives, regular backups, and developed protection through, for example, antivirus, antimalware and spam filters.

Appropriate organisational security measures we have taken include password-protected folders when needed, regular updates of passwords for computers and systems, establishing an IT-policy and training of all staff in the IT-policy.

Be aware that Ethos international may change these technical and organisational security measures as needed.

We regularly overview our security policies and processes to ensure that the systems we use are safe and secure.

Your choices and rights

The rights of the data subject when Ethos International processes their data are briefly described below:

The right to be informed:

Data subjects have the right to be informed about the collection and use of their personal data. Data controllers must give data subjects specific privacy information about:

  • the business, including contact information
  • the data processing activities carried out
  • the length of time data is stored
  • the rights available to them in respect of processing
  • the right to lodge a complaint

The right of access

Data subjects have the right of access to personal data. If demanded, the data controller must provide a copy of the personal data that is being processed and for which purposes.

The right to rectification

Data subjects can ask data controllers to erase or rectify inaccurate or incomplete data.

The right to erasure, “the right to be forgotten”

Individuals have the right to ask controllers to delete their data if:

  • the data is no longer needed for the original purpose,
  • the processing is based on consent and the data subject withdraws it,
  • the data subject exercises their right to object to processing, and the controller can’t override their objection,
  • the data subject objects to the processing for the purpose of direct marketing.

The right to restrict processing

The data subject can ask the controller to restrict processing their personal data if, for example, they believe their data is not accurate. The data controller should stop processing until they have verified the accuracy of the data.

The right to object to processing

If the data controller relies on lawful bases of legitimate interests for processing, individuals can object to such processing. The data controller may have to cease processing unless they can demonstrate that the controller has compelling legitimate grounds for processing which override the interests, rights, and freedoms of the individual.

Direct marketing

As a data subject, you always have the right to resign from direct marketing. Direct marketing refers to all types of outreach marketing measures (e.g. through e-mail or post).

Marketing measures where an individual has actively chosen to contact us to learn more about our services does not constitute direct marketing.  

Training

Ethos International will provide appropriate training for its employees. The training should provide the necessary knowledge of the GDPR and this Policy. The training should be provided to all new employees and then be repeated annually.  

Contact

If you have questions about how we process personal data, please contact us at gdpr@ethosinternational.se.       

You have the right to know if Ethos International processes your personal data, the types of personal data that are processed as well as receive a copy on request. You also have the right, in some cases, to get incorrect personal data about you corrected and deleted. You also have the right to object to personal data about you being processed and requesting that the processing be limited. Please note that limiting or deleting your personal information may mean that we cannot keep in touch with you. In certain circumstances, you also have the right to obtain personal information about you that you have provided us, in a machine-readable format and to have information transferred to another data controller.

The Swedish Data Protection Authority is the authority that is responsible for the implementation and compliance of the data protection regulation in Sweden. Anyone who feels that their personal data is being processed in an incorrect manner can always submit a complaint to the Data Protection Authority.

Ethos International may adjust this privacy policy to update how we process personal data as needed. The latest version is always available on our website www.ethosinternational.se.