Privacy Notice – Haypp Group

Privacy Notice – Haypp Group

Updated: 16 June 2021

In this privacy notice (the “Notice“) we describe how we collect, use, and share your personal data when using Haypp Group’s website (hayppgroup.com), Haypp Group’s digital channels, when you communicate with us and when you participate in events and other activities that we arrange.

Personal data means any information that, directly or indirectly, identify you, for example your name or your IP address.

We are committed to your privacy. We take measures to ensure that your personal data is protected and that our use of personal data complies with applicable regulations and laws and our internal procedures and routines.

1. WHO IS COVERED BY THIS NOTICE?

This Notices covers:

  • Users of this website (com) and Haypp Group’s digital channels, for example our channels and feeds on social media.
  • Contact persons of a supplier or a partner to us.
  • Related persons of an employee that works for us.
  • External persons who contact or otherwise communicate with us and are not covered by the categories above.

This Notice does not cover other group companies’ use of personal data relating to users of their websites or their customers for example to manage orders and subscriptions. For further information on respective group company’s use of personal data in this regard, please see the relevant group company’s privacy notice on its website. The table in section 2 below outlines the group companies and their respective websites.

2. WHO IS RESPONSIBLE FOR THE USE OF YOUR PERSONAL DATA?

The Haypp Group group company that you interact with is responsible for the use of your personal data. In this Notice “we“, “our” and “us” refer to the relevant company that is responsible for the use of your personal data.

In the table below, we have outlined the companies that are covered by this Notice and their respective websites. Please see section 10 below for contact information to each company.

Websites

Company Website
Haypp Group AB (reg. no. 559075-6796) hayppgroup.com
Haypp AB (reg. no. 559174-2738) haypp.com
SLF Innovation ApS (CVR no. 394 098 79) northerner.com/eu_de northerner.com/uk
Snusbolaget Norden AB (reg. no. 556801-3683)  snusbolaget.se snusbrev.se snusmarkt.ch nettotobak.com
Snushjem.no AS (reg. no. 919 649 585) snus.com snushjem.no snuslageret.no

3. WHICH PERSONAL DATA DO WE COLLECT?

We only collect the personal data that we need. We collect and process the following categories of personal data, but which personal data that we collect about you in particular depends on how you interact with us:

  • Identity information. Information that makes it possible to identify you, for example your name.
  • Contact information. Information that makes it possible to contact you, for example your address, e-mail address and telephone number.
  • User generated information. Information regarding your activity and use of our websites, digital channels, and services, for example clicks and visits and your behaviour when using the websites and our digital channels.
  • Profile information. Information regarding your title, and name and address to the company that you work for.
  • Communication. Contents of communication with us, for example contents in e-mail communication or the responses you provide when participating in a survey.
  • Picture, video and audio material. Information such as your picture or voice that has been photographed or recorded, for example a photograph, or a video or audio recording.
  • Order information. Information about orders for goods and services from suppliers, for example the product or service, price or fee, delivery date or assignment period.
  • Technical information. Technical information about the device that you use when visiting our websites and digital channels, for example type of device, version of browser and operating system.

4. FROM WHERE DO WE COLLECT PERSONAL DATA?

We collect personal data from the following sources:

  • Yourself. When you use our website and other digital channels, contact us or communicate with us, we collect the personal data that you provide to us.
  • Group companies. The companies within the Haypp Group collaborate with each other and therefore shares information for example in connection with communication.
  • Partners. We collect personal data about you from partner companies that we collaborate with, for example to carry out an event or similar activity.
  • Social network platforms. If you visit our channels or feeds on social media, we collect the personal data that you provide to us when using these channels.
  • Publicly available sources. We may collect personal data about you from publicly available sources, for example websites and public records.
  • External persons. We collect personal data about you that external persons provide to us, for example in connection with communication or an event or similar activity.
  • Employees. We may collect your personal data from employees that work for and who provide your personal data to us, for example in connection with communication.

5. WHY DO WE USE YOUR PERSONAL DATA?

Below we explain the purposes with our use of personal data and provide examples of processing activities carried out for each purpose. Please note that not all processing activities may apply to you. Which processing activities that you are covered by depend on how you interact with us.

To read more about which categories of personal data, which legal basis that we rely on for the use of your personal data for each purpose and for how long your personal data is stored, please see our detailed information on our use of personal data.

Manage the relationship with suppliers and partners

If you are a contact person of a supplier or a partner to us, we use your personal data to manage the supplier relationship or partnership, for example to register you as a contact person, manage invoices and agreements and to communicate for the same purpose.

Manage orders of goods and services

To manage orders of goods and services from suppliers, we use, where necessary, your personal data for this purpose if you are a contact person for the supplier, for example to manage requests for proposals (RFPs), submit orders, and to communicate for the same purpose.

Follow-up and evaluate the relationship with suppliers and partners

We use, where necessary, personal data about contact persons of suppliers and partners to follow-up and evaluate the supplier relationship or partnership.

Respond to questions and inquires

If you contact us, for example by e-mail or phone, with a question or inquiry, we use the personal data that you share with us to respond to your question or inquiry.

Communicate about us, our business, and our services

We use your personal data to communicate about us, our business and our services in various channels. You can at any time unsubscribe from our communications by clicking on the unsubscribe link in the communication or by contacting us.

Communication between employees and external persons

We use your personal data, where applicable, in connection with communication, for example by e-mail, between employees and external persons.

Provide newsletter

We use your personal data to provide our newsletter, for example to send out the newsletter and manage your subscription. You can at any time unsubscribe from the newsletter by clicking on the unsubscribe link in the newsletter or by contacting us.

Follow-up and analyse the business

We use your personal data to compile reports on an aggregated level and statistics to follow-up and analyse the business. We do not profile your personal data for this purpose.

Document the business

We use your personal data, where necessary, to document the business, for example to manage and store agreements, decision documents, minutes and presentations.

Carry out events and other activities

If you participate in an event or another activity that we arrange, we use your personal data to carry out the event or activity, for example to register your participation, to communicate with you regarding the activity and, where applicable, publish information regarding the event on our website and in our digital channels.

Carry out surveys

If you choose to participate in a survey that we carry out, we collect the personal data that you provide in connection with the survey. Your opinions about our business and services are important to us. You can unsubscribe from such communications at any time by clicking on the unsubscribe link in the mailing or by contacting customer service.

Develop and improve the business

We use your personal data when we carry out analysis on an aggregated level to develop and improve the business, our business methods and business strategies. We do not profile your personal data for this purpose.

Communicate in case of accidents, sickness, or similar incidents

If you are a related person of an employee, we use your personal data to, where necessary, communicate with you in case of accidents, sickness or similar incidents regarding the employee, including storing your contact details in our in case of emergency register.

Follow-up and analyse the use of this website and our digital channels

It is important for us to understand how this website and our digital channels are used. We therefore use your personal data for this purpose, for example when we collect and analyse visitor and user statistics on how our website and digital channels are used.

Enable functionality on this website

To enable functionality on this website, for example to remember your settings, we use where necessary your personal data. This in order to provide you with a better user experience on the website.

Ensure technical functionality and security

We use your personal data to ensure necessary technical functionality and security of this websites and our IT systems, for example for security logging, error handling, and backups.

Manage and defend legal claims

If needed, we use your personal data to manage and defend legal claims for example in connection with a dispute or court proceeding. For this purpose, we share personal data, when needed, with other recipients, please see next section 6 below.

Fulfill legal obligations

To fulfil our legal obligations, if necessary, we will use your personal data, for example, in order to fulfil accounting or data protection obligations. For this purpose, we may share certain information with other recipients. Please see next section 6 below for more information.

6. WHICH RECIPIENTS DO WE SHARE PERSONAL DATA WITH?

Below we describe which recipients that we share your personal data with. Which recipients we share your personal data with depends on how you interact with us. Unless we have stated otherwise below the recipient is responsible (data controller) for its own use of your personal data.
To read more about why and based on which legal bases, we share your personal data with different recipients, please see our detailed information on our use of personal data.

We share personal data with:

  • Service providers. To process personal data for the proposes described in this Notice, we share personal data with service providers that we have engaged. These service providers provide, for example, IT services (e.g. storage), and communication services (which enable us to send you communications). When the service providers process personal data on our behalf, they act as data processors for us, and we are responsible for the processing of your personal data. They must not use your personal data for their own purposes and are contractually and legally obliged to protect your personal data.
  • Group companies. The companies with the group collaborate and therefore share personal data with each other, for example in connection with communication.
  • External persons. When we communicate with external persons, for example via e-mail, we share the personal data that you yourself or employees share with the external person.
  • Other recipients. If needed, we share your personal data with other recipients for the following purposes:
    • to manage a merger or sale of the business,
    • to manage and defend legal claims and rights,
    • to fulfil legal obligations,
    • to respond to a request, and
    • to protect and ensure the safety of our staff.

Examples of recipients are external advisors, public authorities, courts, law enforcement, and potential buyers and sellers should we sell the business.

7. WHICH RIGHTS DO YOU HAVE?

You have certain right rights under applicable data protection laws in relation to the personal data that we have collected about you.

You have the right to:

  • Request access to and a copy of your personal data.
  • Request rectification of your personal data that is incorrect or incomplete.
  • Withdraw your consent to our use of your personal data that is based on your consent.
  • Request erasure of your personal data in some circumstances, but not in cases where we, for example, are legally obligated to keep your personal data.
  • Unsubscribe from communications which you for example can do by clicking on an unsubscribe link in the communication.
  • Request restriction of your personal data in certain circumstances and you can then, at least for a certain period of time, prevent us from using your personal data for other purposes that for example to manage and defend a legal claim or to comply with legal obligations that we are subject to.
  • Object to the processing of your personal data that is based on our or another party’s legitimate interest for reasons related to your specific situation and if we cannot show that we have a compelling reason for our use of personal data we will stop using your personal data for the relevant purpose.
  • Transfer your personal data (data portability) under certain circumstances by requesting a copy of your personal data that you have provided to us in a structured format that you can transfer to another recipient.

In order to exercise your rights, please contact us. Please see section 10 below for contact details.

 

8. WHERE WE PROCESS PERSONAL DATA

We endeavour to store your personal data within the EU. However, in certain cases we transfer personal data with recipients outside the EU/EEA, for example service providers engaged by us.

To ensure that the personal data is protected, we ensure that there are adequate safeguards in place with the service providers that process your personal data outside the EU/EEA in light of the laws of the receiving country, for example data transfer agreements which include standard data protection clauses for transfers of personal data in addition to, if needed, supplementary measures.

For more information on the safeguards that we have taken to protect personal data, please contact our data protection officer, please see section 10 below for contact details.

9. UPDATES TO THIS NOTICE

We regularly update this Notice. This in order to ensure that the Notice reflects our use of personal data from time to time. As an example, we will update this Notice if we decide to collect additional categories of personal data or if we intend to use collected personal data for additional purposes.

We will in such case notify you in advance by appropriate means, for example by showing a message on this website or by e-mail. The latest version of the Notice is always available on this page and the date the Notice was last updated is stated above.

10. ANY QUESTIONS?

If you have questions about this Notice, our use of your personal data or if you wish to exercise your rights, please contact us. Please see contact details below.

We have also appointed a data protection officer whose responsibility it to review that we comply with applicable data protection regulations and laws. You can contact our data protection officer by e-mail to privacy@hayppgroup.com or by post to Haypp Group AB. Mark your letter with “data protection officer”.

11. Unsatisfied

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your country. Below we have outlined information on the data protection authority that is responsible for supervising our use of personal data in the countries that our group companies are established. Contact details for each data protection authority can be found on the data protection authorities’ websites.

Data protection

Country Data protection authority Website
Denmark Datatilsynet datatilsynet.dk
Norway Datatilsynet datatilsynet.no
Sverige Swedish Authority for Privacy Protection (IMY) imy.se

DETAILED INFORMATION ON OUR USE OF PERSONAL DATA

Why and how we use personal data

Please find below detailed information regarding our use of personal data, including the categories of personal data used, the legal basis for the use and for how long the personal data is stored.

Personal data

Purpose Personal data Legal basis Storage period
Manage the relationship with suppliers and partners
  • • Communication
  • • Contact information
  • • Identity information
  • • Order information
  • • Profile information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of managing the relationship with suppliers and partners. Personal data is stored for this purpose as long as there is an active relationship and for a period of ten (10) years thereafter to satisfy our legitimate interest of managing and defending legal claims. The relationship is active if we have had contact during the last twelve (12) months.
Manage orders of goods and services
  • • Communication
  • • Contact information
  • • Identity information
  • • Order information
  • • Profile information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of managing orders of goods and services.   Performance of a contract. If the agreement is concluded with a private business, the processing is carried out to fulfil the agreement with the business or to take steps at the request of you before entering into such an agreement. Personal data is stored for this purpose as long as it is necessary to manage the order and for a period of ten (10) years thereafter to satisfy our legitimate interest of managing and defending legal claims.
Follow-up and evaluate the relationship with suppliers and partners
  • • Communication
  • • Contact information
  • • Identity information
  • • Order information
  • • Profile information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of follow-up on and evaluating our relationships with our suppliers and partners. Personal data is stored for this purpose for a period of 27 months calculated from the date of collection. Statistics and reports on an aggregated level which do not include any personal data are stored until further notice or until deleted.
Respond to questions and inquires
  • • Communication
  • • Contact information
  • • Identity information
  • • Order information
  • • Profile information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of responding to questions and inquiries. Personal data is stored for this purpose for a period of 18 months calculated from the date of the last communication in the same conversation or matter. Personal data published in digital channels, for example in our social media feeds is, as a starting point, retained until further notice.
Communicate about us, our business, and our services
  • • Communication
  • • Contact information
  • • Identity information
  • • Picture, video and audio material
  • • Profile information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of communicating about us, our business, and our services. Personal data is stored for this purpose as long as there is an active relationship and for a period of twelve (12) months thereafter for the same purpose. Personal data published in digital channels, for example in our social media feeds is, as a starting point, retained until further notice.
Communication between employees and external persons Communication between employees and external persons Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of our employees and external persons communicating. Personal data is stored for this purpose for a period of twelve (12) months calculated from the date of the last communication in the same conversation or matter and for a period of ten (10) years thereafter to satisfy our legitimate interest of managing and defending legal claims. Personal data published in digital channels, for example in our social media feeds is, as a starting point, retained until further notice.
Provide newsletter
  • • Contact information
  • • Identity information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of providing our newsletter to you when you have registered for the newsletter. Personal data is stored for this purpose until further notice or until you unsubscribe from the newsletter.
Follow-up and analyse the business
  • • Identity information
  • • Profile information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of follow-up on and analysing the business. Personal data is stored for this purpose for a period of 27 months calculated from the date of collection. Statistics and reports on an aggregated level which do not include any personal data are stored until further notice or until deleted.
Document the business
  • • Communication
  • • Contact information
  • • Identity information
  • • Picture, video and audio material
  • • Profile information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of documenting the business Personal data is, as a starting point, stored until further notice for this purpose.
Carry out events and other activities
  • • Communication
  • • Contact information
  • • Identity information
  • • Picture, video and audio material
  • • Profile information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of carrying out the event, or the activity in question. Personal data is stored for this purpose during the time the activity is carried out and for a period of 13 months calculated from the date of the activity to satisfy our legitimate interest of follow-up on the participation, evaluate the activity and for planning potential future activities. Thereafter the personal data will be anonymised. Statistics and reports on an aggregated level which do not include any personal data are stored until further notice or until deleted.
Carry out surveys
  • • Communication
  • • Contact information
  • • Identity information
  • • Profile information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of carrying out surveys for the purpose of collecting your opinions about our business and our services. Personal data is stored for this purpose during the period the survey is carried out and for a period of three (3) months thereafter to compile the responses in a report. Thereafter the personal data will be anonymised. Statistics and reports on an aggregated level which do not include any personal data are stored until further notice or until deleted.
Develop and improve the business
  • • Identity information
  • • Profile information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of developing and improving the business. Personal data is stored for this purpose for a period of 27 months from the date of collection. Statistics and reports on an aggregated level which do not include any personal data are stored until further notice or until deleted.
Communicate in case of accidents, sickness, or similar incidents
  • • Identity information
  • Communication
  • • Contact details
  • • Profile information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of recording and storing your information in our emergency register and to communicate with you in case of an accident, sickness or similar incident. Personal data is stored for this purpose until the employee states otherwise, but no longer than until the end date of the individual’s employment or assignment.
Follow-up and analyse the use of this website and our digital channels
  • • Identity information
  • • Technical information
  • • User generated information
Consent. The processing is carried out based on the consent that you provide when accepting our use of cookies and similar technologies for the same purpose. For information on how long your personal data is stored for this purpose, please see our information on our use of cookies. Statistics and reports on an aggregated level which do not include any personal data are stored until further notice or until deleted.
Enable functionality on this website
  • • Technical information
Consent. The processing is carried out based on the consent that you provide when accepting our use of cookies and similar technologies for the same purpose. For information on how long your personal data is stored for this purpose, please see our information on our use of cookies. Statistics and reports on an aggregated level which do not include any personal data are stored until further notice or until deleted.
Ensure technical functionality and security
  • • Relevant categories of personal data
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of ensuring technical functionality and security of this website and our IT systems. Personal data is stored for the same period as stated in relation to each relevant purpose of the processing. Personal data in logs is retained in order to satisfy our legitimate interest of troubleshooting and incident management for a period of 13 months from the date and time of the log entry. Personal data in backups are stored for a period of 13 months from the date of the backup.
Manage and defend legal claims
  • • Only the categories of personal data needed for managing and defending a legal claim in the individual case
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of managing and defending legal claims. Personal data is stored for the period required in order for us to manage and defend the legal claim in the individual case.
Fulfill legal obligations
  • • Only the categories of personal data are necessary for fulfilling the relevant legal obligation.
Fulfil legal obligation. The processing is necessary in order to fulfil legal obligations that we are subject to. Personal data is stored for such period that is necessary in order for us to fulfil each legal obligation that we are subject to and for a period of ten (10) years thereafter to satisfy our legitimate interest of managing and defending legal claims and for the period necessary to manage such a claim.

Why and with whom we share personal data

Please find below detailed information regarding which categories of personal data we share with other recipients and the legal basis for the transfer.

Common recipents

Recipient Purpose Personal data Legal basis
Group companies Communication between employees and external persons
  • • Contact information
  • • Identity information
  • • Picture, video and audio material
  • • Profile information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of our employees and external persons communicating.
External persons Communication between employees and external persons
  • •Communication
  • • Contact information
  • • Identity information
  • • Picture, video and audio material
  • • Profile information
Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of our employees and external persons communicating.

Other recipients

Purpose Personal data Legal basis
Manage a merger or sale of the business Only the personal data that is necessary for this purpose is shared with the recipient. Legitimate interest. The processing is necessary in order for us to satisfy our and the buyer’s legitimate interest of completing the sale or merger.
Manage and defend legal claims Only the personal data that is necessary for this purpose is shared with the recipient. Legitimate interest. The processing is necessary in order for us to satisfy our legitimate interest of managing and defending legal claims.
Fulfil legal obligations Only the personal data that is necessary for this purpose is shared with the recipient. Fulfilling a legal obligation. The processing is necessary in order for us to comply with our legal obligations.
Respond to a request Only the personal data that is necessary for this purpose is shared with the recipient. Legitimate interest or to fulfil a legal obligation. To the extent that we are obligated to respond to a request, personal data is used to fulfil this legal obligation. Otherwise, the processing is based on a balance of interests where the processing is necessary in order to satisfy our and the requester’s legitimate interest in responding to the request.
Protect and ensure the safety of our staff Only the personal data that is necessary for this purpose, for example to notify an incident to law enforcement. Legitimate interest. The processing is necessary in order to satisfy our legitimate interest of protecting and ensuring the security of our staff.