What counts as personal data and what is processing of personal data?
Personal data is defined as any type of information that can be attributed, whether directly or indirectly, to a natural, living person. For example, images and sound recordings processed on a computer may be personal data even if no names are mentioned. Encrypted data and various types of electronic identities (e.g. IP addresses) are personal data if they can be linked to natural persons. Every action taken with personal data constitutes an instance of processing, irrespective of whether the action is automated or not. Common types of processing include collection, registration, organisation, structuring, storage, treatment, transfer and deletion.
Who is responsible for the personal data we collect?
Sandberg / Murray AB, corporate identity no. 556960-4316, with its address at Artillerigatan 29, 114 45 Stockholm, is the data controller for the company's processing of personal data.
You can read about what APPLETREES uses your personal data for and why below.
When you shop at APPLETREES, your personal information is saved with the order. To change the information, please contact us at firstname.lastname@example.org
Delivery (including notification and contacts regarding the delivery).
Identification and age verification.
Payment handling (including analysis of possible payment solutions).
Handling complaints and warranty claims.
We process the following data:
Personal identity number
Contact details (e.g. address, email and phone number)
Credit reports from credit report companies
Purchase information (e.g. item ordered or if the item is to be delivered to another address)
Legal basis: Execution of the purchase agreement. Such collection of your personal data is required in order for us to fulfil our obligations under the purchase agreement. If the data is not submitted, it will not be possible to meet our commitments, and we will be forced to refuse your purchase.
Retention period: Until the purchase has been completed (including delivery and payment) and for 36 months thereafter for the purpose of handling any complaints and warranty claims.
Handling required for compliance with the company's legal obligations pursuant to statute, court order or regulatory decision (e.g. the Swedish Bookkeeping Act, the Swedish Anti-Money Laundering Act or product liability and product safety provisions, which may require that communication and information be provided to the public and customers concerning product alarms and product recalls in case of e.g. defects or products hazardous to health).
For this purpose we process the following:
Contact details (e.g. address, email and phone number)
Details regarding purchase date, place of purchase, any defect/complaint
Legal basis: Legal obligation. This collection of your personal data is required by law. If the data is not submitted, it will not be possible to meet our legal obligation and we will therefore be forced to refuse your purchase.
Storage period: Until the purchase has been completed (including delivery and payment) and for 36 months thereafter, or for up to seven years for data processed in accordance with the Swedish Bookkeeping Act.
Communication and responding to any questions put to customer service (by phone or through digital channels, including social media).
Identification and questions concerning user accounts.
Investigating any complaints and support cases (including technical support).
Questions and advice about and ahead of purchases, questions about products, return management, order modification and similar issues.
We process the following data:
Contact details (e.g. address, email and phone number)
Details regarding purchase (date, place of purchase, any defect/complaint)
Legal basis: Legitimate interest, and explicit consent in cases where we process sensitive data. Processing is necessary in order to cater to both our own and your legitimate interest in the handling of customer service cases.
Storage period: 36 months after the customer service case has been closed.
Prevention and investigation of potential fraud or other offences. Prevention of junk mailing, phishing, harassment, attempted illegal user account logon or other actions prohibited by law or under our terms of purchase, membership or service. Protecting and improving our IT environment against attack and intrusion.
For this purpose we process:
Personal identity number
Purchase and user-generated data (e.g. click and visit history)
Technical data relating to the devices used and their settings (such as language setting, IP address, browser settings, time zone, operating system, screen resolution and platform)
Details about how our digital services are used
Legal basis: Compliance with legal obligation (if any) or legitimate interest. In the absence of a legal obligation, the processing is necessary in order to cater to our legitimate interest in preventing abuse of a service or in order to prevent, deter and investigate crimes against the company.
Storage period: From the time of collection and for a period of 36 months thereafter.
Where someone has provided contact details for references during the recruitment process, we save only their names, telephone numbers and email addresses. We keep the data until the recruitment process is complete.
Which sources do we retrieve your personal data from?
In addition to the data you provide us yourself, or which we collect from you based on your purchases and how you use our services, we may also collect personal data from others (referred to as third parties). The data we collect from third parties are as follows:
Address data from public records in order to be certain that we have the correct address details for you
Credit rating data from credit ratings agencies, banks or credit report bureaus
Who may we share your personal data with?
Personal data assistants. Where required to, and in order for us to be able to offer our services, we share your personal data with companies serving as what are referred to as personal data assistants. A personal data assistant is a company that processes the information on our behalf and according to our instructions. We have personal data assistants that assist us with:
1) Transports (logistics and freight companies)
2) Payment solutions (acquiring companies, banks and other payment service providers)
3) Marketing (print, social media, media agencies or advertising agencies)
4) IT services (companies that handle the necessary operation, technical support and maintenance of our IT solutions)
When your personal data is shared with personal data assistants, this is done purely for purposes consistent with the reasons for which we collected the information (for instance in order to fulfil our obligations under the purchase agreement). We run checks on all personal data assistants to ensure that they are able to provide sufficient guarantees as to the security and confidentiality of personal data. We have written agreements in place with all personal data assistants under which they guarantee the security of the personal data processed and are required to comply with our security requirements and with restrictions and requirements concerning the international transfer of personal data.
Companies that are independent data controllers. We also share your data with certain companies that are independent data controllers. The fact that the company is an independent data controller means that we do not control how the information submitted to the company is to be processed. Independent data controllers with whom we share your personal data are as follows:
1) Government authorities (the police, the Swedish Tax Agency or other authorities) if we are required to do so by law or in the event of a suspected crime
2) Companies that provide general goods transportation (logistics and freight companies)
3) Companies that offer payment solutions (acquiring companies, banks and other payment service providers)
Where do we process your personal data?
We always strive to ensure that your personal data is processed within the EU/EEA, and all of our own IT systems are located within the EU/EEA. For purposes of system support and maintenance, however, we may be forced to transfer the information to a non-EU/EEA country, for instance if we share your personal data with a personal data assistant that, whether in its own capacity or through a subcontractor, is established in or stores information in a non-EU/EEA country. In these cases the assistant may only examine the information of relevance to the purpose (such as log files).
Regardless of the country in which your personal data is processed, we take all reasonable legal, technical and organisational measures to ensure that the level of protection is the same as that within the EU/EEA. In cases where personal data is processed outside the EU/EEA, the level of protection is guaranteed either by a decision of the EU Commission to the effect that the country in question ensures an adequate level of protection, or through the application of what is referred to as appropriate safeguards. Examples of appropriate safeguards include an approved code of conduct in the recipient country, standard contract clauses, binding internal company rules or Privacy Shield. Feel free to contact us if you wish to receive a copy of the safeguards that have been implemented or information about where they have been posted.
How long do we save your personal data for?
We will never save your personal data for longer than necessary for the respective purpose. See more about the specific storage periods under the respective purpose.
What are your rights as a data subject?
Right of access (referred to as a ‘register extract’). We are always open and transparent about how we process your personal data, and if you wish to gain deeper insight into the personal data that we process about you in particular, you may request access to the data. The information is provided in the form of a register extract, specifying the purpose(s), categories of personal data, categories of recipient, storage periods, information about where the information was collected, and the occurrence of automated decision making.
Please remember that if we receive a request for access, we may request additional information in order to ensure effective handling of your request, and to ensure that information is disclosed to the right person.
Right to rectification. You may request that your personal data be rectified if the data is incorrect. Within the scope of the stated purpose, you also have the right to supplement any incomplete personal data.
If you would like to delete your customer data, please contact email@example.com
You have the right to withdraw, at any time, a consent you have given us, for example a consent to send newsletters.
Right to be forgotten. You may request erasure of personal data we process about you if:
The data is no longer necessary for the purposes for which it was collected or processed
You object to a balancing of interests we performed on the basis of a legitimate interest and your reason for objecting outweighs our legitimate interest
You object to processing for purposes of direct marketing
The personal data is being processed in an unlawful manner
The personal data must be erased in order to comply with a legal obligation to which we are subject
Personal data has been collected about a child (under age 13) for whom you have parental responsibility, and the data collection occurred in connection with the offering of information society services (e.g. social media)
Keep in mind that we may have the right to deny your request if legal obligations prevent us from immediately erasing certain personal data. This obligation derives from bookkeeping and tax legislation, banking and anti-money laundering legislation, but also from consumer rights legislation. The processing may also be necessary for us to establish, assert or defend legal claims. Should we be unable to accommodate a request for erasure, we will instead block the personal data from use for purposes other than the purpose precluding the requested erasure.
Right to restriction. You are entitled to request that our processing of your personal data be restricted. If you dispute the correctness of the personal data that we process, you may request restricted processing during the period we require in order to verify whether the personal data is correct. If we no longer need the personal data for the defined purposes, but you do need them in order to be able to establish, assert or defend legal claims, you may request that we subject the data to restricted processing. This means that you may request that we refrain from erasing your data. If you have objected to the balancing of a legitimate interest that we have performed as the legal basis of a purpose, you may request restricted processing during the period we require in order to verify whether our legitimate interests outweigh your interests in having the data erased.
If data processing has been restricted in accordance with any of the above situations, we may only, beyond the act of storage, process the data in order to establish, assert or defend legal claims, in order to protect someone else's rights, or if you have given your consent.
Right to object to a certain type of processing. You are always entitled to avoid direct marketing and to object to any processing of personal data based on a balancing of interests.
Legitimate interest: In cases where we rely on a balancing of interests as the legal basis for a purpose, you have the opportunity to object to the processing. In order to continue processing your personal data after such an objection, we must be able to refer to a compelling legitimate interest in the processing in question that outweighs your interests, rights or freedoms. Otherwise, we may only process the data in order to establish, exercise or defend legal claims.
Direct marketing (including analyses performed for direct marketing purposes): You have the option to object to your personal data being processed for direct marketing. Such an objection also includes the analysis of personal data (referred to as profiling) performed for direct marketing purposes. Direct marketing refers to all types of marketing outreach (e.g. via mail, email and SMS). Marketing actions where you as the customer have actively chosen to use one of our services, or have otherwise sought us out to learn more about our services, do not count as direct marketing (such as product recommendations or other features and offers in My Account).
If you object to direct marketing, we will discontinue the processing of your personal data for that purpose, and will cease every type of direct marketing action as well. You may change this by changing the settings in My Account, by using the unsubscribe link in marketing mailings, or by contacting customer service.
Right to data portability. If our right to process your personal data is based either on your consent or on the performance of an agreement with you, you are entitled to request that the data concerning you and which you have submitted to us be transferred to another data controller (referred to as data portability). A prerequisite for data portability is that the transfer must be technically possible and can take place in automated form.
How do we handle personal identity numbers?
We will only process your personal identity number if clearly justified with reference to the purpose, if necessary for secure identification, or if there is some other noteworthy reason. We always minimise the use of your personal identity number to the greatest extent possible by using your birth registration number instead, wherever sufficient.
How is your personal data protected?
We use IT systems in order to shield confidentiality, privacy and access to personal data. We have implemented special security measures in order to protect your personal data against unlawful or unauthorised processing (such as unlawful access, loss, destruction or damage). Only those persons who actually need to process your personal data in order for us to be able to fulfil our specified purposes have access to them.
What are cookies and how do we use them?
Cookies are small alphanumeric text files that are served by our web server and stored on your browser or device. At appletrees.se, we use the following cookies:
1) Session cookies (a temporary cookie that expires when you close your browser or device)
2) Permanent cookies (cookies that remain on your computer until you remove them or they expire)
3) First-party cookies (cookies placed by the website you visit)
4) Third-party cookies (cookies placed by a third-party website; we primarily use them for analytics, such as Google Analytics)
5) Similar techniques (techniques that save information to your browser or device in a manner similar to cookies)
Yes! Your browser or device allows you to change the settings regarding the usage and scope of cookies. Go to your browser settings or device settings to learn more about how to adjust the settings for cookies. Examples of parameters you can adjust include blocking all cookies, only accepting first-party cookies, or deleting cookies when you close your browser. Keep in mind that some of our services may not work if you block or delete cookies. You can read more about cookies in general on the Swedish Post and Telecom Authority website, pts.se.
What does it mean that the Swedish Data Protection Authority is the supervisory authority?
The Swedish Data Protection Authority is responsible for monitoring implementation of the law, and anyone who believes that a company is handling personal data improperly may file a complaint with the Swedish Data Protection Authority.
What is the easiest way to contact us with questions about data protection?
You can always pose your questions to customer relations at firstname.lastname@example.org