2. Personal data and data processing
Any information relating to an identified or identifiable natural person is considered personal data. Names, phone numbers, photos and IP addresses could be personal data. Bookings, behaviors and orders can constitute personal data as well if, together with other data, they can be related to a person. Actions taken with data are data processing, for example storing, collecting, changing, erasing and distributing.
2.1. Special categories of data
Stureplansgruppen will sometimes process special categories of data. Special categories, amongst other things, include data regarding health and union memberships and are considered worthy of extra protection. Stureplansgruppen may handle bookings where somebody has an allergy, which may require processing data regarding health. Stureplansgruppen may also process data regarding union memberships, related to employment. Such processing only takes place if data protection laws and labor laws permit or require it.
3. Data controller
The data controller is responsible for the data processing and decides why and how personal data is processed. In most cases it is the parent company, Stureplansgruppen AB, that is the controller. In other cases, subsidiaries may be controllers themselves. It is then the subsidiaries that decide how and why the data is processed. In other cases, a third party may decide which data is processed and why. In that case Stureplansgruppen AB is a data processor and processes data on behalf of the controller. It is also possible for Stureplansgruppen AB to be a joint controller with the third party, meaning Stureplansgruppen AB and the third party jointly decide on the data processing.
4. Data processors
To be able to deliver its services, Stureplansgruppen uses data processors. This means that Stureplansgruppen is the controller and decides which personal data is processed and why, but outsources parts of the processing. In these instances, Stureplansgruppen is responsible for the processing but uses others to be able to deliver the services. Stureplansgruppen always enters into data processing agreements with data processors to ensure a high level of data protection.
5. Stureplansgruppen’s data processing
Stureplansgruppen and our data processors always have a legal basis for processing personal data. Often, it is required for the performance of a contract, but it may also occur after consent, if it is required for legal claims or if there is a legal requirement for the processing. Stureplansgruppen may also process personal data if we have a legitimate interest. The legitimate interest then outweighs the registered person’s interest in Stureplansgruppen not processing their personal data. Marketing to guests who have previously been in contact with Stureplansgruppen may occur after a balancing of interests. As a registered person, it is easy to oppose processing based on a legitimate interest.
A compilation of Stureplansgruppen’s data processing follows below. Stureplansgruppen strives to process as little personal data as possible. All categories of personal data are therefore not processed on each occasion.
5.1. Communication and administration
Stureplansgruppen processes personal data for administration and communication with guests, co-workers, service providers and suppliers. The purpose is to handle bookings and employment and to administer the business.
Names, e-mails, addresses, phone numbers, bookings, food preferences, allergies.
The processing is necessary for the performance of our contracts and supplying our services.
The data is usually provided by the registered person when entering into contracts or making reservations.
To be able to handle the administration and payment of wages as well as contacting employees, Stureplansgruppen needs to process employee personal data.
1. Names, personal identity numbers, e-mails, addresses, phone numbers, possible relatives, account numbers, employer’s certificates, pay slips, days off.
2. Statements of earnings and deductions.
1. The processing is necessary for the performance of the employment contracts.
2. As an employer, Stureplansgruppen has a legal obligation to provide the Swedish tax agency with the statements of earnings and deductions for its employees.
1. The data is usually provided by the registered person when entering into the contract or during the contractual relationship. Pay slips are generated in Stureplansgruppen’s wage system and employer’s certificates are created by the HR department.
2. The data is provided by the wage system and is based on what is registered in accordance with the employee’s wage and employment rate.
Stureplansgruppen processes personal data in its Digital Channels to market its services.
Names, e-mails, photos.
The processing takes place after a balancing of interests or consent.
The personal data is usually derived from the registered persons when they sign up for mailing lists, or from companies within the company group which have had contact with the registered persons, where those persons have accepted marketing. Photos are sometimes taken by photographers contracted by Stureplansgruppen.
Stureplansgruppen processes personal data to manage payments.
Names, e-mails, card numbers, invoice numbers, phone numbers, amounts, place of business, transaction and/or order details.
The processing is necessary for the performance of contracts. Stureplansgruppen may contractually be obliged to supply services or goods but also to ensure payment goes through.
The data is provided by the registered persons when making the reservation or payment.
5.5. Guest surveys
To improve our services, we send out requests to participate in guest surveys.
Names, e-mails, answers.
The processing takes place after a balancing of interests.
The data for sending the requests is provided by the registered persons themselves or by a company in the company group. The answers from the surveys are provided directly from the registered person.
5.6. Memberships in membership clubs
Stureplansgruppen processes personal data to administer the members in its membership clubs. The data is used to direct marketing and offers to our guests and sometimes their birthdays. We also collect data regarding favorite drinks and snacks to develop our concepts and improve our service. Phone numbers are used for marketing and communicating opening hours and such via text messages. If a person does not become a member, all their data is deleted.
Name, e-mail, address, phone number, occupation, favorite drink, favorite snacks.
The processing is either necessary for the performance of contracts or takes place after a balancing of interests.
The data comes from the registered persons themselves when applying for memberships.
5.7. Stureplansgruppen’s applications
Through Stureplansgruppen’s applications it is possible to use guest lists and book tables. This requires personal data to be processed.
Name, Facebook account, profile pictures, e-mail addresses, phone numbers, gender, age.
Depending on the personal data processed, the processing is either necessary for the performance of a contract or is motivated by a balancing of interests.
The data comes from the registered person when registering or from Facebook when verifying themselves.
5.8. Handling claims
To handle potential legal claims such as complaints or legal proceedings, Stureplansgruppen may need to process personal data.
Names, identity numbers, addresses, e-mails, phone numbers, account numbers, courses of events, locations.
The processing takes place after a balancing of interests.
The data can come from the registered persons as well as authorities and other actors such as, but not limited to, insurance companies.
5.9. Technical data
To enhance the user experience in the Digital Channels, Stureplansgruppen may collect technical data.
IP addresses, cookies, browser information, unit IDs.
Depending on which kind of technical data is processed, the processing takes place after a balancing of interests or consent.
The data comes from the registered persons themselves when using the Digital Channels.
6. Actors which Stureplansgruppen may share data with
6.1. Companies within the company group
Stureplansgruppen AB is the parent company of the company group and manages most of the company group’s administration. The companies in the company group cooperate regarding bookings and marketing. The companies within the company group may therefore share data with the parent company and each other and process personal data for each other.
6.2. Service providers
To provide our services, we use various service providers for IT solutions such as networks, storage and e-mail. The service providers are only allowed to process personal data in accordance with Stureplansgruppen’s explicit instructions and cannot process the data for their own purposes. All the service providers are bound by law and contracts to protect personal data.
6.3. Payment recipients and providers of payment services
When processing payments, Stureplansgruppen may share data with the payment services provider, the payment recipient and the banks of the parties.
6.4. Other recipients
Stureplansgruppen may in certain cases share personal data with other recipients, most notably authorities, due to legal requirements or concerning legal claims. Personal data may also be shared with potential buyers or sellers of the company group.
7. Technical and organizational measures
Stureplansgruppen cares about our guests’ and co-workers’ integrity and takes appropriate technical and organizational safety measures in order to protect personal data from unauthorized access, change or destruction.
8. Where does Stureplansgruppen process data?
Stureplansgruppen’s goal is to process all data within the EU/EEA. Some service providers may however process data outside the EU/EEA. In such cases we ensure that the data is protected by using contracts which require the same level of protection as the data protection legislation of the EU.
9. For how long is the personal data saved?
Stureplansgruppen processes personal data as long as there is a relationship with the registered person and a time afterwards, if there is a legal basis for the processing. If there is no reason to process the personal data, the data is erased.
10. Rights of data subjects
Stureplansgruppen wishes to remind you of the rights which GDPR grants you.
10.1. Right of access
You have the right to ask for confirmation whether we process your personal data or not. If we process your personal data, you have the right to know which data we process and how.
10.2. Right to rectification
If your personal data is incorrect or incomplete, you have the right to ask for it to be corrected.
10.3. Right to erasure (“right to be forgotten”)
You have the right to request and, under certain circumstances, have your personal data erased. This does not apply if we are required by law to continue the processing.
10.4. Restriction of processing
You have the right to require that the processing of your personal data is restricted.
10.5. Complaining to a supervisory authority
You have the right to lodge complaints with the supervisory authority if you are dissatisfied with our data processing.
10.6. Opposing processing with a legitimate interest as a legal basis
You have the right to oppose our processing which uses a legitimate interest as a legal basis.
10.7. Opposing direct marketing
You have the right to oppose the processing of your personal data for direct marketing purposes.
10.8. Data portability
You have the right to receive copies of the personal data we hold about you in a structured, commonly used and machine-readable format.
10.9. Revoking consent
If we use your consent as a legal basis for processing your personal data, you always have the right to revoke your consent.
To exercise your rights or for questions, contact Stureplansgruppen.
Data controller: Stureplansgruppen AB, Swedish company registration number 556530-0331
Postal address: Box 557 19, 114 83, Stockholm
Telephone: +46 8 545 076 00