Name: Trust Anchor Group AB
Business ID: SE559058200201
Visiting address: Blekholmsterrassen 36, 11164 Stockholm, Sweden
Contact person for the register
Trust Anchor Group AB, firstname.lastname@example.org
Name of the register and data subjects
Trust Anchor Group AB’s user register.
Trust Anchor Group’s (“TAG”) user register is used in connection with TAG’s services (electronic mailbox and any Additional Services).
For the sake of clarity:
TAG serves as the controller for data concerning the Users of the Service. The sender organisation serves as the controller with regard to the creation of electronic documents and their transmission to the User. In such cases, the sender organisation is responsible for personal data processing. TAG serves as the personal data processor on behalf of the sender and processes personal data in accordance with the instructions provided by the sender organisation.
What is personal data?
Personal data includes all data that can be connected to a live natural person directly or indirectly. Examples of personal data include name, email address, telephone number, postal address, personal identity code and IP address. The register consists of personal data.
Legal basis and purpose of personal data processing
Personal data content of the register:
Personal identity code
Mobile phone number
Information collected about the use of services (such as sign-in information)
The data source for personal data are strong digital authentication, Population Information System of the Population Register Centre and User self when entering data and using the Service. Also TAG can be the data source in connection with using the Service and sending email to TAG and in connection with each sign-in.
TAG may continuously update the User’s personal identity code, name and postal address by checking it against the Population Information System of the Population Register Centre to ensure that the personal data is up to date and accurate.
The purpose to process personal data is to identify the User unequivocally as the User of the Service. Unambiguous identification of the user is important to ensure that electronic documents are delivered to the right person, which is essential for privacy protection. This means that TAG and the Sender use personal data to identify the recipients of electronic documents. Identification takes place by TAG comparing Users’ personal data and to the personal data of the recipients of documents transmitted by the Sender’s. Also Sender can do this identification by comparing the personal data of the document’s recipient with a list of some personal data element of TAG’s Users.
Personal identity code is used to request your name and address information from the Population Register Centre.
Personal data may be also used to verify that the data subject is who they claim to be, to implement security questions and other security measures, for example.
Your email address serves as your user ID and is used to identify you when you sign in to the Service. Your mobile phone number is used to send you a one-time password each time you sign in to the Service. This is called two-factor authentication, and its purpose is to ensure the security of your user account.
TAG may use email address and mobile phone number when informing the User about important matters related to the Service, such as new electronic documents and terms and conditions. In terms of security, it is necessary for TAG to have connection to both email address and mobile phone number so that TAG can inform the data subjects when they have new documents to process in the Service (however, the data subjects can opt out of email notifications about unread documents and unprocessed payments through the Service). Please note that some of the communication related to the Service, such as amendments to the terms and conditions, cannot be refused.
Names are used in communication to make TAG’s services more personal. This means, for example, addressing the recipient at the beginning of the message: “Hello, X”.
IP addresses are stored in log files in TAG’s system for 45 days to ensure that TAG can perform the necessary troubleshooting, defend against attacks and dangerous situations and further develop the Service (mainly in terms of security).
We need your device ID to send push notifications to your mobile device. The device ID is used for fingerprint login. The device ID may be used for product development related to the Service (mainly in terms of security).
Other information collected about the use of services (such as sign-in information) is processed to maintain and further develop the Service.
The legal basis is the agreement between the User and TAG (in the context of registration and the acceptance of TAG’s general terms and conditions) and legitimate interest (motivated by TAG’s strong need to defend against attacks and dangerous situations and to continuously improve the Service and its security and TAG’s strong need to notify the User that they will receive electronic documents sent to the Service by a new Sender). The processing of personal identity code is based on the User consent on processing comparable to the activities referred to in section 29 (2) of the Data Protection Act.
Personal data protection
TAG’s employees have been provided with basic information about data protection, and TAG seeks to ensure, through its operations, that personal data is processed appropriately. The databases in which personal data is stored are protected by means of firewalls, passwords and other technical measures. Backup copies of the databases are made on a regular basis. The databases and their backup copies are stored in locked and guarded facilities. The databases can be accessed only by employees whose duties require access to personal data. The employees processing personal data are bound by a non-disclosure obligation.
How long will personal data be stored?
TAG has clear guidelines and practices for deleting personal data. This means that personal data will be stored only for as long as there is a basis for its storage – that is, for as long as its purpose of use so requires.
For some of the personal data that will be processed, the storage periods are affected by statutory regulations and security considerations.
Personal data for which the legal basis is an agreement will be processed for as long as you use the Service.
If the use of the Service is interrupted or discontinued, all personal data that TAG has collected concerning you will be removed from the Service forty-five (45) days after you have closed the Service (see the general terms and conditions for the Service). This time period has been selected to enable the User to transfer and store their documents elsewhere and to give them time to have their documents sent to another channel.
Personal data that TAG processes concerning the data subject in connection with customer service will be stored for up to 180 days. This data storage is necessary for TAG to be able to help the data subject and to monitor matters related to customer service.
Population Information System log data:
Personal identity codes that TAG processes in connection with services will be stored in the Population Information System log data for five (5) years. This data storage is necessary for TAG to be able to detect, monitor, manage and rectify security measures related to personal data.
Personal data processed in connection with services will be stored in application logs for forty-five (45) days after the Service has been closed. Application logs are used only internally at TAG.
Who has access to personal data?
We process personal data with utmost accuracy and care. We respect everyone’s right to personal data protection. TAG never sells personal data to third parties or otherwise exposes it to personal data breaches. Furthermore, TAG does not disclose or otherwise use personal data for purposes other than those mentioned above.
Personal data is processed only by employees whose duties require them to process personal data
TAG implements all necessary legal, technical and organisational measures to ensure that personal data is processed securely, with an appropriate level of protection. This concerns TAG internally, in addition to third parties with whom TAG cooperates. Personal data can be accessed only by employees who need to process personal data to fulfil the purposes mentioned above. All employees processing personal data are bound by an appropriate non-disclosure obligation.
TAG’s subcontractors and companies belonging to the same group of companies as TAG
In providing the Service, TAG may use subcontractors and other companies belonging to the same group of companies. Subcontractors provide TAG with information technology services, for example. Subcontractors and companies belonging to the same group of companies as TAG may process personal data on behalf of TAG. In such an event, TAG is obligated to ensure that the party in question processes personal data in accordance with the data protection legislation and only for the purpose that TAG communicates to the data subject in accordance with the table above. The transfer of personal data requires that the organisations receiving and processing the personal data have entered into an agreement with TAG regarding the lawful processing of personal data.
Population Registration Centre
TAG may check your personal data against the state personal data register (Population Information System of the Population Register Centre) to ensure that the personal data TAG stores about the data subject is up to date and accurate.
TAG may disclose personal data to the authorities, such as the police, if required by law to do so.
Where is the personal data processed?
TAG usually processes personal data in the country where the user resides. In certain circumstances, however, the technical implementation of the Service may require personal data to be processed in another EU or EEA country and exceptionally even in a non-EU or non-EEA country. If TAG needs to use a subcontractor in a non-EU or non-EEA country, TAG ensures that the personal data is processed lawfully, by means of contract arrangements in accordance with the European Commission’s standard contractual clauses, for example.
TAG will not engage in automatic decision-making or profiling based on your personal data.
What are the data subject’s rights?
If you so wish, you may contact TAG for more information about personal data processing or to exercise your rights related to personal data processing. To do so, please contact TAG at email@example.com
Your rights concerning personal data processing:
You have the right to obtain information about the collection and processing of your personal data. Personal data processing must be transparent.
You have the right to access your personal data, meaning that you are entitled to obtain confirmation from TAG as to whether or not TAG is processing personal data concerning you. You are also entitled to obtain a copy of the personal data TAG has collected about you. In your request, please specify clearly what data you wish to obtain. The data is free of charge and will be sent to you as a letter to TAG, or by some other electronic means, without undue delay, within one (1) month. If you have several requests or your request is complicated, the time limit may be expanded by two months. The extension of the time limit must be justified to you. If TAG is unable to provide you with the requested data, TAG has the obligation to explain the justifications.
You have the right to request that your personal data be rectified. It is important that the personal data processed by TAG concerning you be accurate. If your telephone number, email address or other contact details change, or if you notice that we have inaccurate, erroneous or insufficient information about you, you have the right to request that we rectify the data.
In certain circumstances, you have the right to request that your personal data be erased and the “right to be forgotten” without undue delay. For example, if the data is no longer necessary for the purpose for which it was collected, you have the right to be forgotten. However, this right cannot be exercised if TAG is required by law to store some of your personal data. If you request that your personal data be erased, TAG will erase all personal data concerning you that can be erased. However, TAG will erase your personal data without request once there no longer are legal or other obligations for its storage.
In certain circumstances, you have the right to request that TAG restrict the processing of your personal data. For example, personal data processing may be restricted if you have requested that we rectify your data and it is taking us a long time to fulfil your request. In such an event, we will restrict the processing of your personal data until we have fulfilled your request.
In certain circumstances, you have the right to transfer your personal data from one system to another. This means that you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and to transfer the data to another controller. You have the right to have your personal data transferred directly to another controller only if this is technically possible.
In certain circumstances, you have the right to object to the processing of your personal data, meaning that you have the right to request that your personal data not be processed at all. You are entitled to this right if the personal data processing is based on a legitimate interest (see above for more information about such cases). In your request, please specify what you object to in terms of processing.
TAG will respond to your request within one (1) month of receiving it, unless TAG has specific reasons to extend the response time. If necessary, TAG may ask the sender of the request to verify their identity and to specify the request further. The measures related to the request will be implemented without delay after the response, unless otherwise stipulated. TAG may refuse your request based on the applicable law.
Where can I file a complaint?
If you believe that TAG is processing your personal data in violation of the applicable data protection legislation, we want you to inform us about this. You can contact TAG at firstname.lastname@example.org. You also have the right to file a complaint with the Office of the Data Protection Ombudsman. For more information, visit the website of the Office of the Data Protection Ombudsman