Introduction

Sensys Gatso Group AB and its subsidiaries (hereafter SGG) are committed to providing high-quality services and products to our customers and stakeholders, for which we use, need, collect, and process privacy-sensitive information to achieve our purpose in “Making Traffic Safer”.

This policy outlines our continued efforts and obligations regarding how we manage, process, protect and secure specific Personal Data or privacy-sensitive information in our day-to-day business operations, and how we comply with the European General Data Protection Regulation (GDPR).

Our commitment to privacy and personal data protection

  • We understand, have experience with, and promote the globally spread and accepted privacy principles.
  • We protect the confidentiality, integrity and availability of Personal Data, privacy-sensitive data and other information regardless of its origin (internal or external).
  • We are committed to complying with privacy and information security regulations when we process Personal Data, regardless of which world region or country the regulation applies to (e.g. Europe, Australia, United States, Middle East etc.).
  • Processing means, but is not limited to: collecting, using, disclosing, storing, securing, analyzing, distributing and disposing of Personal Data by any automatic or manual method or system with a legitimate goal and purpose.
  • To comply with the above, we have adequate information security policies, systems and controls in place to protect the confidentiality, integrity, and availability of all (personal) data processed within our systems or by our people.

Why do we process Personal Data

Personal Data is processed by SGG with the following goals:

1) fulfill our purpose in “Making Traffic Safer”.

2) provide and manage TRaffic enforcement as a Service (TRaaS).

3) run our company in an effective way compliant with:

   a) legal, business and accountancy regulations, 

   b) general business rules and methods applicable or mandatory for a stock listed company. 

4) to provide or use a service under contract.

What’s the purpose for processing personal data

Personal Data is processed for the following purposes supporting our legitimate business:
1) marketing and sales purposes, to provide information to our customers.
2) managing TRaaS solutions under customer contract as a processor.
3) corporate governance, internal and external communication, security, registration, monitoring and Human Resources purposes, where people can reasonably expect such Personal Data to be used or disclosed within our company as part of the agreement(s) people have with SGG, for example employees, customers or suppliers.

In all other cases where we collect Personal Data, we will, when appropriate and possible, explain to people why we are collecting data, for what purpose, and how we plan to use it, and obtain consent. This applies for example to our public websites, newsletters, external surveys, etc.

What kind of personal data is collected

SGG collects Personal Data from various kinds of sources in different ways with the goal to maintain and establish legitimate business and to achieve our purpose. 

SGG collects and processes Personal Data:
• to run legitimate business operations, where the data collected includes but is not limited to: names, addresses, phone numbers, email addresses, employee information, job application data, login credentials, website data and cookies (e.g. www.sensysgatso.com),
• as part of and needed to deliver, test, commission, service and maintain traffic enforcement systems (as a service) for our customers as part of our day-to-day legitimate business operations or as part of processing such data under contract. During these activities the following data may be collected and processed: plates, location data, faces, addresses as part of car-advertisements,
• from (potential) customers, suppliers, contractors or other interested parties, as needed or required for business communications, to conclude and perform an agreement/contract or to comply with regulations or requirements,
• in order to be able to efficiently communicate:
- with customers, suppliers and other stakeholders,
- to send or request commercial business information, 
- to arrange the transport and shipping of goods, 
- about financial information,
- about other aspects needed for legitimate business arrangements.

What we do with direct marketing

We use personal data for marketing purposes, as we have a legitimate interest in using personal data provided to us to be able to inform known and potential customers and stakeholders, with the goal of promoting and selling our products and services as part of our commercial activities.

If a person subscribes to our newsletter, consent and authorization are granted to store and use the personal data provided, with the goal of informing the interested person by mail about our products, services and company news.

When we disclose Personal Data

Personal Data collected and processed by SGG is not and shall not be disclosed to stakeholders or people who are not involved. However, Personal Data is disclosed to others when:
• required or authorised by law.
• required to comply with business, financial and accountancy regulations.
• requested by authorised government departments, including the justice department.

In all other cases Personal Data shall only be disclosed after consent and approval of the person(s) involved and authorization by the responsible manager.

How do we secure Personal Data

Collected Personal Data is stored in a secure and controlled manner, where SGG takes all reasonable and adequate actions and measures to protect the Personal Data from misuse, loss, unauthorized access, modification, disclosure or any other compromise.

Access to Personal Data and related or linked information we process is strictly limited to those persons who process, use or view such sensitive information on a “need to know” and/or legitimate basis to fulfill the task or job under their responsibility.

How long do we retain Personal Data

When Personal Data is no longer needed for the purpose for which it was collected, all reasonable steps to delete, destroy, or permanently de-identify (pseudonymisation) this Personal Data are taken. However, most Personal Data is or may be stored for a longer period of time to comply with regulatory and legal obligations, which in that case gives us legitimate reason(s) to retain such data according to (legally) specified retention periods.

We will retain personal data of business stakeholders for a term of seven years after the end of the financial year in which the legitimate business agreement, contract or service is performed. 

This seven-year period corresponds with the mandatory minimum retention period for which we need to keep our records available for tax, accountancy, customs authorities and other legal purposes. We will remove personal data when it is no longer needed, has become irrelevant to the business, has served its purpose and/or when legal retention periods have ended. However, personal data may be retained for a longer period, and not deleted, when required by law, government, official authority or contract.

Who has access to Personal Data

Access to Personal and privacy sensitive data is strictly limited within SGG. 

Persons whose data is processed by SGG have the right to:
• inspect, correct, limit, object to, delete or transfer the data we process.

SGG will cooperate with a person invoking a right, to the extent possible, in relation to the business purposes and goals.
However, if Personal Data is processed by SGG:
• under contract, as part of the services we provide to a customer, access to Personal Data is strictly prohibited for the requester unless specifically authorized, in writing, by the responsible controller (customer) of the Personal Data.

• for legitimate business purposes, as described, not all rights may be invocable, as SGG has other mandatory obligations to comply with, for which processing of personal data is needed.

Access to or a request to invoke a right regarding processed Personal Data can be requested by submitting a Data Subject Access Request (DSAR) and/or by contacting the SGG Data Protection Officer (see below). 

In order to protect Personal Data, we may require identification from the requester before releasing information. SGG will not charge any fee for access requests, but may charge an administrative fee for providing a copy of or a report about the requested Personal Data.

What we do about the quality of Personal Data

SGG highly values that processed Personal Data is and remains up to date and maintains its integrity.

We will take all reasonable actions to ensure that the Personal Data we process is accurate, complete and up-to-date. If a person observes that information we use or process is not up to date or is inaccurate, please notify SGG as soon as pos

When do we share data with third parties

SGG only collects Personal Data when needed for its legitimate organisational purposes and, in principle, does not share this data with other parties.

However, on some occasions we may have to provide information to third parties, or let them process the Personal Data. It may be necessary to share personal data with a person, customer, supplier or other interested party that provides a service, supplies parts, materials or products to SGG, or that performs selected activities and processes data under our control. But data is only shared when agreed (with consent), under contract or when mandatorily required.

Furthermore, SGG uses external server space, cloud services and applications for the processing of (parts of) our sales, development, and supply records and our records of business relations. Personal data may be included in these records and can therefore be provided to a third-party service provider under our control. We do not sell any collected Personal Data under our control to any third party.

What we do with special information

SGG does not process or store special personal data or information on any media or systems owned by SGG. Special information can provide an indication of a person's ethnic origin, political opinions, membership of a political association, sexual preference, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record, genetic, biometric or health information.

In some cases SGG stores and processes special information, but only when:
• needed to comply with legal and/or business regulations.
• required or authorised by law.
• with consent of the person involved.

Special information is in those cases strictly controlled and can only be accessed by a few authorized employees (e.g. Human Resources).

What kind of cookies do we use

Our company website www.sensysgatso.com uses cookies, which are saved on the website visitor’s device as a small text file. A cookie can be either a session cookie or a cookie that is stored for a longer period. 

The session cookie is deleted when the web browser is closed, while a permanent cookie is kept so that website visitors can use the website as we intend. This can include, for example, language choice or other preferences being saved to optimize the website during the visitor’s next visit.

Information collected via cookies does not include any personal information; it is only used to establish the visitor’s patterns in the use of our web services. When it comes to behaviour, no IP addresses are saved either. Accordingly, as a website visitor, information about you can never be linked to your identity.

Cookies are used to count and report visitor numbers and traffic. We use so-called third-party cookies from other companies to conduct market surveys and measure web traffic.

When can you Opt-In, Opt-Out or object

For our services SGG uses Opt-In and Opt-Out options. 

To use an SGG service a person may need to provide Personal Data to be granted authorization by SGG to use the service (Opt-In). The personal data provided is only used for the intended goal(s).

If a person no longer wants or needs to use the SGG service, the person can always Opt-Out using the “unsubscribe” options of the service or by contacting SGG in writing with this request.

Besides the described options, people have the right to object to processing of their Personal Data (right to forget). If so, please notify SGG to take action and grant the request (see the contact section below). Granting a request may depend on the purpose for which the Personal Data was collected and processed.

What we do in case of a Personal Data Breach

In case of a data breach where Personal Data or related data is intentionally or unintentionally lost, stolen, illegally processed, altered, accessed without authorization, distributed, or compromised for any other reason, or where this cannot be reasonably excluded, this will be investigated and reported.

All SGG employees have the obligation to report any Personal Data breach or incident to the Data Protection Officer (DPO), according to our Reporting data leak incidents policy. This also applies when a breach or incident is observed by people outside SGG and reported to an employee.

The DPO starts an incident investigation and reports the incident to management and, if needed, to the supervising authorities. The investigation will always be done with utmost care, independence and confidentiality. If a person or a group of persons is involved in the incident, feedback about the incident is provided by SGG when needed or reasonably possible. When a reported Personal Data incident does not involve SGG but a third party, SGG takes up its social responsibility and will inform the party about the observed breach or incident within reasonable time and possibility.

Who is the SGG privacy contact

Personal Data control and privacy protection are of utmost importance to SGG. Therefore, to promote privacy protection, advice and consultation for stakeholders, SGG has assigned a Data Protection Officer (DPO) role. The DPO is the main contact for people, data subjects, authorities, management and other stakeholders regarding privacy and personal data topics, for a Data Subject Access Request (DSAR) or to report a (personal) data breach.

Any person who wants to invoke a privacy right or report a data breach, or who has a request or complaint related to Personal Data, can contact SGG via:

privacy@sensysgatso.com

The DPO independently monitors Personal Data processing and compliance with this privacy policy and its related policies and regulations. When a person disagrees with or wants to appeal a DPO answer, investigation or decision, the CEO may be consulted or contacted with the request to mediate in the matter.

What are our rights

Intellectual property rights

All material on our websites, including texts, images and brands, as well as the design and graphic profiles, are property of Sensys Gatso Group AB or our partners. All use, other than that required to use the website, or copying by you as a user requires Sensys Gatso Group AB’s written approval. All use in breach of these terms and conditions may result in legal proceedings.

Liability

Sensys Gatso Group AB accepts no liability and provides no guarantees for the quality, functionality or availability of our websites or their content. Additionally, where we provide a reference to a third party, we accept no liability for the material or content of the third party’s website.

Governing law 

In the event of disputes arising from the terms and conditions of Sensys Gatso Group AB, Swedish law shall apply with the exception of its conflict-of-law rules, with Jönköping District Court as the first court instance.

Why we publish this policy

This Privacy Policy is published to inform and be transparent to interested parties and stakeholders about why we need and collect, and how we process and manage, personal data from (possible) customers, partners, suppliers, contractors, other relations and employees.

When we update this policy

This Privacy Policy is part of our certified Information Management System and may be changed or improved when needed, on request of management or when needed as a result of audit and control programs. If the policy is updated, it is made available and published at the earliest convenience.