Privacy Policy

1 Validity

The entire Combitech Group.

2 Purpose
Combitech is committed to data protection and to proactively addressing and correcting business practices that lead to, or could potentially lead to, violations of individuals’ privacy and breaches of applicable data protection and privacy laws.

Combitech will always comply with data protection and privacy laws applicable where Combitech operates. For companies established within the European Union (EU) and the European Economic Area (EEA) this means that they must comply with the requirements of the EU General Data Protection Regulation (GDPR) and any supplemental national laws. Companies established outside the EU and EEA must comply with national data protection and privacy laws applicable where they operate.

The purpose of this document is to set out the rules and procedures to be applied when processing personal data, and to lay out certain rights of the individuals whose personal data are being processed by Combitech. Should applicable national laws conflict with this document, the more stringent requirements prevail.

3 Key concepts
3.1 Personal data
Personal data are any information relating to an identified or identifiable individual. An individual might be identifiable, directly or indirectly, in particular by reference to his name or social security number, an online identifier, location data, or to one or more factors specific to his physical, physiological, genetic, mental, economic, cultural, or social identity.

Examples of personal data are name, address, email address, phone number, IP address, gender, work title, CV, salary, interests, health information, marital status, and log-in details.

3.2 Processing
Processing is the legal term for handling personal data whether or not by automated means. It includes a variety of activities performed on personal data such as collection, recording, organisation, storage, adaptation, using, transmitting, and erasure.

3.3 Data subjects
Data subjects are individuals whose personal data are being processed. Combitech processes personal data of various categories of data subjects such as current and former employees, consultants and business contacts.

3.4 Controller and processor
When a company processes personal data and does so on its own initiative, determining the purposes and means of the processing of personal data, it acts as a “controller”. Combitech typically acts as a controller when processing employee personal data and business contact data.

When two or more companies jointly determine the purposes and means of the data processing this is referred to as joint controllership. For instance, if two Combitech entities jointly determine the purposes and means for a specific processing operation they are deemed joint controllers.

When a company processes personal data on behalf of another company and according to its instructions, it acts as a “processor”. Combitech’s suppliers frequently act as processors of Combitech. Moreover, Combitech sometimes acts as a processor when providing services to its customers.

4 Combitech’s obligations
4.1 Principles for processing of personal data
Combitech’s processing of personal data shall be based on the following principles:
a) Lawfulness, fairness and transparency: The processing of personal data by an entity must be justified on a legitimate basis, and it must be clear to the individual that personal data relating to the individual are being processed, the identity of the entity doing so, and for what purpose.

b) Purpose limitation: The obligation to ensure that the purpose for the processing of personal data is specified, explicit and legitimate and that the personal data are not processed beyond this purpose.

c) Data minimisation: The obligation to ensure that the personal data processed are adequate, relevant and limited to what is necessary for the purpose.

d) Accuracy: The obligation to ensure that the personal data processed are accurate, kept up-to-date and to take every reasonable step to correct inaccurate data or erase it.

e) Storage limitation: The obligation to ensure that personal data are not stored for a longer period than is necessary for the purposes for which the personal data are processed, which means that entities processing personal data must have visibility of their processing activities, established retention periods and/or periodic review processes.

f) Integrity and confidentiality: The obligation to process personal data in a manner which ensures appropriate security and confidentiality of personal data and prevents unauthorised access (such as hacker attacks) or accidental loss of data.

g) Accountability: Entities processing personal data must be able to demonstrate that they are in compliance with the obligations set out above.

4.2 Lawfulness of processing
Combitech may only process personal data if a legal ground applies, such as:

a) Consent: The data subject has agreed to the processing. Consent must be freely given, specific, and informed.

b) Legal obligation: Combitech must process the personal data to fulfil a legal obligation (e.g. submitting tax income information to tax authorities).

c) Performance of a contract: The processing of personal data is necessary for Combitech to fulfil its obligations in a contract that it has entered into with the data subject (e.g. retaining bank account details to pay a salary under an employment contract).

d) Legitimate interest: Combitech may process personal data when it is necessary for the purpose of its, or a third party’s, legitimate interests (e.g. keeping a database of information on customers or business partners, or collecting the names and phone numbers of emergency contacts for its employees). However, the legitimate interest must always outweigh the fundamental rights and freedoms of the data subjects, including their right to privacy.

e) Other: There are other rare grounds on which personal data may be processed, namely the protection of the vital interests of the data subject or tasks carried out in the public interest.

5 Data subjects’ rights
Data subjects should be empowered with information and choices about how Combitech processes their personal data in order to protect their privacy. Under the GDPR, data subjects have the following rights:

a) Transparency: The right to receive clear and accessible information about Combitech’s processing of personal data.

b) Access rights: The right to obtain a copy of their own personal data.

c) Right of rectification: The right to have inaccurate or incomplete data corrected.

d) Right to object to certain processing activities: The right to cease direct marketing activities, and other processing in the absence of an overriding interest.

e) Right against automated decision-making: The right to be excluded from certain automated decision-making processes made without their consent.

f) Right to restriction of processing: The right to confine the use of their personal data to limited purposes.

g) The “right to be forgotten”: The right to have personal data deleted in limited circumstances.

h) Right to data portability: The right to have their personal data handed over to a new entity.

For further information on how Combitech processes personal data of Combitech employees and contractors please contact info@combitech.se.

6 Procedures for Combitech’s processing of personal data
6.1 Introduction
Prior to altering an existing data processing activity or initiating a new data processing activity, the mandatory procedures set out in this section 6 must be adhered to. Any deviation from these procedures must be managed and duly reported in accordance with the deviation procedure described in section 6.4.

6.2 Combitech processing personal data as a controller
When Combitech processes personal data as a controller the following procedure applies.

Any alteration of an existing system (or application etc.) or introduction of a new system involving the processing of personal data shall be subject to the Saab Legal Analysis for Systems Handling Personal Data (Legal Analysis). The Legal Analysis reflects the key legal requirements of the GDPR applicable to controllers and is an integrated part of [Saab’s accreditation process].

In certain situations, Combitech will process personal data in a manner which will not be subject to the accreditation process. The introduction or alteration of any such data processing activity shall be subject to the Legal Analysis.

The purpose of the Legal Analysis is to ensure that processing of personal data within Combitech will meet applicable legal requirements for processing of personal data, assist Combitech in identifying compliance gaps, and guide Combitech in selecting remedial actions to close any compliance gaps.

A Combitech company not subject to the GDPR can modify the Legal Analysis to ensure compliance with data protection and privacy laws applicable to its data processing activities.

For further guidance on this procedure, please seek advice from the relevant data protection officer (DPO) or data protection manager (DPM).

6.3 Combitech processing personal data as a processor
When Combitech processes personal data as a processor the following procedure applies.

Any alteration of an existing system (or application etc.) or introduction of a new system involving the processing of personal data shall be subject to the Legal Analysis. The Legal Analysis reflects the key legal requirements of the GDPR applicable to processors and is an integrated part of [Saab’s accreditation process].

In certain situations, Combitech will process personal data in a manner which will not be subject to the accreditation process. The introduction or alteration of any such data processing activity shall be subject to the Legal Analysis as a separate process.

The purpose of the Legal Analysis is to ensure that processing of personal data within Combitech will meet applicable legal requirements for processing of personal data, assist Combitech in identifying compliance gaps, and guide Combitech in selecting remedial actions to close any compliance gaps.

A Combitech company not subject to the GDPR can modify the Legal Analysis to ensure compliance with data protection and privacy laws applicable to its data processing activities.

For further guidance on this procedure, please seek advice from the relevant DPO or DPM.

6.4 Deviation procedure
Any deviation from the procedures set out in section 6.2 or 6.3 shall be subject to the prior approval of the relevant DPO. The DPO may seek guidance from the Data Protection Council where appropriate.

7 Guidance and seeking advice
Further guidance on data protection compliance is available in Saab’s Data Protection Portal [link] which includes a selection of practical guidelines and templates. For questions on the processing of personal data seek advice from the relevant DPO or DPM.