Privacy Policy
1. Privacy Policy Scope
1.1 This privacy policy describes how Position Green AB, Reg. No. 559006-5834, (”Position Green”, ”us”, ”we” or “our”), manage and process your personal data as part of our business, for example in relation to you as a user (“User” meaning former, current and potential user of our platform (the “Platform”)), or as a visitor to our official website. What kind of processing (which is a generic term in the EU Data Protection Regulation (“GDPR”) for operations which is performed on your personal data) that we carry out regarding your personal data depends on the context in which you come into contact with us, and in which capacity you act.
1.2 Position Green has developed and provides the Platform with the same name. The Platform aims to help organizations collect, manage, visualize, and report environmental and sustainability data. With the help of the Platform the organizations will achieve an easier, smarter, and more efficient way to manage their sustainability and environmental data reporting.
1.3 Privacy protection is a matter of a prioritization for us at Position Green. That is why it is important for us to protect your personal data and to make sure that the data is processed in correct and legal ways. We process personal data lawfully, fairly and transparently. We only process personal data for legitimate purposes, we limit the collection of personal data to what is necessary for accomplishing such specified purposes. We ensure personal data is accurate and keep it up to date. We apply storage limitations only storing personal data for as long as it is necessary for the purpose which the personal data are processed for. Where possible, we adapt integrity, confidentiality and availability with techniques such as pseudonymisation and encryption.
Legal basis of processing
1.4 In this privacy policy, we describe what different types of personal data we may process, for what purposes we process it and on what legal basis. We also describe our process practices, with whom we may share your personal data as well as what options and what rights you have in relation to our processing. We kindly ask you to thoroughly read through this privacy policy and to make sure that you fully understand its content.
Position Green as personal data controller
1.5 Kindly note that this privacy policy refers to such processing of personal data of which Position Green is considered the personal data controller. This implies that Position Green is responsible for the processing of your personal data that is conducted within our business, including our website. This also implies that you should contact us with any questions or concerns you might have, or if you wish to use any of the rights you have, in relation to our processing of your personal data.
1.6 To be able to use the Platform you need to register personally. Position Green is the personal data controller for the personal data processing necessary with the purpose of providing you access to the Platform.
2. Personal Data Processing
Personal data refers to data that can be attributed to you. You are not obliged to disclose any personal data to us. If you, on the other hand, decide to allow us to take part of your personal data we may process personal data that can be attributed to you in accordance to below:
2.1.1 User account on the platform
Why do we process your personal data?
We process your personal data to administrate your user account and to ensure that the Platform is safe and reliable, to ensure the quality of reported data and to monitor the data that you report in the Platform.
We will process the personal data we obtained directly from you upon creation of your user account. We only process personal data that is necessary for providing you with your user account. If you decide to not disclose any personal data, this may result in you not being able to use the Platform to its full extent, or at all. If you, as a User include personal data in the data that you report in the Platform, we will also process such personal data. However, if we have not specifically asked for such personal data and such personal data are superfluous, we will erase, pseudonymize or anonymize the personal data.
We may contact you to carry out surveys regarding e.g. your experience in interacting with our services.
We also use cookies on our platform. For more information about the cookies we use, please see https://www.positiongreen.com/cookie-policy/.
Which personal data do we process?
We will process account information that you register for your account in the Platform, including your name, phone number, email address, working title in the registered company, photo as well as possible personal settings. We will also process personal data about your activity on the Platform, e.g., that you as a User has registered on the Platform and what such registered data consist of.
What is the legal basis to process your personal data?
We process your personal data on the legal bases of legitimate interest and to be able to perform under a potential contract with you.
It is in our legitimate interest to process your personal data as a part of your user account, to be able to administrate your user account, to ensure that the Platform is safe and reliable, to ensure the quality of the reported data, to perform surveys regarding the Platform and to be able to monitor the data that you report in the Platform. More information about how we have performed the assessment of our legitimate interest and the balancing of interests, please see Section 2.2.
You have the right to object to our processing based upon legitimate interest. More information about your right to object can be found in section 6.6.
For how long do we process your personal data?
In regard to you as a user of the Platform we process your personal data for as long as you are a registered user of the Platform. When you as a user of the Platform no longer are linked to a customer account we will remove your personal data after a maximum of 15 months, to be able to ensure the quality of reported data and traceability in the Platform.
2.1.2 Customer Relationships
Why do we process your personal data?
We process your personal data to administer our customer relationship with you and for marketing of our services to you. We process your personal data to ensure that you as a customer and/or User get as much value as possible from our services. We process your personal data when you contact us, e.g. via our contact form on the website or via LinkedIn, to be able to answer you.
Which personal data do we process?
When you contact us e.g. via our contact form on the website or via LinkedIn, we process contact details such as your name, email address, and phone number; as well as information about the employer, organization, its address and your title. If you include any other personal data when you contact us, we will also process such personal data.
We also collect and process information about your usage of our services and the feedback you give us. This information helps us to understand your needs and wishes and to be proactive in our offering to you e.g. training, or how to develop features to make the Platform more user friendly.
What is the legal basis to process your personal data?
We process your personal data on the legal bases of legitimate interest and to be able to perform under a potential contract with you.
It is in our legitimate interest to provide as much value as possible from our services and to be able to assist you if you have any questions or give us any feedback. To be able to do that, we may need to process your personal data. More information about how we have performed the assessment of our legitimate interest and the balancing of interests, please see Section 2.2.
You have the right to object to our processing based upon legitimate interest. More information about your right to object can be found in section 6.6.
For how long do we process your personal data?
We will process your data for as long as we have an ongoing customer relationship with you. If we have not had any ongoing customer relationships with you in one year, we will remove your personal data. This means that we may continue to process your personal data if we have outstanding obligations to you or if we by any other reason is prevented from erasing the personal data e.g. for fulfilling a legal obligation.
2.1.3 Website visitors
Why do we process your personal data?
We process your personal data to administrate your usage of our website and to provide website functionality. We also process your personal data to be able to troubleshoot if a possible problem would occur with the website. Further, we process your personal data in order to manage marketing efforts and to get insight in user behaviour on our website, to be able to provide you with relevant information and marketing.
Which personal data do we process?
Data regarding website usage (cookies), such as IP-address, type of browser and what version, operating system, referring website address (the site you last visited before you entered our website), time of the server request as well as possible connection to your LinkedIn account. To be able to process some of these personal data, we use cookies on our website. For more information about the cookies we use, please see https://www.positiongreen.com/cookie-policy/.
What is the legal basis to process your personal data?
For such personal data that is processed to administrate our website and to provide website functionality, we process your personal data on the legal basis of our legitimate interest to be able to provide our website. More information about how we have performed the assessment of our legitimate interest and the balancing of interests, please see Section 2.2.
You have the right to object to our processing based upon legitimate interest. More information about your right to object can be found in section 6.6.
Regarding such personal data that we use for administrating your usage, to get insight in user behaviour and to manage marketing efforts, we will ask for your prior consent by asking if you accept cookies allowing such tracking, when you enter our website. Thus, we process such personal data on the legal basis of your consent. For more information please see our cookie policyhttps://www.positiongreen.com/cookie-policy/. You can withdraw your consent at any time. More information about your right to withdraw your consent can be found in section 6.8.
For how long do we process your personal data?
Such personal data that is processed on the legal basis of our legitimate interest will be processed during your visit of the website and is stored for three months thereafter.
Such personal data that is processed on the legal basis of your consent will be processed for as long as we have your consent (i.e. until you withdraw your consent). More information about your right to withdraw your consent can be found in section 6.8.
2.1.4 Marketing activities
Why do we process your personal data?
When you request information from us, e.g. a demo or webinar information, or when you subscribe to our newsletter, we process your contact information to be able to provide you with the requested information and/or newsletters.
Which personal data do we process?
When you request information from us, or subscribe to our newsletter, we process your name, e-mail address and phone number that you provide us with.
What is the legal basis to process your personal data?
We will obtain your consent before we send you newsletters, provide you with a demo or you receive webinar information. You can withdraw your consent at any time. More information about your right to withdraw your consent can be found in section 6.8.
For how long do we process your personal data?
Your personal data will be processed for as long as we have your consent (i.e. until you withdraw your consent). More information about your right to withdraw your consent can be found in section 6.8.
2.1.5 Customer account
Why do we process your personal data?
We process your personal data to register you as a customer according to the terms agreed including e.g. billing period, billing information, contract renewal, contract start. We also process these personal data so that we can manage and deliver the services that you order from us, and to administrate your payments to us.
Which personal data do we process?
We process your name, e-mail, phone number, delivery details and payment details.
What is the legal basis to process your personal data?
We process your personal data to be able to perform under the contract with you.
For how long do we process your personal data?
We keep your personal data as long as we need to fulfil our legal obligations. Invoice documentation is stored in accordance with applicable legislation.
2.2 How have we performed the assessment of the balance of interests when the legal basis for processing your personal data is our legitimate interest?
For certain purposes, we process your personal data and rely on our legitimate interest as the legal basis for the processing. In assessing the legal basis, we rely on a balancing of interests test by which we have determined that our legitimate interests of the processing override your interest and your fundamental right not to have your personal data processed. We have expressed our legitimate interest in the section above. Please contact us if you want to read more about how this test has been performed. Our contact details can be found in section 8.
3. Personal Data Storage
We will store your personal data for as long as it is necessary to achieve the purpose of the processing.
Insofar as your personal data is no longer necessary to achieve the purpose of the processing, or the processing for any reason is no longer allowed, the personal data will be anonymized or erased.
4. Who has access to your data?
4.1 Suppliers and subcontractors
Data subject and categories of personal data
As a data subject having e.g. customer relationships with us or as a visitor of our website we may disclose your personal data to certain suppliers and subcontractors, e.g., companies working with IT- and cloud services. Personal data that may be shared with such recipients are your name, email address, employer, organization, its address and your title.
Purpose and legal basis
We have agreements with other companies that perform certain services on our behalf and we may need to disclose data to such companies in order for them to provide the relevant service or support. In such cases, we have a legitimate interest of being able to give such companies necessary access. If the sharing of your personal data is necessary to fulfill that interest, and that interest overrides your right not to have your data processed, sharing may take place on the legal basis of legitimate interest. The recipients will only gain access to your personal data to the extent necessary for them to fulfil their mission, but they may not share or use the data for other purposes. In this case data processing agreements are in place with the recipients to ensure that your personal data is being processed in accordance with this privacy policy.
Recipients
The suppliers and subcontractors are mainly based within the EU/EEA. However, in limited situations, data may be transferred to the US. In such situations, Position Green has entered into relevant standard contractual clauses regarding the transfer and has put in place additional safeguard mechanisms, as applicable.
4.2 Group companies
Data subject and categories of personal data
If you e.g. are a customer or a User we may disclose your personal data to companies within Position Green Group. Personal data that may be shared with such recipients are your name, email address, employer, organization, its address and your title.
Purpose and legal basis
This sharing of personal data may be required for us to provide our services to you. If the sharing of your personal data is necessary to fulfil that interest, and the interest overrides your right not to have your data processed, the sharing may be carried out on the legal basis of legitimate interest. In this case joint controllership agreements are set up to ensure that your personal data is being processed in accordance with this privacy policy and relevant data protection laws.
Recipients
The companies within Position Green Group are based both within and outside EU/EEA in countries such as Sweden, Norway and US.
In situations where data is transferred to the US, Position has entered into relevant standard contractual clauses regarding the transfer and has put in place additional safeguard mechanisms, as applicable.
We and the companies within Position Green Group have a joint responsibility for the processing of the personal data disclosed between the companies. You can turn to us or any of these companies to exercise your rights under Section 6, regarding the processing of the personal data disclosed between the companies.
4.3 Companies independently responsible
We may share your personal data with companies that are independently responsible for personal data processing. In such cases, the receiving party is responsible for the processing of the personal data.
5. Transfer of data
The transfers described above may be made to recipients in Member States of the EU/EEA as well as to third countries whose legislation may differ from the rules for data protection within the EU/EEA. In the case of transfers to such third countries, we will take appropriate measures to ensure that your personal data are adequately protected.
We will ensure that appropriate safeguards are put in place by ensuring that at least one of the following conditions is met in each such transfer.
| Safeguard and description thereof | Which countries we transfer personal data to on the basis of the specific safeguard |
| Adequate level of protection according to art. 45 GDPRThe European Commission has decided that certain countries outside the EU/EEA have a sufficiently high level of security. This means that personal data can be transferred there without any further action having to be taken with regard to the transfer itself (beyond what applies under the GDPR in general). A list of which countries are included can be found here. | N/A |
| Standard contractual clauses according to art 46.2 GDPRSince only a few countries are considered to have an adequate level of protection, the most common measure to ensure sufficient protection in the event of a transfer outside the EU/EEA is to annex the EU Commission’s Standard Contractual Clauses pursuant to Implementing Decisions 2001/497/EC, 2010/87/EU or 2021/914/EU, without any changes or amendments in conflict with the clauses. In these cases, we also assess whether there are laws in the recipient country that affect the protection of your personal data. Where necessary, we take technical and organizational measures so that your data remain protected during the transfer to the relevant country outside the EU/EEA.If you want to read these Standard Contractual Clauses in their entirety, you can download them via the European Commission’s website (under the heading Standard contractual clauses for international transfers (Word)). | The US |
| Binding Corporate Rules according to art. 47 GDPRIn some cases, a group may have established, and gotten approved by the competent supervisory authority, Binding Corporate Rules, to ensure adequate protection of transfers between the Group’s companies. | N/A |
Right to obtain a copy – If you would like to receive further information about transfers to countries outside the EU/EEA, or if you would like to receive a copy of the safeguard we have used, you can contact us using the contact details set out in section 8 below.
6. Your rights
6.1 Right to be informed
You have the right to be informed about how we process your personal data. In this privacy policy, we generally describe what personal data is processed by us in different contexts. If you want to know more about whether we process your personal data, and to what extent it is done, you can contact us as described above and request information about what personal data we process.
6.2 Right to get access
We can also provide you with a copy, a so-called register extract, of the personal data processed by us. In the register extract, we provide information about e.g. which categories of personal data are processed, what the personal data are used for, how long the data will be stored, with whom the personal data has been shared and where the data come from.
6.3 Right to rectification
We strive to always have accurate personal data about you and to update them when necessary. If you discover that we process inaccurate data about you, you have the right to contact us as described above to have these corrected. You also have the right to ask us to complete incomplete data if this is relevant based on the purposes for which your data are processed, by providing us with additional information.
6.4 Right to erasure (“right to be forgotten”)
You have the right to request the erasure of your personal data. However, this right is not absolute. Certain conditions must be at hand in order for us to erase your data. For example, you may have the right to have data erased if they are no longer necessary for the purposes for which they were collected, if you withdraw your consent or if you object to us using your data for direct marketing.
The right to erasure is also limited in the event that an exception applies to the data in question. For example, we have the right to retain the data if it is necessary for establishing, exercising or defending legal claims.
6.5 Right to restriction of processing
You can request that the processing of your personal data should be restricted, for example if you do not think that the information we have about you is correct or if you believe that the processing is unlawful. Such request can also be made during the time we investigate whether our legitimate interests override your interest of privacy when you object to the processing (see more about this under right to object above).
6.6 Right to object
You always have the right to object to our processing if the legal basis for the processing (this is stated in the various processing operations above in section 2.1) is that it is necessary for purposes relating to our legitimate interest.
If you object, we do not have the right to process the data anymore, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or if it is needed for the establishment, exercise or defense of legal claims. If we consider that we have such legitimate grounds, or if the data are needed for the establishment, exercise or defense of legal claims, we will notify you of this, and the reasons for such assessment.
You can also object to your personal data being processed for marketing purposes (including profiling if this is included as part of this). If you do so, we will cease the processing for these purposes.
6.7 Right to portability
You have the right to receive your personal data concerning, that you have provided to us (in case the legal basis for our processing is consent or performance of an agreement), in a structured, commonly used and machine-readable format. However, this presupposes that the processing takes place by automated means (i.e. not in physical form on paper). If technically possible, and you wish to do so, we may also transmit such personal data to another data controller..
6.8 Right to withdraw consent
You can withdraw the whole or part of the consent you have given at any time, with effect as from the withdrawal (i.e. the processing of personal data that we have carried out before the withdrawal will not be affected). In the case of direct marketing via e-mail, a withdrawal can be carried out through a link attached in each such e-mail.
6.9 Right to lodge a complaint with a supervisory authority
You can lodge a complaint to the Swedish Authority for Privacy Protection (or with another supervisory authority) if you believe that our processing of your personal data is not in accordance with applicable legislation.
6.9 Requirements for exercising your rights
To protect your privacy, we may (if necessary) require you to prove your identity when you contact us to exercise your rights.
We handle your request to exercise your rights promptly. Your request will normally be answered within one month from the date the request was received by us. Only in the case of an unusually complicated request, or if we have received a large number of requests, the response time may be extended by up to two months. If an extension of the response time is decided upon, you will be notified of it.
7. Amendments and Changes of this privacy policy
7.1 We may make amendments or changes to this privacy policy. If we do so we will publish the updated policy on our website. Therefore, we advise you to regularly read through the privacy policy.
8. How do you exercise your rights?
8.1 If you want to apply any of the rights or if you have questions regarding privacy, you are welcome to contact us at privacy@positiongreen.com . You can read more information about your rights at https://www.imy.se/en/organisations/data-protection/this-applies-accordning-to-gdpr/the-data-subjects-rights/
*This privacy policy is effective from the 14th of February 2023. Updates made since last version: New outline and clarification of the privacy notice document