SBSC’s Privacy Notice

Version: 2023-12-06

SBSC cares about your personal integrity and strives at all times to maintain a high level of data protection. For instance, we would never sell your personal data to another company for marketing purposes. This Privacy Policy explains how we collect and use your personal information. It also describes your rights and how you can exercise them. We want you to feel secure when you provide us with your personal data. We are constantly taking the steps we consider necessary to protect your personal data. All processing of personal data takes place based on applicable law. And you should always feel free to contact us with any questions you may have.

1. Who is responsible for the personal data we process?

Svensk Brand- och Säkerhetscertifiering AB (SBSC), company registration no. 556199–0143, Rosenlundsgatan 40, 118 53 Stockholm, is the personal data controller for the company’s processing of personal data.

We sometimes make changes to our privacy policy. The most recent version of the policy is always available on our website at https://sbsc.se.

2. What is personal data and what is processing of personal data?

Personal data is every type of information which may be directly or indirectly related to a natural person. For example, pictures and sound recordings processed in a computer may constitute personal data even if no name is ever mentioned. Encrypted data and various types of electronic identities (e.g. IP numbers) are personal data if they can be associated with natural persons.

Processing of personal data is everything which occurs with the personal data. Irrespective of whether processing is automated or not, every measure taken with personal data constitutes processing. Examples of typical processing are collection, registration, organisation, structuring, storage, adaptation, transmission and erasure.

3. What personal data do we process, for what purpose (why) and on what legal basis?

When you become our customer

We store some of your personal data in order to administer your certificates, deal with certification matters in our client portal and send relevant information.

The personal data stored by us:

  • Names
  • Contact information (e-mail addresses and telephone numbers)
  • Invoicing addresses (when invoicing companies/organisations, we also store the company registration number and, in the event the customer is registered abroad, we also store the VAT registration number)
  • Usernames and passwords
  • Your profile settings
  • Your communications with us
  • Information regarding your exam bookings (applies only for certification of individuals)
  • Personal ID no. (applies only to certification of individuals or Swedish sole proprietorships)
  • Any summary/resume about yourself which you have provided, position, type of organisation

The processing we carry out:

  • Registration and identification for log-on administration
  • Maintenance of correct and updated information
  • Collection of e-mail addresses for sending newsletters and to provide you with information regarding training/courses and other services relating to your certification or other relevant information and offers
  • Publication of certificates and contact information (including company registration numbers) on sbsc.se in order to market your certificate to end-customers

Legal basis: The processing of your personal data is necessary in order to be able to meet our commitments as a certification company. The legal basis of our processing of personal data is the performance of agreements. Information is saved during the application and certification period. The information is purged 5 years after the certificate expires. Personal data is stored in the invoicing system in accordance with the Swedish Bookkeeping Act.

When you sign up for a course or an event

When you sign up for an activity arranged by us, we must be able to manage your booking and any payment. The collection of your personal data is necessary in order for us to be able to meet our commitments when you book a course or attend an event arranged by us.

The personal data stored by us:

  • Names
  • Contact information (e.g. addresses, invoicing addresses, e-mail addresses and telephone numbers)
  • Invoicing and payment information, where applicable
  • Dietary requests which are regarded as sensitive personal data
  • Other information provided by you, e.g. certification numbers, where applicable

The processing we carry out:

  • Maintenance of correct and updated information
  • Registration in our event system
  • Registration of invoicing information in our accounting system (where necessary)
  • Collection of e-mail addresses so you can receive your booking confirmations and other information regarding the booking
  • Sending relevant information and offers

Legal basis: The processing of your personal data is necessary in order for us to be able to administer your bookings. The legal basis of our processing of personal data is the performance of agreements. When you sign up, you also receive information regarding the manner in which we process your personal data. In the event we collect your dietary preferences, this is regarded as information regarding your health and thereby constitutes sensitive information. We will inform you of this when you sign up, and you consent to this processing in the consent you provide when you register. Your stated dietary preferences are subsequently anonymised before they are sent to the course venue. The information is saved for a period of 12 months in our events booking system. The personal data is stored in our invoicing system in accordance with the Swedish Bookkeeping Act. If you have stated any desires regarding special foods or other additional information, this is saved only in the relevant booking.

When you participate in our courses and events

We will notify you in the registration completed by you for the course or event that, among other things, we will take pictures or record videos at the event. This includes photography, live broadcasts and recording for adaptation and publication in marketing and information material on social media.

Examples of personal data we store: Images, videos and sound recordings (for internal and external use).

Legal basis: We process your personal data on the basis of our legitimate interest in arranging and administering events or courses, and publish photographs and live broadcasts on social media and on SBSC’s website where SBSC’s legitimate interest is to provide information regarding our activities, our events, and to meet our contractual obligations. Your personal data is saved as long as necessary for the administration of the event or course, normally up to one year. Images, videos and sound recordings which may be used for marketing and information materials are processed for a longer period of time.

If we publish the images on our social media channels, this entails a transmission of personal data to a third country, the U.S. You may learn more about what this involves under the heading “Where do we process your personal data?”.

Fulfilment of legal obligations and compliance with laws

We process personal data in order to fulfil SBSC’s legal obligations. This may involve necessary administration in order to fulfil the company’s legal obligations in accordance with legal requirements, judgments by courts of law or decisions by government authorities. Examples of processing which may occur for this purpose include the storage of invoicing data in order to fulfil our obligation in accordance with the Swedish Bookkeeping Act.

Legal basis: Legal obligation.

4. Where do we obtain your personal data?

In addition to the information you provide to us, we may also collect information from our owners, industry registers and the like. Reports regarding alleged improper marketing normally do not contain the personal data which, in accordance with Recital 14 of the General Data Protection Regulation, is covered by the GDPR.

5. With whom might we share your personal data?

Personal data processors. In the event it is necessary for us to be able to offer our services, we share your personal data with companies which are our so-called personal data processors. A personal data processor is a company which processes the information on our behalf and in accordance with our instructions, e.g. cloud service providers or the like. The personal data processors are obliged to comply with SBSC’s instructions and do not have a right to release the personal data to any other party or to use such data for purposes other than that covered by SBSC’s instructions. The personal data processors are also obliged to take certain technical and organisational steps in order to protect your personal data.

Cooperation partners. In a number of cases, e.g. in order to be able to organise events, we share some personal data with cooperation partners for the event.

Personal data may also be released where required by law, ordinance or decision by a government authority.

6. Where do we process your personal data?

We strive at all times to ensure that your personal data is processed within the EU/EEA and that all of our own IT systems are situated in the EU/EEA.

If you interact with us on social media, this entails a transmission of your personal data, e.g. your image and your name, to a third country outside the EU/EEA area, specifically to the US. This takes place automatically when you are active on social media platforms and accordingly cannot be influenced by SBSC. The transmission takes place in accordance with applicable privacy protection legislation, including the GDPR.

However, the GDPR is not applicable in such third country, which may involve an increased risk to privacy regarding, among other things, the possibility available to government authorities in third countries to obtain access to your personal data and your possibility to exercise control over your personal data. The transmission is necessary in order for you to be able to contact us via social media. The transmission between us and the social media services is based on standard contractual clauses and is supplemented with technical and organisational protections.

7. What are your rights as a data subject?

You are entitled to obtain information regarding the manner in which we process your personal data, which is provided by us through this Privacy Policy. More information regarding this right is available at the website of the Swedish Authority for Privacy Protection (IMY). You have several rights in accordance with the Swedish Data Protection Regulation. If you wish to exercise your rights or have any questions, you may contact us at gdpr@sbsc.se.

A request for erasure of personal data simultaneously entails your termination of pending applications for certification or valid certificates since we cannot process them without simultaneously processing your personal data.

8. How do we protect your personal data?

There is always a risk involved in disclosing personal data via the Internet. No IT system is entirely safe from intrusion. SBSC regularly takes the security measures which we consider necessary in order to protect the confidentiality, accessibility and accuracy of personal data.

9. Contact the Swedish Authority for Privacy Protection (IMY)

The Swedish Authority for Privacy Protection is the supervisory authority responsible for monitoring the application of the legislation. If you believe that SBSC is processing personal data incorrectly in violation of applicable law, you can file a complaint with the Authority.

10. What is the easiest way for you to contact us with questions regarding data protection?

If you have any questions regarding processing of personal data at SBSC, you can turn to our Data Privacy Officer:

gdpr@sbsc.se or by post:

GDPR Data Privacy Officer
Svensk Brand- och Säkerhetscertifiering AB
Rosenlundsgatan 40
S-118 53 Stockholm, Sweden

11. Information regarding cookies

Our website uses so-called “cookies”. Cookies are small text files which are stored on a visitor’s computer and which, among other things, save personal settings and make it possible to follow what the visitor is doing on the website.

Some cookies are necessary in order for the website to function properly, e.g. so that you remain logged-in to the website until you choose to log-out. The necessary cookies are session-based and cease to apply when you log-out and leave our website.

Other cookies can be chosen by you and, since SBSC cares about your integrity, they are not used unless you first consent to such use.

SBSC prepares statistics regarding the number of visitors, the number of times individual pages are read, from which web addresses the visitors come, and which search engines and search words are used in order to reach our website. The purpose is to provide us with an understanding of how we can improve our website. Thus, we collect information regarding domain name, web browser and operating system, the time you visited our website and from where you ultimately linked in.

Keep in mind also that we are entitled to deny your request in the event there are legal obligations which prevent us from immediately erasing certain personal data. These obligations are derived from, for example, bookkeeping and tax legislation or banking and money laundering legislation. In addition, processing may also be necessary in order for us to be able to establish, assert or defend legal claims.

In the event we are prevented from fulfilling a request for erasure, we will instead block the personal data from being able to be used for purposes other than the purpose which prevents the requested erasure.

12. Note

According to Recital 14 of the General Data Protection Regulation, the Regulation does not cover the processing of personal data concerning legal persons, e.g. information regarding the name of and type of legal person or contact information. This processing of personal data which concerns matter administration including contact information with the customer (the company) may therefore fall outside the area of application of the General Data Protection Regulation.