PRIVACY POLICY
Introduction
This privacy policy explains how Hulténs I Sverige AB, company registration number 556920–4836 (hereinafter referred to as ‘Hulténs’, ‘we’, ‘our’ and ‘us’), processes personal data. References to ‘you’ and ‘your’ refer to the data subject whose personal data we process.
Here we have compiled information about, among other things, what Personal Data we Process, why the Processing takes place and where the Personal Data is stored. We also describe who Personal Data may be shared with, what rights the Data Subjects have under the GDPR and other information about our Processing of Personal Data. This privacy policy covers all types of Personal Data, in both structured and unstructured data.
Your personal privacy is very important to us and we process all personal data that we have access to with care and do not share personal data with unauthorised parties. All our processing of personal data is carried out in accordance with the GDPR (and SCC where applicable).
We review the content of this privacy policy at least once a year and as necessary to ensure that the information is accurate and up to date. The latest version is always published on the Website.
Definitions
The following terms shall have the meanings set out below, both when used in the plural and in the singular:
Website: www.hultens.com
Customer: A person who orders Products from Hulténs.
Products: The Products sold by Hulténs at any given time.
Product page: A page on the Website relating to a Product, with information such as the Product's price, product description, stock status, delivery time, etc.
Payment service provider: An entity that, among other things, processes payments from Customers or performs invoicing on behalf of Hulténs.
Personal data: Any information that, directly or indirectly, alone or in combination with other information, can be linked to an identified or identifiable living individual is Personal Data according to the GDPR. Common examples of Personal Data are: name, telephone number, address, email address, user ID, credit card number, vehicle registration number, IP address, etc.
Data subject: The natural person who can be identified through the Personal Data.
Processing: Processing of Personal Data can take place in various ways. Everything that happens to Personal Data, whether automated or otherwise, is a form of Processing. Processing can take place through a single action or through a combination of different actions. Examples of common Processing of Personal Data include storage, deletion, sharing, importing, registration, copying, collection, organisation, use, adjustment, destruction, etc.
Data controller: The person who determines the purpose of a particular Processing of Personal Data and how the Processing is to be carried out is, according to the GDPR, considered to be the Data Controller. Natural persons, legal persons, public authorities, institutions or other bodies may be Data Controllers.
Data processor: According to the GDPR, anyone who processes personal data on behalf of a data controller, in accordance with the controller's instructions, is considered a data processor.
Third party: A third party means anyone other than the Data Controller (and the persons authorised to Process Personal Data), Data Subjects or the Data Processor (and the persons authorised to Process Personal Data). A third party may be a legal entity or a natural person, institution, authority or other body.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
SCC: Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or any later updated version.
Any other GDPR-related terms not defined here shall have the same meaning in this privacy policy as set out in Article 4 of the GDPR.
Data controller
Hulténs is the Data Controller for all Processing of Personal Data carried out by us or on our behalf, to the extent that we determine the means and purposes of the Processing (in accordance with the principle of accountability).
For example, Hulténs acts as Data Controller when we register you as a customer in the internal systems we use within the scope of our business, or when Hulténs processes your Personal Data to fulfil obligations under the purchase agreement, such as delivering the ordered Products to you.
Our Processing of Personal Data is carried out in accordance with the GDPR (and SCC where applicable) and the fundamental principles of data protection.
How we obtain access to Personal Data that we Process
The most common way we receive your Personal Data is when you:
- enter into an agreement with us (e.g. purchase agreement, etc.),
- contact us, or
- register to receive newsletters from us.
Categories of Personal Data we Process
In accordance with the principle of data minimisation, we only Process Personal Data that is adequate, necessary and relevant to fulfil the purposes for which it was collected.
We primarily process the categories of Personal Data listed below that we may have access to when you contact us, enter into an agreement with us or use/visit our Website:
- Identification data: first name, last name, personal identification number or equivalent.
- Contact details: telephone number, email address, address, social media user ID.
- Other Personal Data: any other Personal Data that is provided to us, such as that included in a message sent to us.
Purpose and legal basis for the processing of Personal Data
In accordance with the principle of purpose limitation, we only process Personal Data for specific, explicitly stated and legitimate purposes. In addition, all Processing has a legal basis in accordance with the provisions of the GDPR.
We process Personal Data primarily on the basis of one of the following legal grounds: Agreement, Consent, Balancing of Interests, or Legal Obligation.
In some cases, it is optional for you to provide your Personal Data to us. However, if you do not provide your Personal Data, we may not be able to provide the requested support or handle the matter.
You may also need to disclose your Personal Data in order to enter into an agreement with us, to have the Products you have ordered delivered to you, or for us to fulfil our legal or contractual obligations. Unless otherwise stated, you will not suffer any negative legal consequences if you do not provide your Personal Data to us.
When the Processing of your Personal Data is based on your consent, you have the right to withdraw your consent at any time, without this affecting the lawfulness of the Processing based on the consent before it was withdrawn.
When the Processing of Personal Data is based on a legitimate interest as a legal basis, our assessment is that the Processing does not constitute an infringement of your right to privacy and integrity. We have come to this conclusion after weighing up, on the one hand, what the Processing in question means for your interests and right to privacy and, on the other hand, our legitimate interest in the Processing in question. However, we never Process sensitive Personal Data based on a balancing of interests as a legal basis.
Below you can read more about the legal basis and purpose of the processing of personal data.
- When you visit the website:
The website uses cookies. We may obtain information about your use of the website through, among other things, web analytics and/or traffic measurement providers through cookies, if you consent to this. The use of non-essential cookies only takes place if you give your consent. You can withdraw your consent at any time (without this affecting the lawfulness of the Processing carried out on the basis of the consent before it was withdrawn). In addition, you can manage the storage of cookies yourself via your browser settings. Legal basis for the Processing: Consent.
You can read more information about how we use cookies on the Website in our cookie policy: https://www.hultens.se/information/cookiepolicy.
- When we are contacted via email, telephone, social media or contact forms:
We may contact you, and you may contact us, via email, telephone or social media, in which case we will have access to your Personal Data as provided in connection with such contact. For example, we may have access to the following Personal Data: first name, last name, telephone number, email address, social media user ID (if applicable), message content and other information you provide to us.
In our opinion, both we and you have a legitimate interest in the Processing of Personal Data, so that we know who we are talking to and can keep in touch regarding the matter.
We also believe that the processing is necessary for a purpose related to a legitimate interest, and that your interest in protecting your personal data does not outweigh this interest, and that the processing in question does not infringe on your fundamental rights and freedoms.
The provision of Personal Data to us is voluntary, which means that it is not a statutory or contractual requirement or a requirement necessary to enter into a contract with us, and you are not obliged to provide the Personal Data, but the possible consequences of not providing such data are that we will not be able to handle the matter.
Legal basis for the above Processing: Balancing of interests.
You can also contact us by sending us a message via the contact form on the Website. We will then have access to the following Personal Data belonging to you: first name, surname, telephone number, email address, and the information you include in the message/free text field. The provision of Personal Data to us is voluntary. Before sending the message to us, you give your active consent to our Processing of your Personal Data in accordance with the above by ticking a box for approval. Legal basis for the Processing: Consent.
- When you complete a purchase via the Website:
When you purchase Products via the Website, we gain access to your personal data that you provide in connection with the purchase process. We Process Personal Data belonging to you in order to fulfil the purchase agreement regarding the order of Products. If the customer is a business customer, we Process Personal Data belonging to the business customer's representative/signatory. Legal basis for the processing: Agreement.
We need to process the following Personal Data in order to deliver the Products ordered, handle any right of withdrawal, returns, delivery, etc.: name/company name, personal identity number/organisation number, telephone number, email address, contact person. The provision of Personal Data to us is necessary for us to enter into a purchase agreement with each other. The possible consequences of not providing such information to us are that we will not be able to fulfil the purchase agreement. Legal basis for the processing: Agreement.
Payment is made via the payment solutions integrated into the Website and provided by Payment Service Providers. The information you register in the Payment Service Provider's payment solution will also be shared with the Payment Service Provider. You are responsible for reading the Payment Service Provider's terms and conditions and privacy policy.
If you purchase Products via the Website as a consumer, the Payment Service Provider is Klarna AB or Qliro AB.
If you purchase Products via the Website as a business customer, the Payment Service Provider is Svea Bank AB (publ) (‘Svea’). By using Checkout, the Customer agrees to Svea's terms and conditions as set out in the link below (‘Checkout Terms’), including the special terms and conditions attached to the Checkout Terms: https://cdn.svea.com/webpay/sv-SE/SE_Checkout_villkor.pdf. More information about Svea is available on their website: https://www.svea.com/se/sv/start/.
Categories of personal data processed in connection with purchases made via the Website: Order ID, order history, delivery address (e-mail), cancelled orders, completed orders. This information is processed by us every time you place an order via the Website so that we can offer you a good service. We also process the information to improve the Website. In our opinion, both we and you have a legitimate interest in the Personal Data being processed for the purposes stated above, and that the Processing is necessary for a purpose related to a legitimate interest, and that your interest in the protection of your Personal Data does not outweigh this. Our assessment is that the Processing in question does not infringe on your fundamental rights and freedoms. Legal basis for the Processing: Balancing of interests.
Payment information: Payment method, pseudonymised credit/debit card information. We need to process this information in order to track the payments you have made and link them to your orders, to enable delivery of the order and to fulfil our contractual obligations under the purchase agreement. Legal basis for the processing: Agreement.
Accounting records: We process and store invoices, receipts and other accounting records that we are required to process and store in accordance with applicable legislation, such as the Accounting Act (1999:1078) and the requirements of the Swedish Tax Agency. Accounting documents and verifications may in some cases contain Personal Data, such as name, address, order information and any other contact details for the Customer. Such data is stored for as long as required by law. Legal basis for processing: Legal obligation.
- When your user account for the Website is created:
Your user account for the Website is created automatically when you make your first purchase via the Website. You will then receive an automatically generated password in the welcome message, which you can use to log in to your user account with the email address you provided when completing your purchase.
Through your user account, you can view your order, change your delivery address and other registered information, view your previous orders, etc. If you have a user account or have written a comment on the Website and would like to know what personal data we process about you, we can provide you with an export file containing your personal data upon request.
Upon request, we will delete the personal data we process about you. However, this does not apply to any personal data that we are required to retain for legal, administrative or security purposes.
In our opinion, you have a legitimate interest in the processing of your personal data by us for the above purpose. The processing is necessary for a purpose related to a legitimate interest, and your interest in the protection of your personal data does not outweigh our legitimate interest. Our assessment is that the Processing in question does not infringe on your fundamental rights and freedoms.
Legal basis for the above Processing: Balancing of interests.
- When you receive newsletters from us:
If you have purchased Products via the Website, we may send newsletters to the email address you provided in connection with the purchase, which we believe may be of interest to you and for marketing our Products. In our opinion, both we and you have a legitimate interest in the Processing of Personal Data for the above purpose. The processing is necessary for a purpose related to a legitimate interest, and your interest in the protection of your Personal Data does not outweigh our legitimate interest. Our assessment is that the Processing in question does not infringe on your fundamental rights and freedoms. Legal basis for the Processing: Balancing of interests.
You may also agree to receive newsletters from us before making any purchase of Products via the Website by registering your email address for that purpose via the Website. Legal basis for the processing: Consent.
If you no longer wish to receive newsletters or marketing from us via email, you can object to this at any time by clicking on the unsubscribe link at the bottom of each email. You may withdraw your consent at any time, without this affecting the lawfulness of the processing based on the consent before its withdrawal.
If you unsubscribe from the newsletters, you will be removed from the email list of newsletter recipients, but your email address will remain in the database with a block on receiving newsletters. The purpose of this is to ensure that you do not receive multiple newsletters from us. In our assessment, both we and you have a legitimate interest in the Personal Data being processed for the above purpose. The processing is necessary for a purpose related to a legitimate interest, and your interest in the protection of your Personal Data does not outweigh this interest. Our assessment is that the processing in question does not infringe on your fundamental rights and freedoms. Legal basis for the processing: Balancing of interests.
If you want your email address to be deleted from the block list, you can contact us by email and request this. You are hereby informed that if your email address is deleted from the block list, you may receive newsletters from us again if you or someone else registers your email address to receive newsletters again.
- Other purposes for our processing of personal data:
If we are required by law, court order or official decision to process certain personal data, the processing will be based on legal obligation as the legal basis. In such cases, the Processing will only take place to the extent necessary for us to fulfil our legal obligations, and we will only Process necessary Personal Data for as long as required by law (in accordance with the principle of storage minimisation).
Based on our legitimate interest, we may process Personal Data to:
- protect our rights and property,
- carry out direct marketing of our Products,
- ensure the technical functionality of the Website,
- carry out anonymous performance measurements regarding the use of the Website and the sale of the Products.
Storage location and storage period
We strive to store all Personal Data that we Process within the EU/EEA, in accordance with the principles of integrity and confidentiality. If Personal Data is stored in a country outside the EU/EEA, we will ensure that such storage location ensures an adequate level of protection in accordance with the provisions of the GDPR and SCC.
Identification details, contact details and financial details belonging to Customers will be stored for up to seven (7) years after a purchase has been made via the Website. This data is stored so that we can handle any complaints, claims and returns in accordance with the consumer protection legislation in force at any given time, and so that we can match a payment against a receipt during the period we are required to store such accounting records in accordance with the legislation applicable at any given time.
As a general rule, personal data is stored for as long as it is necessary to fulfil the purposes for which it was collected. When the personal data no longer needs to be stored for the purposes for which it was collected, it is either deleted (erased) or anonymised, in accordance with the principle of storage minimisation.
We follow internal guidelines and written procedures regarding the deletion and logging of deleted Personal Data to ensure that the Processing of Personal Data is carried out in accordance with the GDPR.
Transfer of Personal Data
Personal Data that we Process is not shared with unauthorised persons. However, we may transfer Personal Data to someone else, such as authorities, if it is necessary to prevent, detect or investigate criminal activity, to protect our interests and our property, if we are required to disclose the information under applicable law, etc.
We may also share personal data with contracted data processors for purposes such as:
- safeguarding our legal interests;
- fulfilling our contractual and legal obligations;
- detecting and preventing technical, operational or security problems; and
- providing, improving and maintaining the website (software maintenance).
Examples of service providers we use are: web developers, document management systems, shipping companies, etc.
Before we share any Personal Data with such service providers, we enter into a Data Processing Agreement with them in accordance with the provisions of the GDPR (or SCC if the Data Processor is located in a country outside the EU/EEA). This is done to ensure the secure and correct Processing of Personal Data.
We may transfer Personal Data to supervisory authorities, other public entities, legal advisors, external consultants and partners, in accordance with applicable data protection legislation, if this is done to enable us to fulfil legal obligations or to fulfil our legitimate interests.
In the event of a merger or acquisition of our company, Personal Data may be transferred to third parties involved in the merger or acquisition.
We have determined that we have a legitimate interest in Processing Personal Data for the purposes set out above, and that our legitimate interest does not override your right to privacy and integrity. Legal basis for Processing: Balancing of interests.
Technical and organisational security measures
We take and implement various technical and organisational security measures with a focus on the privacy of the Data Subjects. The measures are intended to protect against intrusion, misuse, loss, destruction and other changes that may pose a risk to privacy (in accordance with the principle of privacy and confidentiality).
Below are examples of some of the security measures we take and implement:
- We have established internal procedures with instructions regarding the processing of personal data that our staff must follow. These include internal procedures for the deletion of personal data and the handling/documentation of personal data incidents.
- Internal procedures and policies are reviewed regularly, at least annually and as necessary.
- We have appointed a contact person for personal data matters who reports directly to the company's senior management.
- Our staff are obliged to maintain confidentiality regarding, among other things, Personal Data Processed within the scope of our business.
- Access to databases, IT systems and parts of the IT infrastructure and network requires a password.
- We follow the seven basic data protection principles in all processing of personal data. The principles are documented in our internal procedures.
Data subjects' rights under the GDPR
If we process your personal data, you have various rights under the GDPR regarding our processing of your personal data. Below are the privacy rights you have as a data subject with regard to our processing of your personal data:
- Right to information: You have the right to obtain information about our collection and use of your personal data when your personal data is processed by us. This privacy policy has been drawn up to provide you with information about our processing of personal data. You also have the right to obtain information about the processing upon request. In certain cases, we must also inform you if a personal data breach affecting your personal data occurs, such as a data breach.
- Right of access: You have the right to obtain information about whether we Process your Personal Data, as well as the right to access your Personal Data that we Process and information about how the Personal Data is used. If we Process your Personal Data, you have the right to obtain a copy of the Processed Personal Data in the form of a register extract (a summary of the Personal Data we Process about you).
Such a copy is free of charge, but if you request copies on a regular basis, we are entitled to charge an administrative fee. You also have the right to obtain information about, among other things: the categories of Personal Data we Process, the purpose of the Processing, the time limit for the Processing, how we have collected the Personal Data, who has had access to the Personal Data, etc. The purpose of the register extract is to enable you to check the legality and accuracy of the data. However, this does not mean that you have the right to obtain the documents containing the Processed Personal Data.
- Exceptions to the right of access: There may be situations where the disclosure of certain information would be detrimental to other persons, or where other legislation or other exceptions prevent the disclosure of certain information or register extracts. In such situations, we are not permitted to disclose the information in question, and there may therefore be information about you that you are not entitled to access.
- Right to rectification: We are responsible for ensuring that the Personal Data we Process is accurate and up to date. However, Personal Data may be inaccurate or incomplete. If we Process Personal Data about you that is inaccurate or incomplete, you have the right to contact us to have your Personal Data corrected. After we have corrected the information, we will notify you of this, provided that it is not too burdensome for us.
- Right to erasure: We will erase your Personal Data at your request. This is also known as the ‘right to be forgotten’. In addition, there are other occasions when we will erase your Personal Data that we Process.
For example, when: it is no longer necessary for the purpose for which it was collected, when the legal basis is consent and you withdraw your consent, when you object to direct marketing, if the Processing is not lawful, etc.
You have the right to withdraw your consent at any time (however, this does not affect processing that has previously been carried out based on your consent). When we delete Personal Data at your request, we will inform you after the deletion has been carried out, provided that this is possible and not too burdensome for us.
- Exceptions to the right to erasure: However, we have the right to continue processing your personal data, and thus not erase the personal data despite your request, if the processing is necessary: a) to satisfy the right to freedom of expression and information, b) to fulfil a legal obligation, c) to perform a task carried out in the exercise of official authority or in the public interest, d) to defend, establish or assert legal claims, e) for archiving purposes in the public interest or for statistical, historical or scientific purposes, or f) for reasons of public interest in the area of public health.
- Right to restriction: In certain cases, you have the right to request that our processing of your personal data be restricted. This means that the personal data may only be processed in the future for the limited purpose. Examples of situations where this right applies to you are if the personal data we process is incorrect and you ask us to correct it. In addition, we will inform you when the restriction ceases. The right to restriction also applies specifically in the following situations:
- Processing of personal data that is no longer necessary: If we no longer need to process certain personal data, we will, as a general rule, delete the personal data, but if you do not want us to delete it, for example because you want to be able to request the data in the future, or if you need it for a legal claim such as in a dispute, you can request restriction of our processing of the personal data.
- Pending appeal: If you have objected to our processing of your personal data and we are investigating the matter, you have the right, pending verification of the appeal, to request that we do not process the personal data in question.
- Disputing the accuracy of personal data: If you have invoked your right to rectification and dispute the accuracy of certain Personal Data about you that we Process, you have the right, during the period we assess the matter and your dispute, to request that we do not Process the Personal Data in question.
- Right to transfer your personal data: You have the right to request that we transfer your personal data to you or another third party. This right is also known as the right to data portability. Upon your request to transfer your personal data, we will provide your personal data in a structured, commonly used, machine-readable format.
You are hereby informed that this right only applies if the processing of personal data is carried out automatically, and only if our processing is carried out to fulfil an agreement to which you are a party or is based on your consent. However, the transfer of personal data to another company will only take place if it is technically feasible.
- Right to object: You have the right to object when your Personal Data is Processed to perform a task in the public interest, as part of the exercise of official authority, or when it is Processed after a balancing of interests.
If you object on this basis, we will cease processing unless our interests override your interests, rights and freedoms. In such cases, we will inform you of the balancing of interests we have carried out and our interests.
If we process your Personal Data for direct marketing purposes, you have the right to request that we cease processing your Personal Data for that purpose. In such cases, we will also inform you when we have deleted the Personal Data if you so request.
- Rights when decisions are made automatically: In short, automated decisions involve processing that is automatic, for example through algorithms, where personal data is processed to assess and analyse personal characteristics of an individual.
Automated decisions may have legal consequences for the Data Subject or affect the Data Subject in other significant ways, and if so, the Data Subject has the right not to be subject to the automated decision. If an automated decision has been made, with or without profiling, you have the right to have the automated decision reviewed or to contest it.
How to exercise your rights
You are welcome to contact us using the contact details provided below if you wish to exercise any of the above rights regarding your Personal Data that we Process.
It is free of charge to exercise your rights, provided that your requests are not excessive, repetitive or manifestly unfounded. In such cases, we have the right to charge a reasonable fee for handling your request or to refuse to comply with your request.
Before we process or respond to your request, we may ask you for additional information if necessary to confirm your identity.
We will inform you of our handling of your request without delay and at the latest within one month of receiving the request. If the request is complex or if, for example, we have received a large number of requests, this period may be extended by a further two months. In such cases, we will notify you of the extension within the first month after receiving your request.
If we are unable to comply with your request due to applicable legislation or other exceptions, we will notify you of this and inform you of the reasons why we are unable to comply with your request within the limitations imposed by law.
Personal data breaches
According to the GDPR, a personal data breach is a security incident that has resulted in the destruction, loss, alteration or unauthorised disclosure of Processed Personal Data. An incident may be intentional or unintentional, for example through negligence or due to a crime (data intrusion, etc.).
Supervisory authorities are independent public authorities. Each country within the EU has appointed its own supervisory authority to handle GDPR-related matters. In Sweden, the supervisory authority is the Swedish Data Protection Authority (IMY).
We comply with the provisions of the GDPR regarding the handling, reporting and documentation of personal data breaches. When required by the GDPR, we will report any personal data breaches to the IMY within 72 hours and notify the Data Subjects affected by the personal data breach.
Changes
The content of this privacy policy may be updated from time to time without prior notice. This may happen, for example, if it is necessary to clarify something, because of changes in legislation, or if our processing of personal data changes.
The latest version is always published on the Website and is available to the public. You are responsible for reading the content of this privacy policy and keeping yourself informed of any changes.
Questions or complaints
If you have any questions or concerns, or are dissatisfied with our processing of your personal data, you are always welcome to contact us.
Our company and contact details are as follows:
Company name: Hulténs I Sverige AB.
Company registration number: 556920–4836.
Address: Meteorvägen 4, 245 34 Staffanstorp.
Email: support@hultens.se
Telephone: +46 46-250 252.
Data Protection Authority (IMY)
Name: Data Protection Authority (IMY).
Telephone: +46 8-657 61 00.
Email: imy@imy.se.
Postal address: Data Protection Authority, Box 8114, 104 20 Stockholm.