Arevo Privacy policy

Policy for personal data management – Arevo AB

Introduction and purpose

The purpose of this policy is to ensure that Arevo handles personal data in accordance with the EU's General Data Protection Regulation (GDPR) and describes how we at Arevo collect, use and protect your personal data.

The policy covers all processing where personal data is handled.

Application and Revision

The CEO is responsible for ensuring that the processing of personal data complies with this policy.

The policy must be established by the board and updated as necessary.

The CEO is responsible for maintaining the process of updating the policy as a result of new and changed regulations.

This policy is applicable to the company's board members, CEO, employees and contractors affected by our operations.

Organization and responsibility

The CEO has overall responsibility for the content of this policy and that it is implemented and complied with by the business.

The CEO may delegate responsibility and implementation to the appropriate person in the company.

All employees are responsible for acting in accordance with this policy and what it aims to ensure.

Concepts and abbreviations

Concept: Meaning

Personal data: Personal data is any kind of information that can be directly or indirectly attributed to a physical person who is alive.

Registered: The person who can be directly or indirectly identified through the personal data in a register.

Personal data processing: An action or combination of actions concerning personal data - regardless of whether they are performed automatically or not - such as collection, registration, organization and structuring.

Personal data processing

Every personal data processing must take place according to the following principles:

• Legality
• Purpose limitation
• Task minimization
• Correctness
• Storage minimization
• Privacy and confidentiality.

The personal data the company will process about you as an employee consists of name, address, social security number, contact details for relatives, salary and account details. Otherwise, we may process e-mail address, grades, certificates, education and work experience, photography, test results, health checks and drug test results.

The company may also need to process sensitive personal data about you, such as information about your health. For example, health data may need to be processed in order for us to fulfill our obligations as an employer.

In the event that you agree to be photographed or that you leave a photograph of yourself without a request from us, you agree to us processing such photograph.

The company also needs to collect and store contact information to be able to fulfill agreements and legal requirements or to be able to submit quotes and keep in touch with customers in ongoing assignments.

The company will not collect more information than we need to provide our services to you.

Our data processing is continuously documented in the GDPR register.

Follow-up and evaluation of our handling of personal data must take place annually.

Saving of personal data

How long personal data is saved depends on which personal data it is and the purpose of its processing. As a general rule, personal data relating to:

- employment contract, as long as the employment lasts and ten (10) years thereafter;
- information about business events, such as information about time sheets, participants, assignments, salary, invoice, declarations, financial statements, during the contract period and for ten (10) years thereafter;
- control data, until our pension commitment ends.

Sharing of personal data

When required, we may disclose your personal data to third parties, such as suppliers for payroll administration, technical support, operation of IT systems or external testing companies.

We will also disclose personal data that we are obliged to according to applicable law, court orders or if such disclosure is otherwise necessary to participate in a legal investigation.

In the event that we are subject to a reorganization, merger or sale, we may transfer personal data to the relevant third party, provided that the third party undertakes to process the personal data in accordance with this Privacy Policy.

We will not sell or distribute personal data to third parties.

Outside the EU/EEA

Parties to whom we may disclose personal data may be located outside the European Economic Area (EEA), which means that personal data may be transferred to countries outside the EEA. In such cases, we will take measures to ensure that the personal data continues to be protected and also take the necessary measures to legally transfer personal data to countries outside the EEA.

The data subject's rights

As a registered user, you have the right to receive information about the personal data we process about you and information about the scope and purpose of such processing, free of charge, after a written and signed application has been sent to us. You as an individual also have the right to request that we erase or correct your personal data at any time, as well as the right to withdraw a given consent and notify that you object to continued processing of your personal data. Such rights only apply when personal data processing is not covered by another legal basis, such as tax legislation, accounting law, labor legislation and the like.

Incidents

Any incidents concerning personal data that we process must be reported without delay and notified to the Data Protection Authority within 72 hours at the latest, and other necessary measures must be taken due to the incident.

Personal data controller

Arevo AB Organization number 556995–8423

Address: Box 4095, 904 03 Umeå

Contact person: Niklas Åström

e-mail address: niklas.astrom@arevo.se