PRIVACY POLICY

  1. GENERAL
     
    1. This privacy policy always applies, unless otherwise agreed in writing, for the processing of personal data performed by CarbonCloud AB reg.no 559091-0716, (“CarbonCloud”).

    2. Concepts in this privacy policy, e.g. “data controller”, “data subject”, “personal data”, “processing”, “data processor”, “standard contractual clauses” and “supervisory authority”, shall have the meaning ascribed to them in Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”) or otherwise in the, where applicable, unless the circumstances distinctly require another order of interpretation.

    3. This privacy policy serves to assure that CarbonCloud processes personal data in accordance with applicable privacy laws and regulations.

    4. Below follows a description of how CarbonCloud processes personal data as well as information regarding the rights of the data subjects and how the data subjects can get in contact with CarbonCloud and/or exercise its rights.


  2. CHANGES TO THE PRIVACY POLICY

    • CarbonCloud may at its sole discretion make changes to this privacy policy. CarbonCloud undertakes to inform affected data subjects of any material changes to the privacy policy. 


  3. OBJECTIVES AND LEGAL BASIS FOR CARBONCLOUD’S PROCESSING OF PERSONAL DATA

    1. The main purpose of CarbonCloud’s processing of personal data is to enable CarbonCloud to offer its services in full, provide information about the services and market the services. CarbonCloud may however also process personal data due to a legal obligation (e.g. when CarbonCloud must save the data according to accounting rules), or in order to defend CarbonCloud against legal claims.

    2. The collection and processing of personal data in order to provide, market, or inform about CarbonCloud’s services is made on the legal basis of either the data subjects approval, a contractual obligation between the data subject and CarbonCloud (or CarbonCloud’s principal if applicable), or an existing legal obligation for CarbonCloud (or CarbonCloud’s principal if applicable). Exceptions are made for cases where prior consent is not possible for practical reasons, the processing of the data is permitted by law, and when CarbonCloud has a legitimate interest in processing the personal data (e.g. for marketing, follow-up of the services, or for exercising or defending CarbonCloud against legal claims) according to a so-called balance of interests.

    3. The collection and processing of personal data in order to comply with legal obligations or in order to defend CarbonCloud against legal claims is made on the legal basis of the legal obligation or a balance of interests.

    4. CarbonCloud does not process any sensitive personal data regarding the data subject without the express consent of the data subject (either to CarbonCloud or CarbonCloud’s principal if applicable).


  4. SHARING OF PERSONAL DATA TO THIRD PARTIES

    1. CarbonCloud will not share personal data with any third party in any other way than what follows from this privacy policy, unless CarbonCloud is given prior consent from the data subject, or unless CarbonCloud is obliged to do so following the applicable regulations or unless the personal data is shared in connection with an ongoing legal-, administrative- or recovery procedure in which the data subject and CarbonCloud are both parties.

    2. CarbonCloud may use subcontractors for the processing of personal data (so-called personal data assistants). CarbonCloud may also need to use the subcontractor’s services to store personal data. CarbonCloud will always limit such subcontractors’ access to personal data to the minimal amount needed for CarbonCloud to still be able to reach the objective of the processing of the personal data.

    3. CarbonCloud requires all subcontractors to (i) protect personal data in accordance with this privacy policy and (ii) not use or disclose personal data for any purpose other than to provide the agreed-upon services to CarbonCloud.


  5. STORING OF PERSONAL DATA

    1. All personal data stored by CarbonCloud is stored locally with CarbonCloud, or on an external server provided by CarbonCloud’s personal data assistant in the EU/EEA.
    2. Personal data will not be stored for any longer than necessary, with regards to the objective of the processing, and taking into account CarbonCloud’s legal obligations regarding accounting regulations etc.
    3. CarbonCloud regularly deletes personal data which is no longer needed with regard to the objective of the processing, in accordance with the applicable regulations in force at any time.

  6. TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EES

    1. CarbonCloud will not transfer personal data to countries outside the EU/EEA. Should CarbonCloud need to do so in the future, e.g. due to CarbonCloud choosing a digital service provider based in a country outside the EU/EEA, CarbonCloud will only transfer personal data if the receiving country has an adequate level of protection according to applicable laws and regulations.


  7. THE RIGHT TO REQUEST INFORMATION
    1. The data subject has a right to request and obtain, free of charge, information regarding what personal data, relating to such data subject, is being processed, at any time, by CarbonCloud (a so-called register extract).

    2. If a data subject wishes to know if CarbonCloud processes any personal data about the data subject, he or she can send a written request to CarbonCloud in accordance with section 16 below. In the request, the data subject needs to indicate specifically what kind of information the data subject is interested in receiving (unless the data subject is interested in receiving information about all personal data being processed). That way, CarbonCloud can provide the data subject with information that is relevant.
    3. If a data subject repeatedly sends requests for extracts from the register, CarbonCloud may charge a fee or, in some cases, in accordance with statutory law, refuse to comply with the requests.

    4. The extract from the register will be sent to the data subject within 30 days from the time CarbonCloud received the request. If the extract is extensive and CarbonCloud needs more time or if CarbonCloud for some reason cannot comply with the data subject’s request, CarbonCloud will without undue delay notify the data subject thereof.


  8. THE RIGHT TO RECTIFICATION
    1. In order to fulfill its obligations to always have accurate and relevant personal data, CarbonCloud systematically works with its registers and updates personal data where necessary.

    2. If a data subject notices that the personal data CarbonCloud processes are incorrect or if CarbonCloud lacks important personal data, the data subject has the right to have their personal data corrected.

    3. CarbonCloud normally performs simple data corrections without consideration, but in some cases CarbonCloud may need to consider the data subject’s request. CarbonCloud will not approve the data subject’s request if it is impossible or requires an unreasonable amount of work.
    4. In the event that personal data is changed at the data subject’s request, CarbonCloud will inform any subcontractors and partners that process the personal data about the change. Upon written  request by the data subject, CarbonCloud will also inform the data subject about to whom the corrections have been submitted


  9. THE RIGHT TO ERASURE

    1. A data subject has the right to request that CarbonCloud erases personal data when:

      1. they are no longer needed for the objectives for which they have been collected and for which they are being processed;
      2. CarbonCloud processes personal data on the legal basis of consent and the data subject withdraws said consent;
      3. CarbonCloud processes personal data for direct marketing and the data subject opposes the continued processing for this objective;
      4. CarbonCloud processes personal data on the legal basis of a balance of interests and there are no legitimate interests that outweigh the data subject’s interest;
      5. CarbonCloud does not process personal data in accordance with applicable regulations;
      6. It is required that personal data is erased in order to fulfill a legal obligation; or
      7. there is another relevant legal basis for the data subject’s request to erase the personal data.

    2. CarbonCloud has the right to refrain from erasing personal data if CarbonCloud needs to retain it in order to fulfill a legal obligation, to be able to make legal claims against a data subject, or in defense against legal claims from a data subject.

    3. When CarbonCloud receives a data subject’s request regarding erasure, CarbonCloud will conduct an assessment in order to evaluate if there are reasons to erase the personal data. The data subject will then be informed about CarbonCloud’s assessment. If the personal data is erased at the data subject’s request, CarbonCloud will also instruct suppliers and third-party partners, to which personal data has been transferred, that the personal data are to be erased.


  10. THE RIGHT TO RESTRICTION OF PROCESSING

    1. A data subject has the right to request the restriction of CarbonCloud’s processing of personal data when:

      1. the data subject has disputed the accuracy of the personal data, during the time CarbonCloud has the opportunity to check whether the personal data is correct;
      2. the processing is illegal, and the data subject opposes that the personal data is deleted and instead requests a limitation of its processing;’
      3. CarbonCloud no longer needs the personal data for the purposes of the processing, but the data subject needs the personal data to be able to determine, enforce or defend legal claims; or
      4. the data subject has objected to processing in accordance with section 12 below, when awaiting information on the legitimacy of whether CarbonCloud’s interests outweigh the interests of the data subject.

    2. Restriction of processing implies that the personal data will be marked, so that they in the future may only be processed for certain limited purposes.


  11. DELETION OF PERSONAL DATA

    1. Personal data will not be retained for any longer than is necessary with regard to the objective of the processing, and CarbonCloud will otherwise delete personal data in the manner that follows applicable regulations.

    2. If a data subject requests that personal data shall be deleted, CarbonCloud will delete or de-identify the personal data no later than 30 days from the reception of the request. This is provided that the personal data are not required to be saved in order for CarbonCloud to fulfill its legal obligations or to be able to exercise its legal claims.


  12. THE RIGHT TO WITHDRAW CONSENT AND OBJECT TO PROCESSING

    1. A data subject has the right to object to CarbonCloud’s processing of personal data which CarbonCloud processes on the legal basis of a so-called balance of interests.

    2. If a data subject wishes to exercise the right to object to the processing, the data subject needs to specify in writing which processing the data subject objects to.

    3. In the event of an objection by a data subject, CarbonCloud may only continue to process the personal data if CarbonCloud can show that there are compelling and entitling reasons for why the personal data must be processed, and provided such reasons outweigh the data subject’s interests.

    4. If personal data is processed for direct marketing, a data subject always has the right to object to the processing at any time.


  13. THE RIGHT TO DATA PORTABILITY

    1. If a data subject has provided their personal data to CarbonCloud, the data subject may, in some cases, be entitled to extract his or her personal data in order to, for example, move them to another company.

    2. In order for a data subject to be able to use his or her right to so-called data portability, the data subject’s request must relate to personal data that the data subject themselves has provided to CarbonCloud and which CarbonCloud processes with the consent of the data subject or to fulfill an agreement with the data subject.

    3. The right to data portability does not apply when CarbonCloud’s processing of the data subject’s personal data is based on a balance of interests or a legal obligation for CarbonCloud. The right to data portability does not apply when data portability is technically difficult to implement.


  14. THE RIGHT TO COMPLAIN

    1. A data subject has the right to complain about CarbonCloud’s processing of personal data.

    2. CarbonCloud kindly asks that any data subject who wishes to complain initially contacts CarbonCloud, so that CarbonCloud can address the complaint and assist the data subject in the best way possible.


  15. SECURITY

    1. CarbonCloud undertakes to implement all appropriate technical and organizational security measures, that are required in accordance with applicable regulations, to ensure a high level of security, appropriate to the risks of the processing of personal data, and to protect personal data from accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of, or access to, processed personal data.

    2. Upon written request by a data subject, CarbonCloud will inform the data subject about which security measures are being implemented for the personal data of the data subject.


  16. CONTACT INFORMATION

    1. If a data subject wishes to exercise their rights under this privacy policy, a request shall be made in written form and sent to CarbonCloud by email to hello@carboncloud.com.

    2. If the data subject has any questions about this policy or CarbonCloud’s personal data processing, the data subject can contact CarbonCloud by email at hello@carboncloud.com.