Privacy Notice

We value your privacy. The purpose of this information is to describe how Rosti Group AB or the Rosti entity you are in contact with (“Rosti”) processes your personal data in a legal, suitable and safe manner, and what rights you have when you or the company or organization you represent request or buy our services and/or products, when you or the company or organization you represent provide your services and/or products to us, when you are a representative of a potential customer of Rosti, when you visit our website or when you are in contact with us.

If you have any questions or if you want to exercise any of your rights, you are most welcome to contact us at [email protected].

Rosti Group AB, reg. no 556308-9456, having its registered address at Västra Varvsgatan 19, 211 77 Malmö, Sweden, or the subsidiary you are in contact with, is the data controller for the processing of personal data in accordance with this information.

In the table below, you can find information about our processing of your personal data. We describe the purpose of the processing, i.e., why we process your personal data. For each purpose, we also specify which categories of personal data we may process to achieve the purpose, the legal basis for the processing, and for how long we will process the data.

Purpose Categories of personal data Legal basis Retention period
Purpose: To provide services and/or products that you as a customer have requested.
Categories of personal data: Contact details, such as name and email address, business card title, role, information regarding your employer and place of work and answers from our customer survey, if provided. Billing information. Information about agreements between Rosti and your employer. Login information to our website.
Legal basis: Fulfillment of the agreement with you or the company/organization you represent.
Retention period: During the contract period and the following 12 months. Contact details will be processed for as long as we have a business relationship.

Purpose: To be able to administer our contractual relationship with you or the company/organization you represent regarding services and/or products you provide us.
Categories of personal data: Contact details, such as name and email address, business card title, role, information regarding your employer and place of work and answers from our customer survey, if provided. Billing information and information from invoices. Information about your services and/or products we have bought or are considering buying.
Legal basis: Fulfillment of the agreement with you or the company/organization you represent. Legal obligation, if the information from invoices is necessary to process for fulfillment of Rosti’s obligations regarding accounting.
Retention period: During the time we have an ongoing business relationship with you and 12 months after the last purchase or contact, or depending on what is stated in the business agreement. Contact details are retained if it is not unlikely that the information will become relevant. Seven years.

Purpose: To comply with applicable legislation, such as accounting legislation or the Act on the Protection of Persons Reporting Irregularities.
Categories of personal data: Billing information. Information about agreements between Rosti and your employer. Information included in a report on irregularities submitted to us.
Legal basis: Legal obligation.
Retention period: Seven years. A maximum of two years after the end of a follow-up of a report.

Purpose: For handling any potential warranty or complaint issues.
Categories of personal data: Contact details, such as name and email address, business card title, role, information regarding your employer and place of work and answers from our customer survey, if provided. Information about agreements between Rosti and your employer. Correspondence.
Legal basis: Fulfillment of the agreement with you or the company/organization you represent.
Retention period: During the warranty period and the following 12 months.

Purpose: To safeguard and protect the legal interests of Rosti.
Categories of personal data: Contact details, such as name and email address, business card title, role, information regarding your employer and place of work. Correspondence. Information about the agreement between Rosti and your employer.
Legal basis: Rosti bases such processing of your personal data on the legitimate interest of Rosti to protect and assert its rights in the event of a dispute.
Retention period: The personal data will be processed until the legal process is completed, if applicable.

Purpose: To be able to market our services and/or products as well as our business through channels such as mailings, website, special offers, and via social media.
Categories of personal data: Contact details, such as name and email address, business card title, role, information regarding your employer and place of work and answers from our customer survey, if provided, information on marketing you have received and interacted with. Information about agreements between Rosti and your employer. Information about your device, such as IP address, when you visit our website. Any social media usernames.
Legal basis: For the processing of your personal data, we use the legal basis of legitimate interest, where our legitimate interest is to be able to market our services/products and our business. If you have given your consent to certain marketing, we will base our processing of your personal data on the legal basis consent. You can withdraw your consent at any time.
Retention period: 12 months after the end of our business relationship. Contact details are retained if it is not unlikely that the information will become relevant.

Purpose: To be able to provide customer service.
Categories of personal data: Contact details, such as name and email address, business card title, role, information regarding your employer and place of work and answers from our customer survey, if provided. Information about agreements between Rosti and your employer.
Legal basis: Fulfillment of the agreement with you or the company/organization you represent.
Retention period: 24 months after the end of our business relationship.

Purpose: To enable general customer and supplier care (quality work, statistics, market and customer/supplier analysis, as well as business, method, and product development).
Categories of personal data: Contact details, such as name and email address, business card title, role, information regarding your employer and place of work and answers from our customer survey, if provided. Information about agreements between Rosti and your employer.
Legal basis: For such processing of your personal data, we use the legal basis of legitimate interest, where our legitimate interest is to be able to develop our business.
Retention period: Ten years from the date of completion of the assignment.

Purpose: To maintain and develop the website.
Categories of personal data: IP address and behavior on the website.
Legal basis: The processing of personal data carried out when the use of cookies on the website is consented to.
Retention period: See Cookie Policy.

Purpose: To be able to rehire/recruit. Please see “Privacy Notice Recruitment” for more information on processing during the recruitment process.
Categories of personal data: Name, social security number, contact details, information you have provided in application documents and during interviews, information about work permit if applicable.
Legal basis: For such processing of your personal data, we use the legal basis of legitimate interest, where our legitimate interest is to evaluate your qualifications and personal characteristics in connection with recruitment decisions. In connection with employment, we need to know if the requirements for employment and work in the country where you apply for a job in are met. For such processing, we use the legal basis of legal obligation, as we have an obligation to inform the competent authority about your employment.
Retention period: The personal data collected during the recruitment process will be stored until the recruitment process is completed and the position is filled, and for an additional period of two years thereafter.

We only process personal data that is necessary to achieve the purposes stated above and only for the time necessary to achieve those purposes. Exactly which personal data we process about you depends on how you as a customer or supplier have come into contact with us and which of our services and/or products we provide to you or the company you represent, or which of your services and/or products you provide to us.

To enable Rosti to comply with the legal obligations arising from applicable legislation or to safeguard our legal interest, we may keep the personal data for a longer period than stated above. However, personal data is never processed longer than necessary or legally required for each purpose.

In addition to the personal data that you provide to us or that we collect from you, we may also collect personal data from third parties. These third parties may vary from time to time but may include providers of address information from public records.

When asked to provide personal data to us, you can choose not to do so. If you choose not to provide us with personal data that is necessary for us to fulfil our commitments to you, it may lead to us being unable to fulfil such commitments.

You are entitled to receive information regarding our processing of your personal data. Below is a summary of the rights that you can exercise by contacting us.

Right to access

You have the right to request information about the processing of your personal data, free of charge. You also have the right to receive a copy of the personal data we process about you. This request should be made in writing to us, with a clarification of which information you wish to access. We will respond to your request as soon as we can. If we cannot meet your request for access to the information you are requesting, we will provide a justification for this. The copy of your personal data will be sent to your registered address, unless otherwise agreed with you in writing.

Right to rectification

The main responsibility for ensuring that the personal data we process is correct lies with Rosti as the data controller. If you inform us that the personal data you have provided is no longer correct, we will promptly correct, block, or delete such personal data.

Right to erasure

You have the right to request that Rosti deletes your personal data without undue delay. Personal data shall be deleted in the following cases:

  1. if the personal data is no longer necessary for the purpose for which it was collected;
  2. if you have withdrawn your consent and the processing is based solely on consent as a legal basis;
  3. if the processing is for direct marketing purposes and you object to the processing of your personal data for this purpose;
  4. if you object to the processing of your personal data based on a legitimate interest and your interest outweighs ours;
  5. if your personal data has not been processed in accordance with applicable data protection legislation; or
  6. if deletion is required to comply with a legal obligation.

There may be obligations that prevent us from immediately deleting all of your personal data. These obligations are imposed by applicable legislation, such as accounting regulations. If certain personal data cannot be deleted due to legislation, we will inform you of this and ensure that the personal data can only be used for the purpose of fulfilling such obligations and not for any other purposes.

Right to restriction

You have the right to request that Rosti temporarily restrict the processing of your personal data. Such a restriction may be requested in the following cases:

  1. if you believe that the personal data we have about you is not correct and you have requested correction in connection with that;
  2. when the processing carried out regarding your personal data is not in compliance with applicable data protection legislation, but you do not want your personal data to be deleted and instead want its processing restricted; and
  3. when we no longer need your personal data for the purposes of our processing but we need it to establish, assert or defend a legal claim.

If you object to the processing of your personal data, the use of the personal data may be restricted while an investigation is being conducted. When restricting your personal data, Rosti will only store your personal data and will seek your consent for any further processing.

Right to data portability

You have the right to request that, in the event we process your personal data with your consent or to fulfil a contractual obligation with you, we provide all personal data that we process regarding you and that is processed in an automated manner, in a machine-readable format. This can, for example, be an Excel file or a CSV file. If technically possible, you also have the right to request that we transfer your personal data to another data controller.

Right to object

You have the right to object to our processing of your personal data if the processing is based on our legitimate interest. In these cases, Rosti will ask you to specify which processing you object to. If you object to any processing, we will only continue processing your personal data if we have legitimate interests that outweigh your interests. We will always inform you of this.

Right to withdraw consent

If we process your personal data based on your consent, you have the right to withdraw your consent at any time. To withdraw your consent, you can contact us using the contact information below.

Right to submit a complaint

If you have a complaint regarding Rosti’s processing of personal data, you can contact us at [email protected], or the supervisory authority in the member state where you have your place of residence or where the alleged breach has been conducted to file a complaint. The current supervisory authority in Sweden is the Swedish Authority for Privacy Protection. Their contact details are the following:
Webpage: https://www.imy.se/en/
Phone: 08-657 61 00
E-mail: [email protected]

Only those individuals at Rosti who need access to your personal data in order to perform their job duties will have access to the personal data.

To provide certain services, we use selected third parties. The sharing of your personal data with third parties is based on the same purposes and legal bases for which the data was collected. Rosti takes technical and organizational measures to ensure that your personal data is handled in a safe and secure manner. Below are the categories of recipients with whom your personal data may be shared:

Suppliers and subcontractors: Rosti uses third-party suppliers to manage parts of its business, such as companies that deliver technical support, management of IT systems and marketing services. Rosti may share personal data with these suppliers when they perform services on behalf of Rosti. When Rosti uses such suppliers, it enters into a data processing agreement and takes other appropriate measures to ensure that your personal data is processed securely.

Banks and other companies that Rosti collaborates with: Rosti also shares your personal data with other independent data controllers such as banks and partners. These recipients are independent data controllers for their processing of your personal data.

Companies within the group of companies: Rosti may share your personal data with other companies within the same group of companies, if it is necessary to fulfil the purposes stated in this information.

Social media: Rosti uses social media. When using social media, your personal data is collected and processed by these companies. Kindly see each company’s privacy policy for more information.

Courts, authorities, and other public bodies: Rosti will also disclose your personal data if required by law, government decision or court order, or if we, as a company, reasonably believe that the disclosure is necessary to protect Rosti’s rights.

Rosti will not sell your personal data to third parties without your prior approval. We may transfer your personal data to a buyer/investor or potential buyer/investor in connection with a restructuring, sale or other transfer of all or part of Rosti’s shares, assets or our business. Before such transfer, we will take measures to ensure that the receiving party processes your personal data in a manner consistent with this information.

As an international company and group of entities, Rosti will, if necessary, transfer personal data to our entities and suppliers located outside the EU/EEA. In such a third country, the GDPR does not apply. This means that you do not automatically have the same rights and protection for your personal data as the GDPR guarantees. We protect your personal data by either basing the transfer on an adequacy decision by the European Commission or by taking appropriate security measures, such as entering into the European Commission’s standard contractual clauses in combination with organizational and technical protective measures, to ensure that your personal data continues to be protected during and after the transfer. You can read more about which countries are considered to offer an adequate level of data protection on the European Commission’s website here. You can find more information regarding the standard contractual clauses here.

We conduct a risk assessment before any transfer takes place, and we implement technical and organizational protection measures to ensure an appropriate level of protection. We transfer as little personal data as possible and anonymize the personal data before the transfer, whenever possible. For more information on which protection measures we take in individual cases, please contact us.

The following recipients outside the EU/EEA might receive your personal data:

Companies within the group of companies: Rosti is an international group of companies. It is therefore possible that your personal data is transferred to a company within the group of companies located outside the EU/EEA. This will only occur when necessary to perform the services you have requested from Rosti. Any transfers between the companies within the group of companies are regulated, and suitable security measures are taken in order to protect your personal data. Rosti has entities located in the UK, China, the US, Malaysia and Turkey.

Suppliers and subcontractors: We may share your personal data with suppliers and subcontractors located outside the EU/EEA. This may, for example, include providers of IT services. Here, we list our suppliers and subcontractors outside the EU/EEA.

Microsoft Office 365: When using Microsoft Office 365, your personal data will be processed by Microsoft Corporation. When Microsoft receives your personal data, it may be transferred to the United States. You can read more about their processing of personal data here.

You can read more about Microsoft’s transfers to third countries and about the standard contractual clauses here.

Social media: When you visit, appear on, or otherwise use Rosti’s channels on social media, your personal data is also collected and processed by the company that owns the social media platform. In connection with these companies receiving personal data through Rosti’s channels, the personal data may be transferred to, among other places, the United States.

Facebook: By using the services, your personal data is processed by Meta Platforms Ireland Ltd. You can read more about the processing of personal data here.

You can read more about Meta’s transfers to third countries and the standard contractual clauses here.

LinkedIn: By using the services, your personal data is processed by Microsoft Corporation. You can read more about Microsoft’s processing of personal data here and more about their transfers to third countries here.

To protect your privacy, detect, prevent, and mitigate the risk of attacks, etc., Rosti takes a variety of technical and organizational information security measures. Rosti also takes measures to protect your personal data from unauthorized access, misuse, disclosure, alteration, and destruction. Rosti ensures that access to your personal data is only given to personnel who need it to perform their duties and that they observe confidentiality.

We may make updates or changes to this information from time to time due to changes in applicable laws or regulations, or due to changes in our personal data handling procedures. We will notify you of any material changes that affect your personal information.

If you have any questions regarding this information or the processing of personal data, you are most welcome to contact us at [email protected].

This information was updated 23 January 2025