We process personal data for various purposes. The purposes for which we process your personal data depends, among other things, on the relationship you have with us and how you interact with us. Put simply, we process personal data to:
Further below you will find more information about our processing of personal data. In the information, we describe, for example, the specific purposes for which we process personal data and with what legal basis, who is response (is the controller) for the processing of personal data, with which external recipients we share personal data and how long we store personal data.
You have certain rights in relation to your personal data according to data protection regulations. For more information about your rights and how to exercise these rights, please see the Information about your rights in the information about our processing of personal data below.
If you have any questions regarding our processing of personal data, please feel free to contact us.
You can e-mail our contact person on the following address GDPR@soyagroup.com, or write a letter to:
Soya Group AB
Box 17086
SE-104 62 Stockholm
Last updated: February 2025
You have the right to receive information about how and why we process personal data. In this information about our processing of personal data, we therefore describe what personal data we process and why, and what rights you have in relation to your personal data under the General Data Protection Regulation (GDPR).
This information about our processing of personal data consists of two parts:
Personal data means any information that, directly or indirectly, relates to an identified or identifiable individual. Examples of personal data include your name, e-mail address, or the IP address that your device uses.
Processing means any action taken in relation to personal data, for example collection, storage and transmission. Each processing of personal data must be carried out for a specific purpose. We outline further below for which purposes we process personal data.
This information covers you who:
Soya Group AB, company registration number 556062-4372, (”Soya Group”, “we”, “us”) is responsible (is the controller) for the collection and processing of your personal data as described in this information, unless otherwise is stated. Contact details to us can be found further down in Section 12 of this information.
Soya Group provides certain services within the group. When Soya Group is involved in the same processing of personal data that a group company carries out for a joint purpose, Soya Group is a joint controller together with the relevant group company for the processing. For more information regarding which processing of personal data that Soya Group together with the relevant group companies, where applicable, is jointly responsible for, please see our detailed information about our processing of personal data. This information is also available in each group company’s own information on processing of personal data. For information about which group companies that are a part of the Soya Group group of companies, please see this page.
Soya Group and the relevant group companies have entered into a mutual arrangement pursuant to Article 26 of the GDPR to allocate the responsibility between the parties and to ensure the protection of your personal data when we are jointly responsible for the processing of your personal data together with a group company. You have the right to receive information on the essence of this arrangement. In such cases, you are welcome to contact us, please see contact details in Section 12 below. The content of this information also reflects this arrangement.
The personal data that we collect is mainly collected directly from yourself when you provide your personal data to us, for example when we interact with you or when you otherwise communicate with us.
We also collect, where necessary, personal data from other sources:
Below we describe for which purposes we process personal data. For which purposes we process your personal data may vary depending on, among other things, your relationship with us and how you interact with us. We have therefore divided the information for which purposes we process personal data into different sections depending on the relationship you have with us, for example if you are a contact person or if you use our website and other digital channels.
Please note that in many cases we collect and process your personal data for several parallel purposes, for example to manage the relationship with you, but also to communicate with you, for example for marketing purposes. If you have several different relationships with us, we also collect and process your personal data for several different purposes.
For more information on which categories of personal data that are being processed for each purpose. which legal basis that we rely on for the processing, and for how long the personal data is stored for each purpose, please see our detailed information about our processing of personal data. You can also click on each purpose below to go directly to the detailed information for the relevant purpose.
If you are a contact person of a customer, supplier or business partner of ours, we process your personal data to:
The purposes for which personal data is processed also apply, where applicable, to potential customers, suppliers and business partners of ours.
If you visit and use our website and our digital channels, such as our social media pages, we process your personal data to:
If you are a Soya veteran, we process your personal data to:
In relation to all categories of individuals stated above and other external persons, we process personal data to:
If you apply for a position with us, we process your personal data to:
If you are a reference person of a job applicant applying for a position with us, we process your personal data to:
If you visit our office or workplace, we process your personal data to:
If you are registered as an in case of emergency contact of an employee or other person that works for us, we process your personal data to:
We share, where necessary, your personal data with the following recipients:
The recipients with whom we share your personal data depends, among other things, on the relationship you have with us and how you interact with us.
We also transfer personal data to service providers that we have engaged when necessary for the purposes for which we process personal data as described in this information. Examples of service providers are external IT suppliers and communication service providers.
The services providers which process personal data on our behalf and in accordance with our instructions act as data processors in relation to us. These service providers may not process your personal data for their own purposes and are legally and contractually obligated to protect your personal data in the same way as we do.
We store your personal data within the EU/EEA.
In certain cases, we transfer your personal data to recipients in third countries outside the EU/EEA, for example to service providers that we engage in such third countries, or group companies and business partners in third countries.
In order to ensure an essentially equivalent level of protection for your personal data when transferred (or otherwise made available) to recipients in third countries outside of the EU/EEA, which do not provide an adequate level of protection, we normally use the EU Commission’s adopted standard contractual clauses for international transfers according to decision 2021/914 and implement – in light of the law and practices of the third country – necessary supplementary measures to ensure an essentially equivalent level of protection of the personal data transferred. This to ensure that you personal data is protected regardless of where it is processed.
We also rely on so-called adequacy decisions issued by the European Commission where personal data is transferred to countries and recipients covered by such decision, please see the European Commission’s website for more information on which countries that are covered by an adequacy decision. As an example, we rely on the EU-U.S. Data Privacy Framework for transfers to service providers in the United States that are certified under the framework, please see the framework website.
For more information on the safeguards that we have taken to protect your personal data, please contact us, please see contact details in Section 12 below.
You have certain rights in relation to the processing of your personal data under the GDPR.
You have the right to:
You also have the right to:
Please note that certain rights only apply in certain situations, and that there are several exceptions to certain rights. For more information about your rights under the GDPR, please see the information available on IMY’s website.
We do not carry out any automated individual decision-making that produces legal effects or otherwise significantly affects you
If you wish to exercise your rights, please see the contact information in Section 12 below.
If possible, please use the e-mail address that you may have registered with us or used when you have been in contact with us. This makes it easier to handle your request.
We will respond to your request as soon as possible and normally within one month of receiving your request. However, if your request is complex or if you have made multiple requests, we may need additional time to process your request. In such a case, we will inform you of this and the reason for the extension no later than one month from the date we received your request.
If for any reason we are unable to comply with your request, in whole or in part, we will inform you of this and the reason why we are unable to comply with your request. You will receive such information within one month from the time we receive your request. If you have submitted your request electronically, for example by contacting us by e-mail, we will respond to the request electronically, unless you request otherwise.
When you make a request to exercise your rights, we need to confirm your identity to ensure that you are no other than who you claim to be. This is to avoid, for example, us disclosing personal data to someone unauthorised or wrongly deleting personal data.
If we do not have sufficient information to confirm your identity, we may request that you provide additional information about yourself to confirm your identity. We only request the information that is reasonable and necessary to confirm your identity. The time to respond to your request will begin once we have confirmed your identity.
We use cookies and similar technologies on our website. This to, among other things, collect statistics in order to better understand how the website is used. This enables us to develop and improve the website in order to create a better user experience.
In our cookie notice, which you can find by clicking on the icon at the bottom left of the page, you can find more information about which cookies we use on the website, for what purposes and what choices you have made in relation to the use of cookies on the website.
If our processing of personal data changes, for example if we collect and process personal data for new purposes, collect additional categories of personal data or share your personal data with additional recipients than outlined in this information, we will update the information. At the top of this information, you can see when the information was last updated.
| Version | Comment | Access to version | ||
| 1.0 | The first version of this privacy notice. | The version that you are currently reading is the latest version. |
You are welcome to contact us if you have any questions about this information, how we handle your personal data or if you want to exercise your rights.
Soya Group AB, 5560524372
Address: Box 17086, SE-104 62 Stockholm
E-mail: GDPR@soyagroup.com
In this detailed information about our processing of personal data, we describe the categories of personal data that we process for each purpose, the legal basis on which we rely for the processing and how long personal data is stored for each purpose. We also describe the recipients (as separate data controllers) with whom we share personal data for each purpose.
Further down in the information, you will find more detailed information about the categories of personal data that we process, with examples of the types of personal data that fall under each category.
In connection with procurements and to prepare and manage the purchase of goods and services, we process your personal data, for example to register you as a contact person, to send out and respond to requests for tender documents or to send out or respond to requests for tenders, as well as to negotiate and enter into agreements on the purchase of goods and services.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest of preparing and managing the purchase of goods and services. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the legitimate interest is compelling, that the processing is within a contact person’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients:
|
| Storage period: Personal data is stored for this purpose during the procurement process. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data to manage the relationship with the company or organization you work for or represent, for example to register you as a contact person, handle invoices and to communicate with you for the same purpose.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in managing the relationship with customers, suppliers and partners. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the legitimate interest is compelling, that the processing is within a contact person’s reasonable expectations and that the impact on you is deemed to be limited.
| External recipients:
|
| Storage period: Personal data is stored for this purpose as long as there is an active relationship with the company or organization that you work for or represent. Personal data about potential customers, suppliers and partners is stored for the duration of the interaction and otherwise for a period of twelve (12) months from the time of collection. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data to handle orders for goods and services from customers and suppliers, for example to register an order and to handle order confirmations and complaints.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in handling orders for goods and services from customers and suppliers. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the legitimate interest is compelling, that the processing is within a contact person’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients:
|
| Storage period: Personal data is stored for this purpose until the order is registered and managed, including to manage any complaints. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data in order to provide services and goods to the company or organization that you work for or represent, for example to provide you with access to the service, to deliver and, where applicable, install the goods in question, as well as to communicate with you for the same purpose.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in providing ordered services and goods to our customers in accordance with agreements entered into. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the legitimate interest is compelling, that the processing is within a contact person’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients:
|
| Storage period: Personal data is stored for this purpose for the duration of the delivery of the service or goods and until we have fulfilled our contractual obligations. | ||
| Controllership: Soya Group is the sole controller of the processing of personal data for this purpose. | ||
We process your personal data to carry out analysis to obtain insights on an overall level, for example to better understand how our services and products are used. This helps us to develop and improve our business, business strategies and practices.
We do not carry out profiling as a part of the processing of personal data for this purpose, since we are not interested in your specific behaviour or interests.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in carrying out analysis to obtain insights. This enables us to develop and improve our business and our business strategies and methods. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a contact person’s reasonable expectations and that the impact on you is deemed to be limited, especially when analyses are carried out at an overall level. | External recipients:
|
| Storage period: Personal data is stored for this purpose for a period of 27 months from the time of collection. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data to follow up and evaluate sales, for example to compile statistics on ordered services and products. We do not carry out any profiling of personal data as part of the processing of personal data for this purpose.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in following up and evaluating sales. This enables us to evaluate our sales strategies, among other things. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a contact person’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients: No external recipients. |
| Storage period: Personal data is stored for this purpose for a period of 27 months from the time of collection. | ||
| Controllership: Soya Group is the sole controller of the processing of personal data for this purpose. | ||
We process your personal data to follow up and evaluate the relationship with the company or organisation you work for or represent, for example to compile statistics on orders for goods and services, and to communicate with the company or organisation for which you work for the same purpose. This is to better understand how the relationship between us and the company or organization you work for works and develops.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in following up and evaluating the relationship with our customers, suppliers and business partners. This allows us to better understand how the relationship between us and the company or organisation you work for works and develops. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a contact person’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients:
|
| Storage period: Personal data is stored for this purpose for a period of 27 months from the time of collection. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data to provide offers and marketing in various channels, for example via e-mail or on social media.
We do not carry out any profiling of personal data as part of the processing of personal data for this purpose. However, we may tailor which audiences that may receive a particular offer or marketing to ensure that the content is relevant to you.
You can always unsubscribe from our communications by clicking on the unsubscribe link in the e-mail or by contacting us.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in providing offers and marketing. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a contact person’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients: No external recipients. |
| Storage period: Personal data is stored for this purpose for as long as there is an active relationship with the company or organization you work for or represent and for a period of twelve (12) months thereafter. If there is no relationship, personal data will be stored for this purpose for the duration of the interaction and otherwise for a period of twelve (12) months from the time of collection. The above applies unless you have previously objected to our processing of your personal data for marketing purposes. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data to conduct sales meetings, trainings and product demonstrations, for example to register your participation, carry out the activity and to communicate with you about the activity.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in carrying out sales meetings, trainings and product demonstrations. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a contact person’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients: No external recipients. |
| Storage period: Personal data is stored for this purpose during the activity being carried out. | ||
| Controllership: Soya Group is the sole controller of the processing of personal data for this purpose. | ||
We process your personal data to follow up and evaluate the use of our website and digital channels. This is to better understand how our website and our digital channels are used. This is to enable us to develop and improve our website and our digital channels to provide you with a better user experience. For this purpose, we use cookies and similar technologies that enable us to analyze visitor and usage statistics.
Categories of personal data:
| Legal basis: Consent (Article 6(1)(a) of the GDPR). The processing relies on the consent you provide by accepting the use of cookies and similar tracking technologies on the website for the same purpose. | External recipients: No external recipients. |
| Storage period: Information on how long cookies and similar tracking technologies, including personal data, are stored for this purpose can be found in the information on cookies on the website. | ||
| Controllership: Soya Group is the sole controller of the processing of personal data for this purpose. | ||
We process your personal data to enable functionality on our website, including basic functionality, such as providing the content of the website in an efficient and secure manner, and to remember the settings you have made on the website, which change how the website functions or is displayed.
Categories of personal data:
| Legal basis: Consent (Article 6(1)(a) of the GDPR). The processing relies on the consent you provide by accepting the use of cookies and similar tracking technologies on the website for the same purpose. Legitimate interest (Article 6(1)(f) of the GDPR). To the extent that the processing of your personal data is necessary to enable strictly necessary functionality, such as providing the content of the website in an efficient and secure manner, the processing is carried out on the basis of our legitimate interest for the same purpose under a balancing of interest test. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the legitimate interest is compelling, the processing is within a user’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients: No external recipients. |
| Storage period: Information on how long cookies and similar tracking technologies, including personal data, are stored for this purpose can be found in the information on cookies on the website. | ||
| Controllership: Soya Group is the sole controller of the processing of personal data for this purpose. | ||
We process your personal data to communicate about our business, services and products, for example to provide you with information about our services and products if you have provided your contact details on our website.
You can always unsubscribe from our communications by clicking on the unsubscribe link in the email or by contacting us.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in communicating about our business, services and products. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a user’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients: No external recipients. |
| Storage period: Personal data is stored for this purpose for as long as there is an active relationship with the company or organization you work for or represent and for a period of twelve (12) months thereafter. If there is no relationship, personal data will be stored for this purpose for the duration of the interaction and otherwise for a period of twelve (12) months from the time of collection. The above applies unless you have previously objected to our processing of your personal data for marketing purposes. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data to communicate and interact with you in our digital channels, for example if you comment on our posts, write on our pages, or otherwise mention us on social media.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in communicating and interacting with you in our digital channels. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a user’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients: No external recipients. |
| Storage period: Personal data is stored for this purpose until further notice. | ||
| Controllership: Soya Group is the sole controller of the processing of personal data for this purpose. | ||
We process your personal data to follow up and evaluate campaigns that you have interacted with in our digital channels, for example if you have clicked on a marketing message or an advertisement on an external website or in social media.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in following up and evaluating marketing campaigns that we carry out. This is so that we can better understand how our marketing campaigns are performing. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a user’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients: No external recipients. |
| Storage period: Personal data is stored for this purpose for the duration of the campaign and for a period of three (3) months thereafter in order to compile the responses in a report. After that, your personal data will be deleted or de-identified. | ||
| Controllership: Soya Group is the sole controller of the processing of personal data for this purpose. | ||
We process your personal data to manage the registration of you as a Soya veteran in our internal records, including to communicate with you for the same purpose. We need to register you as a Soya veteran in order to fulfil other purposes for which we process Soya veterans’ personal data.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in managing your registration as a Soya veteran. This so that we can fulfill the other purposes for which we process Soya veterans’ personal data. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a Soya veteran’s reasonable expectations and that the impact on you is deemed to be limited. Personal identity number: Personal identity number is processed for this purpose, as it is necessary to ensure that the right person is registered as a Soya veteran. | External recipients: No external recipients. |
| Storage period: Personal data is stored for this purpose until further notice. | ||
| Controllership: Soya Group and the relevant group company are joint controllers for the processing of personal data for this purpose. | ||
We process your personal data to communicate about you as a Soya veteran, for example in posts on our intranet.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in communicating about you as a Soya veteran. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a Soya veteran’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients:
|
| Storage period: Personal data is stored for this purpose for a period of two (2) years from the date of the communication. Personal data published in our digital channels, such as on our intranet, our website and on our social media pages, is generally stored until further notice. | ||
| Controllership: Soya Group and the relevant group company are joint controllers for the processing of personal data for this purpose. | ||
We process your personal data to manage art lotteries if you participate in such lotteries within Konstföreningen, for example to register your participation and communicate who has won the lottery in our internal channels.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in managing art lotteries in which you participate. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a Soya veteran’s reasonable expectations and that the impact on you is deemed to be limited, especially when you voluntarily participate in such lotteries.
| External recipients:
|
| Storage period: Personal data is retained for this purpose for the duration of the art lottery, including for the time necessary to communicate who has won the relevant lottery. | ||
| Controllership: Soya Group and the relevant group company are joint controllers for the processing of personal data for this purpose. | ||
As a Soya veteran, you have the opportunity to use our staff facilities, such as cabins and apartments. We therefore process your personal data to manage your booking of a staff facility, for example to register your booking and communicate with you about the booking. If you have made a booking of a staff facility, we also process your personal data to manage the queue system for booking staff facilities, for example to place you in the booking queue.
Categories of personal data:
| Legal basis: Performance of a contract (Article 6(1)(b) of the GDPR). The processing of your personal data is necessary to fulfill with the applicable booking terms and conditions for staff facilities. | External recipients:
|
| Storage period: Personal data is stored to manage your booking during the time of your booking. Personal data for managing the queue system is stored for as long as you are placed in the booking queue. | ||
| Controllership: Soya Group and the relevant group company are joint controllers for the processing of personal data for this purpose. | ||
As a Soya veteran, you can access our internal channels, such as the intranet. We therefore process your personal data to manage your access to our internal channels, such as your user account and authentication using your user account.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in managing access to our internal channels, such as our intranet. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a Soya veteran’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients: No external recipients. |
| Storage period: Personal data is stored for this purpose until further notice. | ||
| Controllership: Soya Group and the relevant group company are joint controllers for the processing of personal data for this purpose. | ||
Depending on how you interact with us, we process your personal data to communicate about us and our business in different channels, for example to inform you about things that happen in our business via e-mail or on social media.
You can always unsubscribe from our communications by clicking on the unsubscribe link in the email or by contacting us.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in communicating about us and our business. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within the reasonable expectations of the individuals concerned and that the impact on you is deemed to be limited. | External recipients: No external recipients. |
| Storage period: Personal data is stored for this purpose for as long as there is an active relationship with the company or organization you work for or represent and for a period of twelve (12) months thereafter. If there is no relationship, personal data for this purpose is stored for the period of the interaction and otherwise for a period of twelve (12) months from the time of collection The above applies unless you have previously objected to our processing of your personal data for marketing purposes. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data to better understand how you interact with our communications. This is done through tracking techniques that enable us to analyze open and click statistics in relation to communications.
Categories of personal data:
| Legal basis: Consent (Article 6(1)(a) of the GDPR). The processing of your personal data collected from your device relies on the consent you give by registering for communications on our website. | External recipients: No external recipients. |
| Storage period: Personal data is stored for this purpose for a period of twelve (12) months from the time of collection. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data to carry out meetings, events and similar activities, both digital and physical meetings and events, for example to register your participation, carry out the activity and communicate with you about the activity.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in carrying out meetings, events and similar activities. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within the reasonable expectations of the individuals concerned and that the impact on you is deemed to be limited. Special categories of personal data: We only process information about any food allergies on the basis of your explicit consent that you provide separately, for example in connection with registration. | External recipients:
|
| Storage period: Personal data is stored for this purpose during the time that the meeting, event or activity is carried out. If the activity is recorded to document the meeting for traceability, the recording is stored, as a starting point, until further notice. If the recording is published in our digital channels to communicate about us and our business, the recording will also be stored, as a starting point, until further notice. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
If you participate in marketing or communications that we carry out and give your consent to this, we will process your personal data to manage your participation, for example to register your participation and to collect and process your personal data in marketing or communication. Your personal data can thus be used in presentation material and in our digital channels, including on social media.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in managing participation in marketing or in other communications that we carry out. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within the reasonable expectations of the individuals concerned and that the impact on you is deemed to be limited, especially when you have given your acceptance to participate. Personal identity number: Personal identity number is processed for this purpose, as it is necessary to ensure that the right person has given their acceptance. | External recipients:
|
| Storage period: Personal data is stored for this purpose for the duration of the marketing or communication effort. Personal data in material published in our digital channels is, as a rule, stored until further notice. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
If you have participated in an activity that we have carried out, we process your personal data to follow up and evaluate the activity, for example to compile statistics on the number of participants in the activity and to plan future activities.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in following up and evaluating completed activities. This to, among other things, better understand how we can improve future activities. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within the reasonable expectations of the individuals concerned and that the impact on you is deemed to be limited. | External recipients: No external recipients. |
| Storage period: Personal data is stored for this purpose for a period of twelve (12) months from the time of the relevant activity | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data to answer questions and requests when you contact us.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in responding to questions and requests when you contact us. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within the reasonable expectations of the individuals concerned and that the impact on you is deemed to be limited. | External recipients:
|
| Storage period: Personal data is stored for this purpose for a period of twelve (12) months from the time when the case was closed or the last communication in the same matter. | ||
| Controllership: Soya Group is the sole controller of the processing of personal data for this purpose. | ||
We process your personal data to carry out surveys, for example to decide which target group should receive the survey, what questions should be included in the survey, to send out surveys and to collect and analyse the results of a survey.
Your opinions about our business and services are important and necessary for us to enable us to develop and improve our business and services. Where necessary to conduct the specific survey, we also process personal data that we have previously collected (for example, to manage the relationship with the company or organization you work for or represent) for this purpose.
You can always unsubscribe from our survey communications by clicking on the unsubscribe link in the email or by contacting us.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in conducting surveys. This enables us to develop and improve our business and services. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within the reasonable expectations of the individuals concerned and that the impact on you is deemed to be limited. | External recipients:
|
| Storage period: Personal data is stored for this purpose for the duration of the survey and for a period of three (3) months thereafter in order to compile the responses in a report. After that, your personal data will be deleted or de-identified. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data to provide your newsletter, for example to register you in our list of recipients and to send you the newsletter. You can receive our newsletter either by signing up for the newsletter or if you or the company or organization you represent have a relationship with us.
You can always unsubscribe from our communications by clicking on the unsubscribe link in the email or by contacting us.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in providing newsletters to you. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within the reasonable expectations of the individuals concerned and that the impact on you is deemed to be limited, especially if you have signed up for the newsletter yourself. | External recipients: No external recipients. |
| Storage period: If you have signed up for the newsletter, your personal data will be stored for this purpose and until you unsubscribe from the newsletter. If you have not signed up for the newsletter, but you receive the newsletter because you or the company or organization you work for or represent have a relationship with us, your personal data will be processed for this purpose for as long as there is an active relationship and for a period of twelve (12) months thereafter. The above applies unless you have previously objected to our processing of your personal data for marketing purposes. | ||
| Controllership: Soya Group is the sole controller of the processing of personal data for this purpose. | ||
We process your personal data to manage the recruitment process, for example to receive and review your application documents (such as CV and cover letter),to evaluate your application and to communicate with you during the recruitment process.
Categories of personal data:
| Legal basis: Performance of a contract (Article 6(1)(b) of the GDPR). The processing is necessary in order to take steps at your request before entering into a possible employment contract. Legitimate interest (Article 6(1)(f) GDPR). To the extent that you have not requested a specific action or where a group company is involved in the processing, the processing is necessary to satisfy our legitimate interest in managing the recruitment process. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a job applicant’s reasonable expectations and that the impact on you is deemed to be limited, especially when you have voluntarily applied for the position in question. Special categories of personal data: Any special categories of personal data that you voluntarily provide in connection with the recruitment process, for example in application documents, we process on the basis of your explicit consent that you give in connection with the provision of such personal data. Personal identity number: Personal identity number is processed for this purpose, as it is necessary to ensure that the right person is covered by the recruitment process. | External recipients:
|
| Storage period: Personal data is stored for this purpose during the recruitment process and for a period of 26 months thereafter in order to manage and defend legal claims. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
When necessary, for example because of the position you have applied for, we process your personal data to carry out and document a background check about you. We use external background check companies for this purpose. These are separate controllers for their own processing of your personal data in order to carry out and document the background check. The background check company shares a report with us once the check is completed, which we review as part of the recruitment process.
If we intend to carry out such a background check as part of the recruitment process, we will inform you of this and obtain your acceptance to the checks.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to carry out and document background checks within the framework of a recruitment process. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a job applicant’s reasonable expectations and that you voluntarily agree to participate in the background check as part of the recruitment process. Personal identity number: Personal identity number is processed for this purpose, as it is necessary to ensure that background checks are carried out in relation to the right person. | External recipients:
|
| Storage period: Personal data is stored for this purpose during the recruitment process and for a period of 26 months thereafter in order to manage and defend legal claims. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
As a part of the recruitment process, we carry out various types of personality and ability tests if necessary. If it becomes necessary to conduct such tests as part of the recruitment process, we will inform you of this and obtain your acceptance to the tests.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to carry out personality and ability tests as part of the recruitment process. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a job applicant’s reasonable expectations and that you voluntarily agree to participate in the test as part of the recruitment process. | External recipients:
|
| Storage period: Personal data is stored for this purpose during the recruitment process and for a period of 26 months thereafter in order to handle and respond to legal claims. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing | ||
If you have applied for a position with us or have participated in a recruitment process, we process your personal data to follow up and evaluate the recruitment process, for example to produce reports and statistics on the number of applications per position.
| Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in following up and evaluating the recruitment process. This enables us to develop and improve our recruitment process. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a job applicant’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients: No external recipients. |
| Storage period: Personal data is stored for this purpose during the recruitment process and for a period of twelve (12) months thereafter. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
If we ask if we can save your application documents after a recruitment process and you give your acceptance to this, we process your personal data to facilitate future recruitment, for example to be able to evaluate whether your profile is suitable for a future position and to contact you if a recruitment need arises that fits your profile.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in facilitating future recruitment should a recruitment need arise that fits your profile. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a job applicant’s reasonable expectations and that the impact on you is deemed to be limited, especially if you have accepted that the personal data is processed for this purpose. Special categories of personal data: Any special categories of personal data that you voluntarily provide in connection with the recruitment process, for example in application documents, we process on the basis of your explicit consent that you give in connection with the provision of such data. Personal identity number: Personal identity number is processed for this purpose, as it is necessary to ensure that the right person has given their acceptance. | External recipients:
|
| Storage period: Personal data is stored for this purpose for a period of twelve (12) months after the recruitment process for the position you have applied for has been completed and for each additional twelve-months’ period thereafter for which you have accepted that your information is kept. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
If you are a reference person of a job applicant who applies for a position with us, we process your personal data to carry out reference checks as a part of the recruitment process, for example to communicate with you and collect your assessment of the job applicant.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in carrying out reference checks within the framework of a recruitment process. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the processing is within a reference person’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients:
|
| Storage period: Personal data is stored for this purpose during the recruitment process and for a period of 26 months thereafter in order to handle and respond to legal claims. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
If you visit our offices and workplaces, we normally need to register your visit. We then process your personal data to handle visitor registration and to provide visitor badges. This is for your safety and the safety of our employees, for example if an incident occurs and to ensure that no unauthorized persons are on our premises.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in managing visitor registration for your safety and that of our employees. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the legitimate interest is compelling, the processing is within a visitor’s reasonable expectations and that the impact on you is deemed to be limited. | External recipients: No external recipients. |
| Storage period: Personal data is stored for this purpose during your visit and for a period of ten (10) days thereafter. | ||
| Controllership: Soya Group and the relevant group company are joint controllers for the processing of personal data for this purpose. | ||
We use camera surveillance (without sound recording) in connection with our offices and workplaces. This is to prevent, detect and investigate crimes, as well as for your and our employees’ safety, for example if an incident occurs. There are clear signs indicating whether an area is covered by camera surveillance.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in preventing, detecting and investigating crime and for security. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the legitimate interest is compelling and that the processing is within a visitor’s reasonable expectations. Special categories of personal data: Any special categories of personal data or personal data relating to offences (criminal data) in image material are only processed if it is necessary to manage and exercise a legal claim, for example to prepare a police report or if the material is needed in a legal process. | External recipients: No external recipients. |
| Storage period: Camera surveillance material is stored for up to five (5) weeks from the time of recording, after which the material is deleted or replaced. In an individual case, the camera surveillance material may be stored for a longer period of time if it is necessary, for example, to investigate an incident, file a police report or if the material is needed in a legal process. | ||
| Controllership: Soya Group and the relevant group company are joint controllers for the processing of personal data for this purpose. | ||
We process personal data in order to register you as an in case of emergency contact of an employee and to communicate with you in the event of an accident, illness or similar emergency involving the employee concerned.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in communicating with you as an in case of emergency contact of an employee in the event of an accident, illness or similar emergency involving the employee concerned. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the legitimate interest is compelling, that the processing is within an in case of emergency person’s reasonable expectations and that the impact on you is deemed to be limited. In the assessment, we have also taken into account that it is probably in your interest that we contact you in connection with an accident, illness or similar event concerning the employee concerned. | External recipients: No external recipients. |
| Storage period: Personal data is stored for this purpose until the employee or person who works for us notifies us otherwise, but no later than until employee’s employment is terminated or the assignment for the person who works for us is terminated. | ||
| Controllership: Soya Group and the relevant group company are joint controllers for the processing of personal data for this purpose. | ||
We process personal data that you and others share with us in connection with internal and external communication in the course of the business, for example when our employees communicate with each other and external persons via e-mail to perform their work tasks.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in our employees communicating internally and externally in their work in order to perform their duties. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the legitimate interest is compelling, that the processing is within the reasonable expectations of the individuals concerned, and that the impact on you is deemed to be limited. | External recipients:
|
| Storage period: Personal data is retained for this purpose for a period of two (2) years from the date of the last communication in the same conversation or correspondence. If the communication is made for some other purpose as stated in this information, for example to manage the relationship with customers, suppliers and business partners, the communication is stored for the storage period specified for the purpose in question. | ||
| Controllership: Soya Group is the sole controller of the processing of personal data for this purpose. | ||
We process your personal data when it is necessary to document decisions, including supporting information for decisions, in the course of the business, for example in connection with internal and external meetings or otherwise when employees perform their duties. This is to ensure that there is traceability for the decisions made in the business.
Categories of personal data:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in ensuring traceability in the business with regard to the decisions made in the business. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the legitimate interest is compelling, that the processing is within the reasonable expectations of the individuals concerned, and that the impact on you is deemed to be limited. Personal identity number: Personal identity numbers are processed, if applicable, if necessary to ensure and verify that the right person has participated in a particular decision. | External recipients:
|
| Storage period: Personal data is stored for this purpose until further notice. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
In the event that all or part of our business is sold, or otherwise transferred or restructured, we process your personal data when it is necessary for this purpose. Should the business be transferred to a buyer, your personal data would also be transferred or disclosed to the buyer. In such a case, the buyer would be responsible (a controller) for its subsequent processing of your personal data and that the processing takes place for the same purposes as stated in this information, unless you receive other information in connection with the transfer.
| Categories of personal data: Categories of personal data concerned that are necessary to manage the sale or restructuring of all or part of the business in the individual case. | Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in managing a sale or restructuring of, where applicable, all or part of the business. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the legitimate interest is compelling, that the processing is within the reasonable expectations of the individuals concerned, and that the impact on you is deemed to be limited. | External recipients:
|
| Storage period: Personal data is stored for this purpose for the time necessary to manage the sale or restructuring in the individual case. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data when it is necessary to manage, defend and exercise legal claims in an individual case, for example in connection with a dispute or a court process.
| Categories of personal data: Categories of personal data concerned that are necessary to manage and respond to the legal requirement in the individual case. Normally, the following categories of personal data are covered:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in managing, defending and exercising legal claims in an individual case. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the legitimate interest is compelling and that the processing is within the reasonable expectations of the individuals concerned. Special categories of personal data: Any special categories of personal data or personal data relating to criminal convictions and offences (criminal data) are processed only if it is necessary for this purpose. Personal identity number: Personal identity number is only processed if it is necessary for this purpose. | External recipients:
|
| Storage period: Personal data is stored for this purpose for the period necessary to manage, defend or exercise the legal claim in the individual case | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data to ensure the technical functionality and security of our IT systems, for example in connection with backups, to ensure that there are appropriate authorisation and access controls in place and in case of error handling.
| Categories of personal data: All categories of personal data specified in relation to other purposes.
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in ensuring the technical functionality and security of our IT systems. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the legitimate interest is compelling, that the processing is within the reasonable expectations of the individuals concerned, and that the impact on you is deemed to be limited. Special categories of personal data: Any special categories of personal data or personal data relating to criminal convictions and offences (criminal data) are processed on the basis of the same legal basis as set out in relation to the respective relevant purposes outlined in this information. Personal identity number: Personal identity number is processed with the same legal basis as stated in relation to the respective relevant purpose outlined in this information. | External recipients: No external recipients. |
| Storage period: Personal data is stored for the same period as stated for other purposes in this information. Personal data in logs for troubleshooting and error and incident management is stored for a period of 13 months from the time of the log event. Personal data in backups is stored for a period of 13 months from the time of the backup. | ||
| Controllership: Soya Group and the relevant group company are joint controllers for the processing of personal data for this purpose. | ||
If you use our internal reporting channel (whistleblower channel) to make a report or if you are otherwise covered by a report submitted by someone else, we process your personal data to manage the report, including to receive and assess the report, communicate with relevant persons, provide feedback to the reporting person, and conduct an investigation of the report to determine whether the content of the report is correct or not.
Categories of personal data:
| Legal basis: Legal obligation (Article 6(1)(c) of the GDPR). The processing is necessary to fulfil the obligation to have an internal reporting channel under the Whistleblower Act (2021:890). Legitimate interest (Article 6(1)(f) of the GDPR). To the extent that the processing is not carried out on the basis of a legal obligation under the Whistleblower Act, the processing is necessary to satisfy our legitimate interest in receiving and handling reports submitted in our internal reporting channel for the purpose of investigating any breaches of public interest. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, especially considering that the legitimate interest is compelling. Special categories of personal data: When the processing is covered by the obligation to have an internal reporting channel under the Whistleblower Act, any special categories of personal data are processed in order to fulfil a substantial public interest. To the extent that the processing is not carried out to fulfill the obligation to have an internal reporting channel under the Whistleblower Act, special categories of personal data are only processed if it is necessary to manage, defend and exercise legal claims. Any personal data relating to criminal convictions and offences (criminal data) is only processed when it is necessary to comply with our obligations under the Whistleblower Act, or if the processing is not carried out on the basis of the Whistleblower Act, only if it is necessary to manage, defend or exercise a legal claim in an individual case or when the processing takes place as a part of the applicable exception on reporting serious breaches. Personal identity number: Personal identity number is processed, where applicable, when necessary for the same purpose. | External recipients:
|
| Storage period: Personal data is stored for this purpose for the duration of the investigation of the report and up to a period of two (2) years thereafter from the conclusion of the case. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data when it is necessary for us to comply with our legal obligations, such as accounting requirements and the rules of the GDPR.
| Categories of personal data: Categories of personal data concerned that are necessary to manage and respond to the legal requirement in the individual case. Normally, the following categories of personal data are covered:
| Legal basis: Legal obligation (Article 6(1)(c) of the GDPR). The processing of your personal data is necessary to comply with our legal obligations. Personal identity number: Personal identity number is processed, where applicable, when necessary for the same purpose. | External recipients:
|
| Storage period: Personal data is stored for this purpose for the time necessary for us to comply with the respective legal obligation to which we are subject. As an example, personal data is stored in accounting material for seven (7) years calculated from the end of the calendar year in which the relevant financial year ended in accordance with the Accounting Act (1999:1048). | ||
| Controllership: Soya Group is the sole controller of the processing of personal data for this purpose. | ||
We process your personal data when it is necessary to respond to legal requests from public authorities, such as law enforcement, tax authorities and other regulatory authorities.
| Categories of personal data: All categories of personal data necessary to respond to and evaluate the request in the individual case. Normally, the following categories of personal data are covered:
| Legal basis: Legal obligation (Article 6(1)(c) of the GDPR). When we are required by law or regulation to respond to a legal request, your personal data is processed in order to comply with our legal obligations. Legitimate interest (Article 6(1)(f) of the GDPR). If there is no explicit legal obligation for us to respond to a request from a public authority or if we need support in responding to requests from external advisors and we assess that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, we rely on our legitimate interest in relation to the processing of personal data on the basis of such a balancing test. Personal identity number: Personal identity number is processed, where applicable, when necessary for the same purpose. | External recipients:
|
| Storage period: Personal data is stored for this purpose for the time necessary to respond to the request, and for a period of ten (10) years thereafter in order to document and be able to show that the request has been answered. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
We process your personal data when it is necessary to manage, investigate and document incidents involving our employees, other persons and our assets, for example to file a police report or report an incident to the relevant authority, including law enforcement authorities.
| Categories of personal data: All categories of personal data that are necessary to protect and ensure the safety of our employees and assets in the individual case. Normally, the following categories of personal data are covered:
| Legal basis: Legitimate interest (Article 6(1)(f) of the GDPR). The processing of your personal data is necessary to satisfy our legitimate interest in protecting and ensuring the security of our employees and assets. Our assessment is that this legitimate interest outweighs your interests and fundamental rights and freedoms in relation to the processing of personal data, taking into account that the legitimate interest is compelling and that the processing is within the reasonable expectations of the individuals concerned. Special categories of personal data: Any special categories of personal data or personal data relating to criminal convictions and offences (criminal data) are processed only if it is necessary for managing, defending or exercising a legal claim in an individual case. Personal identity number: Personal identity number is processed, where applicable, when necessary for the same purpose. | External recipients:
|
| Storage period: Personal data is stored for this purpose for the time necessary to investigate the incident and take the necessary measures in relation to the incident, such as filing a police report or filing a report with another relevant authority. Personal data included in decisions or the basis for decisions is stored until further notice for traceability. | ||
| Controllership: Soya Group is, as a general rule, the sole controller of the processing of personal data for this purpose. When Soya Group and the relevant group company jointly decide on the processing of personal data in specific cases for this purpose, Soya Group and the relevant group company are joint controllers for the processing. | ||
| Category of personal data
| Examples of types of personal data covered by the category |
| Image and audio material | Video, photographs, audio recordings, streaming video and audio (for example, in digital meetings) |
| Communication
| Content of e-mails or other correspondence, published posts and comments in digital channels
|
| Contact information | Address, email address, phone number |
| Competence information | Education, professional experience, language skills, certifications |
| Digital behaviour information | Clicks and visits to the website and in our digital channels, settings and preferences when using functionality on the website and in our digital channels |
| Identity information
| Name and other information that identifies you |
| Log information | Log event, date and time of log event |
| Order information | Type of order or order, time, price and discounts, order history |
| Profile information | Title, role, username or social media account, the company or organisation you work for or, if you are a job applicant, such as gender, age, current position, information about current and previous employers or clients, and marital status |
| Technical information | Type of device, IP address, browser type and version and operating system |
| Test information | Test results, time of test, type of test |