Privacy Policy

This privacy notice is effective from May 25th, 2018, and was last updated January 16, 2024.

Scope and purpose

This Policy has been adopted in order to assist in establishing and maintaining an adequate level of personal data privacy in the collecting, processing, disclosing and cross-border transfer of personal data, i.e. any information that relates to an identified or identifiable living individual (“Personal Data”) including that relating to current, past and prospective OX2 personnel, clients, investors, contractors, business associates and other stakeholder of the OX2 group.

OX2 AB’s (org.nr 556675-7487) and all its subsidiaries’ (hereinafter jointly referred to as “OX2”) processes and activities are performed with the objective to ensure that your privacy and integrity are protected, that your privacy is respected and that your personal information is processed correctly. We take responsibility to ensure that Personal Data processed by OX2 is used only for initial purposes and is protected against accidental or unlawful destruction, loss, use, or alteration and against unauthorized disclosure or access.

All processing of Personal Data by OX2 is carried out in accordance with applicable privacy legislation.

This Policy only applies to Personal Data which is processed by or on behalf of a OX2 and is or was processed at any time by or on behalf of OX2 in a jurisdiction which is either:

(i) in the EU or EEA; or

(ii) not in the EU or EEA, but is a jurisdiction which imposes similar restrictions on the use or extra-territorial transfer of Personal Data;

This Policy should not conflict with applicable national laws in the jurisdictions in which an OX2 company operates and the Policy shall be so construed wherever possible. In the event of any conflict between this Policy and any applicable national laws, the provisions of the relevant law shall govern. In this event, the relevant OX2 company shall immediately notify the OX2 General Counsel.

International data transfers by OX2 Group companies with registered offices in Europe

In addition to applying the below Key principles, in the event that any OX2 company with registered office within European Economic Area (EEA) transfers your Personal Data outside the EEA, we ensure that your data is protected in a manner which is consistent with the GDPR (EU 2016/679). Therefore, and if required by applicable law, we take the following measures:

We share your Personal Data with affiliated companies outside the European Economic Area only if they have implemented our Binding Corporate Rules (“BCR“) for the protection of Personal Data.

We transfer Personal Data to external recipients outside the European Economic Area (EEA) only if the recipient has (i) entered into EU Standard Contractual Clauses with us, or (ii) implemented Binding Corporate Rules in its organization. You may request further information about the safeguards implemented in relation to specific transfers by contacting us.

Who is responsible for your personal information?

OX2 AB is OX2 Group’s main data controller. In addition, subsidiaries of OX2 AB can also be data controllers (including “joint-controllers”) and process Personal Data as described in this Privacy Policy. Your relationship with OX2 will determine which of our group companies that have access to and processes your Personal Data, and which of our group companies are the data controller(s) responsible for the personal information.

Key principles

In handling Personal Data as a controller OX2 will apply the following key principles:

1. Transparency: OX2 will provide individuals with information about how we process their Personal Data to the extent necessary to ensure that processing is fair.

2. Purpose limitation: OX2 will only process Personal Data for the purposes

(iii) set out in any notice made available to the relevant individuals;

(iv) as required by law; or

(v) where consented to by the relevant individuals.

3. Data quality and proportionality: Personal Data should be kept accurate and where necessary, up to date. The Personal Data OX2 hold must be adequate, relevant and not excessive for the purposes for which they are processed and should only be retained for as long as necessary for the purposes of the relevant processing.

4. Sensitive Data: Where OX2 process sensitive Personal Data, we will take such additional measures (e.g., relating to security) as are necessary to protect such Personal Data in accordance with applicable law.

5. Data minimization: Where OX2 retain Personal Data, we will do so in a form identifying or rendering an individual identifiable only for so long as it serves the purpose(s) for which it was initially collected or subsequently authorized, except to the extent permitted by applicable law; and

6. Information transfer and compliance: Within OX2, Personal Data may be transferred outside the country in which it was collected, including countries outside of the EEA, for legitimate business activities in accordance with applicable law. In addition, in accordance with applicable law, the OX2 may store Personal Data in facilities operated by OX2/or third parties on behalf of OX2 outside the country in which the data was collected. Nevertheless, Personal Data must not be transferred to another country unless the transferor has assurance that an adequate level of protection is in place in relation to that Personal Data as required under applicable law. In the case of each, an adequate level of protection is created by the Group Data Sharing Agreement which each OX2 group company shall abide by. OX2 will ensure that where Personal Data is transferred to third parties outside of OX2 for processing (for example to OX2’s service providers to support OX2’s business), that this is only done where the personal information is adequately protected. OX2 companies will achieve this by entering into written agreements with third parties which impose obligations that reflect the requirements of this policy.

Security

To protect your Personal Data against accidental or unlawful destruction, loss, use, or alteration and against unauthorized disclosure or access, we use adequate physical, technical and organizational security measures. Any disclosure of Personal Data is always in according to legal obligations, practices and standard procedures.

Your rights

The GDPR grants you as an individual specific rights in relation to your Personal Data. In particular, and subject to the legal requirements, you may be entitled to

Obtain from us confirmation as to whether or not Personal Data concerning you are being processed, and where that is the case, access to the Personal Data;
Obtain from us the correction of inaccurate Personal Data concerning you;
Obtain from us the erasure of your Personal Data;
Obtain from us restriction of processing regarding your Personal Data;
Data portability concerning Personal Data, which you actively provided;
Object, on grounds relating to your particular situation, to further processing of Personal Data concerning you; and
Withdraw your consent to our processing of your Personal Data

How and when do we process your personal information?

The purpose of the processing	Description of the processing activities	Categories of Personal Data obtained
Supplier and stake- holder relationship management To administer our supplieror stakeholder relationshipto fulfil our contract with you	Collection, recording, structuring, storage, use, disclosure by transmission, erasure or destruction.	Name, contract details (such as address, e-mail, address, phone number),

The purpose of the
processing

Description of the
processing activities

Categories of Personal
Data obtained

Supplier and stake-
holder relationship
management

To administer our
supplieror stakeholder
relationshipto fulfil
our contract with you

Collection, recording,
structuring, storage,
use, disclosure by
transmission, erasure
or destruction.

Name, contract details
(such as address, e-mail,
address, phone number),

Lawful basis of the processing: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subjects prior to entering into a contract (article 6.1 b GDPR).

Automated decision-making, including profiling (if applicable): No

Categories of recipients: OX2 AB (org.nr 556675-7487) and/or relevant subsidiary(ies)

The retention periods: We will save your Personal Data as long it’s necessary for the performance of a contract which the data subject is party (article 6.1 b GDPR).

The purpose of the processing	Description of the processing activities	Categories of Personal Data obtained
Business relationship In the context of the business relationship with us we process the Personal Data for the following purposes: Communicating with Business partners about our products and services (e.g., responding to inquiries or request providing you with information). Planning, performing and managing the contractual relationship with you as Business partner. Maintaining and protecting the security of our products and services, preventing and detecting security threats, frauds or other criminal activities. Ensuring compliance with legal obligations (such as record keeping obligations, compliance background checks and our policies or industry standards. Solving disputes, enforce our contractual agreements and to establish, exercise or defend legal claims.	Collection, recording, structuring, storage, use, disclosure by transmission, erasure or destruction.	In the context of the business relationship with us, we may process the following categories of Personal Data of customers and contact personas (prospective) customers, suppliers, vendors and partners (each a “Business partner”: Contact information such as full name, contact information. Organizational information including job position and company name. Contractual data such as data necessary for processing fraud preventions. Further information necessarily processed in a project or contractual relationship with us provided by the Business partner, such as Personal Data relating to orders placed, payments made, requests and project milestones. Personal Data collected from publicly available resources, credit agencies and information that are legally required for Business partner compliance screenings such as date of birth, nationality, place of residence, ID-numbers, identify cards and information about relevant and significant litigation or other legal proceedings against Business partners.

The purpose of the
processing

Description of the
processing activities

Categories of Personal
Data obtained

Business relationship

In the context of the
business relationship with us
we process the Personal
Data for the following
purposes:

Communicating with
Business partners about our
products and services (e.g.,
responding to inquiries or
request providing you with
information).

Planning, performing and
managing the contractual
relationship with you as
Business partner.

Maintaining and protecting
the security of our products
and services, preventing
and detecting security
threats, frauds or other
criminal activities.

Ensuring compliance with
legal obligations (such as
record keeping obligations,
compliance background
checks and our policies or
industry standards.
Solving disputes, enforce
our contractual agreements
and to establish, exercise or
defend legal claims.

Collection, recording,
structuring, storage,
use, disclosure by
transmission, erasure
or destruction.

In the context of the
business relationship with
us, we may process the
following categories of
Personal Data of customers
and contact personas
(prospective) customers,
suppliers, vendors and
partners (each a “Business
partner”:

Contact information such
as full name, contact
information.

Organizational information
including job position and
company name.

Contractual data such as
data necessary for
processing fraud
preventions.

Further information
necessarily processed in a
project or contractual
relationship with us
provided by the Business
partner, such as Personal
Data relating to orders
placed, payments made,
requests and project
milestones.

Personal Data collected
from publicly available
resources, credit agencies
and information that are
legally required for Business
partner compliance
screenings such as date of
birth, nationality, place of
residence, ID-numbers,
identify cards and
information about relevant
and significant litigation or
other legal proceedings
against Business partners.

Lawful basis of the processing: Processing is necessary for the performance of a contract to
which the data subject is party or in order to take steps at the request of the data subjects prior
to entering into a contract (article 6.1 b GDPR) and for the purposes of the legitimate interest
pursued by us a data controller (article 6.1 f GDPR).

More specific: To provide our products and services: Contract performance (article 6.1 b GDPR); Legitimate interest (article 6.1 f GDPR).

To bill your use of our products and services: Contract performance (article 6.1 b GDPR); Legitimate interest (article 6.1 f GDPR).

To verify your identity: Contract performance (article 6.1 b GDPR); Legitimate interest (article 6.1
f GDPR).

To fulfil your requests or instructions: Contract performance (article 6.1 b GDPR); Legitimate interest (article 6.1 f GDPR).

When necessary to enforce the contractual agreement, to establish and preserve legal claims or defense, to prevent fraud or other criminal activities: Compliance with legal obligations (article 6.1 c GDPR); Legitimate interest (article 6.1 f GDPR).

Automated decision-making, including profiling (if applicable): No

Categories of recipients: OX2 AB (org.nr 556675-7487) and/or relevant subsidiary(ies)

The retention periods: We will save your Personal Data as long it’s necessary in compliance with
the initial purpose and applicable legal obligations.

The purpose of the processing	Description of the processing activities	Categories of Personal Data obtained
Invoicing To handle payment transactions for our products and services	Collection, recording, structuring, storage, use, disclosure by transmission, erasure or destruction	Billing information (such as name, address, purchased product or service), transaction history.

The purpose of the
processing

Description of the
processing activities

Categories of Personal
Data obtained

Invoicing

To handle payment
transactions for our
products and services

Collection, recording,
structuring, storage,
use, disclosure by
transmission, erasure
or destruction

Billing information
(such as name, address,
purchased product or
service), transaction
history.

Automated decision-making, including profiling (if applicable): No

Categories of recipients: OX2 AB (org.nr 556675-7487) and/or relevant subsidiary(ies)

The retention periods: We will save your Personal Data as long it’s necessary in compliance with applicable legal obligation.

The purpose of the processing	Description of the processing activities	Categories of Personal Data obtained
Cookies and online identifiers or other tracking technologies We have an interest in making our websites operate efficiently, providing account related functionalities, understanding how you interact with our websites and what service you are interested in.	Collection, recording, structuring, storage, use, disclosure by transmission, erasure or destruction	We use cookies or other tracking technologies to monitor how you interact with our websites.

The purpose of the
processing

Description of the
processing activities

Categories of Personal
Data obtained

Cookies and online
identifiers or other
tracking technologies

We have an interest in
making our websites
operate efficiently,
providing account
related functionalities,
understanding how
you interact with our
websites and what
service you are
interested in.

Collection, recording,
structuring, storage,
use, disclosure by
transmission, erasure
or destruction

We use cookies or
other tracking
technologies to
monitor how you
interact with our
websites.

Lawful basis of the processing: The data subject has given consent to the processing of his or her Personal Data for one or more specific purposes (article 6.1 a GDPR).

Automated decision-making, including profiling (if applicable): No

Categories of recipients: OX2 AB (org.nr 556675-7487) and/or relevant subsidiary(ies)

The retention periods: We will save your Personal Data as long it’s necessary for the initial purpose. You control and/or delete cookies as you wish – for details, see our cookie policy.

The purpose of the processing	Description of the processing activities	Categories of Personal Data obtained
Advertisement and marketing We disclose information about our products and services with the purpose to market our products and services to individuals who consent to receive such information.	Collection, storage, use, disclosure by transmission, erasure or destruction	E-mail address

The purpose of the
processing

Description of the
processing activities

Categories of Personal
Data obtained

Advertisement and
marketing

We disclose information
about our products and
services with the purpose
to market our products
and services to individuals
who consent to receive
such information.

Collection, storage, use,
disclosure by transmission,
erasure or destruction

E-mail address

Lawful basis of the processing: The data subject has given consent to the processing of his or her Personal Data for one or more specific purposes (article 6.1 a GDPR). You can withdraw your consent to our marketing at any time by contacting us.

Automated decision-making, including profiling (if applicable): No

Categories of recipients: OX2 AB (org.nr 556675-7487) subsidiary(ies)

The retention periods: As long as we have your consent to provide you with information and marketing.

Further information for OX2 Group's employees

Further information and privacy notices are available in the OX2’s intranet (OX2 intranet access is required).

Complaints, questions and additional information

To express a concern, raise a question, make a complaint, or to obtain additional information about the processing of Personal Data by OX2, the concerned individual should contact the Local Legal Counsel or the General Counsel (“the Data Privacy Organization”) for the relevant OX2 company in the first instance.

Besides contacting the Data Privacy Organization, you always have the right to approach the competent data protection authority in your country with your request or complaint.

Your Competent Data Protection Authority

Besides contacting our Data Privacy Organization, you always have the right to approach the competent Data Protection Authority with your request or complaint:

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) (Estonia)

Tatari 39
10134 Tallinn
Tel. +372 6828 712
E-mail: info@aki.ee
Website: http://www.aki.ee/

Agencia Española de Protección de Datos (AEPD) (Spain)

C/Jorge Juan, 6
28001 Madrid
Tel. +34 91 266 3517
Fax +34 91 455 5699
E-mail: internacional@aepd.es
Website: https://www.aepd.es/

Swedish Authority for Privacy Protection (Sweden)

Box 8114, 104 20 Stockholm, Sweden
Tel. +46(0)8-657 61 00
E-mail: imy@imy.se
Website: http://www.imy.se/

Datatilsynet (Denmark)

Carl Jacobsens Vej 35
2500 Valby
Tel. +45 33 1932 00
E-mail: dt@datatilsynet.dk
Website: http://www.datatilsynet.dk/

Office of the Data Protection Ombudsman (Finland)

P.O. Box 800
FI-00531 Helsinki
Tel. +358 29 56 66700
Fax +358 29 56 66735
E-mail: tietosuoja@om.fi
Website: http://www.tietosuoja.fi/en/

Commission Nationale de l'Informatique et des Libertés – CNIL (France)

3 Place de Fontenoy
TSA 80715 – 75334 Paris, Cedex 07
Tel. +33 1 53 73 22 22
Fax +33 1 53 73 22 00
Website: http://www.cnil.fr/ https://www.cnil.fr/en/contact-cnil

Garante per la protezione dei dati personali (Italy)

Piazza Venezia, 11
00187 Roma
Tel. +39 06 69677 1
Fax +39 06 69677 785
E-mail: segreteria.stanzione@gpdp.it
Website: http://www.garanteprivacy.it/

Urząd Ochrony Danych Osobowych (Personal Data Protection Office) (Romania)

ul. Stawki 2
00-193 Warsaw
Tel. +48 22 531 03 00
E-mail: kancelaria@uodo.gov.pl, dwme@uodo.gov.pl
Website: https://uodo.gov.pl/

Download the privacy policy in PDF