Personal data policy

The personal data policy generally applies to the processing of personal data within Subtopia and exists to explain what kind of data Subtopia processes, why and how.

1. Background

Subtopia, which is a part of Upplev Botkyrka AB, processes Personal Data in the course of its everyday activities. This privacy policy applies generally to all processing of Personal Data at Subtopia, and is intended to explain which kinds of data Subtopia processes, and why. Personal Data are processed within Subtopia’s administrative and booking systems. Personal Data are also processed through Subtopia’s digital platforms, social media channels, and the website (collectively referred to as “Digital Channels”). This privacy policy applies to our employees, vendors, customers, renters of our premises, visitors, and guests.

2. Personal Data and Processing of Personal Data

Personal Data refers to any piece of information that is directly or indirectly, in combination with other pieces of information, associated with a living, natural person. Names, telephone numbers, pictures, and IP addresses can all be personal data. Bookings, behaviours, and orders can also be personal data, assuming that they can be linked to a certain person along with other data. Actions taken in regard to Personal Data are defined as Processing of Personal Data, and can include their storage, collection, alteration, erasing, and distribution.

2.1. Special categories of Personal Data

Occasionally, Subtopia processes special categories of Personal Data. For instance, data concerning an individual’s health or union membership are treated as special, and require extra protection. In order to process a booking where it is important to note that somebody has a certain allergy, for example, would require us to process Personal Data related to an individual’s health. This kind of processing is only to be performed with explicit consent. Union membership can also be processed in employment contexts, assuming this is required by labour laws.

3. Data Controller

The Data Controller is the individual who is responsible for the processing of Personal Data, and who determines why and how Personal Data are to be processed. In most cases, Subtopia will act as Data Controller. In other cases, Upplev Botkyrka AB will act as Data Controller. In certain cases, a third party will determine which Personal Data are to be processed, and why. In these cases, Subtopia acts as Data Processor, and will process the personal data on behalf of the Data Controller.

4. Data Processors

Subtopia uses Data Processors for the delivery of our services. This means that Subtopia acts as Data Controller, and determines which Personal Data are to be processed, and why, but that we outsource various aspects of this processing. These could be related to IT solutions, such as storage or booking systems, for instance. In these cases, Subtopia controls the processing, and assumes responsibility for it, but enlists the aid of other vendors to deliver our services. Subtopia will always have data processing agreements in place with any Data Processors used, to ensure that all data will enjoy a high degree of protection.

5. Subtopia’s Processing of Personal Data

Subtopia, and the Data Processors we use, will always have legal grounds for any processing of Personal Data. Usually, this will mean that the processing is necessary in order for us to enter into a contract, but it can also mean that our processing is based on consent, is required in order to protect our own legal rights, or is based on our legal obligations. Subtopia can also process personal data when there is a legitimate interest to do so on our part. In these cases, this legitimate interest will be considered to take precedence over the interest of the Data Subject not to have their Personal Data processed by Subtopia. For example, marketing to visitors who we have previously been in contact with will occur after the relative merits of these conflicted interests have been weighed. However, Data Subjects will always have be offered a simple method for opting out of such processing of Personal Data.

What follows is a summary of Subtopia’s processing of Personal Data. Subtopia strives to process as few pieces of Personal Data as possible. For this reason, all categories of Personal Data will not be processed on every occasion.

5.1. Information and Administration

Subtopia processes Personal Data for the purposes of administration and communication with our guests, visitors, renters of our premises, employees, and suppliers. The purpose of this is to manage our bookings, enrolments, hirings, applications, and contracts, as well as to administer our various activities.

Personal Data
The following kinds of Personal Data may be processed in communications and administrative systems, although not necessarily all at once: names, email addresses, addresses, phone numbers, bookings, food preferences, allergies, and personal identity numbers.

Legal Grounds
The processing is necessary in order for us to fulfil our contractual obligations and deliver our services, or has been deemed legitimate after a weighing of conflicting interests.
The Origins of the Data
The data are provided by the Data Subjects themselves, when they make bookings, submit enrolments, submit applications, and sign contracts.

5.2. Employment Relations

In order to administer, pay wages to, and contact our employees, Subtopia has to process the Personal Data of said employees.

Personal Data
Names, email addresses, addresses, phone numbers, people to contact in case of an emergency, bank account numbers, employer’s certificates, payslips, absences.
Statements of earnings and tax deductions, income statements.

Legal Grounds
This processing is necessary for the fulfilment of our employment contracts, as well as for administrative purposes and for paying wages.
As an employer, Subtopia has a legal obligation to provide the Swedish tax authorities with statements of earnings and tax deductions for all employees.

The Origins of the Data
The data are provided by the Data Subjects, and submitted to us at the time of signing the contract, or during the time when employment is in effect. Payslips are generated by Subtopia’s wage payment system, and employer’s certificates are generated by employers.
The data is supplied by the wage payment system, and is based on what has been registered regarding the employee’s wages and employment rate.

5.3. Marketing

Subtopia uses Personal Data to market our services through Digital Channels, as well as in mailings pertaining to offers and other information.

Personal Data
Names, email addresses, and, in some cases, pictures.

Legal Grounds
The legitimacy of the processing is based either on consent or on the weighing of interests.

The Origins of the Data
The data are provided by the Data Subjects, taken from lists of participants (only in cases of communications about similar events), or taken from web sites (only email addresses linked to employment and workplaces).
Pictures are taken by Subtopia or by photographers commissioned by Subtopia. Consent for the use of photographs is granted either directly, to Subtopia, or indirectly, via the photographer. For individuals under the age of 18, consent must be given in writing by a legal guardian.

5.4. Payments

Subtopia processes Personal Data in order to manage our payments.

Personal Data
Card numbers, invoice numbers, personal identity numbers, names, email addresses, phone numbers, amounts, points of sale, transaction times, order details.

Legal Grounds
In order to trade services and goods, and fulfil our contractual obligations by receiving payment or ensure that we can make our own payments, Subtopia needs to process Personal Data associated with payments.

The Origins of the Data
The data are provided by the Data Subject at the time when they make their payment, booking, or application.

5.5. Customer Surveys and Statistics

To improve our services, Subtopia carries out anonymised customer surveys (where the responses cannot be linked to specific individuals). Personal Data are also collected in order to account for the visitor statistics that Subtopia is contractually obligated to provide our owners.

Personal Data
Names, email addresses, postal codes

Legal Grounds
Processing occurs based on a weighing of interests, and in order to fulfil our contractual obligations to our owners.
The Origins of the Data

The data from our surveys are provided by the Data Subjects themselves, at the times when they make their bookings or applications. The survey responses are submitted directly by the Data Subjects, and are anonymised.

5.6. Processing Claims

Subtopia may be legally required to process Personal Data in order to process complaints and claims, or assist in legal proceedings.

Personal Data
Names, personal identity numbers, addresses, email addresses, phone numbers, account numbers, sequences of events, location data.

Legal Grounds
This processing is required in order to secure Subtopia’s legitimate interest to determine, assert, and exercise our legal rights.

The Origins of the Data
These data can be provided by the Data Subjects, but also by government agencies or other parties, such as insurance companies.

5.7. Cookies etc.

Subtopia may collect technical data to enhance the user experiences in our Digital Channels.

Personal Data
IP addresses, cookies, web browser details, machine IDs.

Legal Grounds
Depending on which kind of technical data are being collected, this processing will occur based either on a weighing of interests or on consent.

The Origins of the Data
The data are provided by the Data Subjects upon their use of the Digital Channels.

6. Recipients Subtopia may Share Data with

6.1. Parent Company

Subtopia is a part of the public company Upplev Botkyrka. In some cases, Subtopia may share Personal Data with Upplev Botkyrka AB, and the two organisations may process Personal Data on each other’s behalf. This mainly relates to the administration of finances and contracts.

6.2. Service Vendors

In order to deliver our services, Subtopia uses various vendors, for example, for IT-solutions such as networks, storage services, and email services. These vendors are only permitted to process Personal Data in accordance with Subtopia’s specific instructions, and may not process the data for any purposes of their own. Further to this, they are all obliged by law and other agreements to safeguard Personal Data.

6.3. Payees and Payment Service Vendors

When payments are made, Personal Data may be shared with the payment service vendor, the payee, and the banks used by both parties.

6.4. Other Recipients

In some cases, Subtopia may also share data with other recipients, mainly government agencies requiring access to the data for purposes of legal compliance or as required by various legal proceedings. Personal data may also be shared with potential buyers and sellers of the entirety or parts of the company.

7. Technical and Organisational Measures

Subtopia cares about the privacy of our customers, visitors, renters of our premises, and employees, and takes appropriate technical and organisational security measures to safeguard Personal Data against unauthorized access, alteration, distribution, or deletion. Among other measures, we have put routines and access restrictions in place to prevent unauthorized access.

8. Where Does Subtopia Process Personal Data?

Subtopia’s ambition is for all processing of personal data to occur within the EU/EEA region. However, certain vendors may process personal data in locations outside the EU/EEA region. In these cases, to ensure that the data are always protected and that safety measures are always in place, we will implement agreements requiring protections equivalent to those put forth in the EU regulations.

9. How Long are Personal Data Retained?

Subtopia processes Personal Data for the duration of our ongoing relationship with the Data Subject, and for some time thereafter, as long as there is legal ground for this retention. Once there is no longer any reason for us to process Personal Data, they will be erased.

10. Rights

Subtopia would like to remind you of the rights afforded by the GDPR directive to individuals whose Personal Data are processed.

10.1. Access to Personal Data

As a Data Subject, you are entitled to request that we confirm whether we are processing your Personal Data or not. If we are, you are further entitled to obtain an extract from our register, so that you can see which details about you we are processing.

10.2. Corrections

If a detail is incorrect or incomplete, you are entitled to request that it be amended.

10.3. Withdrawing Consent

If we are processing your Personal Data, and your consent constitutes the legal ground for this processing, you are entitled to withdraw your consent at any time, effective from that point onwards.

10.4. Objections to Processing Related to Direct Marketing

Data Subjects are entitled to object to processing of their Personal Data related to direct marketing purposes. This is most easily done by unsubscribing from mailings, by clicking the “unsubscribe link” in the mailing or contacting us.

10.5. The Right to Lodge Complaints with Supervisory Authorities

Data Subjects also have the right to lodge complaints directly with supervisory authorities. In such cases, the supervisory authority in question is obliged to investigate the matter.

10.6. Objecting to Processing Based on Subtopia’s Legitimate Interests

As a Data Subject, you are entitled to object to the processing of your Personal Data based on legitimate interests, assuming there are circumstances in your specific case that warrant this. If you object to such processing, and there are binding and legitimate reasons which take precedent over your objection, we are, however, entitled to continue our processing.

10.7. Deletion of Data

Data Subjects are entitled to request that their data be deleted, and in some circumstances this request must be complied with. An exception to this would be when the law requires us to retain the data.

10.8. Restriction of Processing

Data Subjects are entitled to request that the processing of their Personal Data be restricted.

10.9. Data Portability

Data Subjects are further entitled to receive copies of their Personal Data.

If you should wish to execute any of these rights, or have any questions, please contact Subtopia.
Data Controller:

Subtopia, 556767-7876

Address: Rotemannavägen 10, 14557 Norsborg


Phone: 08-599 07500