Your trust is important to us. That's why we take your privacy issues very seriously. We have drawn up this policy so that you can feel confident that we are processing your Personal Data. The policy clarifies how we work to ensure your rights and privacy.
1.1 OUR PRINCIPLES
We process your Personal Data in accordance with the following principles.
- Freedom of choice: The starting point when we process your Personal Data is that it belongs to you. We will, as far as possible, endeavour to have you decide whether you wish to share your Personal Data with us.
- Proportionality: We do not collect more Personal Data than we need to provide you with our services. We do not process more Personal Data than is necessary for the purpose and always aim to use only the least privacy-sensitive data.
- Transparency and security: We inform you about how your personal data is processed. We have systems and procedures in place to protect your personal data as far as possible against unauthorised access, alteration, destruction or disclosure.
- Compliance with legal requirements: We will ensure that your personal data is processed in accordance with applicable law.
2. Data controller.
JCDecaux is the Data Controller for JCDecaux's processing of your Personal Data. We are therefore responsible for ensuring that your Personal Data is processed in accordance with applicable law.
3. Collection and purpose.
3.1 HOW DO WE COLLECT YOUR PERSONAL DATA?
We collect your Personal Data when you register on our website. The data we process are those you have provided us with.
3.2 WHAT PERSONAL DATA DO WE PROCESS?
We only process personal data when we have a lawful basis, and we always aim to use the least privacy-sensitive Personal Data. Examples of the Personal Data we process are:
- contact information
- Date of birth (full personal identity number may, but need not, be provided)
- debit card information
- Images of individuals in advertising campaigns or uploaded via DIY on our website
3.3 LEGAL BASIS
We process your Personal Data on a number of different lawful grounds. We process some of your Personal Data in order to perform the contract you have entered into with us and to provide the contracted service. When you enter into a contract with us, you consent to us processing your Personal Data to the extent set out in the contract and in this Policy. We also process some of your Personal Data with your consent. Wherever possible, we try to obtain your consent before we start processing your Personal Data. You consent to us processing your Personal Data in connection with your acceptance of our terms and conditions. We never take your consent for granted. You therefore have the right to withdraw your consent at any time. We will then no longer process your Personal Data or obtain new ones, provided that it is not necessary for the performance of our obligations under the contract or by law. Please note that withdrawing consent may mean that we cannot fulfil our obligations to you.
Where the processing of your Personal Data is necessary to fulfil a legitimate interest, we may process some of your Personal Data following a balancing of interests. If our interest in using the Personal Data outweighs the need to protect your privacy, we may process such Personal Data without obtaining your explicit consent. If you object to our processing, we will rebalance our interests and then decide whether our interest outweighs our consent or whether we should stop processing.
3.4 FOR WHAT PURPOSES DO WE PROCESS PERSONAL DATA?
We process your Personal Data for various purposes. The main purposes of our processing are:
- In order to provide our contracted services and the administration thereof
- For the distribution of information from JCDecaux regarding the loan bike system
- For securing payment for loaner bicycle subscriptions
3.5 WITH WHOM DO WE SHARE PERSONAL DATA?
Together with our group companies, we have a system for storing Personal Data. It is therefore necessary for us to transfer your Personal Data to our group companies. We may also disclose your Personal Data to third parties when necessary for the performance of contracts or after you have given your explicit consent.
Some of the operators we work with are based outside the EU/EEA. It may therefore be necessary for us to transfer personal data to such countries. Where we transfer personal data to a country outside the EU/EEA, we will always establish the necessary agreements and ensure to the maximum extent possible that your personal data is processed in a secure manner.
We never transfer personal data to countries outside the EU/EEA unless it is in compliance with the General Data Protection Regulation. This may be the case, for example, if the country to which your personal data is transferred meets the requirements of the Commission for an adequate level of protection, or if you have given your explicit consent. Such transfers may also be permitted if it is necessary for the performance of our contract with you.
If we transfer your personal data to a country outside the EU/EEA, we will take the necessary safeguards. Nevertheless, there is always some risk involved in transfers. We only work with reputable operators outside the EU/EEA, which means you can feel confident about any transfers.
We may also disclose your Personal Data when we have an obligation to do so under applicable law, when required to do so by a public authority, to protect our legal interests or to detect or prevent fraud.
Where we disclose your Personal Data to third parties, we will establish the necessary agreements and ensure to the maximum extent possible that your Personal Data is processed in a secure manner.
3.6 HOW LONG DO WE KEEP PERSONAL DATA?
We do not retain Personal Data longer than is necessary to fulfil the purposes for which the Personal Data was collected. We will delete your Personal Data at your request, or otherwise after termination of your subscription. The Personal Data we process must be adequate, relevant and not excessive in relation to the purposes for which it is processed.
We do not collect Personal Data for indefinite future needs, nor do we process Personal Data that is so old that it is irrelevant to the original purposes for which it was collected.
4. Privacy and Security.
We take the protection of your Personal Data seriously. We have established procedures and working practices that we constantly review to ensure that your Personal Data is handled securely. We have taken, and will continue to take, the necessary organisational and technical security measures to maintain a high level of security for your Personal Data.
Only employees and other persons within our organisation who need the personal data to perform their duties have access to it.
Our security systems are designed with your privacy in mind and provide a high level of protection against intrusion, destruction and other changes that could put your privacy at risk. We have several IT security policies in place to ensure that your Personal Data is treated securely.
5. Your rights.
RIGHT OF RECTIFICATION
We are obliged to ensure, as far as possible, that the Personal Data we process is accurate and up to date. You who are registered with us have the right to contact us and have incorrect data corrected. You also have the right to supplement any missing data that is relevant to the content. If data is corrected at the request of the data subject, we must also inform those to whom we have disclosed the data that it has been corrected. However, this does not apply if this would prove impossible or would involve an excessively onerous effort.
RIGHT TO ERASURE
Data subjects have the right to request the erasure of their Personal Data, sometimes referred to as the "right to be forgotten".
We delete the data in the following cases:
- If the data is no longer needed for the purposes for which it was collected
- If the processing is based on the data subject's consent and the data subject withdraws the consent
- If the processing is for direct marketing purposes and the data subject objects to the processing
- If the data subject objects to the processing following a balancing of interests and there are no legitimate grounds overriding the data subject's interest
- If the Personal Data has been processed unlawfully
- If erasure is required to comply with a legal obligation
If data is erased at the request of the data subject, those to whom we have disclosed the data will be informed that it has been erased. However, this does not apply if this would prove impossible or would involve an excessively onerous effort.
There are exceptions to the right to erasure and the obligation to inform others. If the Personal Data is necessary for the exercise of other important rights, such as the right to freedom of expression and information, to comply with a legal obligation or to perform a task in the public interest, we do not need to erase it.
RIGHT TO RESTRICTION OF PROCESSING
In certain cases, data subjects have the right to request that the processing of Personal Data be restricted. Restriction means that the data is marked so that it may only be processed for certain limited purposes in the future.
The right to restriction applies, inter alia, when the data subject considers that the data are inaccurate and has requested rectification. In such cases, the data subject may also request that the processing of the data be restricted while the accuracy of the data is being investigated.
When the restriction ends, the data subject must be informed.
You who have Personal Data registered with us may have the right to obtain and use this Personal Data elsewhere. We have an obligation to facilitate such a transfer of Personal Data. This is subject to the condition that we process the Personal Data on the basis of the data subject's consent or for the performance of a contract with the data subject, and only in respect of Personal Data provided by the data subject.
RIGHT TO OBJECT
In certain cases, data subjects have the right to object to our processing of their Personal Data. The right to object applies when Personal Data is processed for the performance of a task carried out in the public interest, in the exercise of official authority or following a balancing of interests.
If the data subject objects to the processing in such cases, we as the controller may only continue to process the data if it can be shown that there are compelling legitimate grounds for processing which override the interests, rights and freedoms of the individual or if the processing is for the establishment, exercise or defence of legal claims.
The data subject always has the right to object to his or her Personal Data being used for direct marketing purposes. Such an objection can be made at any time. If an objection is made to direct marketing, the Personal Data may no longer be processed for such purposes.
You have the right to access Personal Data that has been collected about you.
In order for us to send you an extract from the register containing your Personal Data, we need to know who you are. You should therefore provide proof of your identity when requesting a register extract. We do this for your own security. Your extract will be provided to you in electronic form unless you request otherwise.
RIGHT TO COMPLAIN
The data subject has the right to complain about the processing of Personal Data if he or she considers that it is being processed in breach of the GDPR. If you wish to complain, you may do so to the Data Protection Inspectorate.
You have the right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of the processing that was based on your consent before it was withdrawn.
6. Information for you as a registered user.
Where reasonably practicable or required by applicable law, we will provide you, at the time of collection or recording of your Personal Data, with (i) specific information about the purpose of the processing of your Personal Data, (ii) the identity of the controller, (iii) the identity of any third party to whom the data may be disclosed, and (iv) other information that may be necessary to ensure that you can exercise your rights.
7. Policy update.
This policy may be updated from time to time. If we make significant changes, we will notify you by email or by notification the next time you log in to your account. By continuing to use our Services after you receive such notice, you agree to the updates to this Policy to the extent permitted by law. If you do not accept the changes, you have the right to terminate the agreement.
We encourage you to periodically review this policy for the latest information on our privacy practices.
If you have any questions regarding this policy, the processing of your Personal Data, or wish to exercise any of your rights such as requesting a record extract, please contact us.
JCDecaux Sverige AB Box 13138 , 10303 Stockholm
Customer Centre: JCDecaux Sverige AB, Customer Service, Box 13138, 10303 Stockholm
Opening hours: 08.00 - 17.00 every weekday except public holidays.
Telephone 08-474 83 00
E-mail address: [email protected]