Padlock on computer keyboard. Network Security, data security and antivirus protection PC

Privacy Notice

Introduction

This Privacy Notice gives information regarding collection, processing, storage and sharing of personal data in AFRY Group. AFRY AB, corp. no 556120-6474 with the Swedish Companies Registration Office is the AFRY group’s main data controller. In addition, subsidiaries of AFRY AB can also be data controllers (including as “joint-controllers”) and process personal data as described in this Privacy Notice. Your relationship with AFRY will determine which of our group companies have access to and processes your personal data, and which of our group companies are the data controller(s) responsible for the personal information.

Personal data processed by AFRY is typically collected from you and, where necessary, also from third parties. Such third parties include mainly your colleagues or other people who recommend to contact you in connection with a specific assignment, job or co-operation. Your information can also be collected indirectly e.g. via cookies.

Personal data is shared between the companies in the AFRY Group where needed for our business purposes, in accordance with applicable data protection legislation. Personal data that is being processed electronically by AFRY will mainly be stored on servers located in EU/EEA. In case of local systems outside the EU/EEA, the personal data is usually stored in the respective country.

Since AFRY operates globally and has customers and projects worldwide, personal data is transferred and processed by AFRY subsidiaries and trusted suppliers and business partners outside of EU/EEA in certain situations. Personal data is shared with third party service providers, such as IT service providers, subconsultants, lawyers and other external professional advisors. Personal data is shared with AFRY’s business partners to the extent it is required for AFRY’s fulfilment of any actual or potential contracts or if it is required by law or pursuant to any order of court or other competent authority or tribunal or by any applicable stock exchange regulations.

Any international transfer of personal data out from the EU/EEA will be subject to appropriate security measures and all reasonable steps to ensure that the personal data is protected and maintained in accordance with this Privacy Notice and applicable data privacy laws. This includes relying on an suitable mechanism for data transfer under Chapter V of the GDPR, including, inter alia, adequacy decisions and appropriate safeguards, and, where necessary, supplementary measures required. If you wish to receive a copy the appropriate safeguards taken by us or information regarding where these safeguards have been made available, please contact us by using the contact details stated below.

In accordance with applicable data protection legislation, subject to some conditions and exceptions, you for example have the following rights:

The right to information about and access to your personal data;
The right to withdraw consent;
The right to have your personal data corrected or updated;
The right to erasure of your personal data (‘The right to be forgotten’);
The right to restriction of processing of your personal data;
The right to object to certain processing of your personal data;
The right to data portability.

Your rights can be exercised by sending an email to privacy@afry.com.

You have a right to lodge any complaints regarding AFRY’s compliance with data protection laws with the appropriate supervisory authority.

In case of any questions regarding the privacy and security of the personal data that is being processed by AFRY, and which companies within AFRY are data controllers, please send an email to privacy@afry.com or contact our Data Privacy Manager at:

AFRY AB
Att: Data Privacy Manager
SE-169 99 Stockholm, Sweden

1. Employees

1.1 Categories of personal data concerned

The following data is collected on employees for global and local purposes. The needed information will slightly vary in different countries based on the local legislation. 

Identification related personal data such as: full name, national ID, gender, marital status, date of birth and nationality.  

Contact information such as: home address, e-mail and phone information, emergency contact information.

General employment contract related data such as: organizational information , contract class, weekly hours, start date, termination date / expected end date (for temporary and external contracts), base cost, internal price, compensation information and incentive plan, HR contact person.

Payroll / taxation related additional data such as: bank name, account number, account holder name, deposit type and BIC, information about employee's children (only when required by local legislation), health information as required by local law (e.g. sick leave information), union memberships, taxation information, salary deductions, employment number, worked hours, type of absence/leave, holidays, social security information, mother's maiden name (only when required by local legislation), language knowledge, currency. 

Benefits (phone, company car etc.) related information such as: benefit details, driver's logbook. 

Training related information such as: training / course information, duration. 

Professional information (CV) such as: name, photo, job title, work/project experience, education, language skills, country of permanent residency, professional association, learning history, publications, organizational information, profile picture, utilization, connections, courses, competences.

Travel related data where necessary: credit card number, passport copy, information of received vaccination.

Employees on International Transfer data such as: work permit, dependent information (name, relationship, social security system, assignment insurance, date of birth). 

Access and facility control: The following data is collected on employees and people visiting AFRY premises in Sweden and Finland. Identification related personal data such as: full name, photo, employer, host, time for entry and departure. Camera monitoring with recording time and place.

Financial information for invoicing purposes such as: employee categories, category rates, salary rate, cost center, status (active/inactive), required time, location, overtime.

IT related information:

Communications and usage: Network connectivity, internal websites visited and applications used.
Data subjects are grouped for different purposes such as e-mail delivery lists and lists to grant access.
Back-ups: All AFRY systems are back-upped regularly. The back-ups contain all information included in AFRY systems.

1.2 The purposes and legal basis of the processing activities

Each company of AFRY Group processes personal data of their own employees as a data controller in context of the employment relationship. Further, each company of AFRY Group processes personal data of all AFRY employees as a separate data controller in context of client assignments and other common projects between group companies.

The purpose for processing the data is

Contractual necessity, e.g. in case of
- Administration of the employment relationship, pension and insurance
- Report and pay employer contributions and tax deductions, provide salary specifications and employer declarations and provide control information to the Swedish Tax Agency and to you as an employee.
- Pay compensation for sick leave and report illness relevant authorities.
Legal obligations of the employer, e.g. in case of
- processing of sensitive data such as health related data or social security related information which will only be processed when required by laws
- Meet the rules on notice period and order and other employment related laws
- Fulfil our accounting obligation according to the accounting related laws
AFRY's legitimate interest, e.g. in case of
- Making offers to clients
- Allocating resources to client projects and assignments
- Organizing business travel
- Assurance of safety at AFRY’s premises
- Ensuring the smooth and data secure operation of AFRY’s business.

Regarding the legitimate interests mentioned, AFRY has evaluated that the risk for the individual is less significant than the advantage for AFRY when processing this data, e.g. because no sensitive data is processed based on this purpose and because the processed data as well as the access rights are limited to the amount and type strictly necessary.

1.3 Routines for storage and erasure

AFRY will store the personal data as long as required

to fulfil the agreement which we have with you, e.g. to pay your salary and the related social security costs during and shortly after your employment;
to fulfil the purpose for which the data was initially collected, e.g. in case of international travelling to ensure we can correctly allocate the related costs shortly after the travel;
by applicable laws, e.g. for the payment of pensions, holiday pay, the issuance of work certificates, service certificates and references to other employers and for accounting purposes;
to be able to efficiently respond to possible claims from clients, business partners or similar which may arise during your employment and the applicable statutory period after the assignments where you have worked with us have been completed;
by our internal policies e.g. regarding data security, ethics and compliance and data management; e.g. in case of access and facility control only for a very limited amount of time needed to ensure the security of our premises.

2. Customers

2.1 Categories of personal data concerned

Customer contact information such as: Full name, email address, telephone, postal address, customer company, business sector.

Contacts' responses to AFRY's marketing.
Information provided by the client via web forms, e.g. during registration to AFRY's marketing event.
Payment/invoice related information such as: company and company number, Payment & Banking information, full name of the invoice approver, job title, remuneration ID.

Back-ups: All AFRY systems are back-upped regularly. The back-ups contain all information included in AFRY systems.

2.2 The purposes and legal basis of the processing activities

Each company of AFRY Group processes personal data of all AFRY’s customers as a separate data controller.

AFRY collects and processes personal data based on its legitimate interests, e.g. in case of

entering into and performing business contracts with you, or the company you work for;
engaging with other business partners;
marketing AFRY and its services and products;
to deliver professional services and products, including contracting, project management, planning of work and allocation of resources;
to conduct business planning and development, strategical reviews and statistical evaluation;
to issue and process invoices and payments;
to maintain a safe, secure and efficient use of internal information, ensure that business critical information and other assets are safe and protected;
to maintain good health and safety practices;
to investigate and prevent fraud, misconduct, infringements or other violations of legal rights and obligations;
to manage disputes and complaints, i.e. compensation claims, and to ensure compliance with legal obligations that AFRY are otherwise subject to.

2.3 Routines for storage and erasure

AFRY will store the personal data as long as required

to fulfil the agreement which we have with you or your employer during the agreement period and shortly thereafter e.g. to ensure that all fees, tasks and resources are correctly allocated;
to fulfil the purpose for which the data was initially collected, e.g. marketing related material will be deleted when we no longer consider you as a potential customer;
by applicable laws, e.g. for accounting purposes;
to be able to efficiently respond to possible claims from clients, business partners or similar which may arise during the contractual relationship and the applicable statutory period after the assignments where you have worked have been completed;
by our internal policies e.g. regarding data security, ethics and compliance and data management e.g. in case of access and facility control only for a very limited amount of time needed to ensure the security of our premises.

3. Partner network and subconsultants

3.1 Categories of personal data concerned

The personal data that may be collected depending on your relationship with AFRY include:

Basic personal data and contact information such as: full name, date of birth/personal identification number, e-mail address, nationality, gender, address, phone number country of residence;
Networker Company data (when applicable): Company name, VAT number, homepage, F-tax verification (timestamp & performed by);
Performing and planning work such as availability, information supporting quality assurance process and applications for available assignments, picture, searchable CV data that may be communicated to AFRY Customers;
Business administration such as: ID number in AFRY system, AFRY sales responsible, working time, travel expenses, contact information to next of kin;
Personal data needed for access to AFRY´s IT-systems and networks;
Security such as: picture used for keycards within AFRY or externally and when needed other personal data necessary for security reasons.
Financial information such as: category rates, salary rate, supervisors, department, cost center, status (active/inactive), contract type, section, required time, location, bank account number for salary payments, flexi hours, overtime.
Payment/invoice related information such as: company and company number, Payment & Banking information, full name of the invoice approver, job title, remuneration ID.
Back-ups: All AFRY systems are back-upped regularly. The back-ups contain all information included in AFRY systems.
Travel related data where necessary: credit card number, passport copy, information of received vaccination.
Access and facility control: The following data is collected on employees and people visiting AFRY premises in Sweden and Finland. Identification related personal data such as: full name, photo, employer, host, time for entry and departure. Camera monitoring with recording time and place.

3.2 The purposes and legal basis of the processing activities

Each company of AFRY Group processes personal data of their own partners and subconsultants as a data controller in context of the co-operation agreements. Further, each company of AFRY Group processes personal data of all AFRY partners’ and subconsultants’ as a separate data controller in context of client assignments and other common projects between group companies.

AFRY processes partners’ and sub-consultants’ personal data based on:

contractual necessity, e.g. in case of

entering into and performing business contracts with you;
to issue and process invoices and payments;
to deliver professional services and products, including contracting, project management, planning of work and allocation of resources.

its legitimate interests, e.g. in case of

entering into and performing business contracts the company you work for;
engaging with other business partners;

to deliver professional services and products, including contracting, project management, planning of work and allocation of resources;
to conduct business planning and development, strategical reviews and statistical evaluation;
to issue and process invoices and payments;
to maintain a safe, secure and efficient use of internal information, ensure that business critical information and other assets are safe and protected;
to maintain good health and safety practices;
to investigate and prevent fraud, misconduct, infringements or other violations of legal rights and obligations;
to manage disputes and complaints, i.e. compensation claims, and to ensure compliance with legal obligations that AFRY are otherwise subject to.

.Regarding the legitimate interests mentioned, AFRY has evaluated that the risk for the individual is less significant than the advantage for AFRY when processing this data, e.g. because no sensitive data is processed based on this purpose and because the processed data as well as the access rights are limited to the amount and type strictly necessary.

The legal base for the processing of data of a person registering to AFRY’s Partner Network is consent given at time of registration in AFRY systems as well as fulfilment of obligations in the contracts when performing assignments for AFRY.

3.3 Routines for storage and erasure

AFRY will store the personal data as long as required

to fulfil the agreement which we have with you or your employer during the agreement period and shortly thereafter e.g. to ensure that all fees, tasks and resources are correctly allocated;
to fulfil the purpose for which the data was initially collected, e.g. in case of international travelling to ensure we can correctly allocate the related costs shortly after the travel;
by applicable laws, e.g. related to accounting;
to be able to efficiently respond to possible claims from clients, business partners or similar which may arise during the contractual relationship and the applicable statutory period after the assignments where you have worked have been completed;
by our internal policies e.g. regarding data security, ethics and compliance and data management e.g. in case of access and facility control only for a very limited amount of time needed to ensure the security of our premises.

4. Employee candidates

4.1 Categories of personal data concerned

Contact information such as: Full name, e-mail address, private telephone number, address.

Professional information (CV) related data such as: photo, job title, work/project experience, education, language skills, professional association, publications.

Other data not requested by AFRY but provided by the person.

Back-ups: All AFRY systems are back-upped regularly. The back-ups contain all information included in AFRY systems.

Access and facility control: The following data is collected on employees and people visiting AFRY premises in Sweden and Finland. Identification related personal data such as: full name, national ID, photo, employer, host, time for entry and departure. Camera monitoring with recording time and place.

4.2 The purposes and legal basis of the processing activities

Each company of AFRY Group processes personal data of their own candidates as a data controller in context of the employment relationship. Further, other companies in AFRY Group processes personal data of candidates where relevant for the recruitment, e.g. when applying to international positions.

AFRY collects and processes personal data due to legal obligations and/or legitimate interest of AFRY. Some of the data is processed based on consent of the candidate (e.g. data not required but still received in the CV or application letter). The legitimate interest of AFRY in this is to find best possible employees to open positions. Regarding the legitimate interests mentioned, AFRY has evaluated that the risk for the individual is less significant than the advantage for AFRY when processing this data, e.g. because no sensitive data is processed based on this purpose and because the processed data as well as the access rights are limited to the amount and type strictly necessary.

Applicant information is shared within AFRY’s Human Resource function and its other business functions (e.g. line management in relation to specific positions) to determine how well the application fits the position the employee candidate have applied for, or possible future postings. Additionally, the application data will be viewed together with additional information the applicant provides AFRY during the recruitment process (e.g. interviews, assessments, references). If applicant becomes an employee, the data is retained and used for personnel administration including the establishment of a personnel record or other employment related purposes.

4.3 Routines for storage and erasure

AFRY will store the personal data as long as required

to comply with your consent regarding storing your data to be taken into account for possible future open vacancies;
to fulfil the purpose for which the data was initially collected, i.e. during the recruitment process;
by applicable laws, e.g. regarding discrimination in recruitment process;
to be able to efficiently respond to possible claims from clients, business partners or similar which may arise during the contractual relationship and the applicable statutory period after the assignments where you have worked have been completed;
by our internal policies e.g. regarding data security, ethics and compliance and data management e.g. in case of access and facility control only for a very limited amount of time needed to ensure the security of our premises.

Candidates from Austria and Germany can also review details of local AFRY candidate policies here.

AFRY Austria Informationen zum datenschutz (DE)

AFRY Austria Informationen zum datenschutz (EN)

AFRY Germany Informationen zum datenschutz (DE)

5. Service providers and similar business partners

5.1 Categories of personal data concerned

Contact information such as: Full name, email address, telephone, postal address, company, business sector

Payment/invoice related information such as: company and company number, Payment & Banking information, full name of the invoice approver, job title, remuneration ID.

Back-ups: All AFRY systems are back-upped regularly. The back-ups contain all information included in AFRY systems.

Access and facility control: The following data is collected on employees and people visiting AFRY premises in Sweden and Finland. Identification related personal data such as: full name, national ID, photo, employer, host, time for entry and departure. Camera monitoring with recording time and place.

5.2 The purposes and legal basis of the processing activities

Each company of AFRY Group processes personal data of their own service providers and other business partners as a data controller in context of the co-operation agreements. Further, each company of AFRY Group processes personal data of all AFRY service providers’ and other business partners’ as a separate data controller when co-operation with the said company is needed.

AFRY processes service providers’ and other business partners’ personal data based on

contractual necessity, e.g. in case of

entering into and performing business contracts with you;
to pay invoices and payments;
to receive services and products.

its legitimate interests, e.g. in case of

entering into and performing business contracts with you, or the company you work for;
engaging with other business partners;
to deliver professional services and products, including contracting, project management, planning of work and allocation of resources;
to conduct business planning and development, strategical reviews and statistical evaluation;
to issue and process invoices and payments;
to maintain a safe, secure and efficient use of internal information, ensure that business critical information and other assets are safe and protected;
to maintain good health and safety practices;
to investigate and prevent fraud, misconduct, infringements or other violations of legal rights and obligations;
to manage disputes and complaints, i.e. compensation claims, and to ensure compliance with legal obligations that AFRY are otherwise subject to.

5.3 Routines for storage and erasure

AFRY will store the personal data as long as required

to fulfil the agreement which we have with you or your employer during the agreement period and shortly thereafter e.g. to ensure that all fees, tasks and resources are correctly allocated;
to fulfil the purpose for which the data was initially collected, e.g. to ensure that we buy sufficient type and amount of services all the time;
by applicable laws, e.g. regarding accounting;
to be able to efficiently respond to possible claims from clients, business partners or similar which may arise during the contractual relationship and the applicable statutory period after the assignments where you have worked have been completed;
by our internal policies e.g. regarding data security, ethics and compliance and data management e.g. in case of access and facility control only for a very limited amount of time needed to ensure the security of our premises.

6. Shareholders

7. Visitors to our website afry.com

7.1 Categories of personal data concerned

Cookies give us information on your IP address and how and when you have used the website such as market site selection, AFRY web pages visited, etc.

Back-ups: AFRY.com is backed-up regularly.

Please see more about our use of cookies in How we use cookies.

7.2 The purposes and legal basis of the processing activities

Each company of AFRY Group processes personal data received on their own website as a data controller. Further, each company of AFRY Group processes personal data of website visitors as a separate data controller when co-operation with the said visitor is needed.

AFRY processes the personal data due to its legitimate interest, e.g. in case you want to gain access to specific content, attend a hosted event, respond to a survey, or request communications about specific areas of interest. Regarding the legitimate interests mentioned, AFRY has evaluated that the risk for the individual is less significant than the advantage for AFRY when processing this data, e.g. because no sensitive data is processed based on this purpose and because the processed data as well as the access rights are limited to the amount and type strictly necessary.

We may also process your personal data to send you promotional materials or communications regarding services provided by entities within the AFRY Group that we believe may be of interest to you. Your consent for such marketing will be asked separately when you provide your personal information. You may at any time request that we discontinue sending you emails or other communications generated in response to your provision of personal information.

7.3 Routines for storage and erasure

AFRY will store the personal data as long as required

to fulfil the purpose for which the data was initially collected, e.g. regarding some essential cookies: during one session which the visitor browses in afry.com;
by our internal policies e.g. regarding data security, ethics and compliance and data management, e.g. back-ups will be stored for a relatively short amount of time to ensure the data security of afry.com.