for Business Partners and their representatives

Welcome! 

In this privacy policy we describe how we comply with the General Data Protection Regulation (GDPR) when we process personal data of our business partners and their representatives.  With this term we mean the people who do business with us as sole traders, or are employed by or otherwise work for or through a company that conducts business with us.

If you do not belong to this category, you will find the relevant information concerning your case in connection to where this privacy policy is available.

‍

Data Controller

We operate all over the world, but we are domiciled in Sweden. Our name, corporate ID-number, physical address and e-mail is: Bambuser AB (org. nr 556731 - 3126) Regeringsgatan 55, 111 56 Stockholm, Sweden. 

e-mail: info@bambuser.com 

For the sake of clarity, the terms “we, us, our” etc. in this privacy policy always refer to this company.

‍

Data Protection Officer

Of course we have a DPO. To get in touch, send an e-mail to: dpo@bambuser.com or write a letter to the address stated above.

‍

Legal ground 

The link between us and all of our Business Partners and their representatives is business. Regardless of what our business with you is about, it is based on a contract. That contract has either been concluded directly with you, or with the company that you represent.

This in turn means that from the GDPR point of view, if the contract is concluded with you as a sole trader, our legal ground for processing your personal data is to enter into and to perform that contract. And, if the contract is concluded with the company you represent, our legal basis for processing your personal data is both our and that company's legitimate interest in entering into and fulfilling the contract. Since you would not be able to perform your professional role if we did not process the personal data in question, we consider that the processing does not violate your fundamental rights and freedoms. The balancing test between our legitimate interest and your fundamental rights and freedoms is therefore in favour of the processing.

‍

Purpose for processing and categories of data

We have two purposes for processing your personal data. Firstly, to ensure that a proper and binding contract is drawn up. Secondly, to ensure that both we and our contractual partner receive and perform what has been agreed, in the manner agreed.

The categories of personal data that we process in order to fulfill these purposes are name, professional role and contact data; invoicing and payment data; log-in information, on-boarding and support questions,  and videos or pictures you choose to provide in our Services.

Exactly what data is processed in your case depends on your professional function.
‍

You can read more about how we process the data and what different categories of data we will process here.

‍

Tools/suppliers we use that have the possibility to store personal data and how we use them.

We use TrueDepth to identify the app user's face with the front camera, in order to be able to add a virtual background during the video call. We do not store or transfer any frames/images or videos to TrueDepth when doing this. 

‍

Camera surveillance at our Swedish office

If you visit us in Stockholm, we want you to know that our entrance doors are under camera surveillance. 

The reason for this processing is to prevent and investigate crime and unathorized access. The legal ground is our legitimate interest in keeping our office safe from undesired visits. Since the scope of processing is very narrow and you would be an invited and desired guest if you should visit us, the balancing test shows that the processing does not violate your fundamental rights and freedoms and that our legitimate interest carries more weight. Thus, the indicators are in favour of the processing. The video is deleted after 12 months, unless it is part of an ongoing investigation. 

We present this as a separate point, because it concerns a completely different subject matter compared to all other processing in our relation.

‍

We only share your data with those we have to

We do not sell your personal data, nor do we give it away. We only share it with our processors. They are necessary to keep the technique rolling, which we need in order to keep our business rolling. Our processors do not use your personal data for any purpose of their own. This is governed by the data protection agreement that we always establish with our processors. If governmental or other authorities ask for your data, we only share it if there is a legal obligation to do so. 

‍

Retention period

We store your data as long as we do business with each other, which hopefully is a very long time. Should the business relation be discontinued, for one reason or another, we will keep financial and contractual data for ten years. There are two reasons for this length of period. First, according to Swedish accounting laws, documentation regarding financial transactions must be kept for seven years. Secondly, the statute of limitations in Sweden says ten years for business-to-business relations. The data in your Bambuser Live Video Services account will be deleted thirty days after termination of contract.

‍

Your rights

You are always free to get in touch with us and ask what personal data we have about you. You may ask for their rectification or erasure, that the processing should be restricted or ceased and that your data should be transferred to somebody else. We will do what you ask us to do, provided that no other laws or rules prevent us. In any case, we will get back to you and reply to your demand and we will tell you what measures we have taken and on what grounds. We use automatic reply functions, but no automated decisions and no profiling

‍

Transfers to third countries

We keep the maximum of our personal data processing within the EU/EES, but this is not always possible. If it is necessary, either in order to enter into the contract with you or to perform according to its provisions, then we may transfer data to third countries. For the same reasons, it may also be necessary to store data in third countries. The legal ground for such transfers is either article 49.1(b) GDPR , if the contract is concluded directly with you, or article 49.1(c) GDPR if the contract is concluded with the company you represent. In the latter case, we consider that the agreement is concluded in your interest, as you would lose professional functions without this agreement. 

Just to clarify, if we have concluded a data protection agreement (DPA) with you or the company you represent, then that DPA decides how the personal data we process on your behalf is handled. Because if we are bound by a DPA, then we are your processor in that relation which means that this privacy policy does not at all apply there. 

About changes to this privacy policy

This privacy policy is a dynamic document, which means that it will change if the way we do business changes. Should this happen, then the new privacy policy will replace the old one with immediate effect. Since it can neither be considered to be a legal obligation nor meaningful in any other way, we will not communicate such a change of privacy policy in any other way than to publish the new privacy policy here. 

‍

The right to lodge a complaint

We believe that the way we process personal data complies with the GDPR. Should you be of another opinion, we would appreciate it if you tell us what you believe is wrong. You are also free to lodge a complaint with the Swedish supervisory authority, Integritetsskyddsmyndigheten, IMY. If it is more convenient to you, you may lodge your complaint with another supervisory authority. 

‍

This privacy policy was last updated on the 25th of October, 202.