GDPR – your privacy

Your privacy is important for us at Vasakronan. On this page, you will find information about Vasakronan’s processing of personal data.

When you provide your personal data, you are placing your trust in us. We take this seriously. It is important for us that you feel comfortable with how we process your personal data. On this page, you can find information about which parts of your personal data we process, why we process it, how we process it, the lawful basis we have for processing it and how long we save your data.

Our main principles

Vasakronan AB (publ), Corp. Reg. No. 556061-4603, (“Vasakronan”) is the controller for all wholly owned subsidiaries that are part of the Vasakronan Group. In the processing of personal data, Vasakronan complies with General Data Protection Regulation (GDPR) and other supplementary data protection rules.

Vasakronan has an internal privacy policy, based on the GDPR and other data protection rules. The internal privacy policy applies to all of the Vasakronan Group’s operations and all of its employees. Vasakronan also has a register containing all of the Group’s personal data processing. If you require additional and/or more specific information in addition to what is stated on this page, you are welcome to contact us.

This information applies in general. In some cases, more specific information is provided in a separate contract or in another manner for other forms of involvement with the Vasakronan Group. Such information is intended to supplement, and where appropriate, amend the information below. You can find directed information under the separate headings below.

Data Protection Policy

Direct access to:

Tenants/customers, suppliers and partners

Other offers

If you contact us regarding other matters

Are you in our register?

Contact information

Tenants/customers, suppliers and partners

Collection

The personal data processed by Vasakronan is often collected from you directly in conjunction with a contract being signed or through some other contact with the Vasakronan Group.

Vasakronan will also collect personal data from your employer, bank or credit reference agency if you, for example, sign a lease with us. To ensure that information is updated, Vasakronan also continuously collects personal data from generally available sources, such as from public and private registers. Vasakronan may also collect personal data from generally available sources, such as public and private registers, to obtain information both of a general and of a specific nature regarding potential tenants, stakeholders and other partners.

Categories of personal data

The personal data relating to you that we process includes your name, contact details such as phone number, address and e-mail address, personal identity number (if required for secure identification), IP address, corporate registration number, financial status, location information, account information and any other data in accordance with what is stated in applicable agreements or information.

Purposes

The main purpose of Vasakronan’s processing of personal data, such as contact details, is to be able to meet its obligations and exercise its rights in accordance with agreements, to take measures requested before or after an agreement has been signed, and to meet the requirements placed on Vasakronan by law, other regulations or rules and official decisions.

Other purposes include maintaining ongoing management and maintenance of premises and properties, which includes maintaining communication with contacts at the tenants’ premises.

We use contact information to communicate news or other important information such as safety messages in or around our properties and to process matters and troubleshooting in general.

In certain cases, if so required, personal data is processed to exercise legal claims.

Lawful basis

The lawful basis for processing personal data is, in many cases, that the data is necessary to fulfil a contract that you are party to or to take action at your request in conjunction with or before signing such a contract.  If the contracting party is an individual firm or private person, the contract itself provides the lawful basis for the processing.

It is with the support of legitimate interests that personal data concerning representatives or contact persons is processed to administer the contracts that Vasakronan has with other legal entities.

A lawful basis for processing is also to meet legal obligations or protect Vasakronan’s legal interests in accordance with, for example, the act on renting of own property or the bookkeeping act. Additional purposes and lawful bases can be stated through specific information or contracts. For more information, refer to the corresponding heading.

Provision of data

Personal data is provided to other companies with whom the Vasakronan Group collaborates, within and outside the EU and EEA. Personal data may also be provided to government agencies to which companies in the Vasakronan Group are obliged to submit data.

For more information about the categories of company that process the different types of personal data and any transfers to a third country, refer to each specific heading below. If Vasakronan provides your data to recipients outside the EU and the EEA, appropriate security measures are taken to ensure that your rights and freedoms are protected by, for example, entering into standard contractual clauses or another measure in accordance with the applicable contract terms and conditions and the applicable data protection rules at any given time. Refer to the information under each headline.

Vasakronan shares contact information with Vasakronan’s suppliers through a Customer Relationship Management system, Microsoft Dynamics, which uses cloud services to provide its services – which currently entails transferring data to the US. According to a decision from the European Commission, the US has an adequate level of security for personal data.

Vasakronan also shares names, e-mail addresses and, as necessary, personal identity numbers with our electronic signature supplier, Scrive AB. Services from Scrive AB use the Amazon Web Services cloud service, which transfers data to the US. According to a decision from the European Commission, the US has an adequate level of security for personal data.

Deletion of data

Your personal data will not be stored for a time longer than necessary for the purpose for which it is used. This means, for example, that personal data is stored as long as agreements, other commitments or legal requirements pertaining to you are applicable. Additionally, personal data may be stored for marketing purposes, statistics, market and customer analyses, etc., for a period of up to two years after the end of the contractual relationship. If we do not have any ongoing contract with you, and have not had any contact with you for a period of one year, Vasakronan will delete your personal data. Vasakronan has specific deletion procedures for personal data processing. The procedures are described in Vasakronan’s register.

Particular for Vasakronan’s residential tenants

Fastighetsägarna Sverige AB (the Swedish Property Federation) has prepared a guiding document concerning the processing of personal data in the lettings market. Vasakronan complies with these and regards them as good practice in the market. The guidelines are available on the Swedish Property Federation’s website: www.fastighetsagarna.se

Vasakronan’s external housing managers (Savills Förvaltning AB in Stockholm, Fastighetssnabben AB in Uppsala and Lifra AB in Malmö) receive personal data regarding residential tenants. Vasakronan has sighed data processor agreements with all external housing managers.

Camera surveillance

Vasakronan processes images and films within the context of camera surveillance in and around Vasakronan properties. Passers-by in the areas that are under surveillance are included in the processing. Vasakronan’s purpose of camera surveillance is to maintain order, safety and security, to support legal claims and to prevent or detect crime and accidents. The lawful basis for all camera surveillance is a legitimate interest according to a balance of interests. This assessment has been documented in a register that covers every camera in Vasakronan’s property portfolio. As a rule, camera footage is deleted after 30 days.

The recipients of camera surveillance footage comprise Vasakronan’s partners and, in case of incidents, insurance companies and authorities tasked with preventing or detecting crime and/or accidents.

Vasakronan follows the Swedish Authority for Privacy Protection’s guidance for camera surveillance, www.imy.se.

Access systems

Vasakronan processes personal data, including name and/or location information, during visits and access to shared spaces as well as in the case of visits to tenants’ premises for the primary purpose of replacing physical keys. Data is also processed in order to perform technical maintenance and troubleshooting, or to exercise a legal claim if a property has experienced disturbances, damage or ongoing extensive theft. The purpose behind visitor registration, in addition to safety and security, is to maintain statistics regarding premises and properties, and to optimise their use and operation. The legal grounds for visitor registration and access systems also comprises a legitimate interest for Vasakronan to process the personal data according to a balance of interests.

To prevent undue infringements of personal privacy, access to and use of the log is generally limited. As a general rule, Vasakronan’s entry and visitor systems are deleted after a maximum of two weeks.

Those included in the processing are employees/tenants of Vasakronan, visitors to Vasakronan, Vasakronan’s customers and suppliers.

Vasakronan’s entry system suppliers, primarily Accessy, comprise the recipients of entry data. Accessy uses the Microsoft Azure cloud service, which transfers data to the US. According to a decision from the European Commission, the US has an adequate level of security for personal data.

Vasakronan has conducted an impact assessment regarding data processing within the framework of the visitor and access systems.

ID06 and construction site checks

Personal data, in the form of name and time of entry and exit, are processed through the use of the ID06 system at workplaces where Vasakronan maintains electronic personnel registers. The lawful basis for the processing is legal obligation.

The Swedish Tax Agency can request this data.

Sensor data

Vasakronan also collects personal data in the form of IP and MAC addresses as well as attendance and location information within and around the properties from suppliers that provide sensors/meters, cloud services and similar systems in and around Vasakronan properties.

Vasakronan processes this personal data with the aim of providing Wi-Fi, analysing attendance and footfall, and managing bookings of resources. Location information is also used to provide visitor registration and reception services, and to optimise and streamline service offerings, resource utilisation, resource distribution and property operations.

Vasakronan’s supplier partner is Idun Real Estate Solutions AB, Corp. Reg. No. 559016-1245, for the above purposes and the parties have signed a processor agreement. Idun Real Estate Solutions AB uses Microsoft Azure to provide its services, which means data is transferred to the US. According to a decision from the European Commission, the US has an adequate level of security for personal data.

Other offers

Arena and Sergel Conference

Vasakronan processes personal data, such as contact information, employees and representatives for the companies that are customers (members or event guests) at Arena or Sergel Conference. This is to, for example, fulfil and administer contractual rights and obligations. Personal data required to administer contracts with legal entities is processed with a balance of interests as the lawful basis. If the contracting party is an individual firm or private person, the contract is based on the lawful basis for the processing.

Other purposes include maintaining ongoing management and maintenance of premises and properties, which includes maintaining communication with contacts at the companies that are Arena or Sergel Conference customers. Through Vasakronan’s system suppliers in Wi-Fi passwords, access management, resource bookings and resource optimisation, Vasakronan also processes personal data on a consolidated basis to offer services to Arena or Sergel Conference members’ users and tenants’ employees as well as to visitors and event guests.

Vasakronan can process personal data on a consolidated/aggregate level through our supplier Accessy AB in order to invoice in accordance with actual resource utilisation. In the event that Vasakronan, within the framework of the latter purpose above, shares personal data with Arena or Sergel Conference members, the Arena or Sergel Conference member company in question will have responsibility for this personal data after receiving it.

If you are invited to Arena in the capacity of a visitor, Vasakronan processes your contact information to administer your visit, mainly to provide you with access to Wi-Fi and the premises, and to process communication between us with a legitimate interest as a lawful basis.

Vasakronan collaborates with Flowpass AB to provide a platform whereby businesses can book meeting rooms and purchase day passes (“day passes”) to an Arena via Flowpass’s digital platform. The parties are separate personal data controllers for the processing of personal data within the framework of the collaboration. Resources, services and goods can be invoiced through the app, in which case the user’s name is processed as a reference. Vasakronan’s suppliers for payment services are Svea Bank AB and Payer Financial Services AB. For this transaction, the legal basis is fulfilling Vasakronan’s legal obligations and, if necessary, exercising a legal claim.

Spaceflow mobile and web application users

Vasakronan offers its customers and those who work at Vasakronan’s properties a service in the form of a mobile and web application called Spaceflow, referred to below as a “customer app.” As a user, under certain conditions you have the right to request and transfer your personal data from the customer app. The data processed in the customer app includes your name, e-mail address and phone number. If you so choose, you can add information such as job and interests. Vasakronan is the controller and has a processor agreement with Spaceflow that includes the following purposes, where processing is based on legitimate interests:

  • Registering event guests’ bookings via Spaceflow since the name of the booking party is processed as a reference for the booking.
  • Communication between Vasakronan and the user. This can include, for example, information about what’s happening at the property and in the surrounding area. It can also pertain to suggestions that users can choose to send to Vasakronan via the customer app. Communication between active users in a community is also included. “Community” here refers to voluntary participation in a network of people working in the same property or area.
  • Marketing and offers of services related to Vasakronan, Vasakronan Arena, the property and the area, offered by Vasakronan and/or other parties.
  • Offers and the provision of services from Vasakronan’s business partners and third-party providers. This includes, but is not limited to, access to Wi-Fi, visitor management and access to spaces within Vasakronan’s properties as well as booking resources, goods, services and day passes within Vasakronan Arena, conference arrangements, etc., concierge services and other services available at any given time for customers and/or individuals who work at Vasakronan’s properties. Examples of system suppliers who use personal data, and who have signed processor agreements with Vasakronan, within the framework of these purposes include Netgraph AB, Accessy AB and Flowscape AB.
  • Analysis of how resources are used for the purpose of optimising the property’s use and operation to meet Vasakronan’s and the users’ needs and interests as well as to improve energy efficiency.

Other tasks can be managed in the customer app, such as reporting faults, where the personal data provided in order to handle the case is processed. Tasks are processed in order to fulfil and administer rights and obligations pursuant to leases and member contacts for co-working operations at Vasakronan Arena. The legal basis in these cases are legal obligations and legitimate interests for Vasakronan in its capacity as a property owner and co-working actor.

Orders of resources, services and goods can be invoiced through the app, in which case the user’s name is processed as a reference. Vasakronan’s suppliers for payment services are Svea Bank AB and Payer Financial Services AB. For this transaction, the legal basis is fulfilling Vasakronan’s legal obligations and, if necessary, exercising a legal claim.

Vasakronan shares user personal data with Spaceflow s.r.o., Corp. Reg. No.: 11397230 and with the Group that Spaceflow belongs it, owned by Hydda AB, Corp. Reg. No. 556761-8961, in order for them to develop their services. In this processing, Spaceflow (either alone or together with each company in the Hydda Group) is the controller. You can find Spaceflow’s Terms of Use and Privacy Policy on their website Privacy policy | Spaceflow and in the customer app.

Spaceflow uses the Microsoft Azure cloud service, which transfers data to the US. According to a decision from the European Commission, the US has an adequate level of security for personal data.

If you would like more information about processing personal data within the framework of the customer app, please contact us. If you use a service in the customer app or Spaceflow that is not provided directly by Vasakronan, the information provided by the respective service provider applies.

Customer Portal

Vasakronan offers tenants within the Vasakronan Group’s property portfolio and members of Vasakronan Arena a customer portal in the form of a web app called the Customer Portal. In the Customer Portal, Vasakronan processes personal data such as contact information for tenants’ and members’ representatives and contact persons to fulfil and administer rights and obligations pursuant to leases and member contacts. The purposes are also to provide membership services for Vasakronan Arena along with news, and property information and services as well as to communicate with contact persons and representatives.

For members and event guests, the purpose is also to allow contact persons to familiarise themselves with their member contracts, administer additional contact persons and members’ invoice information, terminate and sign new agreements and/or leases for Arena offices and to invoice members.

For tenants, the purpose is also to administer leases and rent invoices. The Customer Portal is used for managing cases such as reported faults and providing statistics on reported cases where the personal data provided in order to handle the case is processed.

For event guests, the purpose is to invoice correctly and to administer contact information.

Personal data required to administer contracts with legal entities is processed with a balance of interests as the lawful basis. If the contracting party is an individual firm or private person, the contract is based on the lawful basis for the processing.

The Customer Service is based on a cloud service from Microsoft Azure. In accordance with the agreement between Vasakronan and Microsoft, personal data is transferred to the US. According to a decision from the European Commission, the US has an adequate level of security for personal data.

Bicycle services

Vasakronan processes personal data such as name, address, e-mail, telephone number, invoicing and payment information, and social security number (where applicable), for members and, in the event that members are companies, members’ employees and representatives to fulfil and administer rights and obligations pursuant to member contracts. Other purposes include providing membership services, which includes communication with the members of the concept and, if the member is a company, contact persons and representatives for the concept’s members.

Vasakronan shares personal data with Vasakronan’s operator Bikepath AB, Corp. Reg. No. 559351-5314, which administers membership, access and lockers. These purposes are conducted with a legitimate interest as a lawful basis. Bikepath AB uses systems from the supplier Fortnox AB, Corp. Reg. No. 556469-6291, for invoicing. Bikepath AB also uses administration systems supplied by Microsoft and storage systems supplied by Google Drive. Microsoft and Google are considered to involve the transfer of personal data to the US. According to a decision from the European Commission, the US has an adequate level of security for personal data.

Moreover, Bikepath AB processes names, email addresses and, where applicable, social security numbers with its supplier for electronic signing, Scrive AB. Services from Scrive AB use the Amazon Web Services cloud service, which transfers data to the US. According to a decision from the European Commission, the US has an adequate level of security for personal data.

Personal data required to administer contracts with legal entities is processed with a balance of interests as the lawful basis. If the contracting party is an individual firm or private person, the contract is based on the lawful basis for the processing.

Studio Sergel

Vasakronan processes personal data such as contact information for employees and representatives to fulfil and administer rights and obligations concerning bookings of the Studio Sergel concept. Other purposes include processing and marketing the services that are part of the concept, which comprises communication with stakeholders and contact persons and representatives for organisation that use Studio Sergel. Vasakronan shares personal data with our partner and operator MKTG, who processes the administration and operations of Studio Sergel. These purposes are conducted with a legitimate interest as a lawful basis.

Personal data required to administer contracts with legal entities is processed with a balance of interests as the lawful basis. If the contracting party is an individual firm or private person, the contract is based on the lawful basis for the processing.

Marketing

If you submit contact information (name, telephone number, e-mail address) using the form on Vasakronan’s website, or approve the cookies, this information will be used to contact you to inform you about Vasakronan’s services and offering, as well as to conduct customer research, analysis and product development and to invite you to seminars and similar events.

Vasakronan processes personal data for marketing purposes, statistics, system testing, market and customer analyses, all to provide an overall view of Vasakronan’s customer involvement and satisfaction. In addition, personal data is processed to analyse information about existing and potential tenants, stakeholders and other partners. This processing takes place using a balance of interests as a lawful basis. Images and/or films may be processed such as at events, advertising, communication and marketing through, for example, sending e-mails, digital information signs in properties or in Vasakronan’s mobile applications and on its website.

Vasakronan shares your contact information with Vasakronan’s partners, such as advertising firms and suppliers, when issuing press releases.

Vasakronan’s supplier of systems for marketing, sales and customer service purposes, Hubspot, uses sub-processors as listed on their website HubSpot Sub-Processors Page. According to a decision from the European Commission, the US has an adequate level of security for personal data.

Vasakronan shares your contact information with LinkedIn, Instagram and Facebook if you submit it through forms on these channels. These channels are owned by US companies, which means that personal data is transferred to the US. According to a decision from the European Commission, the US has an adequate level of security for personal data.

If personal data is collected and used for marketing or direct marketing purposes, Vasakronan follows applicable legislation and what is considered to be good practice. Personal data can be used for the marketing of Vasakronan’s own services or those of another party that are closely related to the contractual relationship. In this case, good practice refers to Swedish Data & Marketing Association’s (SWEDMA) rules prepared in collaboration with the Swedish Authority for Privacy Protection.

Cookies

Vasakronan processes online identifiers, such as IP addresses, MAC addresses or the equivalent that are supplied by website visitors. If you would like more information about how Vasakronan processes cookies in conjunction with visiting our website, refer to our Cookie Policy (swedish).

If you contact us regarding other matters

Even if you do not have a contractual relationship with Vasakronan, contact can be made by Vasakronan or yourself through, for example, e-mail regarding various issues or matters. Depending on the reasons for this contact, the personal data you provide during this contact will be stored by Vasakronan for the time that is necessary to manage the issue or matter. In the event any such case arises and insofar as possible, this will be made immediately clear upon contact with Vasakronan. If you would like more detailed information or would like to have any personal data erased, see the link and contact information below.

If you believe that Vasakronan has acted wrongly in relation to your personal data, you can contact the Swedish Authority for Privacy Protection www.imy.se.

Do you want to receive, move or erase your information or withdraw previously given consent?

Using the link below, you can request information about how Vasakronan processes your personal data. When Vasakronan has confirmed your identity and checked whether we are storing your data, you will receive an extract from our register. After this, you may request changes, relocation or removal or your data. You can also withdraw consent provided earlier, Click here

Are you a processor?

Are you a processor in relation to Vasakronan and want to report a personal data breach?

Click here for assistance

Do you have other questions related to Vasakronan and GDPR?

Please feel free to contact Linus Lindström.

Linus Lindström
CTO
073-342 27 55 · 08-566 207 55