Privacy policy
Last updated: July 4, 2023
LBE Privacy Policy
Why and for whom?
At Luthman Backlund Foods Europe AB, organization number 559236-4318, ("LBE", "we", "us", "our") we care about privacy. This means that we respect and safeguard your privacy and your right to control and transparency in the processing of your Personal Data.
This Privacy Policy ("the Policy") is applicable to the processing operations for which LBE is the Data Controller. The Policy describes in general terms the purposes for which we need your Personal Data, the legal basis we rely on and the measures we take to protect Personal Data. We also provide information on how to exercise the rights you have in relation to our processing of your Personal Data.
The policy informs you about our handling of Personal Data in cases where you communicate with us, purchase our products or visit our website www.nicks.se.
Definitions
"Processing" of Personal Data is anything that can be done with a Personal Data, e.g. storing, modifying, reading, disclosing, etc.
"Applicable law" is the legislation applicable to the processing of Personal Data, including the General Data Protection Regulation (GDPR), supplementary national legislation, as well as practices, guidelines and recommendations issued by a national or European supervisory authority.
"Personal Data" is any information that can be linked to an identifiable, living person.
"Data controller" is the company/organization that decides for what purposes and in what way the Personal Data is to be processed and is thus also responsible for ensuring that Personal Data is processed in accordance with Applicable Law.
"Data Processor" is the company/organization that processes Personal Data on behalf of the Controller and may therefore only process the Personal Data in accordance with the Controller's instructions and Applicable Law.
"Data Subject" means the living, natural person whose Personal Data is processed.
"Product" is Food Products.
LBE's personal data responsibility
The information in this Policy covers the Processing of Personal Data for which LBE is the Data Controller, i.e. the Processing for which we determine the purposes (why a Processing is done) and means (in what way, what Personal Data, for how long, etc.). The policy does not describe how we process personal data in our role as Data Processor - i.e. when we process personal data on behalf of our customers.
We sell food products (e.g. chocolate, protein bars or sweeteners) through e-commerce. We therefore need to process your personal data in order to send out the goods you have ordered. We may also use your personal data for marketing purposes by sending out offers and information.
LBE's processing of personal data
We have a responsibility to describe and demonstrate how we comply with the requirements placed on us when we process your Personal Data. This section aims to give you an understanding of the types of personal data we process about you and for what purposes.
Data subjects and retention period
The intended recipients of this Policy are the following groups, whose Personal Data we store in accordance with the criteria below.
-
Potential customers The personal data of potential customers will be stored for the time necessary to determine whether they wish to enter into a contract.
-
Customers Personal data of customers will be stored for the time necessary to deliver products and fulfill legal obligations, such as handling complaints.
Processing and purposes
The main purpose of the personal data processing we carry out is to provide, perform and improve our services to you. There are several reasons why we may need to collect, process and store your data.
We mainly process personal data for the following purposes:
-
Contact and identification data to confirm your identity, verify your details and communicate with you
-
Information about your use of the service or product to improve your customer experience
-
IP address to perform customer analytics and to present content on our site effectively to you and the device you are using
-
Payment information to be able to offer, for example, direct debit and other payment methods
How do we access your personal data?
We collect your personal data in a number of different ways. First, we get access to your personal data:
-
By you providing us with your personal data yourself
-
Through social media e.g. Facebook
-
Through third party analytics technology e.g. cookies
Legal bases
In order for us to be able to process your personal data, we must have a so-called legal basis for the respective processing. In our business, we process your personal data mainly on the following grounds:
Consent - LBE processes your Personal Data after we have received your consent to Processing. Information about the processing is always provided when we ask for consent.
Agreement - The processing is necessary for us to fulfill obligations in a contract between us or to prepare for entering into a contract with the Data Subject.
Balancing of interests - LBE may process personal data if we have assessed that there is a legitimate interest that outweighs the Data Subject's protection of personal privacy and if the Processing is necessary for the purpose in question, e.g. in direct marketing.
If you would like further information about the legal basis(s) for which we process your personal data, you always have the right to request a so-called register extract. Read more under "How to exercise your rights" below.
Your rights
You are the controller of your Personal Data. We always strive to ensure that you can exercise your rights as efficiently and smoothly as possible.
Right of access - You always have the right to receive information about the Personal Data processing that concerns you in a so-called register extract. The register extract shows, among other things, which of your personal data we have stored and for what purposes and on what legal basis. We will only disclose information if we have been able to ensure that it is actually you who is asking for the information.
Rectification - If you discover that the personal data we process about you is incorrect, contact us and we will fix it!
Erasure - Do you want us to forget you completely? You have the right to request the erasure of your Personal Data when it is no longer necessary for the purpose for which it was collected. If we are required to retain your data by law or a contract we have entered into with you, we will ensure that it is processed only for the specific purpose stated in the law or contract. We will then ensure that the data is deleted as soon as possible.
Objection - Do you disagree with us that our interest in processing your Personal Data outweighs your interest in privacy? No problem - in that case, we will review our balancing of interests and check that it still holds. We will, of course, take your objection into account when reassessing whether we can still justify our Processing of your Personal Data. If you object to direct marketing, we will delete your Personal Data immediately without reviewing our assessment.
Restriction - You can also ask us to restrict our Processing of your data:
-
While we are processing a request from you for any of your other rights.
-
If, instead of requesting erasure, you want us to indicate that the data should not be processed for a specific purpose. For example, if you do not want us to send you advertising in the future, we still need to keep your name to know not to contact you.
-
In cases where we no longer need the data for the purpose for which it was collected, provided that you do not have an interest in us keeping the data in order to pursue a legal claim.
Data portability - We can provide you with the data you have provided to us or that we have received from you in the context of entering into a contract with you. You will receive your data in a commonly used and machine-readable format which you can then take with you to another Data Controller.
Withdrawing consent - If you have consented to one or more specific processing(s) of your Personal Data, you have the right to withdraw your consent at any time and thus ask us to cease the Processing immediately. Please note that you can only withdraw your consent for future Processing(s) of Personal Data and not for any Processing that has already taken place.
How to exercise your rights
Contact us at support.eu@nicks.com and we will assist you or go to: https://nicks.se/pages/din-data
Transfer of Personal Data
In order to conduct our business, we rely on others to process Personal Data on our behalf, known as Processors. We always strive to process personal data within the EU/EEA but have Data Processors in the following countries outside the EU/EEA
-
The United States, to which we transfer personal data under the European Commission's standard contractual clauses for third country transfers.
We have entered into Data Processing Agreements (DPAs) with all our Data Processors. The PUB agreement regulates how the Processor may process the Personal Data and what security measures are required for the Personal Data processing.
We may also need to provide your Personal Data to certain designated authorities to fulfill obligations under law or government decisions.
Our categories of Processors
Below are categories of recipients with whom we may share your data:
-
Suppliers of marketing services, e.g. advertising agency for the development of campaigns or supplier for help with mailings by mail or email.
-
Systems to conduct customer analysis and produce statistics to contribute to industry statistics and to improve the customer experience.
Security and safety
LBE has taken appropriate technical and organizational measures to ensure that your Personal Data is processed securely and protected from loss, misuse and unauthorized or unlawful access. Where your Personal Data is shared with Processors, your Personal Data will receive equivalent protection.
Our security measures
Organizational security measures are measures that are implemented in working methods and procedures within the organization. Our organizational security measures are:
-
Internal governing documents (policies/instructions)
-
Login and password management
Technical security measures are measures implemented through technical solutions. Our technical security measures are:
-
Encryption
-
Pseudonymization
-
Access log
-
Secure network
-
Firewall
-
Two-step verification
If we do not keep our promises
If you feel that we are processing your Personal Data incorrectly, even after you have brought this to our attention, you always have the right to lodge your complaint with the Data Protection Authority.
More information about our obligations and your rights can be found on the website of the Authority (https://www.imy.se/).You can also contact the Authority at imy@imy.se.
Changes to this policy
We reserve the right to make changes to this Policy. Where the change affects our obligations or your rights, we will inform you of the changes in advance so that you have the opportunity to consider the updated policy.
Contact us
Please contact us if you have any questions about your rights or if you have any other questions about how we process your personal data: support.eu@nicks.com