GDPR Compliance Policy

Adcyma AB (“we,” “us,” “our”) is committed to ensuring the privacy and protection of personal data. This policy outlines our approach to data protection and sets out the principles we follow to ensure our services comply with the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. This policy applies to all personal data we process in connection with our identity and access management (IAM) services.

1. Scope

This policy applies to the personal data we process about our customers, website visitors, users of our services, and any third parties whose data we manage. It applies to all employees, contractors, and third-party providers of Adcyma AB who have access to personal data.

2. Data Protection Principles

We adhere to the following principles in relation to the processing of personal data:

  • Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Data Minimization: Personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
  • Accuracy: Personal data must be accurate and kept up to date. Inaccurate personal data must be rectified or deleted without delay.
  • Storage Limitation: Personal data must not be kept for longer than is necessary for the purposes for which the personal data are processed.
  • Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.

3. Lawful Basis for Processing

We ensure that personal data is processed only when there is a lawful basis for doing so. The lawful bases for processing personal data may include:

  • Consent: When individuals, or representatives of companies acting on behalf of individuals, have given clear consent for us to process personal data for a specific purpose.
  • Contractual Obligation: When processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.
  • Legal Obligation: When processing is necessary to comply with a legal obligation.
  • Legitimate Interests: When processing is necessary for our legitimate interests or the legitimate interests of a third party, except where such interests are overridden by the rights and freedoms of the data subject.

4. Data Subject Rights

Under the GDPR, individuals have certain rights regarding their personal data. We ensure that data subjects can exercise the following rights:

  • Right to Access: Individuals can request access to their personal data and obtain information about how it is processed.
  • Right to Rectification: Individuals can request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Individuals can request deletion of their personal data under certain conditions (“Right to be Forgotten”).
  • Right to Restrict Processing: Individuals can request the restriction of processing of their personal data in certain circumstances.
  • Right to Data Portability: Individuals can request to receive their personal data in a structured, commonly used, and machine-readable format.
  • Right to Object: Individuals can object to the processing of their personal data for certain purposes, including marketing.
  • Rights in Relation to Automated Decision-Making and Profiling: Individuals can request human intervention when automated decisions are made about them.

5. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks posed by the processing of personal data. These measures include:

  • Encryption: Personal data is encrypted both in transit and at rest.
  • Access Control: Access to personal data is restricted to authorized personnel only.
  • Data Breach Procedures: We have procedures in place to detect, report, and investigate personal data breaches.

6. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law. Once the retention period has expired, personal data is securely deleted or anonymized.

7. Third-Party Processors

Where we engage third-party service providers to process personal data on our behalf (subprocessors), we ensure that they comply with GDPR standards through data processing agreements. We remain responsible for the processing of personal data by our subprocessors.

Visit www.adcyma.com/agreements/subprocessors for more information about our subprocessors.

8. International Data Transfers

If personal data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place to protect the data, such as:

  • Standard contractual clauses approved by the European Commission.
  • Transfers to countries that have been deemed to provide an adequate level of data protection by the European Commission.

9. Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority without undue delay, and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach poses a high risk to individuals, we will also notify the affected individuals without undue delay.

10. Accountability

We maintain documentation of all processing activities, including the categories of personal data processed, the purposes for processing, and the recipients of personal data. We also conduct data protection impact assessments (DPIAs) when necessary to ensure that new or significantly changed processing activities comply with GDPR requirements.

11. Training and Awareness

We provide regular data protection training to all employees and contractors who handle personal data. This training covers GDPR principles, data subject rights, and security procedures.

12. Changes to this Policy

We may update this GDPR compliance policy from time to time to reflect changes in legal requirements or our practices. Any changes will be posted on our website, and where appropriate, we will notify you of significant changes by email.

13. Contact Information

If you have any questions about this GDPR Compliance Policy or wish to exercise your rights, please contact us:

Effective Date: 2024-09-22

Last Updated: 2024-10-13
