The Swedish Club Privacy Policy

The Swedish Club, a legal entity incorporated in Sweden with company registration number 557206-5265 and address Box 171, 401 22 Göteborg, is responsible (data controller) for the processing of your personal data as described in this Privacy Policy.

You may contact The Club by sending an email to dataprivacy@swedishclub.com, or by sending mail to The Swedish Club, Box 171, 401 22 Göteborg, should you have any data privacy related questions or should you wish to exercise any of your rights according to GDPR, including but not limited to rectification, restriction of processing and deletion. You may also lodge a complaint with Integritetsskyddsmyndigheten or other relevant authorities.

In the tables below we describe in detail why we process your personal data, what personal data we process, when you need to provide the personal data to us and the legal basis for our processing according to the GDPR. Additionally, you will find information about the duration of our processing of your personal data.

Not all information provided below may be relevant to you, therefore, we have organized it under various headlines for clarity. Please review the sections that correspond to your specific interactions with us.

If you visit our website

When you visit our website www.swedishclub.com, or when you log in to scol.swedishclub.com or scids.swedishclub.com (Charterers’ Declaration), we process the personal data that we receive from you, but also from our cookie providers for the purposes set out below. Do you want to read more about how we use cookies? You find a more detailed description of this in our cookie policy.

To improve our website

What processing we perform	What personal data we process	Our legal basis for the processing
We improve the website (including SCOL and SCIDS) through analytics cookies called “Statistics” in our cookie banner at the website. These cookies collect information on how our website is used. We do this to make the website more intuitive, improve functionality and deliver better content. In order to improve the website, we use analytics services such as Google Analytics. This service uses a random ID to distinguish your device (i.e., your mobile, computer, or tablet) from other visitors and to identify usage patterns on our website. By doing this, we can determine your device as a returning visitor to our website. We are only interested in how visitors interact with us on an overall level. We at The Club do not know who you are and do not make any efforts to find out. No analytics cookies are placed on your device if you have not given your consent for using such cookies.	– An encrypted version of your IP address (we at The Club cannot link this to you as an individual) – Information about how you use the website (e.g. what you click on) – Which area of the country you are using our website from – Information about how many times you have visited the website – Information about your device/browser (for example, your screen resolution) and other information that Google and our other analytics services hold about you (for example, information about the website from which you found us)	Consent Article 6.1 a and 9.2 a in the GDPR You have consented to the processing by giving your consent for analytics cookies. You can withdraw your consent any time on The Club’s website. You can avoid Google Analytics by, for example, downloading and installing this browser program.
Storage period: We process this personal data for a maximum of two years after your visit to our website.
Recipients: In addition to the recipients listed under the heading “Who has access to your personal data?” below, we share your personal data with Google and other analytics service providers listed in our cookie policy.

To provide a functioning website

What processing we perform	What personal data we process	Our legal basis for the processing
We use personal data and cookies and/or similar technologies to ensure that our website (including SCOL and SCIDS) operates in a satisfying and secure manner. This includes among other things to enable you to play a video according to your preferences, to have a functioning search engine, to enable you to login to SCOL or SCIDS, to display interactive maps and correct fonts when you log in to SCOL or SCIDS, and to enable you to read our news magazine online.	– IP-address including which country the internet connection is from – Information about your device/browser (for example, your screen resolution) – A pseudonymised account- ID that identifies you as a unique visitor – Your login credentials to SCOL and SCIDS	Legitimate interest Article 6.1 f in the GDPR Your personal data will be processed based upon that the processing is necessary for our legitimate interest to provide a functioning website.
Storage period: The personal data will be processed during your visit of the website and until you close your browser.
Recipients: In addition to the recipients listed under the heading “Who has access to your personal data?” below, we share your personal data with the service providers listed in our cookie policy.

To remember your choices

What processing we perform	What personal data we process	Our legal basis for the processing
We use cookies and similar technologies to save and remember information about your choices.	– Information about your choices/preferences, e.g. to show videos and similar according to your preferences	Legitimate interest Article 6.1 f in the GDPR Your personal data will be processed based upon that the processing is necessary for our legitimate interest to remember your choices.
Storage period: As a general practice, the personal data will only be used during your visit and for some time thereafter.
Recipients: In addition to the recipients listed under the heading “Who has access to your personal data?” below, we share your personal data with the service providers listed in our cookie policy.

If you attend our events

We receive your personal data from you when you register for or attend our online or offline events, or events that we arrange together with partners.

To arrange events

What processing we perform	What personal data we process	Our legal basis for the processing
– Handle your event registration, including to collect information about food preferences. – Arrange events that you participate in. – Track attendance at events.	– First name, last name – Contact details (email, business phone) – If applicable, information about your role (company, role, office location) – Dietary preference, if applicable – If you communicate via our social media channels, we also process information from your profile on the social media in question (username and any picture you have chosen for your account)	Legitimate interest Article 6.1 f in the GDPR Your personal data will be processed based upon that the processing is necessary for our legitimate interest in inviting you to events that we organise and that we believe are of interest to you, and to administer your participation. Consent Article 6.1 a and 9.2 a in the GDPR If you send sensitive personal data to us, e.g. information about allergies or dietary preferences, we will process this personal data based on your consent. You may withdraw your consent at any time.
Storage period: We will retain your personal data for a period of one year after the event for follow-up purposes.
Recipients: In addition to the recipients listed under the heading “Who has access to your personal data?” below, we share your personal data with event organizers and service providers.

To market our events through photos and videos from the event you participated in

What processing we perform	What personal data we process	Our legal basis for the processing
– Photograph and film during our events, which means that you may appear in images and films or be heard on audio recordings from your visit, e.g. in images that show people in general or mingling images. However, we never take pictures focusing on you as an individual unless you have given your consent. – With your consent, to publish photos and videos at our website and our social media channels for marketing purposes. Your personal data will only be processed for this purpose after you have chosen to participate in the footage. Before and during our events, we clearly inform you about image, film and audio recording. We never want you to be surprised by this – please do not hesitate to ask us if you have any questions about our image, film and audio recordings.	– Images, films and audio recordings in which you as a participant may appear	Legitimate interest Article 6.1 f in the GDPR Your personal data will be processed based upon that the processing is necessary for our legitimate interest of being able to market our events and inform about our business. We will also gather a consent according to Swedish Act on Names and Pictures in Advertising (1978:800).
Storage period: The material will be deleted if you request to be removed, withdraw your consent or otherwise object to the processing.
Recipients: In addition to the recipients listed under the heading “Who has access to your personal data?” below, we share your personal data with third party photographers and event organisers, when we use these.

To contact you for future events and marketing

What processing we perform	What personal data we process	Our legal basis for the processing
– Contact you with invitations to future events. – Market ourselves and our services towards you that have signed up for or participated in an event.	– Name – Position – Email address – Telephone number – Other information you have provided to us	Legitimate interest Article 6.1 f in the GDPR Your personal data will be processed based upon that the processing is necessary for our legitimate interest in contacting and marketing our events and services towards individuals who we believe may be interested in our events and services.
Storage period: You can unsubscribe or object to receiving marketing at any time. If you object to receiving marketing from us, we will keep this on record in our unsubscribe register to avoid sending you further marketing material.
Recipients: We will share your personal data as described under the heading “Who has access to your personal data?” below.

If you participate in our training

We receive your personal data from you if you or your company register for or participate in our training and webinars.

To provide online courses and track your progress

What processing we perform	What personal data we process	Our legal basis for the processing
– Provide e-learning through our training portal. – Track your progress during training.	– First name, last name – Contact details (email, business phone) – Information about your role (company, role, office location) – Courses completed – Progress during training – Information about your contact person at The Club	Legitimate interest Article 6.1 f in the GDPR Your personal data will be processed based upon that the processing is necessary for our legitimate interest in providing training and track our participant’s progress.
Storage period: We will retain your personal data for the duration of your access to our online courses and for a period of two years thereafter for administrative purposes and to provide you with certificates of completion if requested.
Recipients: In addition to the recipients listed under the heading “Who has access to your personal data?” below, we share your personal data with e-learning platform providers.

If you a current or potential Member, correspondent or supplier

If you represent a current or potential Member, correspondent or supplier, we will process the personal data about you that you or your company provides to us.

To enter into an agreement with your company (including due diligence) and manage our relationship

What processing we perform	What personal data we process	Our legal basis for the processing
Discuss and enter into an agreement with your company. Thereafter we process your personal data to administer our relationship with your company (e.g. communicate with our customer, supplier or correspondent and contract management).	– First name, last name – Contact details (business email, business phone) – Information about your job role (company, business unit, role, office location) – Communications with you such as email correspondence – Language preferences (e.g., “prefers to use English”) – Signatures – Other information you may provide, or we may need for the business administration and relationship management purposes	Legitimate interest Article 6.1 f in the GDPR Your personal data will be processed based upon that the processing is necessary for our legitimate interest to negotiate and enter into an agreement with your company and to administrate the agreement.
We process supplier and correspondent personal data to perform due diligence and necessary background checks where such checks are required under our policies.	– Information about supplier representatives collected in connection with potential background checks and supplier due diligence reviews	Legitimate interest Article 6.1 f in the GDPR Your personal data will be processed based upon that the processing is necessary for our legitimate interest to perform due diligence and necessary background checks prior to entering agreements.
Storage period: Your personal data will be deleted if we conclude that we will not enter into an agreement with your company. If your company becomes our customer, supplier, or correspondent, we will store your personal data for the duration of our business relationship and for a period thereafter to evaluate our past and potential future business interactions. If we receive information that you no longer represent the company, we will delete your personal data unless your data is included in email communication, agreements, and similar documentation, which we need to keep in case of a dispute.
Recipients: We will share your personal data as described under the heading “Who has access to your personal data?” below.

If you receive our marketing

We receive your personal data directly from you.

To market our services and improve our newsletters

What processing we perform	What personal data we process	Our legal basis for the processing
If you have shown interest in our services or if your company is a customer to us We market us towards the company you represent, e.g. by mail, email and SMS. This includes e.g. information about new services and invites to events.	– First name, last name – Contact information, such as phone number and email address – Information about which organisation you represent – Your language preference – Information you provide to us during our calls, emails etc	Legitimate interest Article 6.1 f in the GDPR If you have shown interest in our services, your personal data will be processed based on our legitimate interest to market our services towards the company you represent which we consider could be interested in our services or to have a business relationship with us. If your company is one of our customers, your personal data will be processed based on our legitimate interest to provide relevant marketing towards your organization.
If you have chosen to subscribe to our newsletters or magazine Send you newsletters and our magazine.	– Email address	Consent Article 6.1 a in the GDPR We process your personal data based on the consent that you provide when you sign up for our newsletters or magazine.
Improve and develop our newsletters We improve and develop our newsletters by analysing how you open them and what you click on in the newsletter.	– Information about how you open our newsletters and what you click on or interact with – Information about your device – IP-address – Information about when and where you started subscribing to our newsletter	Consent Article 6.1 a in the GDPR We process your personal data based on the consent that you provide when you sign up for our newsletters.
Storage period: We will register you as a potential lead only after you have shown some interest in our marketing efforts, e.g. when your company becomes a customer to us or when you yourself starts to subscribe to our newsletters or magazine. You may choose to not continue receiving marketing or communications from us by following the “unsubscribe” instructions included in each email or SMS. If you have stated that you do not wish to receive marketing from us, we will store such information in an “unsubscribe register” to ensure we do not send any marketing to you, in compliance with marketing legislation.
Recipients: In addition to the recipients listed under the heading “Who has access to your personal data?” below, we share your personal data with newsletter and marketing service providers.

If you are interviewed or participate in any way in our magazine

We receive your personal data directly from you.

Inform about our business

What processing we perform	What personal data we process	Our legal basis for the processing
To inform about our business, we process your personal data if you take part or participate in our news magazine, Triton, such as when you are interviewed or your photo and contact information is published.	If you take part in our news magazine, we process various types of personal data depending on your participation, but typically we will process your: – First name, last name – Position – Contact information – Photo Achievements – Any other information relevant to the article and which you provide to us	Legitimate interest Article 6.1 f in the GDPR The personal data is processed based on our legitimate interest in informing about our business through our news magazine.
Storage period: We will retain your personal data in our news magazine in our archives indefinitely as part of our publication history and for historical documentation purposes.
Recipients: In addition to the recipients listed under the heading “Who has access to your personal data?” below, we share your personal data with publishing service providers and distribution partners.

If you visit our premises

In most cases we receive your personal data directly from you, however, in some situations we may also receive your personal data from the person who you are visiting, to arrange for your visit.

To provide safety and security for us and our visitors

What processing we perform	What personal data we process	Our legal basis for the processing
Give you access to our office and save your visitor tag for reference in the event of a fire or incident.	– First name, last name – Contact details (email, business phone) – Information about role (company, title, office location) – Information about who you are visiting – Visiting times (entrance and exit times)	Legitimate interest Article 6.1 f in the GDPR The personal data is processed based on our legitimate interest to ensure safety and security in our locations and sites.
Storage period: We will store your personal data for the duration of your visit, and then for a period of 24 hours to ensure security and maintain visitor records for safety purposes.
Recipients: We will share your personal data as described under the heading “Who has access to your personal data?” below.

If you or your company have queries, complaints, or similar, and to comply with legal obligations

We receive your personal data from you or your company in the below scenarios.

To handle queries, complaints or similar

What processing we perform	What personal data we process	Our legal basis for the processing
Handle queries, complaints or similar, as well as to defend us against complaints and initiate claims when needed.	We will process the personal data that you provide to us or which we collect in order to handle the matter, i.e. – Name – Information about which organization you represent and position at your company – Contact information, e.g. telephone number and email address – Information concerning your company’s query, complaint or similar	Legitimate interest Article 6.1 f in the GDPR The personal data is processed based on our legitimate interest to handle a question, complaint and/or legal dispute in which you are the representative.
Storage period: We will store your personal data from the initiation of the matter and throughout the duration of any potential dispute.
Recipients: We will share your personal data as described under the heading “Who has access to your personal data?” below.

To comply with marketing legislation

What processing we perform	What personal data we process	Our legal basis for the processing
If you have stated that you do not wish to receive marketing from us, we will store such information in an “unsubscribe list” to make sure we do not send any marketing to you.	– Name – Email address	Legal obligation Article 6.1 c in the GDPR The processing is necessary to comply with legal obligations which we are subject to, i.e., marketing law, which requires us not to send marketing material to individuals who have objected to receiving such marketing. We cannot make sure you will not receive marketing from us without processing your personal data for this purpose. Consequently, you are required to provide us with your personal data.
Storage period: You will be listed in our “unsubscribe list” until further notice.
Recipients: Our email provider will get access to your personal data as it provides the functionality for the unsubscribe-list. The email provider act as processor of your personal data, meaning that they only process your personal data according to our instructions and on our behalf.

To comply with accounting legislation

What processing we perform	What personal data we process	Our legal basis for the processing
We store your personal data in accounting material.	– Name – Payment history – Other information that constitutes accounting records	Legal obligation Article 6.1 c in the GDPR The processing is necessary to comply with legal obligations to which we are subject, i.e. accounting legislation. You need to provide us with this information, otherwise, we will not be able to manage our relationship with your company.
Storage period: We will retain any documents classified as accounting material, along with the personal data they contain, in accordance with the storage period specified by accounting legislation. In Sweden, this means that your personal data will be stored for a period of seven to eight years. Under Swedish regulations we are required to keep accounting material until and including the seventh year following the calendar year in which the fiscal year related to the personal data concludes.
Recipients: We will share your personal data as described under the heading “Who has access to your personal data?” below.

As stated above, we process your personal data based on our ”legitimate interest”. Through a balancing of interests assessment regarding our processing of your personal data, we have concluded that our legitimate interest for the processing outweighs your interests or rights that would otherwise require the protection of your personal data.

As a starting point, your personal data will only be processed by The Club. This means that your personal data will be handled by our employees, but only by the personnel in need of such access to conduct their work.

In the tables above we have listed which recipients that will get access to your personal data in each situation. In addition, we will share your personal data in the following situations:

• Our IT suppliers will get access the personal data and other information when developing and supporting our IT system to ensure good and secure IT operations. These IT supporters only process personal data on our behalf and never on their own behalf.
• The Club consists of several offices but acts as one unit, the office or offices that is relevant for your relationship with The Club will process your personal data.

If you have any questions regarding how we share your personal data or want to know more about who we share your personal data with, please feel free to contact us at the contact details stated at the beginning of this Privacy Policy.

As a general principle, The Club only processes your personal data within the EU/EEA. However, since we are an international marine insurance company with a global presence, we cannot avoid transferring your personal data outside the EU/EEA in the course of our processing activities.

Your personal data will be transferred outside the EU/EEA in the following cases:

• We will transfer your personal data outside of the EU/EEA to our IT suppliers that process personal data as our data processors and according to our instructions. Such transfer only takes place in accordance with applicable data protection legislation, meaning that we will transfer your personal data outside the EU/EEA when we can ensure an appropriate level of protection of your personal data.
• The Club employs staff in its offices located outside the EU/EEA, namely our UK, Hong Kong and Singapore offices. As we collaborate closely within our organization at The Club, our offices outside the EU/EEA will also have access to your personal data if necessary to administrate our relationship with you.
• If you visit and communicate with us on our social media channels (e.g. LinkedIn, Facebook (Meta) and YouTube) or play videos on our website (YouTube) your personal data will be transferred outside the EU/EEA. One reason being that many of these companies are based in the United States.
• If you use our website your personal data may be considered transferred outside of the EU/EEA, since we use service providers such as Google (including YouTube). These parties may transfer your personal data to the United States since they are located there.

If your personal data will be processed outside the EU/EEA, then we will find a transfer mechanism for such processing. We rely on either a decision from the Commission establishing that the country in question ensures an adequate level of protection or appropriate safeguards that ensure that your rights are protected or based on another ground for such transfer in accordance with GDPR.

• When your personal data is transferred to the UK, we and our suppliers rely on an adequacy decision regarding the UK recognized by the European Commission for the transfer of personal data outside of the EU/EEA. An adequacy decision means that the European Commission has assessed that a particular country has an adequate level of protection for your personal data under Article 45 GDPR. You can find the adequacy decision for the UK here.
• We also rely on an adequacy decision regarding most transfers to the US, when our American suppliers are certified under the EU-US Data Privacy Framework. You can find the adequacy decision for the US here. Google are certified under the EU-US Data Privacy Framework. By searching on their company names here, you will be taken to the certificate of the respective company.
• In other cases, we will rely on Standard Contractual Clauses (Article 46.2 c GDPR) for the transfer of personal data outside of the EU/EEA. The use of Standard Contractual Clauses is an effort to provide a safe transfer of your personal data. You can find the Standard Contractual Clauses here. We do for example rely on the European Commission’s standard contractual clauses Module I and II (Article 46.2 c GDPR) together with supplementary measures when transferring personal data to our offices in Hong Kong and Singapore.

If you want to know more about where your personal data will be processed, please feel free to contact us.

In certain situations, we process your personal data after you have given your consent to the processing. Where processing of your personal data in the above tables is based on your consent, you have the right to withdraw your consent at any time by contacting The Club (dataprivacy@swedishclub.com). Please note that this will not affect the lawfulness of the processing undertaken prior to the withdrawal of your consent.

In accordance with the GDPR, you have certain rights that you can exercise to affect how we process your personal data– see below for more information.

If you have any questions regarding your rights or want to exercise any of your rights, please contact us by using the contact details above. You can also find more detailed information about your rights and when they apply at the Swedish Authority for Privacy Protection (IMY).

–          Right to complain – Article 77 of the GDPR

You have the right to lodge a complaint with the competent supervisory authority if you consider that the processing of your personal data violates the GDPR. In Sweden, the competent supervisory authority is the Swedish Authority for Privacy Protection (IMY).

–          Right to withdraw your consent – Article 7.3 of the GDPR

You have the right to withdraw your consent at any time by contacting us. You can always withdraw the consent you give on the website directly on the website.

–          Right of access – Article 15 of the GDPR

You have the right to obtain confirmation as to whether we are processing your personal data or not. You can make a request by contacting us. If we are processing your personal data, you also have the right to obtain a copy of the personal data processed by us as well as information about our processing, such as the purposes of the processing and for how long your personal data is stored.

–          Right to object – Article 21 of the GDPR

You have the right to at any time object to our processing of your personal data for direct marketing purposes (including profiling) and to processing of your personal data that is based on a legitimate interest.

–          Right to rectification of processing – Article 16 of the GDPR

You have the right to have inaccurate personal data concerning you rectified without undue delay. You also have the right to have incomplete personal data completed.

–          Right to erasure (“the right to be forgotten”) – Article 17 of the GDPR

Under certain conditions, you have the right to have your personal data erased by us without undue delay. For example, if you withdraw your consent and there is no other legal basis for the processing or if the personal data is no longer necessary for the purposes for which they were collected or processed.

–          Right to restriction of processing – Article 18 of the GDPR

Under certain conditions, you have the right to request that we restrict our processing of your personal data. For example, if you contest the accuracy of the personal data, or if the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction on the use of the personal data.

–          Right to data portability – Article 20 of the GDPR

If we process your personal data based on your consent, you have the right to receive personal data concerning you. This right applies to personal data that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit those personal data to another controller, where technically feasible.