Castellum’s processing of your personal data

Castellum cares about your privacy and protecting the personal data we process about you. All processing of personal data takes place in accordance with the provisions of the General Data Protection Regulation and other applicable data protection legislation. We present below a description of how we compile, process and share your personal data in connection with administration of the tenancy. This description applies irrespective of whichever company within the Castellum group with which you have your relationship. Note, however, that it is the company which belongs to the region in which the property in which your company leases premises that is the controller for the processing of your personal data, and in this document “we” as well as “Castellum” shall mean the regional company which belongs to the region in which the property in which your company leases premises is located.

Which personal data will be processed?

Castellum compiles and processes the following data: names, telephone numbers, addresses, email addresses, titles, roles, food preferences, authorised signatories, the personal ID numbers of authorised signatories, any additional information which may be disclosed by you in connection with communication with us, income information, loans, credit information and liabilities in relation to tenants who are sole traders, as well as any entry log, entry card/tag and CCTV material (your “personal data”). In certain situations we may also process personal data concerning, e.g. circumstances or information of relevance for our business relationship.

Why do we process your personal data?

Castellum processes your personal data in order to administer our tenancy with your employer (e.g. to ensure performance of obligations in accordance with our lease agreement and for sending rent invoices); to communicate with you (e.g. concerning maintenance of the property in which you work and suchlike); to assess the payment ability of sole traders; to ensure that only authorised persons have access to the property through, e.g. an entry system and CCTV; and to carry out company reporting. Kindly note that CCTV occurs only in certain properties and, in such cases, it is clearly stated that there is CCTV. We will also process your personal data in order to send you news about our operations or to invitations to events (including for organising of such events, e.g. as regards participants, refreshment and food preferences) and in order to send marketing material about our products and services, or such products and services of other companies within the Castellum group, which we believe may be of interest.

We may also process your personal data in conjunction with market communications such as publication of articles, photos, films, on social media (e.g. Facebook, LinkedIn and Instagram) as well as for publication of articles, photos and films for internal use (e.g. on our intranet). If we wish to process your personal data for such a purpose, you will receive separate information about the resulting processing of personal data and to provide us with separate consent to our processing of your personal data for such purpose.

From where do we obtain personal data?

The personal data is compiled directly from you. Information may also be compiled from your employer. In conjunction with credit information, information is compiled from credit information agencies. Information connected to you can also be created internally at Castellum. Castellum can also update the personal data to ensure that Castellum does not process outdated personal data about you. Updating of personal data may, for example, take place with the help of services provided by Bisnode Sverige AB.

Who has access to your personal data?

We have taken appropriate technical and organisational security measures to protect your personal data against, for example, loss and unauthorised access. Only persons at Castellum have access to your personal data and such will be processed only for the purposes stated above.

We may, however, share your personal data with other companies within the Castellum group with the aim of sharing relevant contacts (e.g. for marketing purposes) and transferring knowledge of what has arisen in communication with you, to monitor strategic issues, statistics concerning costs, etc. We may also share your personal data with our providers and other cooperation partners who perform services on our behalf. The personal data you provide to us may primarily be shared with our IT providers, for the supporting and the maintenance of our IT systems, as well as our auditors and our bank.

How long is your personal data stored?

Your personal data will be stored and processed by us no longer than necessary in light of the purpose of the processing, unless there are specific statutory requirements entailing that the data must be stored for a longer period. Your personal data will be stored and processed by us as follows:

  • Personal data which is processed for accounting purposes (e.g. assessment of payment ability of sole traders and as a basis for company reporting) and as tax information – eight years after termination of the lease.
  • Personal data which is processed via communication with you and to administer the tenancy – six months after termination of the lease and an approved inspection.
  • Personal data which is processed to ensure that only authorised persons have access to the property through, e.g an entry system – one month (name and entry card/tag) after termination of the lease and 1 week (entry log) after compilation date.
  • Any CCTV material – for such time as the information is necessary in light of the purpose of the monitoring.
  • Personal data which is processed to administer an event – three months after the completed event.
  • Personal data which is processed to send you news about our operations or invitations to events, or marketing material – for such time as you continue to be a contact person for our tenant.

What right does Castellum have to process your personal data?

The processing of your personal data to administer our tenancy with your employer and to administer entry cards/tags is based on the processing being necessary for the performance of the contract with our tenant and to provide the tenant with the lease object.

The processing of your personal data for the performance of company reports is based on the processing being necessary for our obligation to comply with a legal obligation.

The processing of your personal data in order to communicate with you, to evaluate the payment ability of sole traders, to send you news, marketing material or invitations to events, as well as the processing of an entry log as well as other monitoring of the property, is based on a balancing of interests. Castellum considers that it is entitled to process your personal data since the processing is necessary for purposes which involve Castellum’s legitimate interests.

This is our reasoning

Castellum’s legitimate interest as regards communication with you is to be able to contact you on various issues within the scope of the relationship that exists between you and Castellum, e.g. to communicate regarding maintenance of the property or similar information. Castellum has weighed its legitimate interest against any encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that the risk of encroachment on privacy is restricted since the personal data which is processed cannot be deemed to be particularly privacy-sensitive personal data. The personal data which is processed is also restricted to what is needed to perform the purposes of the processing of the personal data and it is also in your interest to obtain relevant information. Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data.

Castellum’s legitimate interest as regards an assessment of payment ability of sole traders is to safeguard our interest before we enter into a business relationship. Castellum has weighed its legitimate interests against any encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that there is a risk of encroachment on privacy, but that the use of the information is so restricted and that Castellum has a strong interest in processing such data in order to protect its business. The personal data which is processed is also restricted to what is needed to perform the purposes for which the processing of the personal data takes place. Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data.

Castellum’s legitimate interest as regards the processing of entry logs and any other monitoring of the property is to prevent unauthorised individuals gaining access to the property and to prevent damage or suchlike. Castellum has weighed its legitimate interests against the possible encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that there is a risk of encroachment on privacy, but that the use of the data is so restricted and that there are very few individuals within Castellum who have access to such data that the risk is nevertheless restricted. Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data.

Castellum’s legitimate interest as regards the processing of personal data in order to send you news, marketing material or invitations to events is to keep you updated concerning what is happening in our business and to maintain the commercial relationship which has been created and to maintain a continued positive relationship with you as a contact person for our tenant. Castellum has weighed its legitimate interests against the possible encroachment on privacy that Castellum’s processing of your personal data might entail. Castellum makes the assessment that the risk of encroachment on privacy is restricted since you, in your professional capacity, should be able to expect that certain data will be processed for the above-mentioned purposes. The personal data which is processed cannot be deemed to be particularly privacy-sensitive personal data. The personal data which is processed is also restricted to what is needed to perform the purposes for which the processing of personal data takes place. Accordingly, Castellum makes the assessment that Castellum’s interest in processing your personal data is of greater weight and, following such balancing of interests, that it is entitled to process the personal data.

Your personal data is also processed when we save information for, e.g. our bookkeeping (e.g. all payments) and tax information. This processing is based on our obligation to comply with a legal obligation.

What happens if you do not provide your personal data?

It is necessary that you provide the personal data stated above to enable Castellum to contact you and take measures as stated above. If the data stated above which is obtained from you is not provided, the aforementioned measures cannot be taken by Castellum.

Your rights

You are entitled to request access to the personal data that Castellum processes about you. You are entitled to have incorrect personal data about you rectified and may request that personal data be erased. You are also entitled to object to certain processing of your personal data and to request that the processing of personal data be restricted.

If you request that Castellum restricts or erases your personal data, this may have the consequence that Castellum is unable to perform its duties. You are also entitled to request to receive your personal data in a machine-readable format with the aim of transmitting the data to another controller (referred to as data portability).

If you are dissatisfied with the way in which Castellum processes your personal data you may complain to the supervisory authority regarding Castellum’s processing of personal data.

If you have any questions concerning the way in which your personal data is processed, you are welcome to contact Castellum’s data protection team on gdpr@castellum.se.

Controller and contact details to Castellum

The controller in respect of the processing of your personal data is the company stated in the list below which belongs to the region in which the property in which your company leases premises is located:

  • Castellum Mitt AB; reg. no. 556121-9089, Box 1824, 701 18 Örebro
  • Castellum Stockholm AB; reg. no. 556002-8952, Box 1084, 101 39 Stockholm
  • Castellum Väst AB; reg. no. 556122-3768, Box 8725, 402 75 Gothenburg
  • Castellum Öresund AB; reg. no. 556476-7688, Box 3158, 200 22 Malmö