1. INTRODUCTION

This privacy statement covers all necessary information on how Heimstaden collects, processes, shares and retains your personal data connected to your relationship with Heimstaden, in your role as a

We may under certain circumstances also process your personal data by the use of cookies and/or camera surveillance. More information on our use of cookies and camera surveillance is available in our cookie statement and our privacy statement on camera surveillance respectively available on our Website.

For information regarding the processing of your personal data in connection with registration for and the conduct of Heimstaden’s general meetings, please see Euroclear's privacy notice for general meetings of shareholders, available at https://www.euroclear.com/dam/ESw/Legal/Privacy_notice_BOSS_final_30112020.pdf

This statement also describes your rights under applicable data protection law and how you can exercise them. You are always welcome to contact us if you have any questions. You can find our contact details at the bottom of this policy.

2. DATA CONTROLLER

Heimstaden AB, reg. no. 556670-0455, having its registered address on Östra Promenaden 7A, 211 28 Malmö, and, where applicable, the company within Heimstaden’s group of companies from which you rent your accommodation (jointly “Heimstaden”, “we” or “us”) are joint controllers of any processing of your personal data carried out by the companies and/or their subsidiaries. Tenants will find more information in the rental agreement or rental invoice regarding which company within Heimstaden’s group of companies is their landlord.

3. PROCESSING OF PERSONAL DATA

3.1 Which types of personal data are processed by Heimstaden?

3.1.1 User/visitor of the Website

If you use or visit our Website, we may process the IP address of the device used when visiting our Website and, where applicable, information on your browsing on the Website. If you are a visitor on Heimstaden.com and you have agreed to or not objected to receiving marketing from us by email, we will also process your email address.

3.1.2 Business Partner

The personal data that we may process is, depending on your relationship with Heimstaden and the circumstances in general, your name, telephone number, address, email address, title, personal identity number of signatories for a company, personal identity number and credit rating in relation to Business Partners who are registered as sole traders in Sweden (Sw. enskild firma), material from potential camera surveillance and any additional information which has been provided by you in connection with your communication with us. In some situations, we may process additional types of personal data if deemed necessary in relation to the individual business relationship.

3.1.3 Tenant, subtenant and housing applicant

If you are a tenant or subtenant, we may process the following personal data concerning you: your name, personal identity number, address, telephone number and email address. We also process information on your apartment, for example information on equipment, defects that need to be attended to, and any reports on disturbance or other concerns. If you have been granted protected identity (Sw. skyddad identitet) by the Swedish Tax Agency (Sw. Skatteverket), we will process your personal data in accordance with a separate, company-internal policy.

If you are a housing applicant, we may process the following personal data concerning you: your name, telephone number, email address and personal identity number, references and former landlord, information on employment and financial situation, which is needed in order to assess whether you meet the requirements for the apartment you have applied for. If you apply for student housing, we also need a certificate which verifies that you will be studying during the rental period.

If you are the registered guardian (Sw. god man) or administrator (Sw. förvaltare) of a tenant, we may process personal data concerning you contained in the information necessary to administrate the tenancy relation with the current tenant that you are a guardian or administrator for.

3.1.4 Guarantor

If you are a guarantor, we may process personal data concerning you contained in the information provided in the personal guarantee (Sw. borgensförbindelse) issued, such as name, personal identity number and telephone number. In addition, your credit rating may be processed.

3.1.5 Shareholder

If you are a shareholder, we may process different types of personal data concerning you. We process your name, address, telephone number, personal identity number, shareholding (owned-registered or nominee-registered shares), registered number of votes, shareholder assistant, shareholder representative, food preferences and other potential personal data provided by you in connection with your communication with us.

3.1.6 Sensitive personal data

In addition to the abovementioned situations, we may process additional information about you, that you provide to us when contacting our customer service. If the contact is made by telephone, our customer service staff may take notes which include personal data – sometimes sensitive personal data – to the extent deemed necessary to attend to your matter.

We will only process sensitive personal data if you give your consent to it. If your matter requires the processing of sensitive personal data concerning you, we cannot help you unless we have your explicit consent thereto.

In light of the above, we will always ask for your explicit consent before we process sensitive personal data concerning you.

3.2 How are your personal data collected?

Personal data are mainly collected through direct interactions initiated by you, e.g. when you contact us by telephone, email or if you register on our Website where this is possible. Personal data may also be collected from your employer, references and former landlords, official records, municipalities and public authorities, and in some situations from other companies in connection with Heimstaden’s acquisition of real property, in the event that you are or have been a customer of the seller’s.

Heimstaden may also collect personal data concerning you from Euroclear Sweden AB (which manages our share register). If we have a reason therefor, we may collect your credit rating and process the information we receive from the credit-rating agency.

Heimstaden may also need to update the personal data in order not to process outdated personal data about you. These updates may be completed by services provided by Creditsafe i Sverige AB and Bisnode Sverige AB.

3.3 For which purposes do we process your personal data?

3.3.1 User/visitor of the Website

If you are a user or visitor of our Website, we may process personal data concerning you in order to make your visit at our Website as enjoyable and smooth as possible, for marketing purposes, in order to perform website visitor tracking/website traffic analyses, and to ensure that our Website runs in a secure way.

3.3.2 Business Partner

We process personal data concerning you in order to administrate our business relationship with you or the company that you represent (including ensuring the fulfilment of commitments, management, performing follow-up of deliveries, etc.) to enable reviews of the progression of construction work and to ensure that only authorised persons have access to construction sites through, for example, camera surveillance, and to stay in contact with you. We may also process your personal data for the purpose of sending invitations to events to you (including in order to administrate such events, e.g. as regards the number of attendees, food services and food preferences).

3.3.3 Tenant, subtenant and housing applicant

Personal data concerning tenants are mainly processed in order for Heimstaden to perform its duties as landlord, to prepare, administrate and perform concluded agreements and to otherwise operate our management and rental business.

We may also process tenants’ personal data in connection with marketing communication such as publication of posts, pictures, videos, etc. on social media (e.g. Facebook, LinkedIn and Instagram) as well as publication of posts, pictures and videos for internal use (e.g. on our intranet). In the event that we would wish to process your personal data for any of these purposes, you will receive separate information in advance and, where applicable, we will ask for your consent to process your personal data for such a purpose.

In relation to subtenants, Heimstaden processes personal data for the purpose of evaluating the application regarding sublease of an apartment. Heimstaden also processes personal data to the extent necessary to comply with a legal obligation.

Personal data concerning housing applicants are processed for the purpose of administrating housing applications, including assessments of whether you meet the relevant requirements for the apartment applied for.

3.3.4 Guarantor

Personal data that are provided to Heimstaden in a personal guarantee to Heimstaden will be processed by Heimstaden to the extent it is necessary for the administration and performance of the personal guarantee and/or applicable legal obligations.

3.3.5 Shareholder

We process personal data concerning shareholders in order to manage registrations for and the conduction of general meetings (e.g. to check whether a shareholder’s shareholding is directly owned or registered to a nominee shareholder and to take appropriate actions in respect thereof, to administrate the general meeting including food services and food preferences, etc.) and to take any required measures in respect of the share register (e.g. to, upon request of a shareholder, disclose the share register and the information therein). We may also process your personal data for the purpose of communicating news about the company’s business operations, such as interim reports and annual reports, if you have requested to receive such news. In addition, we may process your personal data in order to communicate with you and administrate related matters that you, as a shareholder or contact person for a company that is a shareholder, initiate and which in some cases require that we take further action depending on the subject-matter. If you are a major shareholder, we may, in some situations, also process your personal data by publishing name and shareholding in interim reports, annual reports, on the Website, etc.

In some cases, we may have a reason to process your personal data by publishing pictures in interim reports, annual reports, on the Website, etc. Should we wish to process your personal data for such a purpose, you will receive separate information on the personal data processing that this will entail and, where required, we will ask for your specific consent to process your personal data for this purpose.

4. LAWFUL BASES FOR THE PROCESSING OF PERSONAL DATA

4.1 Performance of a contract

4.1.1 Business Partner

Processing of personal data for the purpose of managing our business relationship in different ways is carried out in order for us to be able to perform the contract or agreement that our business relationship is based on.

4.1.2 Tenant

Personal data concerning tenants are processed in order for us to comply with our obligations as a landlord under the rental agreement and any applicable law which regulates the tenancy.

4.2 Balancing of interests

4.2.1 General

For processing activities which are based on a balancing of interests, Heimstaden has made the assessment that the processing is necessary for the purposes of Heimstaden’s legitimate interests, and that it does not infringe on your privacy to a large extent.

4.2.2 User/visitor of the Website

Processing of personal data concerning visitors and users of the Website is carried out based on a balancing of interests where Heimstaden’s interests of examining and analysing the traffic on the Website, making your visit on the Website as good as possible and directing marketing towards you override the potential risks for infringement of your privacy that may arise as a result of these types of processing activities.

4.2.3 Business Partner

Processing of personal data which is not directly connected to the performance of the contract or agreement that our business relationship is based on may be carried out based on a balancing of interests. This includes processing of your personal data for the purpose of contacting you and sending event invitations to you.

4.2.4 Tenant, subtenant and housing applicant

Processing of personal data which is not directly connected to the performance of the rental agreement may be carried out based on a balancing of interests. This includes the development and sale of products and services, distribution of information or newsletters to tenants, offering services through our Business Partners, such as home insurance or, in some cases, camera surveillance in common spaces of properties, within the scope of our rental or administration business. If you do not wish to receive our newsletter, you can deregister either by contacting us using the contact details below, or through the link in the email received.

We process subtenants’ personal data based on our legitimate interests of carrying out a rational assessment of the application for a sublease and administrating our tenancy relationship with the tenant that you rent the apartment from.

When you apply for an apartment, we process your personal data based on our legitimate interest of collecting relevant information about you, in order to allocate apartments within our rental business.

If you are a registered guardian or administrator of a tenant, we process your personal data based on our legitimate interest of administrating the tenancy relationship with the tenant in question.

4.2.5 Guarantor

If you are a guarantor, we process your personal data based on our legitimate interests of preparing, administrating and performing the personal guarantee, or based on a legal obligation.

4.2.6 Shareholder

Processing of your personal data for the purpose of sending you news about our business or invitations to events, as well as any potential publication of information about you in the annual report or similar, is carried out based on a balancing of interests. This also applies to Heimstaden’s management of matters that you, as a shareholder or contact person of a company that is a shareholder, initiate.

4.3 Compliance with a legal obligation

We retain accounting documentation to the extent required by applicable law.

Processing of a shareholder’s personal data for the purpose of administrating the share register is carried out based on a legal obligation.

4.4 Consent

When we process your personal data based on your consent, e.g. when we publish posts, pictures or videos of you on social media or if you have given your consent to receiving marketing by email, you can, at any time, withdraw your consent by contacting us using the contact details below. Such withdrawal can be made in whole or in part.

5. FOR HOW LONG DO WE RETAIN YOUR PERSONAL DATA?

5.1 General

Your personal data will be retained and processed by us until processing no longer is necessary in respect of the abovementioned purposes, unless the data must be retained for a longer period of time in accordance with a legal obligation.

The information required for our book-keeping (e.g. information about all orders, invoices, rental invoices and payments) and tax documentation must, by law, be retained for at least seven years. Please note that some data are retained for a longer period of time. For example, information pertaining to invoices is retained for longer than seven years, for follow-up purposes.

If we process your personal data based on your consent, we only retain such personal data for as long as we still have your consent thereto.

5.2 User/visitor of the Website

Personal data which are collected via cookies that are used on the Website are retained for different periods of time depending on which type of cookie collects the information. We do not retain information that has been collected by cookies for a longer period than what is necessary for the purposes of the processing. Each Website may have different cookies implemented. More detailed information about which cookies we use on which Website, and their respective retention time, is available in Heimstaden’s cookie statements available on each Website.

5.3 Business Partner

Personal data are, as a main rule, retained until we no longer have a business relationship with the company that you represent, or until you no longer represent the company. Personal data which are processed in order to send you invitations to events are retained as long as you are a contact person for the company that you represent. Personal data which are processed in order to administrate events are deleted no later than three months after the event has taken place.

5.4 Tenant and subtenant

Much of the personal data concerning you, as a tenant or subtenant, are retained during the rental period and until all claims have been finally settled. Electronic logs from electronic booking and key management systems as well as material from potential camera surveillance of public spaces are normally retained for two to four weeks and are deleted on a regular basis during the rental period. If the rental agreement is terminated due to negligence/the tenant’s breach of his or her duty of care (Sw. misskötsamhet), we may retain a note on the reason for your vacating the apartment, for two years.

In connection with the rejection of a sublease application, we immediately delete all personal data concerning the intended subtenant.

If you are a tenant’s registered guardian or administrator, your personal data are retained during the same period as the represented tenant’s personal data.

5.5 Housing applicant

If you are a housing applicant, your personal data are processed only for as long as you wish to remain an applicant. Information on notices of interest in individual rental objects is deleted shortly after the apartment in question has been assigned. If you have not been assigned an apartment because you have not met our tenant requirements, a short description thereof will be retained for three months.

5.6 Guarantor

Heimstaden retains personal data concerning guarantors until the rental agreement, for which the personal guarantee was signed, expires, or for as long as is necessary to monitor potential claims.

5.7 Shareholder

Data concerning your shareholding in Heimstaden are retained, by law, for at least ten years, for shareholding history purposes.

Data processed in order to manage communication with you as well as related matters initiated by you, as a shareholder or contact person for a company that is a shareholder, are retained for as long as the data are relevant in relation to the subject of the communication and/or matter.

Data which are processed in order to send you news are retained as long as you wish to receive such news.

Data which are published in annual reports are retained for at least ten years.

6. SECURITY MEASURES

Heimstaden has drafted policies and established standards to ensure that the processing of your personal data is carried out in a secure manner. As a main rule, access to personal data is only granted to employees of the company, who need such access in order to carry out their work tasks.

In relation to sensitive personal data, we have established certain access control measures which entail a better protection of your personal data.

Our security systems are developed with a focus on your privacy and they provide high protection against intrusion, deletion and other modifications which could pose risks to your privacy.

We only transfer personal data in accordance with this policy.

7. TO WHOM DO WE DISCLOSE YOUR PERSONAL DATA?

7.1 General

We may disclose your personal data to other companies in Heimstaden’s group of companies for the purpose of sharing relevant contacts and to pass on information deriving from communications with you, for cooperation when choosing Business Partners, etc.

Heimstaden may also disclose your personal data in order to comply with legal obligations, and they may be disclosed to public authorities when so required by law.

7.2 User/visitor of the Website

Personal data may be disclosed to the suppliers of the tools that we use on the Website for statistics and for marketing purposes, depending on the Website you are visiting. More information is available in Heimstaden’s cookie statements available on each Website.

7.3 Business Partner

To the extent necessary for them to fulfil their obligations, we may disclose your personal data to our Business Partners providing services on our behalf. Collected personal data would first and foremost be shared with our IT suppliers, in order to uphold and maintain our IT systems and, depending on the business relationship, with our accountants and our bank.

7.4 Tenant, subtenant and housing applicant

To the extent they need the personal data to carry out their services, your personal data may be disclosed to our Business Partners in connection with, inter alia, allocation of apartments, customer surveys, debt collection, property maintenance, electricity supply networks, telecommunication, home insurance, external standby disturbance duty, accounting, security and provision of systems. Your personal data may also be disclosed to public authorities or municipalities for crime investigation purposes, reports of disturbances or contract terminations to social services, and housing adaptations. In connection with rental negotiations, your personal data will be disclosed to tenants’ associations. In case of divestment of the property you live in, or in certain cases where you have previously been living, personal data may be disclosed to potential buyers and their advisors.

8. WHERE DO WE PROCESS YOUR PERSONAL DATA?

As a main rule, your personal data will only be processed within the EU/EEA. In the event that your personal data is transferred to a third country, Heimstaden ensures that necessary safeguards are in place in relation to your personal data. Such safeguards include the application of the European Commission’s Standard Contractual Clauses between Heimstaden and each recipient of the personal data.

9. YOUR RIGHTS

You have the right to request information regarding which personal data concerning you we are processing and how they are being used. This information will be delivered in the form of a register extract.

In case the personal data we process about you are inaccurate or incomplete, you can request correction or completion thereof.

To a certain extent, you have the right to “be forgotten”, which means deletion of your personal data processed by us. However, we are entitled to deny such requests under certain conditions, e.g. if we need to process your personal data for compelling reasons.

Under certain conditions, you have the right to request that the processing of your personal data is restricted to certain given purposes.

You have the right to object to any processing of your personal data which is carried out based on our legitimate interests.

You have the right to data portability, which means that under certain conditions you are entitled to receive your personal data in a structured, commonly used and machine-readable format, in order to transmit them to another data controller.

Should you wish to exercise any of the rights mentioned above, please contact us by using the contact details below. When assisting you with such matters, we may ask you for identification to protect your privacy and your personal data.

If you have objections to our processing of your personal data, you can file a complaint with the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten). For more information please visit https://www.imy.se/en/individuals/forms-and-e-services/file-a-gdpr-complaint/ .

10. CHANGES TO THIS PRIVACY POLICY

We may change the terms of this privacy policy. The latest version of it is available on the Website.

11. CONTACT DETAILS

If you have any questions related to this privacy policy or if you want to contact us regarding our processing of your personal data, please contact us on dataskyddsforordningen@heimstaden.com