Privacy Notice

Introduction

This Privacy Notice contains information about the Processing of Personal data performed by Europebook AB, incorporated, and registered in Sweden with company registration number 559289-7754, hereinafter referred to as ”Europebook” and referred to as ”we”, ”our”, ”us”. References to ”you” or ”your” refer to the Data subject whose Personal data we Process.

This Privacy Notice covers all types of Personal data, in both structured and unstructured data and it contains information about, among other things:

  • how we Process Personal data;
  • which Personal data we Process;
  • the purpose and legal basis of the Processing;
  • where the Personal data is stored;
  • to whom Personal data may be shared;
  • what rights the Data Subject has according to the GDPR; and
  • other information about our Processing of Personal data.

Your privacy is particularly important to us, and we Process all Personal data with care. All our Processing of Personal data takes place in accordance with the Data Protection Legislation, including the GDPR (and SCC where applicable), as well as with the data protection principles. 

Definitions

The following terms used in this Privacy Notice shall have the meanings set forth below when they are indicated with a capital letter, regardless of whether they are used in the plural or singular, in definite or indefinite form:

Account: refers to an identity in the Application that identifies a User and gives the User access to the Application’s features and functions.

Advertisement Content: refers to all material and information that the Advertisement contains, such as images and text.

Advertisement Post: refers to an Advertisement Post, which has been created by the Advertiser, ant which is or has been published in the Application regarding the sale or purchase of a motor vehicle.

Advertiser: refers to the User who purchases Europebook’s Advertisement Services.

Advertising Fee: means the cost associated with, and fee payable for Europebook’s Advertising Services.

Agreement: means Europebook Terms and Conditions, including Orders incorporated by reference.

Application: refers to the ”Europebook” application for iOS and Android.

Business User: refers to a User who is registered in the Application as an entity/entrepreneur and who uses the Application in connection with its professional or business activities.

Contributions: means any data, content, and information that a User submits to the Application, such as files or chat messages. 

Controller: refers to the person/entity who determines the purpose of a particular Processing of Personal data and how the Processing is to be carried out. Natural persons, legal persons, authorities, institutions, or other bodies may be Personal data Controllers.

Data Protection Legislation: refers to all applicable privacy and data protection laws that are in effect at any given time and that are relevant to a Party relating to the use of personal data, such as for example but not limited to: the codes of practice and guidance applicable to a Party issued by the relevant supervisory or data protection authority; the General Data Protection Regulation ((EU) 2016/679) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426).

Data subject: refers to the natural person who can be identified through the Personal data.

Europebook Terms and Conditions: refers to the at any time applicable Europebook Terms and Conditions and any other terms, rules of procedure and instructions that Europebook provides from time to time.

Fees: refers to all compensation that Europebook is entitled to charge the User for Services provided and/or performed in accordance with the terms, such as Advertising Fees.

GDPR: refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

Law: includes Data Protection Legislation as well as any other applicable regulations, laws, ordinances, orders, or codes, of any governmental entity having authority over the Parties or Services.

Non-Europebook Products: means Third party information, services, products, systems, websites, software, directories, networks, databases, and applications, which the Application links to, or that the User connects to or enables integration with while using the Service. 

Order: means the Services the User select during the online ordering process, or Europebook’s sales order that is executed by Europebook and the User (which may be system-generated or manually generated), each of which are incorporated to the Agreement.

Payment Service Provider: refers to a Third party that, among other things, processes payments from Users and/or charges Users on behalf of Europebook.

Personal data: refers to all data that, directly or indirectly, alone, or together with other data, can be linked to an identified or identifiable physical living person. Common examples of Personal data are name, telephone number, address, email address, user ID, etc. 

Private user: refers to a User in the capacity of an individual who uses the Services for private purposes, which has no connection to professional or business activities.

Processing: refers to everything that is made with Personal data, automated or otherwise. Processing can take place through an individual measure or through a combination of different measures, such as but not limited to storage, erasure, sharing, usage, registration, copying, collection, organization, use, adjustment, destruction, etc.

Processor: refers to the one who Processes Personal data on behalf of a Personal data Controller and according to the Controller’s instructions.

SCC: refers to Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or later updated version.

Service: refers to the services provided by Europebook, such as the Advertisement Service, and may also include the Application.

Third party: refers to someone other than the Controller (and the persons who are authorized to Process the Personal data), the Data subject or the Processor (and the persons who are authorized to Process the Personal data). A Third party may be a legal person or a natural person, institution, authority, or other body.

User: refers to the individual or entity who has a registered Account for the Application, such as a Private User or a Business User.

Any other GDPR-related terms not defined herein shall have the same meaning in this Privacy Notice as set forth in Article 4 of the GDPR.

Personal Data Controller 

We are the Controller regarding all Processing of Personal data that is performed by us or on our behalf, insofar as we determine the means and purpose of the Processing (according to the principle of liability). 

Unless otherwise stated in this Privacy Notice, we are the Controller for the Processing described.

Business Users

Each Business User is regarded as a sole Controller regarding its Processing of Personal data that it Processes. If a Private User contacts a Business User through the Application, the Business User is regarded as a sole Controller for its Processing of the Private Users Personal data.

Third-party websites, applications, and integrations

If you provide information to us through a Third-party website or Application, the information you provide may be collected separately by such Third-party that provides that website or Application. Such information is subject to the Third-party’s privacy notices and terms. This means, among other things, that the privacy settings you have made on the Third-party website or Application do not affect our processing of data that we collect directly via our services/Applications/websites. 

There may be links in our Services/Applications/Websites that lead to other Third-party websites, applications, content, or other integrations, which may allow such Third parties to collect or share Personal data about you. We do not control or own such Third-party websites, applications, content or other integrations and we are not responsible for the Processing of Personal data carried out by anyone else or for the privacy rules, notices, or terms of such Third parties. 

For these reasons, we encourage you to pay attention when you leave our Services and to request details of and read the privacy notices and terms of such Third-partis, who may collect and Process Personal data belonging to you.

How we access Personal data that we Process

We may access, collect and Process your Personal data when you for example:

  • enter into an Agreement with us, 
  • create an Account to the Application,
  • contact us or give us feedback, 
  • enter a survey or promotion,
  • request marketing to be sent to you,
  • use and/or access our Services, 
  • provide your Personal data through the Application.

We may also Process your Personal data if it is provided to us by someone else, for example:

  • another User,
  • third-party service providers which you have linked your use of the Application, such as social media accounts,
  • Payment vendors, 
  • Advertising networks, 
  • Analytics providers, 
  • Our business partners.

The information which we receive from such third parties depends on your and our respective relationships with the third-party and their policies. 

Categories of Personal data that we Process

In accordance with the principle of data minimization, we only process Personal data in our capacity as a Controller that is adequate, necessary, and relevant to fulfill the purposes for which it was collected. 

We mainly Process the categories of Personal data listed below: 

  • Identification information: first name, last name, profile picture (optional).
  • Contact information: e-mail address, phone number, address, employer (Business User).
  • User information: User-ID, social media account (optional).
  • Other Personal data: any other Personal data that is provided to us, such as those that are registered in the Application by the User, Advertisement Content, or that is provided to us in a message.

Legal basis and purpose for our Processing of Personal data

In accordance with the principle of purpose limitation, we only Process Personal data in our capacity as Controller for special, explicitly stated, and justified purposes. In addition, all Processing is legal in accordance with the provisions of the GDPR. 

We Process Personal Data primarily with the support of one of the following legal bases:

  1. Contract: means Processing of your Personal data where it is necessary for the performance of a contract to which you are a party or to conduct processing at request before entering such a contract, for example the performance of our agreement to make the Services available. 
  2. Consent: means Processing of Personal data based on your active a voluntarily given consent to it. When data Processing is based on your consent, you have the right to withdraw the consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal.
  3. Legitimate interest: means our business interests in conducting and managing our business to enable us to provide you the best service/product and a secure experience. When a Processing of Personal data is conducted by us based on legitimate interest as the legal basis, our assessment is that the Processing does not constitute an infringement of your right to privacy and integrity. We have come to this conclusion, after having made a balance between on the one hand what the Processing in question means for the Data Subjects interests and right to privacy, and on the other hand the legitimate interest in the Processing in question (our, your and/or a Third-party’s legitimate interest). 
  4. Legal obligation: means Processing of Personal data where it is necessary for compliance with a legal obligation.

You may have to provide your Personal data to be able to enter into an Agreement with us, get the Services you have ordered or to comply with legal or contractual obligations. In some cases, it is optional for you to supply your Personal data to us. However, if you do not provide your Personal data, for instance, we might not be able to provide the requested services or support. Unless otherwise stated, you will not suffer any negative legal repercussions if you do not submit your Personal data.

Below you can read more about the legal basis and purpose of our Processing of Personal data that we conduct in our capacity of Controller. Where appropriate, we have also identified what our legitimate interests are. 

  • When you contact us through e-mail:

We Process your Personal data that we get access to when you contact us through e-mail, such as any Personal data included in the message content. 

The purpose of the Processing is to enable us to know who we are talking to and to stay connected in the matter. 

We have concluded that both we and you have a legitimate interest in the Personal data being Processed by us for the purpose stated above. 

The provision of Personal data for the purpose stated above is not a statutory or contractual requirement, and you are not obliged to provide the Personal data, but the possible consequences of failure to provide your Personal data that we request and/or need in order to respond to you, is that we may not be able to provide you with the support or Application that you request. 

Legal basis for the Processing of Personal data: Legitimate interest.

  • When you complete a purchase of our Services:

When you complete a purchase of our Services through the Application, such as the Advertisement Service, we get access to Personal data that is provided in connection with the purchase process. 

The provision of the above-mentioned information in connection with the purchase is necessary for us to Process, to be able to enter into the purchase Agreement, and for us to be able to charge for the Service. The possible consequences of such information not being provided to us is that we will not be able to enter into the Agreement or fulfill the Agreement. 

Legal basis for the Processing of Personal data: Contract.

  • When we provide access to the Services

In order to register you as a User of and/or provide access to the Services, the following types of data are Processed: username, e-mail address, country. The Processing is necessary for the performance of a contract. It is optional for you to provide your telephone number and profile picture.

Legal basis for the Processing of Personal data: Contract.

  • When we have a legal obligation to the Processing:

If law, court, or authority decision obliges us to Process certain Personal data, the Processing takes place based on a Legal obligation as a legal basis. In such cases, the Processing takes place only to the extent that it is necessary for us to fulfill our legal obligations and then we only process the necessary Personal data, for as long as the law requires it (in accordance with the principle of storage limitation). The Processing is made due to statutory provisions. 

For example, we store invoices, receipts, and other accounting documents that we are obliged to Process in accordance with current legislation, such as the Swedish Accounting Act (1999:1078) and in accordance with the Swedish Tax Agency’s requirements. Accounting documents, invoices and vouchers may in some cases contain Personal data, such as name, address, order information and any other contact information regarding the Service Recipient and/or the Service Recipient’s signatory, contact person, employee etc. Such Personal data is stored for as long as the law requires it. 

If we are obliged by applicable law to notify you about changes to our Privacy Notice or terms, the following types of data are Processed: username, e-mail address. The Processing is necessary to comply with a legal obligation. 

Legal basis for the above-mentioned Processing of Personal data: Legal obligation.

  • Other purposes for our Processing of Personal data 

Based on our legitimate interest, we may process Personal data to:

  • protect our rights and property,
  • make recommendations or suggestions to you about other services available through the Application that may be of interest to you,
  • ensure the technical functionality of the Service,
  • use data analytics to improve our marketing, products/services, partner and user relationships and experiences,
  • collect anonymous statistics, performance measurements, etc. regarding the Application.

We have concluded that we have a legitimate interest in the Personal data being processed for the purposes stated above and that our legitimate interest does not constitute an infringement of your right to privacy and integrity.

Storage location and international transfers

We strive to store all Personal data that we Process in our capacity as a Controller within the EU/EEA-area, in accordance with the principle of integrity and confidentiality. 

If Personal data is transferred to or stored in a country outside the EU/EEA-area, we shall ensure that such a storage site ensures an adequate level of protection in accordance with the provisions of the GDPR and SCC.

Data retention

Personal data that we Process will only be retained for as long as they are reasonably necessary to fulfill the purposes for which they were collected, including for satisfying any legal obligations, such as any tax, accounting, regulatory or reporting requirements. 

When the Personal data no longer needs to be retained, it is either erased, deidentified or anonymized, in accordance with the principle of storage limitation.

Invoices, receipts, and other accounting documents that we Process as a Controller, are stored for up to seven (7) years after payment has been made for the subscription or Services. They may contain identification information and contact information. These are stored for us to be able to manage any complaint matters and to be able to match a payment against an invoice while we are obliged to store such accounting documentation in accordance with current legislation.

If a claim can be made against our company, we can store the relevant Personal data until the statutory limitation period has expired. In the event of an existing dispute, relevant Personal data is stored until the dispute has been settled.

Disclosure of Personal data

We may disclose Personal data to the recipients stated below, to achieve the purposes, set out in the section above regarding “Legal basis and purpose for our Processing of Personal Data”. 

Legal authorities: Personal data may be disclosed to legal authorities in response to legal inquiries or if necessary, to prevent, detect, prevent, or investigate criminal activity and to protect our interests and our property. 

Service providers: We may also disclose Personal data to engaged service providers, for example to:

– safeguard our legal interests,

– fulfill our contractual and legal obligations,

– detect and prevent technical, operational or safety problems, and

– provide, improve, and maintain the Application (software maintenance).

Examples of service providers that we engage in their capacity as our Processors are developers, IT and system administrators, providers of our cloud services, payment method provider, billing system, consultants etc. 

Before we disclose any Personal data to such service providers, we enter into a data processing agreement with them, in accordance with the provisions of the GDPR (alternatively SCC if the Personal data Processor is in a country outside the EU/EEA-area). This is made to ensure a secure and correct Processing of the Personal data.

Other Third parties: We may disclose Personal data to regulatory authorities, other public entities, legal advisors, bankers, external consultants, and partners, in accordance with applicable privacy laws, if it is made for us to comply with legal obligations or in order to fulfill our legitimate interest. 

In connection with or during negotiations of a transfer of company assets, merger, sale, financing or acquisition of all or part pf our business, we may disclose your Personal data to the third parties engaged in the business transaction.

Our disclosure of Personal data in our capacity as a Processor, is regulated by the data processing agreement entered with the Controller in question.

Technical and organizational security measures

We implement technical and organizational security measures with a focus on the integrity of the Data subjects. The measures are intended to protect against intrusion, abuse, loss, destruction, and other changes that may pose a risk to privacy (according to the principle of privacy and confidentiality). Below are examples of some security measures we take and implement:

Organizational security measures

  • Internal routines have been established regarding the Processing of Personal data that all our employees must follow. 
  • All our employees have undertaken an obligation to observe confidentiality regarding Personal data that is Processed within the performance of the work.
  • A contact person for Personal data matters has been appointed, who also responds directly to the company’s top management.
  • We limit access to Personal data to those employees, contractors, agents, and other Third parties who have a business need to know.

Technical security measures

  • Access to databases, IT systems and parts of the IT infrastructure and network requires a password.
  • Processes have been established to assign, monitor, and control access rights regarding access to databases, IT systems and parts of the IT infrastructure and network.
  • Individuals who are authorized to Process Personal data are granted the minimum access rights unless additional authorizations are necessary for the performance of the work.

Data subjects’ rights according to GDPR

Data subjects have, under certain circumstances, the following rights under the GDPR in relation to their Personal data: 

Right to information: You have the right to receive information about our Processing of your Personal data, such as our collection and use of the Personal data. This Privacy Notice has been established to provide you with the information about our Processing of Personal data. In addition, you have the right to receive information about the Processing upon request. In some cases, we will also inform you if there is a Personal data breach that affects your Personal data.

Right of access: You have the right to information about whether we Process your Personal data or not, as well as the right to access your Personal data that we Process and information about how the Personal data is used. If we Process your Personal data, you have the right to receive a copy of the Processed Personal data in the form of a compilation of the Personal data that we Process about you. You also have the right to receive information about, among other things: which categories of Personal data we Process, the purpose of the Processing, the duration of the Processing, how we have collected the Personal data, who has received the Personal data, etc. The purpose of the compilation is for you to be able to check the legality and accuracy of the information. However, this does not mean that you have the right to obtain the actual documents that contain the Processed Personal data.

  • Exemption from the right of access: There may be situations where the disclosure of certain information would entail disadvantages for other persons, that other legislation or other exceptions prevent the disclosure of certain information or extract from the records of Processing activities. In such situations, we may not disclose the information in question and there may therefore be Personal data and/or other information about you that you do not have the right to access.

Right to rectification: We are responsible for ensuring that Personal data that we Process is accurate and updated over time. However, Personal data may be incorrect or incomplete. If we were to process Personal data about you that is incorrect or incomplete, you have the right to contact us to have your Personal data rectified. After we have corrected the information, we will notify you of this, if it is not proved to be impossible or would involve excessive effort.

Right to erasure: We will erase your Personal data at your request if the data is no longer needed for the purposes for which it was collected. This is also called the ”right to be forgotten”. In addition, there are more occasions when we erase your Personal data that we Process. For example, when they are no longer necessary for the purpose for which they were collected, when the legal basis is consent and you revoke the consent, in your objection to direct marketing, if the Processing is not legal, etc. When we erase the Personal data at your request, we will inform you after the deletion has been performed, provided that it is not proved to be impossible or would involve excessive effort.

  • Exemption from the right to deletion: However, we have the right to continue to Process your Personal data, and thus not delete the Personal data despite your request, if the Processing is necessary to: a) satisfy the right to freedom of expression and freedom of information, b) to fulfill a legal obligation, c) to perform a task carried out in the public interest or in the exercise of official authority, d) to defend, establish or assert legal claims, e) archiving purposes of public interest or statistical, historical or scientific purposes, or f) for reasons of public interest in the field of public health.

Right to limitation of Processing: In some cases, you have the right to demand that our Processing of your Personal data shall be limited. This means that the Personal data may only be Processed in the future for certain limited purposes. An example of when this right is applicable to you is if your Personal data that we Process is incorrect and you ask us to rectify it, you may request that our Processing of the Personal data in question shall be limited until the accuracy of the data has been investigated. 

Right to transfer your Personal data: In some cases, you might have the right to request that we transfer your Personal data that we Process to you or any other third party. This right is also called the right to ”data portability”. We hereby inform you that this right only applies if the Processing of Personal data is performed automatically, and only if our Processing takes place to implement an agreement in which you are a party to a contract or based on your consent. Also, the transfer of Personal data to another company only takes place if it is technically possible. If you have the right to data portability, we will at your request to move your Personal data, provide your Personal data in a structured, commonly used, machine-readable format.

Right to object: You have the right to object when your Personal data is Processed to perform a task of public interest, as part of the exercise of authority or when it is Processed after a balancing of interest has been made. If you object to our Processing according to this right, we will cease the Processing, unless our interest outweighs your interests, rights, and freedoms. If this is the case, we will inform you about the balance of interests we have made and our interests. However, if we Process Your Personal data for the purpose of performing direct marketing on the legal basis of legitimate interest, you have an absolute right to request that we discontinue the Processing of your Personal data for that purpose. In such cases, we will also inform you when we have deleted the Personal data, if you request it.

Rights regarding automated decision-making, including profiling: In short, automated decisions are about Processing that is automatic, for example through algorithms, where Personal data is Processed to assess and analyze a person’s personal characteristics. Automated decisions can have legal consequences for the Data subject or affect the Data subject in other significant ways, and if this happens, the Data subject has the right not to be the subject of the automated decision. If an automated decision has been made, with or without profiling, you have the right to have the automated decision reviewed or to challenge it. We do not conduct any form of automated decisions, with or without profiling. 

How to exercise the rights

You are welcome to contact us through the contact information listed below, if you would like to invoke any of the above rights in your capacity of a Data subject, regarding your Personal data that we Process as Controller.

Exercising the rights is free of charge, provided that your requests are not exaggerated, repeated or unfounded. In such cases, we have the right to charge a reasonable fee to process your request or the right to refuse the execution of your request.

Before we process or respond to your request, we may request additional information from you if it is necessary to enable us to verify your identity.

We will inform you of our processing of your request without delay, and no later than within one (1) month after we receive the request. If the request is complex or if, for example, we have received many requests, this time can be extended by another two (2) months. In such cases, we will notify you of the extension within the first month after we receive your request.

If we are unable to comply with your request due to applicable law or other exceptions, we will notify you and inform you of the reasons why we are unable to comply with your request with the limitations imposed by law.

Personal data breaches

According to the GDPR, a Personal data breach means a security breach that has caused Processed Personal data to be destroyed, lost, altered, or obtained by an unauthorized person. A breach can be made intentionally or unintentionally, for example through negligence or due to crime.

Regulatory authorities are independent public authorities. Each EU country has designated its own regulatory authority to handle GDPR-related matters. In Sweden, the Swedish Authority for Privacy Protection (IMY) is the supervisory authority.

We follow the provisions of the GDPR regarding the handling, reporting and documentation of Personal data breaches. When required by the GDPR, we will report Personal data breaches to the supervisory authority within 72 hours and notify the Data subjects affected by the Personal data breach.

Changes 

We review the content of this Privacy Notice as needed and at least once a year, to ensure that the information is up to date and correct. The contents of this Privacy Notice may be updated from time to time, without prior notice. For example, if it is necessary to clarify something, due to changed or new legislation or if our Processing of Personal data changes. 

You are responsible for reading the contents of this Privacy Notice and keeping up to date on any changes. We will provide notice to you in accordance with applicable law if we make material changes. The applicable version is always published on the Application.

Questions or complaints

If you have any questions about this Privacy Notice or our privacy practice, or if you are dissatisfied with our Processing of your Personal data, you are always welcomed to contact us. Below are our company and contact information:

Company: Europebook AB 

Reg. no: 559289-7754

Email address: europebookab@gmail.com

Postal address: Ljungbyvägen 85, 302 56 Halmstad, Sweden.

You also have the right to contact and/or to submit a complaint regarding our Processing of your Personal data to our lead EU Supervisory Authority: The Swedish Authority for Privacy Protection. 

Name: Integritetsskyddsmyndigheten (IMY).

Phone: 08-657 61 00.

Email: imy@imy.se.

Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm.

You may also direct your complaint or concern to your local data protection authority. 

You can find the different EU Member States Supervisory Authorities through the following link: https://edpb.europa.eu/about-edpb/about-edpb/members_en