Data Privacy
Policy Version: 1
Last Updated: 28th August 2025
Introduction and Data Controller Information
Defensor Group AB (the "Company") respects your privacy and is committed to protecting your personal data in accordance with the General Data Protection Regulation ("GDPR"). This Privacy Policy explains for what purpose and how we collect, use, store, and protect your personal data. This Privacy Policy also explains your rights and how to exercise them.
Should you have any questions about this Privacy Policy or our data processing practices, don't hesitate to contact us via our contact information below.
Data Controller: Defensor Group AB, org. no. 559529-1211
Registered Address: Väpnargatan 8, 114 51 Stockholm
Contact Details: [email protected]
Categories of Personal Data We Process
We collect your personal data directly from you when you contact us, at the beginning and in the course of our ongoing business relationship. We may also obtain your personal data from other sources, such as, public sources, or other third parties.
The Company will take reasonable steps to ensure that the personal data processed is reliable for its intended use, and is accurate and complete for carrying out the purposes described in this Privacy Policy.
We process the following categories of personal data about you:
- Identity data: Fist name, last name, job title
- Contact details: Business email address and telephone number
- Communications data: Records of our correspondence and interactions
- Marketing and communications data: Your preferences in receiving marketing communications
Purposes of Processing and Legal Basis
We process your personal data for the following specific purposes:
Performance of contract with the company you represent
If you represent an organisation with which we have a business relationship, we will process the personal data that you have provided to us or that we have collected about you in the course of that relationship.
Legal basis: The legal basis for our processing of your personal data is our legitimate interest (Article 6(1)(f) GDPR). The processing is necessary for our legitimate interest to maintain and fulfil our obligations in the business relationship.
Marketing of our products and services
We will process your name, email address and information about the organisation you represent to send targeted offers about our products and services to your organisation.
Legal basis: The legal basis for our processing of your personal data is our legitimate interest (Article 6(1)(f) GDPR). The processing is necessary for our legitimate interest in marketing relevant products and services that may be of value to your organisation.
Legal and regulatory compliance
We will process information about transactions between you/your organisation and us for accounting purposes. For this purpose, we may process your personal data, including name, address, telephone number and email address.
Legal basis: The legal basis for our processing of your personal data is that it is necessary for compliance with our legal obligations under e.g. accounting legislation (Article 6(1)(c) GDPR).
Data Retention Periods
The Company will retain personal data for the period necessary to fulfil the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing contractual relationship with the company you represent; (ii) whether there is a legal obligation to which we are subject; or (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
Automated Processing Without Human Intervention
We do not make decisions about you based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Should we consider implementing such automated decision-making systems in the future, we will inform you in advance and provide meaningful information about the logic involved, the significance and potential consequences for you, as well as the measures in place to safeguard your interests, rights and freedoms.
Data Sharing and Recipients
Access to your personal data is restricted to individuals who require such access for purposes outlined in this Privacy Policy. All such individuals are required to protect the confidentiality and security of the data and may only process personal data solely for the relevant and intended purposes.
Whenever personal data is shared and processed on our behalf by a service provider, a data processing agreement has been duly executed to ensure appropriate safeguards and compliance with relevant data protection regulations.
We may also share your personal data with the following categories of recipients:
- Professional Advisors: Accountants, auditors, lawyers, insurers, bankers, and other professional advisors
- Public and Governmental Authorities: Regulatory authorities, law enforcement, public bodies, and judicial bodies
Data Security Measures
The Company has implemented and will maintain comprehensive technical and organisational measures to protect your personal data that are consistent with applicable privacy and data security laws and regulations, including requiring third parties to use appropriate measures to protect the confidentiality and security of personal data.
Third Country Transfers of Personal Data
The Company's fundamental principle is that all personal data processing shall be conducted within the European Union/European Economic Area (EU/EEA). However, under exceptional circumstances, personal data processed by the Company may be transferred to third countries (jurisdictions outside the EU/EEA).
We may transfer your personal data to countries outside the EU/EEA under the following circumstances:
- the transfer is made to a country for which the European Commission has issued an adequacy decision, determining that such country provides an adequate level of protection for personal data; or
- the transfer is subject to appropriate safeguards, including Binding Corporate Rules (BCRs) or European Commission-approved Standard Contractual Clauses (SCCs).
In the event that we transfer your personal data to a country outside the EU/EEA under circumstances other than those specified above (for instance, where such transfer is mandated by applicable law), we shall implement appropriate safeguards to ensure that your personal data remains adequately protected in accordance with applicable data protection legislation. You may request a copy of the safeguards employed at any time.
Data Subjects' Rights
Under data protection laws individuals have certain rights in relation to their own personal data. In summary, these are:
- The right to access their personal data, usually referred to as a data subject access request (DSAR);
- The right to have their personal data rectified;
- The right to have their personal data erased, usually referred to as the right to be forgotten;
- The right to restrict the processing of their personal data;
- The right to portability of their personal data;
- The right to object to the processing of their personal data;
- The right to withdraw previously given consent to the processing of their personal data at any time;
- The right to not be subject to a decision made solely by automated data processing.
The exercise of these rights may be made in writing, including email, and verbally and will be responded by us without undue delay and in any event within one month of receipt of the request. That period may be extended further where necessary, considering the complexity of the matter. We will inform you of any such extension as soon as possible, and at the latest within one month of receipt of the request, together with the reasons for the delay.
How to Exercise Your Rights
To make a data subject rights request, please contact us using the contact details described in section 1.0 "Introduction and data controller information" at the top of this Privacy Policy. You can also file a complaint with the Swedish Authority for Privacy Protection (Swe. Integritetsskyddsmyndigheten) at www.imy.se.
Policy updates and changes
We may update this Privacy Policy from time to time to reflect any changes to the way we process your personal data. The current version will always be available on our website. Any changes become effective when we post the revised Privacy Policy. If changes are significant, we will provide a more prominent notice to let you know what the changes are.