Internal Privacy Policy - Flower
01.
Our Commitment
We, Flower Infrastructure Technologies AB, Reg. no. 559257-5558 (“we” or “Flower”), are committed to processing personal data in a lawful, fair, and transparent manner. We handle all personal data entrusted to us with a high level of care, integrity, and security, and always in accordance with applicable data protection laws.
02.
Introduction
This policy is part of Flower’s overarching data protection framework and complements our General Privacy Policy. It provides further details on how we process personal data in the context of internal operations, with a particular focus on employment and recruitment.
This policy applies to the processing of personal data relating to:
03.
Purpose
The purpose of this policy is to outline:
What types of personal data we collect and process internally regarding employees, job applicants and references;
The legal bases for such processing under the General Data Protection Regulation (“GDPR”) and applicable privacy laws; and
The rights of individuals whose data is processed.
04.
Personal data
Personal data refers to any information that can directly or indirectly identify a natural person.
Examples of personal data include names, addresses, phone numbers and email addresses, but can also include information such as IP numbers or photos combined with other data if the information can be connected to a natural person. Processing of personal data includes any operation which is performed on personal data, such as collection, recording, analysis, adaptation, storage or destruction.
Personal data processed by Flower is typically collected from you and, where necessary, also from third parties. Such third parties include mainly your colleagues or other people who recommend contacting you in connection with a specific assignment or job.
05.
Your rights
In accordance with applicable data protection legislation, and subject to some conditions and exceptions, you have, for example, the following rights:
Right to be informed: You have the right to be informed about how we process your information. We do this through this Privacy Policy and by answering questions sent to us, which you submit by email to privacy@flower.se.
Right to access your data: You may request a copy of your data by email to privacy@flower.se if you would like to know what personal data we process about you. This copy of your personal data can also be supplied in a machine-readable format.
Right to rectification: You have the right to correct inaccurate or incomplete information about yourself which you can do by contacting us via email to privacy@flower.se.
Right to erasure: You have the right to request deletion of your personal data, for example when it is no longer necessary for us to process the data for the purpose it was collected, or when you have withdrawn your consent, which you request by email to privacy@flower.se.
Right to restrict processing of your data: If you believe your information is incorrect or you believe we use your data unlawfully, you have the right to ask us to stop or limit the processing, which you request by email to privacy@flower.se.
Right to lodge a complaint: You have the right to lodge a complaint with your national supervisory data protection authority, the Swedish Authority for Privacy Protection (IMY) (https://www.imy.se/privatperson/utfora-arenden/lamna-ett-klagomal), or with the relevant EU/EEA data protection authority in your country of residence or place of work. If your concern relates to international data transfers, you may also refer your complaint to the European Data Protection Board (EDPB) or another appropriate international data protection body.
Right to opt out: You have the right to opt out of the processing of your personal data for specific purposes by contacting us at privacy@flower.se.
Right not to be subject to any automated decision making: Flower does not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you.
We will respond to your request without undue delay and at the latest within 30 days of receipt. If your request is particularly complex, this period may be extended by up to two additional months, in which case we will notify you of the delay and the reasons for it. Please note that Flower may be required by law to keep some personal data despite your request.
06.
Purpose of Processing Personal Data
This section outlines the purposes for which we process personal data, the corresponding legal bases under the GDPR, and the categories of personal data involved in each case. The purposes may vary depending on the nature of your relationship with us. Below is a general description of the legal bases we rely on when processing personal data:
Contractual necessity: When processing is required to enter into or fulfil an agreement with you. This may include obligations under an employment or consultancy contract.
Legitimate interest: When we, or a third party, have a legitimate and proportionate interest in processing personal data, provided it does not override your rights and freedoms. This can include improving security, managing operations or facilitating communication. If you wish to understand the specific legitimate interest for a particular processing activity, see the listed processing activities further below. You are welcome to contact us if you have any questions.
Consent: When we ask for your clear and informed permission before processing your personal data for specific purposes.
Legal obligation: When we are required to process personal data to comply with applicable laws or regulations, such as tax legislation, employment law or safety requirements.
All personal data is processed in accordance with GDPR and other applicable data protection laws, ensuring that your information is handled lawfully, fairly and transparently.
07.
Employees
This section outlines how Flower processes personal data of employees throughout the course of their employment. It includes details on the types of personal data collected, the purposes of processing, and the legal basis under GDPR.
Flower does not collect or process sensitive personal data unless legally required. Employees should avoid sharing such data unless explicitly requested.
| Purpose & processing | Legal basis | Categories of personal data |
| --- | --- | --- |
| Managing your employment relationship – including contract administration, salary payments, benefits, leave, and employment verification prior to contract signing. | Contractual Necessity: To fulfill obligations under the employment contract or to prepare for entering into one. | Name, phone number, email address, job title, bank details, tax information and employment history. |
| Supporting internal operations – such as improving workplace efficiency, ensuring facility security, and enabling professional development. | Legitimate Interest: Necessary and proportionate processing that supports business operations while balancing the rights of the employee. | Workplace activity data, system access logs, training records and performance evaluations. |
| Fulfilling legal obligations – complying with labor, tax, health and safety and regulatory reporting requirements, including processing medical certificates in relation to sick leave. | Legal Obligation: Required by applicable employment, health and tax laws. | Payroll records, tax ID, employment contracts, accident reports and, where applicable, medical certificates related to sick leave. |
08.
Employee candidates
This section outlines how Flower processes personal data of job applicants during the recruitment process. It includes details on the types of personal data collected, the purposes of processing, and the legal basis under GDPR.
Personal data is processed based on legitimate interest to ensure a fair and competence-based selection process. Flower does not collect or process sensitive personal data, such as political opinions or medical conditions, and applicants are advised not to include such information in their applications.
| Purpose & processing | Legal basis | Categories of personal data |
| --- | --- | --- |
| Managing job applications – including registration and handling of applications, conducting interviews, evaluating test results (where applicable) and communicating outcomes. | Legitimate Interest: To ensure a fair and competence-based recruitment process. | Name, email address, address, phone number, job title, CV, cover letter, interview notes and communication records. |
| Taking and documenting references – where relevant, and in certain cases, contacting references and documenting feedback in written form to assess candidate suitability. | Legitimate Interest: For professional background checks and structured candidate evaluation. | Name and contact details of references, relationship to the candidate and feedback provided. |
| Retaining candidate information for future opportunities – storing applicant data in a recruitment database after a completed process. | Consent: Only if the candidate has given explicit permission. | Same as in the two rows above, retained for future consideration. |
09.
Processing of Personal References
Personal references may be contacted in exceptional cases to verify a candidate’s qualifications, experience and suitability for the role. Flower will only reach out to references with the candidate’s explicit knowledge and consent, and any feedback received is treated with strict confidentiality. Reference data is collected and processed in accordance with the GDPR and is used solely for recruitment-related evaluation and, where relevant, employment verification.
Reference feedback is handled confidentially and is not shared beyond the recruitment team.
References should not be asked to provide sensitive personal data about the candidate, such as health information, political opinions or union memberships.
| Purpose & processing | Legal basis | Categories of personal data |
| --- | --- | --- |
| Handling of job applications – managing the recruitment process and evaluating candidates for specific or general job positions. | Legitimate Interest: Ensuring a fair and competence-based recruitment process. | Name, job title, employer, connection to the candidate and contact details (phone number, email address). |
| Verifying candidate qualifications, experience, and suitability – assessing skills and background for the role. | Legitimate Interest: Assessing the candidate’s professional background. | Information shared by the reference about the candidate’s work experience and skills. |
10.
How do we handle personal identification numbers?
We will only process your personal identification number when this is clearly justified by the purpose, required for secure identification, or there is another substantial reason. We always minimize the use of your personal identification number to the greatest extent possible. For this reason, you should not state your full personal identification number when registering or interacting with Flower. In connection with applications, you should not provide your personal identification number or date of birth, as this information is neither required nor requested.
11.
How We Protect and Manage Your Personal Data
We use IT systems to ensure confidentiality, integrity and access control of personal data. We have taken security measures to protect your personal data against unlawful or unauthorized processing (such as unlawful access, loss, destruction or damage). Only the people who actually need to process your personal data in order for us to fulfill our stated purposes have access to the data.
Flower retains personal data only for as long as necessary for the purposes outlined in this policy. This includes the duration of the business relationship and a limited period thereafter, as required for legal, regulatory, or operational needs.
Personal data that is being processed electronically by Flower will mainly be stored on servers located in EU/EEA.
Once personal data is no longer required, it is securely deleted or anonymized in accordance with applicable laws and internal policies. In cases where we process your personal data based on your consent or explicit consent, you can at any time revoke this consent, which you do by contacting us at privacy@flower.se.
12.
Camera Surveillance and Privacy Compliance
Flower uses camera surveillance at the entrances of its physical office to enhance security, prevent unauthorized access and deter possible crime. Given the risks associated with the energy sector and the presence of valuable digital equipment, surveillance is one of the proactive and efficient security measures employed to ensure that only authorised individuals have access to the premises and data.
Surveillance data is processed in accordance with GDPR, with restricted access for employees at Flower and a maximum retention period of seven (7) days, after which it is automatically deleted unless required for legal or security investigations. Affected individuals have all applicable rights, and Flower acts as the data controller for such data.
If you have any questions on how your personal data is handled in connection with camera surveillance, you are welcome to contact us at privacy@flower.se.
13.
Service Providers
Flower collaborates with external service providers to support its operations, including functions such as financial administration, recruitment, IT support and security. These providers may process personal data on Flower’s behalf and are engaged as data processors under data processing agreements in accordance with Article 28 of the GDPR.
The types of personal data processed may include contact details, invoicing and payment information, access and log data for security purposes, and other information necessary for the performance of the relevant services. System backups may also contain such data.
All service providers are obligated to implement appropriate technical and organisational measures to ensure the confidentiality, integrity, and security of personal data, in order to comply with applicable data protection laws.
14.
International Data Transfers
We aim to process your personal data within the EU/EEA whenever possible. However, in some cases, your personal data may be processed outside this area - for example, by service providers we work with. Some of our suppliers, or their parent companies or subcontractors, are located outside the EU/EEA. In such situations, we take into account the risk that your data could be accessed from outside the EU/EEA, for instance due to requests from foreign authorities.
If any of the recipients of your personal data are located outside the EU/EEA, this also means that your data may be transferred internationally.
To ensure your personal data remains protected when transferred outside the EU/EEA, we rely on safeguards approved under the GDPR. These include:
Adequacy decisions issued by the European Commission. These confirm that certain countries outside the EU/EEA offer a level of data protection equivalent to that of the EU. For instance, we may rely on the EU-US Data Privacy Framework for transfers to the United States, or the adequacy decision for the United Kingdom.
Standard Contractual Clauses (SCCs) issued by the EU Commission. These are legal agreements entered into with the data recipient, ensuring that your data remains protected according to GDPR standards, and that your rights are upheld.
In addition to these legal mechanisms, we also implement technical and organizational security measures to further protect your personal data in the event of any unauthorized access. The exact measures depend on what is technically possible and effective for each specific transfer.
15.
Data controller
Flower acts as the data controller for personal data processed under this policy. In some cases, subsidiaries of Flower may also act as independent or joint data controllers, where applicable. All such processing is conducted in accordance with the responsibilities set out in this policy and the overarching General Privacy Policy.
If you have any questions or requests, you can always contact us at privacy@flower.se or at:
Flower Infrastructure Technologies AB
Att: Privacy
Katarinavägen 15
116 45 Stockholm