Born cares about your privacy and ensures that your personal information is processed in a safe, correct and legal manner. Born has adopted this privacy policy (the “Privacy Policy”) to inform you about how we process your personal information. If you submit personal information to us at Born in any way, we encourage you to read the Privacy Policy first.

Born is responsible for the processing of personal data within the framework of our operations. Further information on controllership of personal data in connection with the respective personal data processing can be found in section 3. Born is responsible for ensuring that personal data processing is carried out in accordance with applicable data protection rules, including the General Data Protection Regulation. Please see our contact details below.

Born Law KB

Strandvägen 7A

Box 5244, SE-102 45 Stockholm

+46 8-566 119 00

Who is responsible for your personal data?

Born carries out the assignment and therefore is responsible for your personal data. See our contact details in section 2 above. Born is also the controller for the register kept for the purpose of checking and excluding conflicts of interest – you can contact Born if you have any questions regarding this register.

Whose personal data do we process?

Clients: Natural persons who are our clients or who represent/are employed by our clients. This includes partners and beneficial owners.

Counterparties: Natural persons who are counterparties or who represent/are employed by a counterparty. This includes partners and beneficial owners.

Other natural persons who have a connection to an assignment handled by Born, for example representatives of or employees of a partner, or a group company of the client or the counterparty. This may also include employees of companies to be sold or acquired, guarantors, experts, witnesses, employees of public authorities, courts, banks and auditors.

What personal data do we process about you?

As a starting point, we store all the information we receive within the context of the assignment. We usually receive the information directly from you as a data subject or the client. We may also supplement and check the information against sources such as the population register, credit reference agencies and the companies register.

Clients:

If the client is a natural person, we normally process the name, personal identity number, address and contact details, information in communication (oral, e-mail, letter), and all data related to the case/assignment in question, such as the course of events.

If the client is a legal person, the following data are usually processed regarding the client’s employees/representatives: name, role/title, employer/client, contact details, information in communication (oral, e-mail, letter), and all data relevant to the case/assignment in question.

In some cases, data is also collected if the person is someone in a politically exposed position or is closely associated with such a person.

Counterparties:

If the counterparty is a natural person, the same categories of data are usually processed as for a client who is a natural person, see above.

If the counterparty is a legal person, the same categories of data are usually processed as for a client who is a legal person, see above.

Other natural persons:

The categories of data processed depend on the connection to the client case, e.g. name, role/title, employer/client, contact details, information in communication (oral, e-mail, letter). If you are employed by a company that is to be sold or acquired, your personal identity number, information about the employment contract, including income, benefits and other remuneration will also be processed.

Why and on what legal basis do we process your personal data?

We process personal data for the main purposes of providing and conducting legal activities, carrying out client assignments in accordance with the client’s instructions and the laws and guidelines which we are required to comply with as a law firm. Your personal data will only be used to the extent necessary in each individual case to achieve this purpose.

Receiving, administering and performing the client assignment

• Receiving and administering assignment requests
• Confirming the identity of the client and the counterparty
• Verifying that there is no conflict of interest before we accept assignments
• Carrying out the assignment according to the client’s instructions and acting as legal representative for the client
• Communicating with the client, managing meetings
• Managing and administering the assignment and the client relationship, including presenting results of the work, invoicing and handling and assisting with payments/transactions

The processing is carried out on the basis of our legitimate interest (Article 6(1)(f) GDPR) in complying with contractual obligations towards our client and in carrying out the assignment according to the client’s instructions. If our client is a natural person, their personal data will instead be processed on the basis of performance of the contract (Article 6(1)(b) GDPR).

Compliance with obligations that we are subject to

• In some cases, in accordance with the applicable money laundering regulations, we take measures to prevent, detect, investigate or report money laundering or terrorist financing
• For accounting purposes, such as preparing and maintaining accounting records in accordance with the Accounting Act

The processing is necessary in order to comply with legal obligations that we are subject to (Article 6(1)(c) GDPR).

Handling and defending legal claims, as well as safeguarding our rights under law or contract

Where applicable, your personal data will be processed to enable us to

• investigate and respond to a legal claim against Born, for example in the context of a dispute with you or a third party,
• enforce and safeguard our legal and contractual rights, for example in connection with the recovery of claims,
• investigate and ensure that we comply with obligations that we are subject to according to, e.g., money laundering and data protection legislation, etc. and defend ourselves against legal claims in this regard.

The processing is performed on the basis of our legitimate interest (Article 6(1)(f) GDPR) in handling and defending legal claims, as well as in safeguarding our rights under law or contract.

Evaluating our business activities and following up on the client relationship

Personal data are also processed to compile collected statistics on, for example, client type, sales, and to conduct surveys in order to analyse and evaluate business activities. The statistics and reports that are created use personal data in aggregate form and do not identify you as an individual.

The processing is carried out on the basis of our legitimate interest (Article 6(1)(f) GDPR in evaluating, improving and developing our business.

How long do we store your personal data?

We are obliged to retain information related to an assignment for ten (10) years after the case is closed, or for a longer period if necessary. If a situation arises where we need to assert, defend or respond to a legal claim, the personal data may be used for this purpose during the period specified above.

Personal data processed for accounting purposes are stored for seven (7) years. According to current money laundering legislation, we store personal data for five (5) and up to ten (10) years.

Who has access to the data?

Your personal data may be disclosed to and processed by a third party. This may be our employees, service providers such as IT system providers, server and hosting partners, software and support, other legal advisors, auditors, consultants, authorities, and counterparties, etc. Examples of situations where your personal data may be transferred to a third party are when such a measure is required due to law, litigation, request from an authority or decision, at your request or the client’s own request, or when it is required in order to serve an interest that we consider legitimate.

Who is responsible for your personal data?

Born, which the supplier has entered into a contract with. See contact details for us in section 2 above.

Whose personal data do we process?

Natural persons who represent or are employed by a supplier or partner of Born.

What personal data do we process about you?

We usually process the name, role/title, employer/client, contact details, information in communication (oral, e-mail, letter) and in contracts.

Why and on what legal basis do we process your personal data?

We will process your personal data in connection with the contractual relationship between Born and your employer/client. This is necessary in order to administer the contractual relationship and act in accordance with it. It is also necessary to enable Born to use the services or goods purchased in the intended manner. For example, for the purpose of receiving deliveries of the products, using customer support, and handling invoicing. The processing is carried out on the basis of our legitimate interest (Article 6(1)(f) GDPR) in being able to administer the contract, the contractual relationship, in complying with our contractual obligations and in safeguarding our contractual rights.

Where applicable, your personal data may be present on such documentation that we need to store for accounting purposes. The processing is then carried out on the basis that it is necessary in order to comply with a legal obligation (Article 6(1)(c) GDPR) that we are subject to.

Where applicable, your personal data may need to be processed in order for us to assert, investigate, respond to or defend ourselves against a legal claim. For example, in the context of a dispute with your employer. The processing is carried out on the basis of our legitimate interest (Article 6(1)(f) GDPR) in handling and defending legal claims, as well as in safeguarding our rights under law or contract.

How long do we store your personal data?

The personal data is stored as long as the contractual relationship between Born and your employer/client lasts and for a period of three years thereafter.

Who has access to your personal data?

Born, which will use the services or products. The data may also be shared with our other suppliers if it is necessary to achieve certain purposes, for example suppliers of systems, software and cloud services, as well as banking and auditors. If necessary, the data may be disclosed to authorities and debt collection agencies.

Who is responsible for your personal data?

Born is responsible for the personal data processing that is performed when you visit our website and our social media pages.

Whose personal data do we process?

Visitors to Born’s website born.se, and our social media pages.

What personal data do we process about you?

Electronic identification data, but also the data that you actively provide such as your name and e-mail. The collection takes place in connection with your visit to the website. In some cases, we can identify who you are by combining the data we collect with your e-mail address. Your own browser and device settings will affect what data we can collect from your visit. Please also read our Cookie Policy.

Why and on what legal basis do we process your personal data?

Born’s website and digital channels are communication channels through which we can provide information about our business, our lawyers, events and seminars that we organise or have attended. The channels also make it possible for interested parties to contact us, sign up for newsletters and events/seminars.

Your personal data are processed in order to enable the use of the communication channels as intended, to analyse and measure the interest in our business, to analyse, measure and follow up the use of the channels, and to create statistics. The processing is carried out on the basis of our legitimate interests (Article 6(1)(f) GDPR) in providing you with a positive user experience, in conducting and developing our business, in handling operational disruptions and preventing unlawful use of the channels.

How long do we store your personal data?

See our Cookie Policy.

Who has access to your personal data?

We use analytical tools to achieve the above purposes, which means that we let the tools retrieve information about your visit to the website.

We also use social plugins on the website. This means that we have embedded content from a social network onto our website, which can in some cases relate your use of and visit to our website to your account in the network (provided you have an account). Content from the social network can be displayed on our website and it is possible for you to share content from our website on the social network.

Who is responsible for your personal data?

Born, who you have contact with. See contact details for us in section 2 above.

Whose personal data do we process?

The natural persons who register for and participate in events that Born arranges or participates in. Natural persons who in some other way come into contact with Born, for example at conventions, through participation in investigations, via communication channels and via e-mail.

What personal data do we process about you?

Name, role/title, employer/client, contact details, food preferences, information in communication (letter, e-mail, oral), image and sound recording, history log regarding the event/seminar, and how you registered. We also process history logs about the mailings we sent you if you responded to the evaluation (not the answers you gave).

Why and on what legal basis do we process your personal data?

Events and seminars

If you register for an event or seminar organised by Born, we will process your personal data in order to administer and implement your participation and the event, as well as evaluate and follow up on how it went. This includes drawing up lists of participants, sending out information regarding the event, ordering food, and conducting surveys. During the event, we may document through images and video for the purpose of providing information about our business operations via our communication channels. The processing is carried out on the basis of our legitimate interests (Article 6(1) (f) GDPR) in marketing and providing information about our business operations, in developing and improving business activities and in maintaining the business relationship we have with you.

Communication in connection with enquiries

If you contact us through our digital communication channels, letters or e-mails, we need to collect and store personal data. The purpose of the processing is to handle and answer enquiries related to our business operations. The processing is carried out on the basis of our legitimate interest (Article 6(1)(f) GDPR) in answering incoming questions and conducting our business. Certain enquiries may also be processed for our legitimate interest in following and demonstrating that we comply with the laws and regulations which we are required to comply with, such as issues relating to the exercise of registered rights under data protection legislation.

How long do we store your personal data?

The data will be saved for one year from your most recent participation. Food preferences are deleted immediately after the event. Images and videos that you appear in are deleted after a maximum of three years (please note that if the material has been published on digital channels we no longer have control over the deletion). If you have given consent to the processing, the period of time you have agreed to will apply instead, or until you withdraw your consent.

Communication in connection with enquiries is normally deleted six (6) months after the question has been answered. If we consider the communication necessary in order to defend legal claims, to demonstrate that we have complied with a legal obligation, or to protect our legal rights, the storage period will be extended to the time required, but to a maximum of ten (10) years.

Who has access to your personal data?

Your personal data may be disclosed to and processed by a third party. This may be employees and consultants to us, service providers such as suppliers of IT systems, server and hosting partners, software and support.

Who is responsible for your personal data?

Born, which carries out the marketing activities, is responsible for the processing. See contact information for us in section 2 above.

Whose personal data do we process?

Natural persons with whom we have or have had a business relationship, such as representatives or employees of existing, former or potential clients, participants at events or seminars, or whose details we have obtained at conventions, and those who have signed up to our newsletter.

What personal data do we process about you?

Name, contact details, client type, role/title, employer/client, in some cases history logs about which mailings we sent you and information about how you have navigated/read the received information will be processed (via cookies).

Why and on what legal basis do we process your personal data?

Your personal data is processed for the purpose of direct marketing to inform you, in your professional role, about our business operations, such as which services we offer, our lawyers’ experience, and to provide other information about the activities we organise or participate in. This includes, for example, sending out information such as newsletters and invitations via digital channels and e-mail, as well as analysing, measuring and following up any marketing activity. The processing is carried out on the basis of our legitimate interests (Article 6(1)(f) GDPR) in marketing and providing information about our business operations, developing and improving business activities and maintaining the business relationship we have with you. In certain cases, consent is obtained for the above purposes and the use of electronic marketing.

How long do we store your personal data?

For the above purposes, your personal data is processed for one year from i) the time when the business relationship or client relationship between your employer and Born ends, or ii) your most recent participation in a seminar or event. If you have given consent to the processing, the period of time you have agreed to will apply instead, or until you withdraw your consent. You always have the right to refuse further direct marketing; you can do this by following the unsubscribe instructions in the message or by contacting us.

Who has access to your personal data?

Your personal data may be disclosed to and processed by a third party. This may be employees and consultants to us, service providers such as suppliers of IT systems, server and hosting partners, software, support and analytical tools.

Who is responsible for your personal data?

Born, who you are applying for a job with. See contact details for us in section 2 above.

Whose personal data do we process?

Natural person applying for a job or internship with Born.

What personal data do we process about you?

The data you provide to us in connection with the application, usually: name, address and contact details, photograph, education, professional experience, grades, other skills and qualities and something about yourself, all information in communication such as e-mail and/or dialogue in our recruitment system. We also keep internal notes in connection with interviews and make an assessment in relation to the position applied for. We may process data about health and ethnicity if you provide this information. We do not use processes that involve automatic decision-making.

Why and on what legal basis do we process your personal data?

Your personal data needs to be processed in order for us to be able to recruit employees for the business. As part of the recruitment process, your data is processed for the following purposes:

• Managing the recruitment process, including administering application documents and booking interviews
• Evaluating and assessing the candidate in relation to the position in question
• Communicating with the candidate and providing information about employment
• If you have submitted a spontaneous application (i.e. not to a specific position), your application will be saved to provide information and consider your application the next time we are hiring

We have assessed that it is in the interests of both Born and the jobseeker that the personal data is processed for recruitment purposes. The processing is carried out on the basis of our legitimate interest (Article 6(1)(f) GDPR) in recruiting employees and in simplifying/increasing the efficiency of the recruitment process.

We save information from previous recruitment processes that you have been involved in. The processing is carried out on the basis of your consent (Article 6(1)(a) GDPR).

We also process your personal data for the purpose of defending and responding to a legal claim, but also to safeguard our legal rights, for example in the context of a discrimination case, or an employment law case such as in a case of pre-emption rights or re-employment. The data is stored for two years for this purpose.

How long do we store your personal data?

Your personal data are stored for six (6) months from the most recent job you applied for. Your data are therefore stored until the job you applied for has become a permanent employment position. If you have given your consent to the processing, the data are instead stored for two (2) years from when you last gave your consent.

Who has access to your personal data?

Your data is processed by staff at Born. We may share your data with

• the suppliers and subcontractors who help us achieve our aims. We work with the following categories of providers: companies that provide server and data storage, e-mail and communication modules, video processing, analytical tools and other IT services or software, and
• public authorities and courts, as well as legal advisers if this is necessary in order to defend or safeguard a legal claim or if we are legally obliged to do this.

We only share your data with parties we trust and if we have entered into the necessary data transfer agreements or processor agreements. In some cases, personal data may be disclosed to a party outside the EU or the EEA.

Aggregated data (non-identifiable personal data)

We may share aggregated data with third parties. In such cases, the aggregated data has been compiled from information collected through the service and may, for example, include statistics on internet traffic or the geographical location where the service is used. The aggregated data do not contain any information that can be used to identify natural persons and is therefore not considered personal information.

As a general rule, your personal data is only processed within the EU or the EEA. In some cases, personal data may be disclosed to a party outside the EU or the EEA. Born only shares personal data with companies in third countries that have an adequate level of protection or companies that are considered to have achieved an adequate level of protection due to approved practices, and otherwise with the appropriate measures to ensure an adequate level of protection, e.g. by entering into standard contractual clauses.

Right to access

You have the right to request access to the personal data that we process, as well as to receive information about the purposes of the processing and about who has received the personal data, among other things. As the controller, Born will provide you with a free copy of the personal data that is processed.

Right to rectification

You have the right to have your personal data rectified or, under certain conditions, to have it restricted without undue delay. If you believe that Born has processed personal data about you that are incorrect or incomplete, you can demand that these be corrected or supplemented.

Right to erasure

You also have the right to have your data erased, for example if it is no longer necessary for the purpose or if the processing of it is based on consent and this has been withdrawn. However, there may be legal requirements, contractual relationships or compelling legitimate interests that prevent us from erasing your personal data.

Right to object

As a data subject, you have the right to object to the processing of your personal data at any time if the legal basis for the processing is a balancing of interests. As a data subject, you also have the right to object to the processing of your personal data at any time if they are processed for direct marketing.

Right to data portability

As a data subject, you have the right to obtain the personal data that you have provided to Born as the controller, and have the right to transmit these data to another controller (data portability). However, this applies only if this is technically possible and if the processing was necessary for the performance of a contract.

Right to make a complaint

If you are dissatisfied with how we process your personal data, we request that you contact us; see our contact details in section 2. You also have the right to submit a complaint about our personal data processing to: Integritetsskyddsmyndigheten, Box 8114, SE-104 20 Stockholm.

Born does not process personal data that involves automatic decision-making, including profiling.

Please note that e-mail without encryption may involve security and confidentiality risks. An e-mail can be compared to a postcard. Therefore, we ask that you do not provide any information that you do not want a third party to see. Never provide any sensitive information or information that may be used for undesirable purposes by a third party.

Born always has standard encryption activated for e-mail communication, but this is not always sufficient. If we deem that the specific information cannot be sent with standard encryption and e-mail, we will, if possible, add additional encryption, or use another method of communication. The same applies if you object to the use of e-mail communication.

Born reserves the right to change and update this policy. In the event of material changes to the policy or if existing information is to be processed in a manner other than that specified, you will be informed in an appropriate manner.