Privacy Policy.

Information about processing of personal data 

Epassi Benefits and Rewards AB (the “Company“, “we” or “us“) collects and stores information that you provide to us within the scope of the below mentioned purposes. This information notice describes the purposes of the processing of your personal data and what categories of personal data that we process about you. 

Throughout this information notice we use the term “processing”, which includes any and all measures that involves personal data, such as (without limitation) collection, administration, storage, sharing, access, use, transmission and deletion of personal data. 

Personal data is any information which directly or indirectly refers to an identified or identifiable natural person. 

Within the scope of providing you with the lunch card, we partly process your Personal Data in the capacity as data processor, on behalf of your employer. The part of the processing operations comprised by our processing as data processor are the operations carried out when we are managing the benefit from your employer, including creation of you card. 

In order to ensure compliance with applicable data protection legislation, we have entered into an agreement with your employer, which regulates how we may process your Personal Data for this purpose. 

3.1               Communication with user of the lunch card solution 

The personal data we process within the scope of this purpose are: 

• Name 
• E-mail address 
• Company 
• Address 
• Information whether the data subject is using a service connected to the lunch card. 

Personal Data processed in accordance with this section 3.1 are processed on the basis of balancing of interests, where the company has a legitimate interest to be able to communicate with the user and e.g. provide relevant information. 

Personal data processed for the above purpose will be processed for the time during which the user is an active user.   

3.2               Keeping electronic notes within the scope of the business 

The personal data we process within the scope of this purpose are:   

• Information in text fields   

Personal Data processed in accordance with this section 3.2 are processed on the basis of balancing of interests, where the company has a legitimate interest in keeping electronic notes within the scope of the work.   

Personal data processed for the above purpose will be processed during the customer relationship, or six (6) months from that the electronic note has been saved if no customer relationship has been initiated. 

3.3               Evaluation and follow-up, including preparation of statistics regarding e-mail recipients’ actions when receiving an e-mail from the company 

The personal data we process within the scope of this purpose are:   

• E-mail address 
• Information whether the data subject has opened an e-mail or any attached material or if the data subject has clicked on any links or deleted the e-mail. 
• Geographic position 

Personal Data processed in accordance with this section 3.3 are processed on the basis of balancing of interests, where the company has a legitimate interest in being able to follow up on how the recipients of e-mail act when receiving e-mails from the company. 

Personal data processed for the above purpose will be processed for the time during which the data subject’s e-mail address is processed for communication purposes. 

3.4               Storage of transaction history in order to establish or defend legal claims. 

The personal data we process within the scope of this purpose are: 

• Name 
• Personal identification number 
• Transactional information 
• Purchase history
• Fund deposition history
• Company 
• Card number 
• Card ID 
• Username 
• Information regarding support matters 
• Information whether the data subject is using a service connected to the lunch card. 
• Access logs 
• Mobil Payment provider 
• Mobile Device Type 
• Mobile Device Number 
• Mobile Device name 
• Mobile Device ID 

Personal Data processed in accordance with this section 3.4 are processed on the basis of balancing of interests, where the company has a legitimate interest in storing transaction in order to establish or defend legal claims. 

Personal data processed for the above purpose will be deleted Ten (10) years from when a user has become inactive. 

3.5               Carrying out surveys 

The personal data we process within the scope of this purpose are:   

• Name 
• E-mail address 
• Phone number 
• Company 
• Address 
• Answers to survey questions 

Personal Data processed in accordance with this section 3.5 are processed on the basis of balancing of interests, where the company has a legitimate interest in carrying out surveys in order to evaluate and develop the business. 

Personal data processed for the above purpose will be processed one (1) month from when the survey was carried out. If the answers are to be stored for a longer period, the answers should be anonymized. 

3.6               Evaluation and follow-up, including drafting reports regarding the end user’s use of the Sodexo card 

The personal data we process within the scope of this purpose are: 

• Transactional information 
• Purchase history 
• Fund deposition history 
• Company 
• Name 
• Card number 
• Card ID 
• Username 
• Information regarding support matters 
• Personal identification number 
• Employee number 
• Phone number 
• Email address 
• Address 
• Information whether the data subject is using a service connected to the lunch card
• Mobil Payment provider 
• Mobile Device Type   

Personal Data processed in accordance with this section 3.6 are processed on the basis of Balancing of interests, where the company has a legitimate interest to evaluate and develop the business. 

Personal data processed for the above purpose will be processed in such that the basis of the reports should be deleted immediately when the report has been drafted. The reports are stored for one (1) year. 

3.7               Keeping access and action logs of users for security and support purposes. 

The personal data we process within the scope of this purpose are: 

• Name 
• Information in log files 

Personal Data processed in accordance with this section 3.7 are processed on the basis of balancing of interests, where the company has a legitimate interest in keeping logs for security and support purposes. 

Personal data processed for the above purpose will be processed during the period the user is an active user. 

3.8               Administration of support matters 

The personal data we process within the scope of this purpose are: 

• Contact details to the party initiating the support matter 
• Contact details to the person responsible for managing the matter 
• Information in text fields 
• Information in log files 
• Card ID 
• Personal identification number 

Personal Data processed in accordance with this section 3.8 are processed on the basis of balancing of interests, where the company has a legitimate interest to manage support matters and other IT-related matters. 

Personal data processed for the above purpose will be deleted Ten (10) years from when the matter was closed. 

3.9               Fulfil accounting and book-keeping obligations 

The personal data we process within the scope of this purpose are: 

• Transactional information 
• Purchase history 
• Fund deposition history 
• Company 
• Name 
• Card number 
• Card ID 
• Username 
• Information regarding support matters 
• Personal identification number 
• Employee number 

Personal Data processed in accordance with this section 3.9 are processed on the basis to fulfil a legal obligation. 

Personal data processed for the above purpose will be deleted Seven (7) years from the expiry of the calendar year during which the fiscal year ended.   

In accordance with the purposes outlined under section 3 above, we may share your Personal Data with colleagues within the Sodexo Group and with external parties such as business partners and suppliers. Any and all transfers of Personal Data outside the EU/EEA will be subject to adequate safety measures that enables us to safely transfer your Personal Data outside the EU/EEA, in accordance with applicable data protection legislation. 

Transfers carried out in accordance with this section 4 relies on the same legal ground as the relevant purpose described under section 3 above. 

Countries outside the EU/EEA to which your personal data may be transferred to are:   

• Singapore 
• India 
• Sri Lanka   
  
  

You may at any time revoke a consent provided to the Company. You revoke your consent by contacting us on the contact details below and by addressing for which purpose you choose to revoke your consent. You acknowledge that you are entitled to request erasure of your personal data processed for the purpose for which you have revoked your consent. 

6.1               Right of rectification and access 

the Company will take steps in accordance with the applicable legislation to keep your Personal Data accurate, complete and up-to-date. If you identify that any Personal Data related to you is inadequate, incomplete or incorrect, you are entitled to have the Personal Data corrected. 

Moreover, you also have the right to request access to the Personal Data that we store about you. Such request should be lodged to the data protection officer at the Company. 

6.2               Further rights as of 25th May 2018 

As of 25th May 2018, you are entitled to extended rights in relation to the Company’s processing of your Personal Data, in accordance with what is set forth below. 

6.2.1                      Right to objection 

If the processing of your personal data is based on a balancing of interests and you deem that your integrity interest overrides the Company’s legitimate interest to process your Personal Data, you may, on grounds related to your particular situation, object to the processing by contacting the Company on the contact details in section 6 below, in which case the Company must have a compelling reason in order to continue to process the Personal Data for the relevant purpose. 

6.2.2                      Right to erasure 

Under certain circumstances, such as when you have revoked you previously given consent and there is no other legal ground available for the Company to process your Personal Data, you may request to have your Personal Data erased.   

6.2.3                      Right to restriction 

You are under certain circumstances entitled to restrict the processing of your Personal Data to only comprise storage of the Personal Data, e.g. during the time when the Company assesses whether you are entitled to have Personal Data erased in accordance with section 5.2.2 above.   

6.2.4                      Right to access 

You are entitled to obtain a confirmation from the Company as to whether your Personal Data are being processed by the Company and, if so, access to the Personal Data and the following information:   

1. the purposes of the processing; 

1. the categories of Personal Data processed; 

• the recipients of Personal Data (in particular in countries outside EU/EEA); 

1. the envisaged time during which the Personal Data will be processed; 

1. information about the rights stated herein; 

1. information about the source from which the Personal Data are collected; and 

• the existence of automated decision-making, including profiling. 

Moreover, you are upon your request entitled to receive your Personal Data in a commonly used electronic format. Kindly note that the Company may charge a fee if you request more than one copy of your Personal Data.   

6.2.5                      Right to data portability 

When Personal Data is processed on the basis of your consent or on the basis that the processing is necessary in order to perform under a contract with you, and provided that the Personal Data have been provided or generated by you, you are entitled to receive a copy of your Personal Data in a common machine-readable format.   

6.2.6                      Rights in relation to automated decision-making, including profiling 

You have the right to not be subject to fully automated decision-making, including profiling, if such decision-making has legal effects or similarly significantly affects you. This right does not apply if the decision-making is necessary in order to perform under a contract with you, if the decision-making is permitted under applicable law or if you have provided your explicit consent. 

  6.3               Complaints to the supervisory authority 

You are welcome to contact us with any enquiries and complaints that you may have regarding the processing of your Personal Data. However, you also have the right to lodge complaints pertaining to the processing of your Personal Data to the Swedish Data Protection Authority. 

If you have any questions regarding the processing of your personal data, please contact us on the contact details below. 

 Epassi Benefits and Rewards AB  

Reg.no. 556649-1444 

Ynglingagatan 14, SE-113 47 Stockholm 

08-555 172 20 , lunchkort@epassi.se

We have appointed a local representative who may be contacted on LDPPC@epassi.se