You are a customer of ours/we see you as a potential customer

1. Information about Ahlsell's processing of personal data - customers and potential customers

2. What personal data do we process about you?

We process personal data about you as a contact person, signatory or other representative of a potential or existing customer. We only collect the personal data we need for each specific purpose – what personal data we collect about you depends on how you interact with us. We collect and process the following categories of personal data:

• Identity data: data that makes it possible to identify you, such as your name, social security number or corporate registration number (for sole proprietorship who are our customers), Bank-ID (a Swedish electronic identification system) and signature. Social security numbers are processed due to the importance of secure identification, in accordance with Chapter 3, Section 10 of the Swedish Act (2018:218) holding supplementary provisions to the EU Data Protection Regulation.
• Contact details: information that enables us to contact you, such as your address, e-mail address and telephone number.
• Account and customer information: such as user-ID, customer number, contract information, card number (for customers holding the so-called Ahlsell blue card) and information for creation and usage of an account on the website and in the app, such as the customer's own notes when placing an order (e.g., employee number and other notations) and customer offers.
• Work-related details: information about your role in the organization for which you represent, such as your job title, the company you represent and the company's geographical location.
• Visiting details: information related to physical visits, such as dietary preferences, clothing size, car registration number, notes and results from security screenings during visits, who was visited, information about accidents and incidents during the visit, and photos and video recordings from surveillance cameras and our events.
• Communication data: information related to your communication with us, such as the content in e-mails, customer support cases, notes from telephone calls, other comments, video and sound recordings from meetings, interviews, etc.
• Payment details: information needed for us to collect payment, such as billing details e.g. Web user-ID (delivery and billing address), bank account number and/or Plus Giro, and other bank details.
• Technical data: information about the device you use (e.g., computer or mobile phone), such as IP-address, operating system and browser type, as well as, information about your user behavior, location data, browsing history and engagement metrics from recipients of e-mail marketing, including "read" status and timestamps for e-mails, which are collected via cookies or similar tracking techniques.

3. Why, on what legal basis and for how long do we process your personal data?

3.1 Provision of our products and servicesr

Administration of customer relationships

Purpose
Managing customer and potential customer relationships, including, among other things, credit checks, creation of customer and customer accounts, and management of customer access to our sales channels.

Categories of personal data
Identity data, contact details, account- and customer information, work-related details, communication data, payment details.

Legal basis

Sole proprietorships: Performance of a contract (GDPR, Article 6.1(b)) – acting according to your request prior to entering a contract and for performance of such contract.

Other legal entities: Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in managing our contractual relationship and fulfilling our obligations under the contract. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted five (5) years after the end of the customer relationship and five (5) years after collection if no customer relationship is established.

 

Order management

Purpose
Manage orders/purchases and other obligations under the contract, including, among other things, management of our sales channels, including e.g., customer offerings, deliveries and notifications, invoicing and incoming payments.

Categories of personal data
Identity data, contact details, work-related details, payment details, account- and customer information, communication data. 

Legal basis

Sole proprietorships: Performance of a contract (GDPR, Article 6.1(b)).

Other legal entities: Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in management of orders/purchases and fulfilling our other obligations under the contract. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted five (5) years after the order/purchase has been completed.

 

Returns, complaints and claims

Purpose
Management of returns, complaints and claims.

Categories of personal data
Identity data, contact details, work-related details, payment details, account- and customer information, communication data.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in the management of returns, complaints and claims. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted five (5) years after the order/purchase has been completed.

 

Non-payment

Purpose
Act in the event of non-payment (debt collection and a possible provision of a payment reminder).

Categories of personal data
Identity data, contact details, communication data.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in being able to collect debts owed to us. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted five (5) years after the order/purchase has been completed.

 

3.2 Provision of customer support and associated services

Customer support

Purpose
To provide customer support in relation to our products and services, including logistics (planned and ongoing deliveries and potential deviations), the website and our systems, sustainability matters and other questions from customers/potential customers.

Categories of personal data
Identity data, contact details, account- and customer information, work-related details, payment details, communication datatechnical data.

Legal basis

The processing of technical data collected via cookies or similar tracking techniques is based on your consent obtained via our consent management platform (GDPR, Article 6.1(a)).

Other personal data is processed based on a legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in providing support and helping our customers/potential customers by answering questions, providing information, troubleshooting, etc. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period

Personal data related to support and development work is deleted six (6) months after the support case/development work has been completed.

Technical data is deleted in accordance with what is set out in Ahlsell's consent management platform.

 

Additional services

Purpose
To provide services, such as training, IT-systems and IT-services, as well as services for cleaning, loan- and demonstration of products.

Categories of personal data
Identity data, contact details, account- and customer details, work-related details, payment details, communication data, technical data.

Legal basis

The processing of technical data collected via cookies or similar tracking techniques is based on your consent obtained via our consent management platform (GDPR, Article 6.1(a)).

Other data is processed based on a legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in providing training and additional services. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted five (5) years after the service has been provided.

Technical data is deleted in accordance with what is set out in Ahlsell's consent management platform.

 

3.3 Visits to our premises

Visits

Purpose
Managing visits, including, among other things, providing parking and guest WiFi-networks at our premises, administrating access management in stores, logistics centers (LC), other premises and offices, and random so-called security screenings carried out by security companies with whom we collaborate  to ensure that no property that belongs to us is removed unlawfully from our premises/areas.

Categories of personal data
Identity data, contact details, account- and customer information, work-related details, visiting details, communication datatechnical data (when using guest Wi-Fi-networks).

Legal basis

The processing of technical data collected via cookies or similar tracking techniques is based on your consent obtained via our consent management platform (GDPR, Article 6.1(a)).

Other data is processed based on a legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in managing visits and ensuring an adequate level of security in connection with such. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period

Personal data is deleted thirty (30) days after the visit.

Technical data is deleted in accordance with what is set out in Ahlsell's consent management platform. 

 

Camera surveillance (CCTV) at logistics centers and our stores, as well as other premises such as local offices

Purpose
To prevent, detect and investigate crimes with the aim of ensuring a safe working environment for our employees/consultants and visitors, we use camera surveillance (CCTV) at our logistics centers (LC), our stores and other premises such as local offices. Camera surveillance is also used to prevent unauthorized access to the above-mentioned locations by monitoring the flow of traffic i.e. to and from the applicable locations.

Categories of personal data
Visiting details, identity data.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in ensuring a safe environment for us and our visitors and preventing unauthorized persons from entering the premises. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted thirty (30) days after the visit, except when necessary to process the personal data thereafter during any investigations.

 

Camera surveillance via intercom at the headquarters

Purpose
To prevent unauthorized access to our headquarters in Marievik, we use camera surveillance at the intercom (image and sound) which is activated when it is used at the unmanned reception desk and where the call is connected to a receptionist who decides whether to let the visitor in or turn them away.

Categories of personal data
Visiting details.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in managing entry and exit. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted thirty (30) days after the visit, except when necessary to process the personal data thereafter during any investigations.

 

Incidents and accidents

Purpose
Incident management and reporting of potential accidents, incidents, fires, etc.

Categories of personal data
Identity data, contact details, work-related details, visiting details, communication data.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in management of incidents, accidents, etc. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted no later than thirty (30) days after the visit.

 

3.4 Marketing and event management

Marketing

Purpose
To market our products and services and provide information about our business via telephone, e-mail, websites, social media, press releases and other communication methods to customers and potential customers.

Categories of personal data
Identity data, contact details, work-related details, technical data.

Legal basis

The processing of technical data collected via cookies or similar tracking techniques is based on your consent obtained via our consent management platform (GDPR, Article 6.1(a)).

Other data is processed based on a legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in marketing ourselves and reaching new customers. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period

Personal data is deleted five (5) years after the end of the customer relationship.

Personal data related to the mailing of newsletters is deleted after notification that the current contact person has left, or in connection with notification that the contact person no longer wishes to receive newsletters.

Personal data related to surveys is deleted six (6) months after completion.

Technical data is deleted in accordance with what is set out in Ahlsell's consent management platform.

 

Photos and videos in marketing

Purpose

Use still and moving material, such as photographs, sound and video recordings from events, in internal and external communication and marketing material.

We use AI technology to produce, edit and identify photos and videos.

Categories of personal data
Visiting details.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in making our marketing material visually appealing and relevant. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is processed for a period of use and for a maximum of five (5) years.

 

Events and competitions

Purpose
To invite and administer participation in our events and competitions, including contacting participants afterwards.

Categories of personal data
Identity data, contact details, work-related details, visiting details, communication data.

Legal basis

Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in organizing events and competitions. Contact us if you would like to know more about how we have balanced our interests against yours.

When processing dietary preferences that involve health information, we base our processing on consent (GDPR, Article 6.1 (a)).

Retention period
Personal data is processed during the relevant event/competition. Where applicable, personal data may be stored for up to three (3) months after the event or up to one (1) year after the competition to conduct follow-up with respect to the event, verify winners and administer prizes related to the competition.

 

3.5 Business analysis and business development

Analysis and improvement of business operations

Purpose
Ongoing compilation of data for statistics, reports and analyses to support the analysis, development, streamlining and follow-up of our business, including our products and services, through customer satisfaction surveys, customer interviews and stakeholder analyses, among other things.

Categories of personal data
All personal data specified in this information, see section 2 above.

Legal basis

The processing of technical data collected via cookies or similar tracking techniques during use is based on your consent obtained via our consent management platform (GDPR, Article 6.1(a)).

Other data is processed based on a legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in analyzing our business at various stages and improving our services. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
No personal data is stored specifically for this purpose. Personal data that serve as a base for statistics, reports, and analyses for this purpose is stored in accordance with the retention periods specified for each purpose, as stated in this information.

 

3.6 General processing

Accounting

Purpose
Manage accounting obligations, including saving accounting material and preparing annual reports.

Categories of personal data
Identity data, contact details, payment details, account- and customer information, communication data.

Legal basis
Legal obligation (GDPR, Article 6.1(c) and Chapter 7, Section 2 of the Swedish Accounting Act (1999:1078)).

Retention period
Personal data is deleted seven (7) years after the end of the calendar year in which the financial year ended.

 

IT- and information security

Purpose
To protect our IT-systems (so that they function in a correct and secure manner), perform tests, troubleshoot and investigate IT-security incidents and causes of technical problems, restore data in IT-systems when necessary (e.g., security incidents), and perform regular backups.

Categories of personal data
Identity data, contact details, account- and customer information, work-related details, visiting details, payment details, technical data, communication data.

Legal basis

The processing of technical data collected via cookies or similar tracking techniques during use is based on your consent obtained via our consent management platform (GDPR, Article 6.1(a)).

Other data is processed based on a legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in ensuring an adequate IT- and information security. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data used in testing our IT-systems is updated in the test environment once (1) a year. Backups of personal data in our IT-systems are updated on an ongoing basis, and old versions are deleted after a maximum of twelve (12) months.

Personal data processed to protect us against unauthorized access, Denial of Service (DoS) because of overload and other security risks is  not normally stored. However, if IT-systems are blocked, for example due to security reasons, storage takes place for three (3) months. Personal data collected in the form of logs about/during troubleshooting is stored for a maximum of one (1) year.

Technical data is deleted in accordance with what is set out in Ahlsell's consent management platform.

 

Supervision, requirements and incidents

Purpose
To investigate incidents, respond to requirements and provide requested information to supervisory authorities in the event of supervision.

Categories of personal data
The categories of persons and personal data requested in the event of incidents and supervision.

Legal basis
Compliance with a legal obligation (GDPR, Article 6.1(c) and GDPR, Articles 31, 33-34 and Article 58 respectively).

Retention period
Personal data is processed for as long as the incident or supervision is ongoing and for up to twenty-four (24) months thereafter.

 

Disputes

Purpose
Protect our interests in the event of a dispute.

Categories of personal data
The categories of persons and personal data necessary in relation to the dispute and the parties involved.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to be able to protect our interests in the event of a dispute. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is stored for as long as the dispute is ongoing and for ten (10) years thereafter.

 

Rights under the GDPR

Purpose
To comply with your request to exercise any of your rights under the GDPR.

Categories of personal data
Identity data, contact details and other information about you that you provide in your request and that is required for compliance.

Legal basis
Legal obligation (GDPR, Article 6.1(c) and GDPR, Chapter III).

Retention period
Personal data is stored for twenty-four (24) months after we have processed your request.

 

Legal obligations

Purpose
To comply with legal obligations under, for example, anti-money laundering legislation or rules on product liability and product safety.

Categories of personal data
Only the categories of personal data that are necessary to fulfil the respective legal obligation.

Legal basis
Compliance with a legal obligation (GDPR, Article 6.1(c) and, for example, the Swedish Act (2017:630) on Measures against Money Laundering and Terrorist Financing, the Swedish Product Liability Act (1992:18).

Retention period
Personal data is generally stored for five (5) years from the date it was collected. If necessary to prevent, detect or investigate money laundering or terrorist financing, the data is stored for up to ten (10) years. For other legal obligations, other data retention periods may apply in accordance with the relevant legislation.