You are our supplier, business- or collaboration partner

1. Information about Ahlsell's processing of personal data – suppliers and business and collaboration partners

2. What personal data do we process about you?

We process personal data about you if you are a contact person, signatory or other representative of a potential or existing supplier, business or collaboration partner. We only collect the personal data we need for each specific purpose – what personal data we collect about you depends on how you interact with us. We collect and process the following categories of personal data:

• Identity data: data that makes it possible to identify you, such as your name, social security number, corporate registration number (for sole proprietorship who serve as a supplier to us), signature and Bank-ID (a Swedish electronic identification system). Social security numbers are processed due to the importance of secure identification, in accordance with Chapter 3, Section 10 of the Swedish Act (2018:218) holding supplementary provisions to the EU Data Protection Regulation.
• Contact details: information that enables us to contact you, such as your address, e-mail address and telephone number.
• Supplier information: supplier number, known as Supplier-ID, and information that we review to ensure that our suppliers and business- and collaboration partners are respectable, such as creditworthiness, possible inclusion on sanctions lists at both company- and owner level, and a Code of Conduct (CoC) questionnaire which is completed by the supplier.
• Work-related details: details of your role in the organization for which you represent, such as your job title, the company you represent and the company's geographical location.
• Visiting details: information related to physical visits, such as dietary preferences, car registration numbers, notes and results from security screenings during visits, who was visited, information about accidents and incidents during the visit, and photos and video recordings from surveillance cameras and our events.
• Communication data: information related to your communication with us, such as the content in e-mails, support cases, other comments, video and sound recordings from digital meetings/training courses, video and sound recordings from meetings, interviews, etc.
• Payment details: information needed for us to make payments, such as supplier invoices, bank details, payment terms, cost centers, etc.
• Technical data: information about the device you use (e.g., computer or mobile phone), such as IP-address, operating system and browser type, as well as, information about your user behavior, location data, browsing history and engagement metrics from recipients of email marketing, including "read" status and timestamps for e-mails, which are collected via cookies or similar tracking techniques.

3. Why, on what legal basis and for how long do we process your personal data?

3.1 Purchase of product/service and management of supplier relationship

Administration of supplier relationships

Purpose
Managing supplier relationships and potential supplier relationships, including, among other things, background checks on the supplier's creditworthiness and reviews in relation to Ahlsell's code of conduct, as well as measures for onboarding (e.g., creation and signing of contracts), offboarding and maintenance of suppliers in our IT-systems/IT-services.

Categories of personal data
Identity data, contact details, supplier information, work-related details, communication data.

Legal basis
Sole proprietorships: Performance of a contract (GDPR, Article 6.1(b)) – taking steps at your request prior to entering a contract and for the performance of such a contract.

Other legal entities: Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in managing our contractual relationships and fulfilling our obligations under the contract. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted ten (10) years after the end of the supplier relationship.

Personal data related to accounts in Ahlsell is deleted six (6) months after the end of the supplier relationship.

Order management

Purpose
Managing orders/call-offs/purchases and other obligations under the contract, including, among other things, placing orders, receiving deliveries and invoices, perform payments, and other ongoing management of product- and service deliveries to Ahlsell.

Categories of personal data
Identity data, contact details, work-related details, visiting details, payment details, communication data.

Legal basis
Sole proprietorships: Performance of a contract (GDPR, Article 6.1(b)).

Other legal entities: Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in placing/performing orders call-offs/purchases, receiving deliveries and fulfilling our other obligations under the contract. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted five (5) years after the order/purchase has been completed.

Returns, complaints and claims

Purpose
Management of returns, complaints, claims and other deviations in relation to orders/call-offs/purchases, such as invoice, return and arrival deviations.

Categories of personal data
Identity details, contact details, supplier information, work-related details, payment details, communication data.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in management of returns, complaints and claims. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted five (5) years after the order/purchase has been completed.

3.2 Visits to our premises

Visits

Purpose
Managing visits, including, among other things, providing parking and guest WiFi-networks at our premises, administrating access management in stores, logistics centers (LC), other premises and offices, courier management and random so-called security screenings carried out by security companies with whom we collaborate to ensure that no property that belongs to us is removed unlawfully from our premises/areas.

Categories of personal data
Identity details, contact details, supplier information, payment details, work-related details, visiting details, communication datatechnical data (when using guest WiFi-networks).

Legal basis
The processing of technical data collected via cookies or similar tracking techniques is based on your consent obtained via our consent management platform (GDPR, Article 6.1(a)).

Other data is processed based on a legitimate interest (GDPR, Article 6.1(f)) - processing is necessary to fulfill our legitimate interest in managing visits to our premises and ensuring an adequate level of security in connection with such. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted thirty (30) days after the visit.

Technical data is deleted in accordance with what is set out in Ahlsell's consent management platform.

Camera surveillance (CCTV) at logistics centers and our stores, as well as other premises such as local offices

Purpose
To prevent, detect and investigate crimes with the aim of ensuring a safe working environment for our employees/consultants and visitors, we use camera surveillance (CCTV) at our logistics center (LC), our stores and other premises such as local offices. Camera surveillance is also used to prevent unauthorized access to the above-mentioned locations by controlling the flow of traffic, i.e. to and from the applicable locations.

Categories of personal data
Visiting details, identity data.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in ensuring a safe environment for us and our visitors and preventing unauthorized persons from entering the premises. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted thirty (30) days after the visit, except when necessary to process the personal data thereafter during any investigations.

Camera surveillance via intercom at the headquarters

Purpose
To prevent unauthorized access to our headquarters in Marievik, we use camera surveillance at the intercom (image and sound) which is activated when it is used at the unmanned reception and where the call is connected to a receptionist who decides whether to let the visitor in or turn them away.

Categories of personal data
Visiting details.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in managing entry and exit. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted thirty (30) days after the visit, except for any investigations.

Incidents and accidents

Purpose
Incident management and reporting of potential accidents, incidents, fires, etc.

Categories of personal data
Identity data, contact details, work-related details, visiting details, communication data.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in management of incidents, accidents, etc. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted no later than thirty (30) days after the visit. 

3.3 Provision of support and additional services

Support

Purpose
To provide support and respond to questions/handle matters from suppliers.

Categories of personal data
Identity data, contact details, supplier information, work-related details, communication data, payment details.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in providing support and assisting our suppliers by answering questions, providing information, troubleshooting, etc. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data related to support and development work is deleted six (6) months after the support case/development work has been completed.

Additional services

Purpose
To provide services such as training and IT-systems/IT-services through our partners.

Categories of personal data
Identity data, contact details, supplier information, work-related details, visiting details, payment details, communication data, technical data.

Legal basis
The processing of technical data collected via cookies or similar tracking techniques is based on your consent obtained via our consent management platform (GDPR, Article 6.1(a)).

Other data is processed based on a legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in providing training and other services. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted five (5) years after the service has been provided.

Technical data is deleted in accordance with Ahlsell's consent management platform.

3.4 Marketing and event management

Marketing

Purpose
To market and provide information about our business via telephone, e-mail, websites, social media, press releases and other communications methods to suppliers and potential suppliers.

Categories of personal data
Identity data, contact details, supplier details, service details, technical data.

Legal basis
The processing of technical data collected via cookies or similar tracking techniques is based on your consent obtained via our consent management platform (GDPR, Article 6.1(a)).

Other data is processed based on a legitimate interest (GDPR, Article 6.1(f)) –processing is necessary to fulfill our legitimate interest in marketing ourselves and reaching new suppliers. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted five (5) years after the termination of the supplier-, business- and collaboration partner relationship.

Personal data related to the mailing of newsletters is deleted after notification that the current contact person has left, or in connection with notification that the contact person no longer wishes to receive newsletters.

Personal data related to surveys is deleted six (6) months after completion.

Technical data is deleted in accordance with Ahlsell's consent management platform.

Photos and videos in marketing

Purpose
Use still and moving material such as photographs, sound recordings and video recordings from events in internal and external communication and marketing material.

We use AI technology to produce, edit and identify photos and videos.

Categories of personal data
Visiting details.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in making our marketing material visually appealing and relevant. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is processed for a period of use and for a maximum of five (5) years.

Events and competitions

Purpose
To invite and administer participation in our events and competitions, including contacting participants afterwards.  

Categories of personal data
Identity data, contact details, work-related details, visiting details, communication data.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in organizing events and competitions. Contact us if you would like to know more about how we have balanced our interests against yours.

When processing dietary preferences that involve health information, we base our processing on consent (GDPR, Article 6.1 (a)).

Retention period
Personal data is processed during the relevant event/competition. Where applicable, personal data may be stored for up to three (3) months after the event and up to one (1) year after the competition to conduct follow-up with respect to the event, verify winners and administer prizes related to the competition.

3.5 Business analysis and business development

Analysis and improvement of business operations

Purpose
Ongoing compilation of data for statistics, reports and analyses to support the analysis, development, streamlining and follow-up of our business including business systems, processes and strategies by, among other things, following up on the outcome of the business's commercial transactions to analyze and increase profitability and to carry out stakeholder analyses.

Categories of personal data
All personal data specified in this information, see section 2 above.

Legal basis
The processing of technical data obtained through cookies or similar tracking techniques is based on your consent obtained through our consent management platform (GDPR, Article 6.1(a)).

Other data is processed based on a legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfil our legitimate interest in analyzing our business at various levels and improving our services. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
No personal data is stored specifically for this purpose. Personal data that serve as the basis for this purpose is stored in accordance with the data retention periods specified for each purpose, as stated in the information.

Technical data is deleted in accordance with Ahlsell's consent management platform.

3.6 General processing

Accounting

Purpose
Manage accounting obligations, including saving accounting material and preparing annual reports.

Categories of personal data
Identity data, contact details, supplier information, payment details, communication data.

Legal basis
Legal obligation (GDPR, Article 6.1(c) and Chapter 7, Section 2 of the Swedish Accounting Act (1999:1078)).

Retention period
Personal data is deleted seven (7) years after the end of the calendar year in which the financial year ended.

IT- and information security

Purpose
To protect our IT-systems (so that they function in a correct and secure manner), perform tests, troubleshoot and investigate IT-security incidents and causes of technical problems, restore data in IT-systems when necessary (e.g., security incidents), and perform regular backups.

Categories of personal data
Identity data, contact details, supplier information, service details, visiting details, payment details, technical data, data communication.

Legal basis
The processing of technical data collected via cookies or similar tracking techniques during use is based on your consent obtained via our consent management platform (GDPR, Article 6.1(a)).

Other data is processed based on a legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in ensuring adequate IT- and information security. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data used in testing our IT-systems is updated in the test environment once (1) a year. Backups of personal data in our IT-systems are updated on an ongoing basis, and old versions are deleted after a maximum of twelve (12) months.

Personal data processed to protect us against unauthorized access, Denial of Service (DoS) because of overload and other security risks is not normally stored. However, if IT-systems are blocked, for example for security reasons, storage takes place for three (3) months. Personal data collected in the form of logs about/during troubleshooting is stored for a maximum of one (1) year.

Technical data is deleted in accordance with what is set out in Ahlsell's consent management platform.

Supervision, requirements and incidents

Purpose
To investigate incidents, respond to requirements and provide requested information to supervisory authorities in the event of supervision.

Categories of personal data
The categories of persons and personal data requested in the event of incidents and supervision.

Legal basis
Compliance with a legal obligation (GDPR, Article 6.1(c) and GDPR, Articles 31, 33-34 and Article 58 respectively).

Retention period
Personal data is processed for as long as the incident or supervision is ongoing and for up to twenty-four (24) months thereafter.

Disputes

Purpose
Protect our interests in the event of a dispute.

Categories of personal data
The categories of persons and personal data necessary in relation to the dispute and the parties involved.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – to be able to protect our interests in the event of a dispute. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is stored for as long as the dispute is ongoing and for ten (10) years thereafter.

Rights under the GDPR

Purpose
To comply with your request to exercise any of your rights under the GDPR.

Categories of personal data
Identity data, contact details and other information about you that you provide in your request and that is required for compliance.

Legal basis
Legal obligation (GDPR, Article 6.1(c) and GDPR, Chapter III).

Retention period
Personal data is stored for twenty-four (24) months after we have processed your request.

Legal obligations

Purpose
To comply with legal obligations under, for example, the Anti-Money Laundering Act or the rules on product liability and product safety.

Categories of personal data
Only the categories of personal data that are necessary to fulfil the respective legal obligation.

Legal basis
Compliance with a legal obligation (GDPR, Article 6.1(c) and, for example, the Swedish Act (2017:630) on Measures against Money Laundering and Terrorist Financing, the Swedish Product Liability Act (1992:18).

Retention period
Personal data is generally stored for five (5) years from the date it was collected. If necessary to prevent, detect or investigate money laundering or terrorist financing, the data is stored for up to ten (10) years. For other legal obligations, other data retention periods may apply in accordance with the relevant legislation.