You have visited us physically or digitally

1. Information about Ahlsell's processing of personal data – physical and digital visitors

2. What personal data do we process about you?

We process personal data about you when you visit our premises or our website. We only collect the personal data we need for each specific purpose – what personal data we collect about you depends on how you interact with us. We collect and process the following categories of personal data:

• Identity data: data that makes it possible to identify you, such as your name, social security number and signature. Social security numbers are processed due to the importance of secure identification, in accordance with Chapter 3, Section 10 of the Swedish Act (2018:218) holding supplementary provisions to the EU Data Protection Regulation.
• Contact details: information that enables us to contact you, such as your address, e-mail address and telephone number.
• Work related details: information about your role in the organization for which you represent, such as your job title, the company you represent and the company's geographical location.
• Visiting details: information related to physical visits, such as dietary preferences, clothing size, car registration number, notes and results from security screenings during visits, who was visited, information about accidents and incidents during the visit, and photos and video recordings from surveillance cameras and our events.
• Communication data: information related to your communication with us, such as the content in e-mails, notes from telephone calls, other comments, video- and sound recordings from meetings, interviews, etc.
• Betaluppgifter: uppgifter som behövs för att vi ska kunna ta betalt, till exempelfaktureringsuppgifter såsom Web-user-ID (leverans- och fakturaadress), bank- och/eller plusgironummer samt övriga bankuppgifter.
• Technical data: information about the device you use (e.g., computer or mobile phone), such as IP-address, operating system and browser type, as well as information about your user behavior, location data and browsing history, which is collected via cookies or similar tracking techniques.

3. Why, on what legal basis and for how long do we process your personal data?

3.1 Physical visitors

3.1.1 Visits and events

Visits

Purpose
Managing visits including, among other things, providing parking and guest Wi-Fi-networks at our premises, administrating access management in stores, logistics centers (LC), other premises and offices, courier management, and random so-called security screenings carried out by security companies with whom we collaborate to ensure that no property that belongs to us is removed unlawfully from our premises/areas.

Categories of personal data
Identity data, contact details, work-related details, visiting details, communication datatechnical data (when using guest Wi-Fi-networks).

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in managing visits to our premises and ensuring an adequate level of security in relation to these. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted thirty (30) days after the visit.

Technical data is deleted in accordance with what is set out in Ahlsell's consent management platform.

Events and competitions

Purpose
To invite and administer participation in our events and competitions, including contacting participants afterwards.

Categories of personal data
Identity data, contact details, work-related details, visiting details, communication data.

Legal basis

Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in organizing events and competitions. Contact us if you would like to know more about how we have balanced our interests against yours.

When processing dietary preferences that involve health information, we base our processing on consent (GDPR, Article 6.1 (a)).

Retention period
Personal data is processed during the relevant event/competition. Where applicable, personal data may be stored for up to three (3) months after the event and up to one (1) year after the competition to conduct follow-up with respect to the event, verify winners and administer prizes related to the competition.

Incidents and accidents

Purpose
Incident management and reporting of any accidents, incidents, fires, etc.

Categories of personal data
Identity data, contact details, work-related details, visiting details, communication data.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in handling incidents, accidents, etc. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted no later than thirty (30) days after the visit.

Photos and videos in marketing

Purpose

Use still and moving material such as photographs, sound and video recordings from events in internal and external communication and marketing material.

We use AI technology to produce, edit and identify photos and videos.

Categories of personal data
Visiting details.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in making our marketing material visually appealing and relevant. Contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is processed for a period of use and for a maximum of five (5) years.

3.1.2 Camera surveillance (CCTV)

Camera surveillance (CCTV) at logistics centers and our stores, as well as other premises such as local offices

Purpose
To prevent, detect and investigate crimes with the aim of ensuring a safe working environment for our employees/consultants and visitors, we use camera surveillance (CCTV) at our logistics center (LC), our stores and other premises such as local offices. Camera surveillance (CCTV) is also used to prevent unauthorized access to the above-mentioned locations by monitoring traffic, i.e. flows to and from the applicable locations.

Categories of personal data
Visiting details, identity data.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in ensuring safe environments for us and our visitors and preventing unauthorized persons from entering the premises. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted thirty (30) days after the visit, except when necessary to process the personal data thereafter during any investigations.

Camera surveillance (CCTV) via intercom at the headquarters

Purpose
To prevent unauthorized access to our headquarters in Marievik, we use camera surveillance at the intercom (image and sound) which is activated when it is used at the unmanned reception desk and where the call is connected to a receptionist who decides whether to let the visitor in or turn them away.

Categories of personal data
Visiting details.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in managing entry and exit. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted thirty (30) days after the visit, except when necessary to process the personal data thereafter during any investigations.

3.1.3 Reporting, evaluation and evaluations

Evaluations

Purpose
To conduct surveys to evaluate our services, products and working methods, for example through questions in relation to the store/stores about the visitors’ experience of us and the visit.

Categories of personal datar
Identity data, contact details, work-related details, communication data.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) - processing is necessary to fulfill our legitimate interest in collecting and analyzing our visitors' opinions. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data included in reports as a result from evaluations and surveys is stored for ten (10) years from the date of creation. 

Reports and analyses

Purpose
To continuously compile data for statistics, reports and analyses to support the planning and follow-up of operations, for example regarding staffing.

Categories of personal data
Identity details, contact details, work-related details, visiting details, communication data.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in analyzing operations at various levels and improving our services. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
No personal data is stored specifically for this purpose. Personal data that serves as the basis for statistics, reports and analyses for this purpose is stored in accordance with the data retention periods specified for each purpose. I.e., which are set out in this information.

In section 3.3 below, you can read about other more general purposes for our personal data processing that may be relevant to you.

3.2 Digital visitors

3.2.1 Data collected via cookies and other tracking technologies

Necessary cookies

Purpose
To enable basic functions on the website, such as shopping in our online store, adding your personal preferences, filling out forms and navigating the website (data is collected via so-called necessary cookies, see our consent management platform for more information).

Categories of personal data
Technical data.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in ensuring that basic functions on the website work. Contact us if you would like to know more about how we have balanced your interests against ours.

Retention period
Technical data is deleted in accordance with what is set out in Ahlsell's consent management platform.

Performance cookies

Purpose
To understand how the website is used and to maintain and improve the website based on our visitors' usage (data is collected via so-called performance cookies, see our consent management platform for more information).

Categories of personal data
Technical data.

Legal basis
Consent (GDPR, Article 6.1 (a)), obtained via our consent management platform.

Retention period
Technical data is deleted in accordance with what is set out in Ahlsell's consent management platform.

Functional cookies

Purpose
To provide improved functionality and personalization of our website, for example to create recommendations for other products that may interest you based on the products you have shown interest in (data collection is done via so-called functional cookies, see more information on our consent management platform.

Categories of personal data
Technical data.

Legal basis
Consent (GDPR, Article 6.1 (a)), obtained via our consent management platform.

Retention period
Technical data is deleted in accordance with what is set out in Ahlsell's consent management platform.

Marketing cookies

Purpose
Marketing/advertising from our advertising partners on other websites/websites through targeted advertising and sponsored posts based on what they deem relevant to you (data collection is done via so-called marketing cookies, see more information in our consent management platform).  

Categories of personal data
Technical data.

Legal basis
Consent (GDPR, Article 6.1 (a)), obtained via our consent management platform.

Retention period
Technical data is deleted in accordance with what is set out in Ahlsell's consent management platform.

3.2.2 Web-based forms

Web forms

Purpose
To manage your information and requests when you use any of our online forms i.e., web-based ones, such as expressing interest, requesting to be contacted or contacting us, asking questions about catalogues, orders or articles, etcetera.

Categories of personal data
Identity data, contact details, work-related details, communication data, technical data.

Legal basis
The processing of technical data collected via cookies or similar tracking techniques is based on your consent obtained via our consent management platform (GDPR, Article 6.1(a)).

Other data is processed based on a legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in enabling us to use web forms on the website. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is deleted fifteen (15) months after use, unless otherwise specified, for example in connection with a specific request.

Technical data is deleted in accordance with what is set out in Ahlsell's consent management platform.

In section 3.3 below, you can read about other more generally applicable purposes for our personal data processing that may be relevant to you.

3.3 General processing

IT- and information security

Purpose
Protect our IT-systems (so that they function in a correct and secure manner), perform tests, troubleshoot and investigate IT-security incidents and causes of technical problems, restore data in IT-systems when necessary (e.g., security incidents), and perform regular backups.

Categories of personal data
Identity data, contact details, work-related details, visiting details, technical data, communication data.

Legal basis
The processing of technical data collected via cookies or similar tracking techniques is based on your consent obtained via our consent management platform (GDPR, Article 6.1(a)).

Other data is processed based on a legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to fulfill our legitimate interest in ensuring adequate IT and information security. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data used in testing our IT-systems is updated in the test environment once (1) a year. Back-ups of personal data in our IT-systems are updated on an ongoing basis, and old versions are deleted after a maximum of twelve (12) months.

Personal data processed to protect us against unauthorized access, Denial of Service (DoS) because of overload and other security risks is not normally stored. However, if IT-systems are blocked, for example due to security reasons, storage takes place for three (3) months. Personal data collected in the form of logs about/during troubleshooting is stored for a maximum of one (1) year.

Technical data is deleted in accordance with what is set out in Ahlsell's consent management platform.

Supervision, requirements and incidents

Purpose
To investigate incidents, respond to requirements and provide requested information to supervisory authorities in the event of supervision.

Categories of personal data
The categories of persons and personal data requested in the event of incidents and supervision.

Legal basis
Compliance with a legal obligation (GDPR, Article 6.1(c) and GDPR, Articles 31, 33-34 and Article 58 respectively).

Retention period
Personal data is processed for as long as the incident or supervision is on-going and for up to twenty-four (24) months thereafter.

Disputes

Purpose
To protect our interests in the event of a dispute.

Categories of personal data
The categories of persons and personal data necessary in relation to the dispute and the parties involved.

Legal basis
Legitimate interest (GDPR, Article 6.1(f)) – processing is necessary to be able to protect our interests in the event of a dispute. Please contact us if you would like to know more about how we have balanced our interests against yours.

Retention period
Personal data is stored for as long as the dispute is on-going and for ten (10) years thereafter.

Rights under the GDPR

Purpose
To comply with your request to exercise any of your rights under the GDPR.

Categories of personal data
Identity details, contact details and other information about you that you provide in your request and that is required for compliance.

Legal basis
Legal obligation (GDPR, Article 6.1(c) and GDPR, Chapter III).

Retention period
Personal data is stored for twenty-four (24) months after we have processed your request.

Legal obligations

Purpose
To comply with legal obligations under, for example, anti-money laundering legislation or rules on product liability and product safety.

Categories of personal data
Only the categories of personal data that are necessary to fulfil the respective legal obligation.

Legal basis
Compliance with a legal obligation (GDPR, Article 6.1(c) and, for example, the Swedish Act (2017:630) on Measures against Money Laundering and Terrorist Financing, the Swedish Product Liability Act (1992:18).

Retention period
Personal data is generally stored for five (5) years from the date it was collected. If necessary to prevent, detect or investigate money laundering or terrorist financing, the data is stored for up to ten (10) years. For other legal obligations, other retention periods may apply in accordance with the relevant legislation.