Your privacy is important. For us at Illuminum, it is important that you feel safe with how your personal data is processed with us. Below you will learn all about how we take care of your data.

Any information that can be directly or indirectly attributed to a living natural person is personal data. This includes names, email addresses, and social security numbers, but also images and usernames in digital media.

Processing of personal data is any action taken with personal data in IT systems, whether on mobile devices or computers. This includes, for example, collection, registration, reading, structuring, storage, processing, transfer and deletion, etc. In some cases, actions that take place outside the IT systems can also be considered processing. This applies when personal data is included in registers.

In general, we process your name, email address, telephone number, job title, employer's address and organization number. For physical events, your food preferences or intolerances will also be processed. We process your data to provide the services and products you have requested. We will also process your data to maintain and manage our relationship with you and, where applicable, to manage the contract with you or with your employer. We may also inform you about our courses, events, new services, and other things that we consider to be in your and our interest. We send out surveys to evaluate our courses or services. Illuminum will always process your personal data under applicable law. Should Illuminum process your data for any purpose that requires your consent, we will inform you of the purpose of the information processing and obtain your consent in advance.

The collection of your personal data takes place, for example, when you provide your data in connection with signing up for newsletters, attending seminars and other events, ordering services and/or products from us, or contacting us in various matters.

In some situations, we must use other parties to carry out our work. For example, we use different IT suppliers or sub-consultants. They are regarded as data processors for us and we have signed data processing agreements in these cases. In such cases, the responsibility for personal data management remains with Illuminum.

We naturally check all data processors to ensure that they can provide sufficient guarantees regarding the security and confidentiality of personal data and sign data processing agreements. When data processors are used, it is only for purposes that are compatible with our purposes for data processing, as we are still the data controller.

We may engage suppliers and partners to perform tasks on behalf of Illuminum, for example, to provide IT services or to assist with marketing, analytics, or statistics. The performance of these services may involve these recipients having access to your personal data.

Illuminum may also disclose personal data to third parties, such as the police or other authorities, if it relates to the investigation of crimes or if we are otherwise required to disclose such information by law or authority decision. When your personal data is shared with an independent data controller, that organization's privacy policy and personal data management apply.

We always strive for your data to be processed primarily within the EU/EEA. However, sometimes this is not possible, and we will inform you in the best possible way where we believe your data is located. For some IT support, data may be transferred to a country outside the EU/EEA. This applies, for example, if we share your personal data with a data processor who, either itself or through a subcontractor, is established or stores information in a country outside the EU/EEA. As a data controller, we are responsible for taking all reasonable legal, technical, and organizational measures to ensure that the protection of personal data is the same as within the EU/EEA.

When personal data is processed outside the EU/EEA, the level of protection is guaranteed, for example, by a decision from the European Commission that the country in question ensures an adequate level of protection or by the use of so-called appropriate safeguards.

Appropriate safeguards may include the use of Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR). If you would like information on these safeguards, please contact us. Standardized model clauses for data transfers, adopted by the European Commission, are also available on the European Commission's website.

We keep your data for the duration of our cooperation. The length of the retention period varies depending on the purpose of the processing and how long the data is necessary for that purpose. After that, we will securely delete or de-identify your data so that it can no longer be linked to you. For example, some accounting data needs to be kept for at least seven years due to legislation, while data on special costs is deleted as soon as the event is finished.

As a data subject, you have several rights under current legislation. We list these rights here.

If you want to know what personal data we process about you, you can request access to the data. When you make such a request, we may ask some questions to ensure that your request is handled effectively. We will also take steps to ensure that the data is requested by and provided to the right person.

If you discover that something is wrong, you have the right to request the rectification of your personal data. You can also complete any incomplete personal data. In some cases, you can make corrections yourself, which we will inform you of.

You can request that we erase the personal data we process about you if, for example: 

· The data is no longer necessary for the purposes for which it is processed.

· You object to a balance of interests we have made based on our legitimate interest, where your reason for objection outweighs our legitimate interest.

· The personal data is processed unlawfully.

· The personal data has been collected about a child (under 13) for whom you have parental responsibility.

·  If the data was collected based on your consent and you wish to withdraw your consent.

However, we may be entitled to refuse your request if there are legal obligations that prevent us from immediately erasing certain personal data. It may also be that the data processing is necessary for the establishment, exercise, or defence of legal claims.

You have the right to request that our processing of your personal data be restricted. For example, if you request rectification because you believe the personal data we process is inaccurate, you can request a restriction of processing for the time we need to verify the accuracy of the personal data.

If and when we no longer need your data for the identified purposes, our normal practice is to delete the data. If you need the personal data for the establishment, exercise or defence of legal claims, you can request limited processing of the data from us. This means that you can request that we do not purge and delete your data.

If you have objected to the personal data processing we carry out based on a balance of interests as a legal basis, you can request restricted processing for the time we need to check whether our legitimate interests outweigh your interests in having the data erased.

If processing has been restricted under any of the above situations, we may only process the data, in addition to the storage itself, for the establishment, exercise, or defence of legal claims, for the protection of the rights of another person, or if you have given your consent.

You always have a right to object to any processing of personal data based on a balance of interests. You also always have the right to opt out of direct marketing.

As a data subject, you have the right to data portability (transfer of personal data) if our right to process your data is based either on your consent or the performance of a contract with you. A precondition for data portability is that the transfer is technically feasible and can be automated.

We never store your personal number or social security number.

We work actively to ensure that personal data is handled securely within Illuminum's protected cloud service. Only relevant actors with access to the project can access your data on Illuminum.

Martketing

Illuminum reserves the right to use Customer’s logo for marketing, namely on Illuminum’s website where Customer’s logo will be shown among organisations which trust Illuminum with their services.

Customer agrees that Customer’s organisation active in this assignment will be added to Illuminum’s mail list for e-mail marketing purposes.

The Swedish Data Protection Authority is the responsible authority for monitoring the application of data protection legislation. If you think we are acting improperly, you can contact the Authority, see www.imy.se

If you would like us to update, correct, or delete the personal information we have registered about you or if you would like to obtain extracts of the information we hold about you, please contact us by sending a request via our website.