Privacy Policy

1. Introduction

This Privacy Policy (“the Policy”) describes how GDQ Associates AB, corporate ID no. 556995-0016 (“we”, “our” and “us”), with the address Västra Trädgårdsgatan 15, 111 53 Stockholm, processes personal data.

We process your personal data when you have provided it to us yourself or when we have received it from another party (a so-called “third party”) in the manner described in this Policy. As a starting point, we process your personal data in the capacity of Personal Data Controller and we therefore have an obligation to ensure that the processing takes place in accordance with this Policy and with the personal data legislation in force at any given time.

We care about your privacy and take data protection matters very seriously. This Policy therefore provides details on aspects such as the categories of personal data we process, the purpose for which we process it and the legal grounds on which we base the processing. We also provide details on who may access and process the data, the principles for thinning the data, the third parties we may share the personal data with, where the personal data is processed and your rights as a data subject consisting of rights to information, correction and erasure, etc. We ask you to read the Policy carefully and familiarise yourself with its contents since it applies to all our personal data processing.

We may occasionally need to update or amend the Policy. In that case, we will inform you in an appropriate manner and ask you to take note of the amendments. You will always find the latest version of the Policy on our website.

We hope this Policy answers your questions about our processing and the protection of your personal data. If you have any further questions or concerns, you are always welcome to contact our Data Protection Officer Maria Åkerlund at the above address or via maria.akerlund@gdq.se.

2. How we process your personal data

This section describes the categories of personal data we process, the purposes for which we process it, what processing is carried out, the legal grounds on which we base the processing and the period of time for which data is stored. 

2.1 GDQ consultants

The following processing applies to Trainer of Trainers (trainers who provide certification trainings), certified GDQ consultants and persons that express interest in undergoing training with us to become a certified GDQ consultant. 

Purpose

  • To enable us to manage and hold training sessions on GDQ. 
  • To enable us to create and manage user accounts, including granting authorisation to log in to your user account. 
  • To enable us to certify new GDQ consultants. 
  • To enable us to send out questionnaires and basic reports to GDQ consultants. 
  • To enable us to send information to certified and future GDQ consultants by e-mail.
  • To enable us to evaluate the use of our website and improve it. 
  • To communicate, when invoicing to the customer where the GDQ consultant is employed, where in the customer organisation measurements of the GDQ consultants have been carried out, should the customer require it.

Processing carried out

  • Collection and storage of personal data in our business systems, backup systems and other storage spaces on-line.
  • Communication with you. 
  • Invoicing to customers. 

Categories of personal data

  • First and last name.
  • E-mail address.
  • Telephone number.
  • Invoicing address.
  • Delivery address.
  • Country. 
  • Place of work and position.
  • Password for user account.
  • Messages you issue via our website. 
  • Technical data relating to devices used when visiting our website (e.g. IP addresses) and statistics on how you have interacted with us, i.e. how you have used our website. 

Legal basis: Balancing of interests. The processing is based on our legitimate interest in being able to manage the training sessions, manage your user account, provide our services and deal with communication with certified and future GDQ consultants. 

Storage period: During the period we consider the data to be necessary in order to maintain the relationship with you as a GDQ consultant. Nevertheless, thinning will take place as soon as we become aware that the data is no longer adequate or necessary for that purpose, for example if you want to de-register as a GDQ consultant. If you want your user account to be closed, your details will be de-identified or erased within one (1) month from when we receive your request.  

Technical data on how you have interacted with our website will be stored for ninety (90) days after your visit. 

2.2 Persons who respond to GDQ questionnaires

The following processing applies to persons who respond to GDQ questionnaires on-line.

Purpose

  • To enable us to send out GDQ questionnaires to group members and collect the responses given.
  • To enable us to manage, evaluate, monitor and develop the GDQ questionnaire. 
  • To enable us to evaluate the use of our website and improve it. 

Processing carried out

  • Collection from certified GDQ consultants and storage of personal data in our business systems, backup systems and other storage spaces on-line. 
  • Sending of messages with links to the GDQ questionnaire to which group members are to respond.
  • Storage of technical data relating to the use of the website. 

Categories of personal data

  • E-mail address. 
  • Responses to the GDQ questionnaire. 
  • Technical data relating to devices used when visiting our website (e.g. IP addresses) and statistics on how you have interacted with us, i.e. how you have used our website. 

Legal basis: For data provided by certified GDQ consultants: balancing of interests. The processing is based on GDQ’s legitimate interest in being able to send messages with links to the GDQ questionnaire to which group members are to respond. 

For information provided by group members when completing the GDQ questionnaire: consent. The processing is based on the consent you give when you complete a GDQ questionnaire. 

Storage period: Your personal data will be thinned no later than three (3) years after it has been collected, unless our work on monitoring the group of which you form part has not continued in that period. Regardless of the date when it was collected, we will always erase your data if you so request. 

Technical data on how you have interacted with our website will be stored for ninety (90) days after your visit. 

2.3 Contact persons at customers and partners

The following applies to contact persons at customers and partners.

Purpose

  • To enable us to contact you in your capacity as a contact person at our customer or partner. 
  • In order to manage book sales and training courses in GDQ for those who contact us as private individuals.

Processing carried out

  • Storage of personal data in our business systems. 
  • Communication with you.

Categories of personal data

  • Name.
  • Contact details (such as address of the company, e-mail address and telephone number).
  • Invoicing details
  • Employer/customer or partner.
  • Position, where appropriate.
  • Technical data relating to devices when visiting our website (e.g. IP addresses) and statistics on you have interacted with us, i.e. how you have used our website.

Legal basis: Balancing of interests. The processing is based on our legitimate interest in maintaining our business relationships and providing our services.

Storage period: During the period we consider the data to be necessary to maintain the business relationship with the customer or partner you represent and provide our services. Thinning is carried out as soon as we have become aware that the data is no longer adequate or necessary for that purpose, for example if the customer relationship or collaboration ceases, if you, as a contact person, have changed job or employer or have retired, or at your request. 

We will store any personal data in agreements we have entered into with our customers and partners for a maximum of ten (10) years based on the general statute of limitation period for claims under the agreements.

Technical data on how you have interacted with our website will be stored for ninety (90) days after your visit.

2.4 People visiting our website

The following applies to people who visit our website and who do not receive the treatment set out in paragraphs 2.1 – 2.3 above.

Purpose

  • To enable us to evaluate the use or our website and develop it and improve it

Processing carried out

  • Analysis in aggregate form of the technical information provided when visiting the website with regard to, for example, how the website is used, which pages or parts of pages have been visited and how the visitors reach and leave the website.

Categories of personal data

  • Technical data relating to devices when visiting our website (e.g. IP addresses) and statistics on you have interacted with us, i.e. how you have used our website.

Legal basis: Balancing of interests. The processing is based on our legitimate interest in being able to evaluate the use of our website and improve it.

Storage period: The technical information on how visitors interact on our website is stored for a maximum of ninety (90) days from the visit.

3. Which third parties may we receive personal data from?

We may receive personal data from third parties when we provide our services. It may, for example, be a question of contact details of group members provided by the GDQ consultant who registers a particular group. It may also be a question of personal data provided by individual group members when responding to the GDQ questionnaire.

We process personal data provided by third parties on the basis of our legitimate interest in being able to offer our services, manage our training courses and analyse GDQ questionnaire responses.

4. Protection of your personal data

We have adopted a series of security measures to ensure that our processing of personal data takes place securely and in order to protect the personal data we process against unauthorised access, unauthorised processing and misuse. For example, access to the systems in which the personal data is stored is restricted to our employees and service providers who need to access the data within the context of their work. They are also informed about how important it is for the security of the personal data to be maintained. We also continually monitor our systems to detect vulnerabilities and protect your personal data.

5. Who could we share your personal data with? 

We share your personal data with third parties to enable us to offer our services, manage our training courses and manage contact with you. The following applies in that regard. 

a) Service providers we use in some parts of our business, including processing of personal data: we share personal data with these suppliers mainly for operational IT services (such as data storage, support, maintenance and development).

b) IT security providers: we share personal data with IT security providers whenever necessary in accordance with law to protect you or our customers and partners or to protect our services.

c) Customers; we share personal data when invoicing with the customer that you are employed by, in order to communicate where in the customer organisation the measurements have been carried out, should the customer require it.

The third parties with which we share personal data in accordance with the above are so-called personal data processors in relation to us. They may only process the transferred data on our behalf and in accordance with our expressed instructions. We only transfer your personal data to those personal data processors for purposes that are compatible with the purposes for which we have collected the data and we ensure by means of agreements in writing with the personal data processors that they undertake to comply with our security requirements and restrictions and requirements regarding international transfer of personal data.

6. Where we process your personal data

We process your personal data within the EU/EEA (more precisely Sweden), where our IT systems are located. 

7. Your rights as a data subject

This section describes what rights you have as a data subject. You can exercise these rights at any time by sending an e-mail to: gdq@gdq.se

7.1. Right to access

If you wish to obtain information on what personal data we process on you, you can ask to be given access to the data. The information will then be provided in the form of an extract from a register that specifies what personal data we process, the purposes for which we process it, where the data was obtained, what third parties the data has been transferred to and for how long the data will be stored. If your request is issued in electronic form, the information will be provided in a widely-used electronic format, unless you request otherwise. 

7.2. Right of correction

You have a right to have inaccurate data on you corrected without delay. You also have a right to complete incomplete data. 

7.3. The right to erasure

You have a right to have your personal data erased without delay in any of the following circumstances: 

a) the personal data is no longer necessary for the purposes for which it was collected or is being processed in another way;

b) you withdraw your consent for processing based on consent and there is no other legal basis for the processing;

c) you object to processing based on a balancing of interests and your reason for objecting outweighs our legitimate interest;

d) the personal data has been processed in an unlawful manner;

e) the personal data must be erased to enable us to fulfil a legal obligation.

7.4. Right to restriction of processing

You have a right to request that the processing of your personal data be restricted if any of the following options apply:

a) you dispute the accuracy of the personal data for a period that gives us an opportunity to check the accuracy of the data;

b) the processing is unlawful and you oppose the erasure of the data and instead request that its use be restricted;

c) we no longer require the personal data for the purposes for which it is processed but you require it to enable you to establish, file or defend a legal claim;

d) you have objected to processing based on a balancing of interests and we check whether our legitimate interest outweighs your legitimate reason. 

If the processing has been restricted in accordance with this paragraph, the personal data to which the restriction on processing must apply, with the exception of storage, may only be processed to establish, file or defend a legal claim or to protect the rights of a third party or for a reason relating to an important public interest for the EU or an EU Member State. 

7.5. The right to data portability

In cases in which our processing of personal data is based on your consent or on fulfilment of an agreement, you have a right to request that the data concerning you and that you have provided to us be transferred to another personal data controller. However, as a condition for this, the transfer must be technically feasible and must be able to be automated. 

7.6. Withdrawal of consent

In cases in which our processing of your personal data is based on your consent, you have a right to withdraw that consent at any time. Such a withdrawal of consent will not affect the legality of the processing that took place on the basis of your consent before it was withdrawn. If you withdraw your consent, we will no longer process the personal data that is based on consent, unless we are required to continue processing it for legal reasons. If our legal obligations prevent us from erasing your data, we will instead mark it so that it is no longer actively used in our system. 

You can send an e-mail to gdq@gdq.se to withdraw your consent at any time. We will respond promptly to your request. 

7.7. The right to file a complaint

If you consider that we are processing your personal data in an incorrect manner you can, in addition to contacting us, file a complaint with the competent supervisory authority in the country in which you reside.  

8. Use of cookies

We use so-called cookies on our website to improve your visit, our services and our website. A cookie is a text file that is sent from our web server and stored in your web browser or on your device. We also use cookies for overall analytical information regarding your use of our website and in order to save functional settings. You yourself can change your browser settings for use of cookies and their scope. Examples of such adjustments include blocking all cookies or deleting cookies when you close your browser. 

Read more about our use of cookies in our cookie policy