Privacy Policy - When Ombea is the Processor

Last updated 12 December 2023

Processor Information

Ombea AB, also known as "Ombea," "We," "Us," or "Our,"
Address: Medborgarplatsen 25, 118 72 Stockholm, Sweden.
Email: privacy@ombea.com
Website: www.ombea.com

Why Ombea Processes Personal Data

Our role in processing Personal Data is to support the delivery of Ombea's services, strictly according to our customers' instructions. It is our customers who define the purpose and means of the data processing, holding the position of Data Controllers, as descibed in the Terms of Sale.

Types of Personal Data We Process

In providing our services, we process feedback data that may contain personally identifiable information about the respondent. This includes, but is not limited to, names, phone numbers, and email addresses.

How Long We Keep Data

As a Processor, Ombea adheres to the instructions provided by the Data Controllers regarding the retention and deletion of Personal Data. We will retain Personal Data for the period specified by the Data Controller, and upon their direction, we will either delete or anonymize the Personal Data. If a Data Controller requests the deletion of data, Ombea will promptly fulfill the request in accordance with the Controller's directives, unless we are otherwise required to retain the data by law.

Data subjects seeking to exercise their right to have their Personal Data deleted should direct their requests to the relevant Data Controller. Ombea will support Data Controllers in addressing such requests from data subjects as required by applicable data protection laws.

Protecting Personal Data

We use strong security measures to protect the Personal Data we handle from being accessed without permission, lost, changed, or seen by the wrong people.

You have rights!

Our customers make the decisions about how your Personal Data is used. They are the Data Controllers. For information on their policies, please look at their Privacy Policy. If you need to, you can talk to them directly.

You have rights like asking for your data, changing it, asking to delete it, limiting how it's used, saying no to certain uses, getting a copy of your data, and complaining to the authority that protects data rights. You can use these rights by talking to the Controller or the data protection authority.

Our sub-processors

Name of processor

Contact address

Location

Purpose

Security measures

Microsoft Corporation

1 Microsoft Way, Redmond, WA, United States

Microsoft Azure: North Europe-Ireland Takeda Ireland Ltd (Grange Castle), New Nangor Road, Grange, Dublin 22, Co. Dublin, Ireland

Microsoft Azure Data hosting (storage, erasure or destruction)

DPA

MongoDB

New York, Paramount Plaza, 1633 Broadway, 38th Floor, United States

Microsoft Azure: North Europe-Ireland Takeda Ireland Ltd (Grange Castle), New Nangor Road, Grange, Dublin 22, Co. Dublin, Ireland

Data hosting (storage, erasure or destruction)

DPA

Sharing and Moving Data

Some of our Affiliates and third-Ombea relies on servers within the EU/EEA, Switzerland and UK territory. Some of our third-party service providers (subcontractors/sub-processors) or their ancillary functions may be based within the EU/EEA or in other regions, including outside of the EU/EEA. We ensure the protection of your Personal Data when engaging with these service providers (subcontractors/sub-processors), regardless of location, by using legally recognized safeguards such as EU-endorsed standard contractual clauses, adequacy decisions, or similar measures. Such protections are in place whenever Personal Data is processed by our service providers (subcontractors/sub-processors), whether inside or outside the EU/EEA, and such processing is always conducted with explicit written consent from our customers (Data Controllers).party service providers process personal data outside the European Economic Area (EEA):

For EU/EEA and UK customers: Ombea Processes all data within the EU/EEA, Switzerland and UK territory. Should data be transferred out of the EU/EEA, Switzerland and UK, it will be governed by the Standard Contractual Clauses, as designated by the European Commission.

For Customers in U.S, or outside of EU/EAA, Switzerland and UK. Citizens/Residents: Should your Personal Data be transferred beyond U.S. borders, be assured that we implement robust security measures, monitoring, and contractual obligations (where relevant) to ensure your Personally Identifiable Information (PII) receives equivalent protection.

.