Privacy Policy and GDPR

For us at Daxxin, it is important to protect your privacy and that you feel confident that we process your personal data in a secure and legal manner.

Purpose

This privacy policy applies to Allderma AB (559156-4322) and/or any other company that is part of the same group as the aforementioned company, hereinafter ("Allderma, we, our, us").

The privacy policy has been adopted by management and is updated as necessary. The policy constitutes general information about how the company processes internal and external personal data.

Personal data is handled within the company and its operations. The data is processed, among other things, to enable the company to fulfill concluded contracts with customers, suppliers and employees, as well as due to obligations under law. As a starting point, Allderma's customers are the data controllers for all processing of personal data made under contracts between us and our customers. For such processing, the company enters into personal data processing agreements with its customers and processes the data under instructions from and on behalf of the customer.

This General Privacy Policy ("Privacy Policy") applies when we process personal data for our own account, i.e. when Allderma is the data controller. This Privacy Policy applies to all employees and hired personnel of our company, including management, officers, employees and other persons acting for or on behalf of the company.

The overall purpose of this Privacy Policy is to establish roles and responsibilities within our organization, as well as to establish the standards and principles that will ensure that the collection and processing of personal data within the company is carried out in accordance with applicable data protection legislation (as defined below).

Definitions

Processing (of personal data) is any action or series of actions taken in respect of personal data, whether automated or not, such as collection, registration, organisation, storage, processing, alteration, restriction, adjustment, erasure or destruction, disclosure by transmission, dissemination or other provision of data, compilation or interconnection.

Processing Register refers to the register of processing operations that Allderma is obliged to keep for personal data processing pursuant to Art. 30 GDPR.

Data Protection Legislation refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and any other national or European law, regulation or directive which from time to time applies to the processing of personal data by the Company.

Personal data is any information relating to an identified or identifiable natural person who is alive. Identifiable natural person means a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or online identifiers or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of the natural person.

Data Controller is the legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

Personal Data Processor is a legal entity that processes personal data on behalf of the controller, e.g. Allderma's suppliers.

The Privacy Protection Authority (IMY) carries out checks on the basis of complaints from individuals, data in the mass media or on its own initiative. Measures include field inspections and inspections by questionnaires or other control by email, telephone or letter.

Basic principles of Allderma's personal data processing

We shall comply with applicable data protection legislation at all times when processing personal data.

We will only process personal data in a lawful, correct and transparent manner in relation to the data subject and the controller. This means, among other things, that our processing of personal data must comply with the following basic principles:

  • Documented personal data liability: For each processing of personal data, where we determine the purposes and means, there must be one or more companies within the company that have been deemed to be the controller of personal data. The responsibility for processing operations in which companies within the company are the data controller shall be documented in the Processing Register.
  • Legal basis: Any processing of personal data shall be carried out on the basis of a documented legal basis.
  • Purpose limitation: The data shall be collected for specific, explicitly stated purposes and may not subsequently be processed in an incompatible manner.
  • Data minimization: Only personal data that is adequate, relevant and not too extensive in relation to the purpose shall be collected.
  • Correctness: The data shall be accurate and up-to-date and it shall be possible to track changes.
  • Storage minimization: The data shall not be kept longer than is necessary in relation to the purpose.
  • Confidentiality: Personal data shall be protected by appropriate technical and organisational security measures to prevent unauthorised or unlawful processing and loss, destruction or distortion of the data.

When the processing of personal data is lawful

General information on legal basis

The processing of personal data is lawful only if at least one of the following conditions is met:

  • The data subject has given consent to the processing of his/her personal data for one or more specific purposes.
  • The processing is necessary to fulfill a contract to which the data subject is a party or to take action at the request of the data subject prior to the conclusion of such an agreement.
  • The processing is necessary to fulfill a legal obligation which is the responsibility of the controller.
  • The processing is necessary in order to protect interests that are of fundamental importance for the data subject or for another natural person.
  • The processing is necessary for the performance of a task of general interest or as part of the controller's exercise of authority.
  • The processing is necessary for purposes relating to the legitimate interests of the controller or of a third party, unless the interests or fundamental rights and freedoms of the data subject outweigh and require the protection of personal data.

The legal basis for our processing of personal data shall be determined and documented in the Data Controller's Processing Register. In case of uncertainty, consultation shall be made with Allderma's General Privacy Manager (GPM).

Legal basis for personal data processing in recruitment

The processing is necessary to be able to process the application of the person applying for employment with us and is based on the consent you provide in connection with the application. We have no interest in knowing of union membership, creed, sexual orientation, political views, any illnesses or any other data that is irrelevant to recruitment.

For certain specific processing in connection with recruitment, you may need additional, supplementary or different, information about individual processing of personal data.

Rights of the data subject

A fundamental aspect of data protection legislation is that it contains certain statutory and binding rights for data subjects whose personal data are processed. As a data controller, Allderma has an obligation to facilitate the exercise of their rights under the GDPR.

If a person wants to know what data is registered about him or her, or if the person wants to exercise any other of their rights under the GDPR, the person is referred to Allderma's GPM.

The data subject also has the right to withdraw any consents provided. The withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.

The data subject has, inter alia, the right to:

  • Right of access to their personal data, which means that the data subject has the right to obtain confirmation as to whether personal data relating to the data subject are being processed and, if so, also have access to the personal data and certain additional information about the processing.
  • Right to data portability, which means that under certain circumstances the data subject has the right to access personal data in order to be able to transfer the personal data to another controller.
  • Right to rectification, erasure or restriction of the processing of their personal data and the right to object to the processing.
  • Right to complain to the national data protection authority (in Sweden IMY) if the processing of their personal data does not comply with the requirements of EU/EEA data protection legislation.
  • Right to withdraw consent if and insofar as specific consent has been given to certain processing.
  • Right of objection regarding balancing of interests when processing takes place on the basis of so-called balancing of interests in accordance with Art. 6 (1) (f) GDPR.
  • Right to object to direct marketing in the processing of their personal data. Then the personal data will no longer be processed for such purposes.

Storage and deletion of personal data

According to the General Data Protection Regulation, personal data may not be stored longer than permitted by law, or otherwise necessary for the purposes for which the data is processed. Data that is no longer allowed to be stored shall be permanently deleted and destroyed (thinning). Under special conditions, thinning can be carried out by anonymizing the personal data instead of destroying it. Anonymization means that all information that makes it possible to trace the data to a data subject is irrevocably deleted.

If there are specific laws or regulations that require the retention of personal data for a certain period of time, such as in tax, accounting or money laundering legislation, such provisions apply before the General Data Protection Regulation. The Accounting Act states, for example, that accounting information must be kept for seven years from the year in which the financial year ended.

The main rule within the company is that personal data that are not subject to specific laws or regulations (in addition to the General Data Protection Regulation) should be deleted when we no longer need the data to fulfill the purpose of the processing.

Security in the processing of personal data

General

Allderma shall take appropriate technical and organisational measures to prevent the destruction, alteration or distortion of personal data. This means that a security assessment needs to be carried out on a case-by-case basis and that different processes/systems require different levels of security measures depending on the sensitivity of the information, risk of intrusion (and other risks) and vulnerability.

Risk analysis

Before we start processing personal data, an initial risk analysis must be carried out in order to take a position on:

  • the appropriate technical and organisational security measures for the processing in question, based on an assessment of information sensitivity, relevant risks and vulnerability;
  • whether the processing is adapted from the outside and meets our requirements regarding privacy by design and information security;
  • where the processing is likely to entail a high risk to the rights and freedoms of data subjects, for example by the use of new technologies or by the fact that data subjects cannot be expected to know that they are being subjected to the processing. If such a high risk is identified, the responsible person shall be informed and decide whether further analysis in the form of a Data Protection Impact Assessment is necessary.

Transfer of personal data

Transfer to Personal Data Processors

Allderma may transfer personal data to an external party, which processes personal data on our behalf and as instructed by us. Such external party is a personal data processor to us and must always sign a personal data processing agreement with Allderma. Allderma's General Privacy Manager (GPM) is responsible for ensuring that the template for such agreements is kept up to date in accordance with applicable data protection legislation from time to time.

Transfer to parties with personal data responsibility

Allderma may transfer personal data to another external party, which has its own personal data responsibility, provided that we have a legal basis for such transfer. Such legal basis may be, for example, that the transfer constitutes a legal obligation for us, or a customer agreement that gives us the right to transfer the data.

Transfer of personal data to a third country

If and to the extent that our processing of personal data involves personal data being transferred to, stored or otherwise processed outside the EU/EEA, further measures are necessary for the processing to be lawful. It is sufficient that the personal data is accessible from a location outside the EU/EEA, or that some infrastructure or resource is located outside the EU/EEA, for further action to be necessary. When transferring personal data outside the EU/EEA area, the data subject shall be informed of the purpose and scope of the transfer.

The measures we take to ensure that processing of personal data outside the EU/EEA is lawful must always be documented and approved by Allderma's General Privacy Manager (GPM).

Authority's request for information

Allderma and its employees are obliged to provide information about our processing of personal data and related circumstances if requested by IMY. Other authorities may also have the right to receive information containing personal data from us, such as the Swedish Enforcement Authority, the Swedish Tax Agency or the Swedish Environmental Crime Agency. There may also be an obligation to disclose information to police or prosecutors in the course of a criminal investigation, with information only to be disclosed upon written request by the investigating officer or prosecutor.

In addition to regular and mandatory transfers of personal data to authorities that we have a legal obligation to report (e.g. salary data to the Swedish Tax Agency and information on sick leave to Försäkringskassan), personal data shall be disclosed to the authority only after consultation with Allderma's General Privacy Manager (GPM).

Allderma's General Privacy Manager (GPM) is responsible for liaising with IMY. All contacts with IMY, or other authorities regarding personal data processing issues, on Allderma's behalf should be referred to Allderma's General Privacy Manager (GPM).

Reporting

Allderma's General Privacy Manager (GPM) shall report annually or as necessary to management on our processing of personal data and, in addition, immediately report to management if serious deficiencies, privacy risks or problems arise.

The report shall contain the results of the monitoring and control of personal data carried out in accordance with this Privacy Policy, including:

  • If the processing is adapted from the outside and meets our requirements regarding built-in data protection (privacy by design) and information security.
  • Number of personal data breaches
  • Our compliance with applicable data protection legislation and this Privacy Policy.
  • Any contacts with the Privacy Protection Authority; and
  • Changes to applicable data protection legislation and supervisory practices regarding the processing of personal data.

Contact details

If you have questions about the processing of your personal data, this policy or if you want to exercise your rights set out above, you are welcome to contact us as below.

Allderma AB (559156-4322)

Box 1890, 116 74, Stockholm

Phone number: 010-889 93 10

E-mail: gpm@allderma.se

This policy is approved by Allderma AB.

Last Updated: 20/8-2025
