Privacy Policy

As the data controller, Baker Tilly Stockholm carries out the processing activities described below, each stated together with its legal basis.

Administrative processing within the framework of customer assignments

Registration of contacts in the customer register
Before and during an assignment, Baker Tilly Stockholm will process the names and contact details of the client’s representatives in Baker Tilly Stockholm’s customer register to administer the assignment and conduct the independent and anti-money laundering controls required by law, as well as the risk management controls that apply to an auditing firm. The legal basis for this processing is that it is necessary to fulfill our obligations arising partly from contracts and partly from law, namely the Auditor’s Act (2001:883) and the Act (2017:630) on Measures against Money Laundering and Financing of Terrorism. The legal basis for the risk management controls is a balancing of interests where Baker Tilly Stockholm’s legitimate interest in being able to manage risks in the business justifies the processing. The data to be processed will be names, personal identification numbers, addresses, telephone numbers, and email addresses of the workplace, as well as any information about departmental affiliation and position. The personal data will be retained for a period of twelve (12) months after the agreement has expired. Data for anti-money laundering checks will be retained for five (5) years.

Business monitoring and statistics
After an assignment has been completed, Baker Tilly Stockholm will process the names and contact details of the client’s representatives with legal support from a balancing of interests to satisfy our legitimate interest in conducting business monitoring and producing statistics at an overall level, for example, to evaluate customer satisfaction. The processing will take place during the contractual relationship and for a period of twelve (12) months after the contractual relationship has ceased. However, the statistics cannot be linked to the client’s representatives personally, so the data does not constitute personal data and will therefore be retained indefinitely.

Supervision and quality controls
Baker Tilly Stockholm, as a registered auditing firm, is subject to supervision and undergoes regular quality controls. Baker Tilly Stockholm therefore archives information from completed assignments. Within the framework of such supervision, personal data that Baker Tilly Stockholm has already obtained and processed within the framework of a completed assignment may be processed again, but for the purpose of checking the quality of work performed in the assignment. The legal basis for this processing is that it is necessary to fulfill our obligations under the Auditor’s Act (2001:883). The data will be retained for a period of eleven (11) years.

Establishing, enforcing, or defending legal claims
Baker Tilly Stockholm will archive its working papers, which may contain personal data, after the completion of an assignment. The legal basis for archiving is a balancing of interests to satisfy Baker Tilly Stockholm’s legitimate interest in documenting the assignment. In the event of a legal claim, the archived personal data may be processed to establish or enforce a legal claim, or to defend Baker Tilly Stockholm against such a claim. The personal data will be archived for a period of eleven (11) years.


Direct marketing based on a balancing of interests

In order to provide direct marketing about Baker Tilly Stockholm’s services to both existing and potential customers, Baker Tilly Stockholm may process personal data concerning the customers’ representatives. The legal basis for the processing is a balancing of interests to satisfy Baker Tilly Stockholm’s legitimate interest in informing and offering various marketing activities to a selected target group for a limited time and to a limited extent. The data that may be processed includes names, addresses, telephone numbers, and email addresses of the workplace, as well as any information about departmental affiliation and position. Information and offers about marketing activities may be provided by telephone, mail, email, SMS, and/or other communication channels.

In cases where there is a service agreement between the data subject’s employer and Baker Tilly Stockholm, the processing will take place during the contractual relationship and for a period of twelve (12) months after the contractual relationship has ceased. In cases where such a contractual relationship is absent, the personal data will be processed for a period of three (3) months.

The data subject has the right to object to this processing at any time.

Direct marketing based on consent

If Baker Tilly Stockholm wishes to continue processing personal data belonging to representatives of potential and former customers (older than 12 months after the contractual relationship has ended) for marketing purposes, consent from the data subject is required after three months have passed. If the data subject has provided such consent, the consent constitutes the legal basis for such processing. If the data subject has voluntarily provided their personal data for a specific purpose and has been informed about the processing in connection therewith, the data subject is considered to have consented to the processing.

The data that may be processed includes names, addresses, telephone numbers, and email addresses of the workplace, as well as any information about departmental affiliation and position. Information and offers about marketing activities may be provided by telephone, mail, email, SMS, and/or other communication channels.

The processing will take place for as long as the consent has not been revoked by the data subject. The data subject has the right to object to this processing at any time and thereby revoke their consent.

Implementation of marketing activities

If the data subject actively signs up for a marketing activity (event, lecture, seminar, or similar), Baker Tilly Stockholm will process names and contact details in order to send out invitations, participant lists, and materials before and after the activity.

In the event that meals are served during the activity, information about special diets may need to be processed. The legal basis for the processing is that it is necessary to carry out the activity. In addition, after the activity has been completed, Baker Tilly Stockholm’s sales and marketing department may follow up on participants in the activity by accessing participant lists and thereby be able to target marketing measures to the participants. The legal basis for the latter processing is a balancing of interests to satisfy Baker Tilly Stockholm’s legitimate interest in offering Baker Tilly Stockholm’s services to the participants. The participant list will be retained for administration and follow-up for a maximum period of six (6) months.

The participant list may also, where applicable, be used as a basis for Baker Tilly Stockholm’s accounting records of any representation.

Media production for marketing

In order to market Baker Tilly Stockholm and disseminate knowledge about Baker Tilly Stockholm’s activities, Baker Tilly Stockholm may process personal data in the form of images – both still images and moving images – and audio recordings. This processing is done with the explicit and informed consent of the data subject. The processing will take place for as long as the consent has not been revoked by the data subject. The data subject has the right to object to this processing at any time and thereby revoke their consent.

Website interaction

When visiting Baker Tilly Stockholm’s websites, information from the browser may be collected and stored, usually in the form of cookies, in order to optimize both the function and experience of the website. The information typically consists of the website visitor’s preferences and information about the device from which the visit is made. However, no identification of the visitor takes place. Even though no identification takes place, explicit and informed consent from the website visitor is required for Baker Tilly Stockholm to use cookies. If the website visitor has provided such consent, the consent constitutes the legal basis for the processing. Further information about which cookies Baker Tilly Stockholm processes, if any, and how long information from these cookies is stored can be found on the following website:

Baker Tilly Stockholm acting as a data processor

Unless otherwise agreed between the customer and Baker Tilly Stockholm, Baker Tilly Stockholm acts as a data processor in all audit and advisory assignments. This means that the customer is the data controller and thus responsible for providing information to the individuals whose personal data may be processed within the scope of the assignment. As a data processor, Baker Tilly Stockholm processes the personal data based on the customer’s instructions.

Processing of personal data in auditing

Baker Tilly Stockholm will process information that may contain personal data, such as payroll files, board minutes, and other documents related to the client’s and any subsidiary’s business activities. Personal data related to the client’s customers and suppliers may also be processed, depending on the focus of the audit.

The categories of personal data that may be processed are:

Contact details such as name, address, telephone number, and email address,
Employment details such as employment number, department affiliation, position, and length of employment,
Information about sick leave, leave of absence, or parental leave,
Trade union membership,
Personal identification number/coordination number,
Information about financial circumstances such as bank account details, salary and other benefits, insurance information, and registration number for company cars,
Information about insurance and pensions, or
Other categories of personal data required due to the audit according to good auditing practices.

The legal basis for the processing is to fulfill our contractual obligations towards the customer and the legal obligations incumbent on Baker Tilly Stockholm, or an auditor appointed within Baker Tilly Stockholm, who has undertaken to perform the audit in accordance with applicable laws and regulations and good auditing practices in Sweden. The personal data will be processed for the time necessary to carry out the audit and thereafter, the data will be retained to document the audit for eleven (11) years from the end of the year in which the audit was completed.

Processing of personal data in accounting, HR, and advisory

Baker Tilly Stockholm will process information that may contain personal data, such as payroll files, board minutes, and other documents related to the accounting, HR, and/or advisory client’s and any subsidiary’s business activities. Personal data related to the accounting, HR, and/or advisory client’s customers and suppliers may also be processed by Baker Tilly Stockholm, depending on the nature of the assignment.

For accounting, HR, and/or advisory assignments, all processing of personal data is based on the customer’s explicit instructions. Therefore, the categories of personal data and how they are processed vary.

This is specified in each individual case in the data processing agreement concluded with the respective customer.

Exceptions from Baker Tilly Stockholm’s role as a data processor

As stated above, Baker Tilly Stockholm generally acts as a data processor in all audit, accounting, HR, and advisory assignments, with the exceptions outlined below.

In audit assignments

In exceptional cases, the audit client and Baker Tilly Stockholm may have agreed in a specific assignment that Baker Tilly Stockholm shall be the data controller – either alone or jointly with the audit client. In this case, it is Baker Tilly Stockholm’s responsibility to inform the data subjects about the processing of personal data. This processing is described under the section “Processing of personal data in auditing”.

In tax and pension advisory

In tax advisory, pension advisory, and related services directly to individuals, Baker Tilly Stockholm, using specific systems, will collect personal data directly from the customer’s employees. In these cases, Baker Tilly Stockholm is the data controller and thus needs to inform the data subjects about the processing.

Details of the information processed and why it is processed are provided to the individual concerned when he/she accesses the system and thus consents to the processing.

The data subject’s rights

Right to access (so-called register extract)

The data subject has the right to request confirmation from Baker Tilly Stockholm whether Baker Tilly Stockholm processes personal data concerning the data subject, and if so, request access to the personal data in the form of a so-called register extract.

Right to rectification

If the data subject believes that information relating to the data subject is incorrect or incomplete, the data subject also has the right to request rectification.

Right to object to processing based on consent

If processing of the data subject’s personal data is for direct marketing purposes, the data subject has the right to object to it at any time and request to be unsubscribed from further mailings by reporting this to Baker Tilly Stockholm, for example by clicking on an unsubscribe link in the mailings.

Right to object to processing based on Baker Tilly Stockholm’s legitimate interest

In addition to the above rights, the data subject also has, to the extent that applicable data protection legislation provides for it, the right to object to processing based on Baker Tilly Stockholm’s legitimate interest. However, Baker Tilly Stockholm may continue to process the data subject’s personal data, even if the data subject has objected to the processing, if Baker Tilly Stockholm has compelling legitimate reasons for the processing that outweigh the data subject’s privacy interests.

Right to request restriction or erasure, or right to object to processing, and right to data portability

Under certain conditions, the data subject also has the right to request restriction or erasure of their personal data, or the right to object to processing. In addition, the data subject also has the right to receive the personal data concerning the data subject that the data subject has provided to Baker Tilly Stockholm in a structured, commonly used, and machine-readable format (data portability) for transmission to another data controller.

Security measures

Baker Tilly Stockholm’s aim is to protect personal privacy and to take all technical and organizational measures necessary to protect personal data and ensure that processing is carried out in accordance with applicable data protection legislation and internal guidelines, policies, and procedures for handling personal data. This means that only those persons who need access to the data to perform their duties have access to it. A more detailed description of Baker Tilly Stockholm’s security measures can be obtained upon request to Baker Tilly Stockholm.

Transfer and disclosure of personal data

To fulfill the purposes of Baker Tilly Stockholm’s processing of the personal data specified above, Baker Tilly Stockholm may, where applicable, engage IT service and system providers who process personal data on Baker Tilly Stockholm’s behalf. These service and system providers may only process the personal data in accordance with Baker Tilly Stockholm’s explicit instructions and may not use the data for their own purposes. They are also obliged by law and agreement to take appropriate technical and organizational security measures to protect the data.

Baker Tilly Stockholm may, where applicable, also disclose personal data to recipients other than those specified above in order to comply with applicable laws and regulations, a request or order from a competent court or authority, and to satisfy Baker Tilly Stockholm’s legitimate interest in establishing, asserting, and defending legal claims.

Baker Tilly Stockholm may also transfer personal data to recipients located in countries outside the EU/EEA area that do not have the same level of protection for personal data as the EU. To ensure that the personal data is adequately protected, Baker Tilly Stockholm has entered into data transfer agreements that include the EU Commission’s standard contractual clauses with the recipients or ensured that other appropriate safeguards are in place. The data subject has the right to obtain, upon request, a list of the countries to which Baker Tilly Stockholm transfers personal data, specifying the category of recipients, and to receive a copy of the EU standard contractual clauses by contacting Baker Tilly Stockholm.

Contact information

For questions about the processing of personal data, please contact Baker Tilly Stockholm at the following email address:

or postal address: Baker Tilly Stockholm

Att. GDPR, Box 1303, 111 83 Stockholm