Personal data policy of ESTER (Vetevi AB)
Last updated January 30, 2019
ESTER, an assessment system for risk and protective factors among youths (0-18 years) and their legal guardians, and its computer support (ESTER’s computer support), are owned and managed by the company Vetevi AB (Org.nr: 556725-5392), which has its registered office in Örebro, Sweden, EU. In addition to providing ESTER’s computer support and support for this computer support, Vetevi AB also offers training in ESTER and ESTER’s computer support.
On May 25, 2018, the General Data Protection Regulation (GDPR) entered into force throughout the EU and also in countries such as Iceland. This personal data policy of ESTER came into force for all existing customers and visitors at www.ester-bedomning.se on May 25, 2018. Your continued use of ESTER’s computer support and the services and documents it contains, as well as your use of www.ester-bedomning.se and its ordering services for licenses and training, is from that date subject to this personal data policy. The policy is meant to be concise, clear, and easy to understand.
This personal data policy applies to information we collect and save about you as a user of ESTER’s computer support and as a user of www.ester-bedomning.se, and also to the information about clients (i.e., youths/legal guardians) that you collect and save as a user/customer of ESTER’s computer support.
We have a procedure (testing) to regularly, at least once a year, test and evaluate the effectiveness of the technical and organizational measures that aim to ensure the security of our personal data processing. The results of these tests are documented and are available to the personal data controller (i.e., the customer of ESTER’s computer support) upon request.
Personal data policy for information about you as a user of ESTER’s computer support and as a user of www.ester-bedomning.se
This part of our personal data policy applies to any personal information that we collect about you when you contact us via www.ester-bedomning.se, by e-mail or by any other means, and when you order training or an ESTER license. We want to protect your privacy and personal information, and it is important that you understand how we process and manage your personal information/data. Contact information for us and our data protection officer can be found under ”KONTAKT/CONTACT” at www.ester-bedomning.se.
We use the information we collect about our customers and users for two main reasons:
- to provide our services (primarily training in ESTER and the administration surrounding ESTER’s computer support), that is, to ensure that users and customers have access to and can use our services,
- to communicate with our users and customers based on the user/customer relationship, which includes both administrative communication, such as feedback in a customer service matter, and marketing communication directed to you as a customer/user, where permitted by law.
Personal data that we collect about you as a user of ESTER’s computer support and as a user of www.ester-bedomning.se
We collect personal information to ensure that our services work efficiently and that we provide you with the best possible service and support. Some of these data are provided by you directly to us, such as when you fill out a form when ordering an ESTER license or ESTER training, when you register for a newsletter, or when you contact us for support or any other question. If you do not provide the information necessary to access our services or a particular feature, there is a risk that you will not be able to use that specific service.
What information we collect depends on the context of your interactions with us and your choices. The data we collect about you may include the following:
- Name and contact details. We collect your first and last name, e-mail address, mailing address, phone number, shipping address and other similar contact information.
- User information. We create and save your user information and password for ESTER’s computer support. However, ESTER’s computer support uses dual authentication, which means that we do not have access to the second password that you use to access ESTER’s computer support.
- Information for conducting transactions. We collect information necessary to process your payment for any purchases, which usually consists of an invoice address that you provide when ordering.
- Purchase/order history. We save information about your purchases of ESTER licenses and trainings via www.ester-bedomning.se and the time of purchase.
- Logs in ESTER’s computer support. We log and save information about your activities in ESTER’s computer support. However, we never use or access the information about the specific clients that you enter in ESTER’s computer support, or their personal information. The logging is done to identify malfunctions and bugs in ESTER’s computer support, and also to monitor whether breach attempts are made.
- Other. We also collect information that you provide to us and the content of messages you send to us, such as feedback or questions to our support function. When you contact us, for example for support by phone, the conversation may be monitored and recorded for your and our security as well as for continuously evaluating our customer service experience.
Please note that if you request that we do not contact you via e-mail, we will keep a copy of your e-mail address in our non-mailing list to ensure that you do not receive unwanted e-mail messages from us in the future.
Security and rule compliance
We use data to protect our products, services and customers’ security, to detect and prevent fraud, such as double use of offers, to resolve disputes and to enforce our agreements. We use data to comply with applicable legislation, such as accounting laws. Please note that we may delete content that you published through, for example, a comment feature if it violates our terms of service for a specific service.
Communication
We use personal data to communicate with you. For example, we may contact you via e-mail, phone or other means to inform you when an ESTER license is about to expire, notify you when updates or trainings are available, get back to you in a support case, inform you that you must take action to keep your license active, deliver a newsletter included in your subscription or that you have expressed interest in, and inform you about offers that may be of interest to you.
Other purposes
If we plan to use personal data for a new purpose beyond what is described in this policy, you will be informed of such use before or in connection with the collection of the personal data, and we will ask for your permission or, where required, your consent. Alternatively, we will ask for your permission and/or consent after such collection but before we use your personal information for the new purpose.
We do not share your personal information with anyone other than other ESTER users
In order for you to share clients through ESTER’s computer support, all ESTER users (those who have an active ESTER license) can find your name and workplace in ESTER’s computer support. We do not share your personal information with anyone else except when we consider it necessary to:
- comply with the law or a legal process and provide information to the police and other authorities,
- protect our customers, for example to prevent fraud,
- manage and maintain the security of our products, including preventing or stopping an attack/breach on our systems or networks,
- protect the rights or property of Vetevi AB, including enforcing the terms governing your use of our services. If necessary, we hand over the matter to the police authority for further processing.
Your individual rights
It is important that you understand what rights you have concerning the processing of your personal information, which we describe below. Contact information about where to turn to exercise any of your rights can be found under ”CONTACT” at www.ester-bedomning.se.
You have the following rights:
- If processing of personal data is based on your consent, you are entitled to revoke the consent for future processing of your personal information at any time.
- You are entitled to request free access to, and a copy of, your personal data, to request correction of incorrect information and, in certain circumstances, to request that your personal data be deleted.
- You are entitled to require that we limit the processing of your personal data while we investigate an objection from you, if we have no legal basis to continue processing but you do not want the data to be deleted, or if we no longer need the information but you need it to be able to assert your rights.
- You may, in some cases, have the right to data portability, that is, to extract the personal data you provided in a structured, widely used and machine-readable format and to transfer them to another personal data controller, in cases where our right to process your personal data is based either on your consent or on our performance of an agreement with you.
- You may, in some cases, object to the use of your personal information, in which case we may need to stop our processing of your personal information if we cannot show compelling legitimate reasons that outweigh your interest in not having the personal information processed.
- You are entitled to object to direct marketing communication at any time, in which case we may no longer use the personal information for that purpose.
- You are entitled to file complaints concerning our processing of personal information/data with a data protection authority.
When we process your personal information, we do so only as needed, in order to provide the services you use, conduct our business, comply with our contractual and legal obligations, protect our systems and customers or meet other legitimate interests as described above. The exercise of your rights is free of charge. As a starting point, we reply to requests concerning your rights, including requests for access to or deletion of your personal information, within 30 days. The measures are taken within a reasonable time which, depending on the circumstances, may be up to 3 months. In the event of an unreasonable or clearly unfounded objection or request, we reserve the right to charge a reasonable fee for the actions taken, or to take no action at all.
Security of your personal data
We use a range of security techniques and methods to protect your personal information from unwanted access, use and disclosure. For example, personal information that you enter is stored on computer systems with limited access, located in protected premises. When sensitive data (such as credit card numbers and passwords) is transferred via the Internet, we protect this information with encryption. Where we use sub-contractors, we continuously review them to ensure that processing is conducted in accordance with this policy and our security practices.
Where we save and process personal data
Our personal data processing takes place in Sweden, EU / EEA, including collection, storage, destruction, etc.
How long we save your personal data
We save personal data as long as necessary for the purposes for which they are used, for example as long as it is necessary to provide our services, maintain and improve existing services, send necessary communications and marketing communications, develop our services and fulfill our legal obligations. As the needs vary for different types of data and for different types of services, products and contexts, the period of time we save the data also varies.
The criteria that determine how long your personal data is saved are:
- For what reason we use the data; for example, data we use to meet legal requirements is saved longer than contact information for direct marketing,
- What kind of information it is; for example, sensitive information such as a food allergy is saved for a shorter time than contact information,
- How the information is saved; data that is not pseudonymized is saved for a shorter time than data that is pseudonymized,
- What relationship we have with you, that is, whether you are an existing, former or potential user/customer, or whether you visit us without being logged in.
We are entitled to use your contact information for direct marketing while we have a user or customer relationship, and for a certain time after that relationship has ended, as long as you do not object to this. We save your information for three years after the end of the service. We may contact potential customers by phone to promote our services and products. If you choose not to enter into a customer relationship with us, we save your contact details for up to three months from the date of contact.
Your personal data will be stored longer than stated above where we are obliged to do so by law, regulation or authority decision, where the information must be retained to resolve a dispute, or where you have consented to it. We use your information for marketing only if permitted by law and if you have not objected to it.
Personal data controller
Vetevi AB is the personal data controller for the processing of personal data about you described above. For more information, see www.ester-bedomning.se under ”CONTACT”.
Personal data policy for the data/information collected by the user/customer of ESTER’s computer support about the clients (youths/legal guardians) in ESTER’s computer support
ESTER, an assessment system for risk and protective factors among youths (0-18 years) and their legal guardians, and its computer support (ESTER’s computer support), are owned and managed by the company Vetevi AB (Org.nr: 556725-5392), which has its registered office in Örebro, Sweden, EU. In addition to providing ESTER’s computer support and support for this computer support, Vetevi AB also offers training in ESTER and ESTER’s computer support.
What is saved and processed in ESTER’s computer support and its purpose
ESTER is based on the user/customer using ESTER’s computer support. The computer support contains manuals, forms, etc., but it is also where the ESTER user documents and saves the assessments made with ESTER screening or ESTER assessment on individual youths and legal guardians. Thus, as a user of ESTER’s computer support, you can store personal data (name and social security number of the youth and the names and contact details of legal guardians) together with information about these persons’ risk and protective factors for norm-breaking behavior by the youth. The risk and protective factors concern the youth’s own behaviors as well as relationships with others and with school. The factors also concern the behaviors of the youth’s legal guardians, their well-being and their social relations. For more detailed information about ESTER, which risk and protective factors are included and what ESTER aims at, see www.ester-bedomning.se. The purpose of assessing these factors is to provide useful information about what interventions the youth needs. A further purpose is that ESTER should enable follow-ups of the youth and his/her risk and protective factors over time. Thus, follow-up assessments can be conducted to see whether risk and protective factors change over time, and all these assessments can be documented and saved in ESTER’s computer support.
ESTER’s computer support and its use follow the guidelines of the Swedish Data Protection Authority (Datainspektionen) and are also in accordance with the General Data Protection Regulation (GDPR), in effect from the end of May 2018. The advice of the Data Protection Authority specifies requirements/recommendations and IT security functions for the processing of personal data. GDPR also specifies key issues regarding data processing, security and the rights of registered persons in ESTER’s computer support.
Vetevi AB is the personal data assistant to those organizations using ESTER’s computer support
Those who are users/customers of ESTER’s computer support and, more specifically, their organizations, are personal data controllers for the data they save in ESTER’s computer support. This means that Vetevi AB is the personal data assistant to the organizations that use ESTER, which in turn means that a Personal Data Assistant Agreement is established between Vetevi AB and the organization of the user/customer. This agreement is drawn up in two identical copies, signed by representatives of Vetevi AB and representatives of the organization using ESTER’s computer support, and is valid as long as the organization in question uses ESTER or as long as the organization’s information is stored in ESTER’s computer support (information is stored for three years after a customer has stopped using ESTER’s computer support – see below for more information on how long information is saved). IMPORTANT! ESTER users whose organization has not yet signed a Personal Data Assistant Agreement with us (Vetevi AB): please download the agreement ”Personal Data Assistant Agreement” located at the bottom of this page and follow the instructions.
Data protection officer
We (Vetevi AB) have a Data protection officer (see contact information at www.ester-bedomning.se under ”CONTACT”) who works to ensure that personal data in ESTER’s computer support is processed in a correct and legal manner according to the GDPR, and who also answers questions about our personal data processing and our personal data-related agreements.
Specification about security, storage and data processing/management
Basic principles of privacy protection include not collecting more information than needed, not saving the information longer than necessary, and not using the data for anything other than the purpose for which it was collected. ESTER is structured on this basis. The following describes how the use of ESTER and the data processing/management take place in accordance with the guidelines and legislation of the Swedish Data Protection Authority and with the GDPR, in effect from May 25, 2018.
Secure login: Double authentication
In ESTER’s computer support, personal data is saved together with individual risk and protective factors. We have therefore concluded that secure authentication via double authentication is necessary. Login to ESTER’s computer support is done via the internet and takes place via double authentication (double passwords). Upon login, the user enters a username and password (a password with a high level of security); when this is done, an additional password (valid for that day, until midnight) is sent to the user’s professional e-mail address. You must also enter this password before you can log in to ESTER’s computer support. This is the dual authentication.
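As an added illustration of the double-authentication flow described above (this is example code written for this page, not Vetevi AB’s or ESTER’s implementation), the following shows the server-side half of the second factor: after the username and password have been verified, a one-time code is issued with an expiry at midnight of the issuing day, only a hash of the code is retained, the comparison is constant-time, and the code is invalidated after one successful use. The function names, the 8-character hex code format, the attempt limit and the in-memory store are all assumptions made for the example; the e-mail delivery itself is outside the snippet.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Assumption for the example: a bounded number of wrong guesses before
# the pending code is discarded and a fresh one must be issued.
MAX_ATTEMPTS = 5


@dataclass
class PendingSecondFactor:
    username: str
    code_hash: bytes      # SHA-256 of the code; the plain code is only e-mailed
    expires_at: datetime  # midnight after the day the code was issued
    attempts: int = 0
    used: bool = False


def midnight_after(now: datetime) -> datetime:
    """Expiry matching the page's rule: the code is valid until midnight that day."""
    return datetime.combine(now.date() + timedelta(days=1), time.min)


def issue_second_factor(store: dict, username: str, now: datetime) -> str:
    """Call only after username + password have been verified.

    Returns the plain code so the caller can e-mail it; the server keeps
    just the hash, so an operator reading the store cannot log in with it.
    """
    code = secrets.token_hex(4).upper()  # 8 hex characters (constructed format)
    store[username] = PendingSecondFactor(
        username=username,
        code_hash=hashlib.sha256(code.encode()).digest(),
        expires_at=midnight_after(now),
    )
    return code


def verify_second_factor(store: dict, username: str, submitted: str, now: datetime) -> bool:
    """Second step of the login: True only for a fresh, unexpired, unused code."""
    pending = store.get(username)
    if pending is None or pending.used:
        return False
    if now >= pending.expires_at:
        del store[username]           # day-long window has closed; reissue required
        return False
    if pending.attempts >= MAX_ATTEMPTS:
        del store[username]           # too many wrong guesses; reissue required
        return False
    pending.attempts += 1
    submitted_hash = hashlib.sha256(submitted.strip().upper().encode()).digest()
    if hmac.compare_digest(pending.code_hash, submitted_hash):
        pending.used = True           # single use: a new login needs a new code
        return True
    return False


if __name__ == "__main__":
    # Constructed walk-through of one login on the policy's update date.
    store = {}
    issued_at = datetime(2019, 1, 30, 14, 0)
    code = issue_second_factor(store, "user@example.invalid", issued_at)
    print("e-mailed code:", code)
    print("accepted before midnight:",
          verify_second_factor(store, "user@example.invalid", code, datetime(2019, 1, 30, 23, 59)))
    print("accepted again (replay):",
          verify_second_factor(store, "user@example.invalid", code, datetime(2019, 1, 30, 23, 59)))
```

The day-long validity window mirrors the policy text; a tighter window (minutes rather than until midnight) reduces the time an intercepted e-mail stays useful, and the single-use flag is what stops a code from being replayed after the legitimate login.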
Encryption, logging and personal data incidents
All communication between the user and the server where data is stored is encrypted. User activity is logged in the system, which allows tracking of bugs and malfunctions in ESTER’s computer support, as well as intrusions, intrusion attempts and personal data incidents. The user’s activity, i.e., what he/she adds, changes or deletes, is logged. The logs are saved for 5 years. In case of an intrusion, breach or other personal data incident in ESTER’s computer support, we notify the affected ESTER user and his/her organization directly and without delay (within 24 hours) from the time the incident came to our knowledge.
In case of a personal data incident, we as personal data assistant inform the personal data controller without delay, and no later than within 24 hours, from the time we became aware of the incident. This notification to the personal data controller shall at least:
- Describe the nature of the personal data incident, including, if possible, the categories of and the approximate number of registered persons involved, as well as the categories of and the approximate number of personal data items concerned;
- Convey the name and contact details of contact points where more information can be obtained,
- Describe the likely consequences of the personal data incident, and
- Describe the actions we have taken or propose to take as personal data assistant to address the personal data incident, including, where appropriate, measures to minimize its potential negative effects.
Secure data storage
The data collected by the user/customer in ESTER’s computer support is stored on a server managed by Atea Sverige AB (Org.nr: 556448-0282) on behalf of Vetevi AB. Atea Sverige AB is thus a sub-contracted personal data assistant for Vetevi AB. This server is physically located in Sweden (EU). Data on this server is backed up every day. A high security level applies to this server because it contains personal data. No unauthorized people have access to the server or to its contents, i.e., to the personal data stored on the server.
All persons who handle data in the ESTER system at Vetevi AB or at sub-contractors, e.g., developers and data managers, are subject to confidentiality obligations. The persons at Vetevi AB who work with the administration of the system (i.e., who are responsible for administering the ESTER users’ licenses, for example adding a new user or extending someone’s license) do not by default have access to data that applies to individual clients; the exception is specially designated persons who work with the control of logs (to check and be able to correct errors in the system, to check whether personal data incidents have occurred, and to be able to transfer logs or data to the customer if and when this is requested). Otherwise, only the ESTER user can see his/her own entered information. An authorized representative of the Customer can request in writing the logs regarding the Customer’s use of the system and thereby access data in the system, because the logs register who does what in the system, e.g., what is added, changed or deleted, and by which user.
The obligations of your organization to the persons/clients whom you assess and save information about with ESTER’s computer support – Information, consent, and the rights of the assessed persons/clients
Information. The ESTER user/customer (i.e., the professional using ESTER in an assessment of clients; youth/legal guardian) is responsible for providing clients with all necessary information about ESTER. This means, for example, informing them about why and how you collect personal data about the clients, how the information is stored, and what legal basis the organization has for conducting ESTER assessments and saving this information. The ESTER user (the professional using ESTER or his/her organization) must make this clear to the affected clients about whom personal data is collected. GDPR requires that the information provided be concise, easy to understand and written in clear and simple language. Please note that this information should be provided in writing and verbally to the clients before the data is collected and stored/saved. Information aimed at children should be written in a clear and easy way so that children can understand it. Clients should also be informed of their right to file complaints with the supervisory authority if they believe that their personal information has been incorrectly processed or if they wonder what kind of information is stored about them. The information also needs to include how long the information is stored and what happens to the data after storage. Furthermore, clients should be informed that they have the right to access their personal data, to have incorrect personal information corrected, to have their personal data deleted (unless the organization at hand has a legal basis for something else), to object to the use of their personal data for direct marketing, and to object to the use of their personal data for automated decision-making and profiling.
An important point is that the organization that uses ESTER (i.e., an organization that collects and saves personal data) is obliged, upon request from a registered client, to inform that client what information is saved about him/her (this must be done free of charge for the client). It is therefore important that your organization has standard procedures for answering such questions from the people/clients you have saved information about in ESTER’s computer support.
Consent. Unless other legislation in force within your organization overrides the requirement for consent, consent must be obtained from the clients prior to storage of data in ESTER’s computer support, and the consent given by the client is to be saved. The ESTER user and his/her organization are responsible for this. The consent must be a voluntary, specific and unambiguous expression of will by which the registered person, after receiving information, accepts the processing of personal data relating to him or her. There can be no doubt that the registered person accepts the processing of his/her personal data. GDPR makes clear that whoever processes personal data on the basis of consent must be able to show that the consent has been given. It is therefore important that you obtain a written consent that is dated and saved.
Legal basis. The organization that uses ESTER and ESTER’s computer support is responsible for ensuring that there is a legal basis for storing personal data together with the data (i.e., individual risk and protective factors for norm-breaking behavior) collected via ESTER (this is not the responsibility of Vetevi AB).
About how long data is stored in ESTER’s computer support and how data is erased
In ESTER’s computer support, the personal data and other information stored about clients by the user of ESTER’s computer support is stored for three years. After three years, the user is clearly notified in ESTER’s computer support that these clients have been inactive for three years and should be deleted from the computer support. Thus, the deletion of clients from the computer support is done manually by the ESTER user, but the computer support reminds the ESTER user that there are clients that have not been active for three years. It is up to the ESTER user to handle this deletion in the correct legal manner and according to any local guidelines/procedures. The above applies if the ESTER user has access to ESTER (i.e., holds an ESTER license) throughout this time. When an ESTER license for an ESTER user has expired and is inactive, the license is erased together with all user information and all clients after three years. This deletion is carried out manually by Vetevi AB.
Changes to this Personal data policy
We will update our Personal data policy when needed to reflect customer feedback and changes to our services, or when legislation or guidelines change or are renewed. When the policy is updated, the date of the latest update at the top of this page changes. If there are major changes in the policy or in the way we use your personal information, you will be notified via a web page or e-mail notification before the changes come into force, where required by law. Please read this Personal data policy from time to time to keep yourself informed about how we protect your personal information and privacy.
Contact us
If you have any questions about your personal information or our processing of personal information, a complaint, or a question for our Data protection officer, please contact us. See ”CONTACT” at www.ester-bedomning.se.
Personal data assistant agreement (choose one of the two procedures below – digital or paper-pencil)
IMPORTANT INFORMATION! ESTER users (users of ESTER’s computer support) whose organization has not yet signed a Personal data assistant agreement with us (Vetevi AB): please fill out and sign one of the agreements below – see the last page of the agreement for where to sign, where to send it, etc.
Agreement for digital signing. (Please fill out and sign digitally and then e-mail the signed document to info@ester-bedomning.se):
Personal Data Assistant Agreement for Digital Signing (Last updated 180810)
Agreement for printing and signing with pencil (Established in duplicate copies. Please fill out and sign two identical copies and send to us. You find the address on the last page of the agreement.)
Personal Data Assistant Agreement (Last updated 180810)