This is the data protection policy of Stillfront Group AB (“Stillfront”, “we”). We provide, in various ways, such as our website (“website”) and via mobile applications (“mobile apps” or “apps”) (all together “services”), electronic games. With this data protection policy, we would like to provide you with information on which personal data we collect and process. Furthermore, we would like to inform you about your rights. The responsibility to protect and process personal data is an important concern to Stillfront. Your data is protected against unauthorized access as well as loss using various technical and contractual measures. Stillfront has taken the necessary technical and organizational measures for this purpose. If links lead to third-party websites, please note that these companies provide their own data protection statements that apply accordingly. We offer our services only to persons who are at least 16 years old. We therefore do not knowingly collect and process data from persons younger than 16 years old.
I. Name and address of the responsible party
The responsibly party, with respect to the General Data Protection Regulation and other national data protection laws of member states as well as other data protection provisions, is:
Stillfront Group AB
Sveavägen 9, 5th floor
SE 111 57 Stockholm
II. Name and address of the data protection officer
The data protection officer of the responsible party is:
Attorney and certified specialist in information technology law
Dr. Christian Rauda
GRAEF Rechtsanwälte Digital PartG mbH
III. General Remarks on data processing
1. Scope of personal data processing
We gather and use personal data of our users generally only as far as it is necessary for providing a functional website as well as our contents and services. Gathering and using personal data of our users normally will happen only after the user’s consent was given. An exception is made for those cases where for factual reasons no prior consent could be obtained and processing the data is allowed by legal provisions.
2. Legal basis for processing personal data
Insofar as we receive consent for the processing procedures from the affected person, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as legal basis for processing personal data.
For processing personal data necessary for executing a contract the affected person is contracting party of, Art. 6 para. 1 lit. b GDPR serves as legal basis. This also applies to processing procedures necessary to perform precontractual measures.
Insofar as processing personal data is necessary in order to fulfill legal obligations our company is subject to, Art. 6 para. 1 lit. c GDPR serves as legal basis.
In case vital interests of the affected person or another natural person call for personal data to be processed, Art. 6 para. 1 lit. d GDPR serves as legal basis.
If processing is necessary for upholding a justified interest of our company or a third party, as long as the interests, fundamental rights, and fundamental freedoms of the affected person do not outweigh the former interest, Art. 6 para. 1 lit. f GDPR serves as legal basis for processing.
3. Purpose of processing personal data
We may collect and process data in order to enable you to use our services. This also includes processing for the purpose of data security and the stability and operational security of our system as well as accounting purposes.
We and our service partners process data in order to provide you newsletter services should you decide to use it.
4. Data erasure and storage duration
All personal data of the affected person get deleted or blocked as soon as the reason for storing them expires. Besides, storing can take place when intended so by European or national lawmakers in form of Union regulations, laws, or other provisions the liable entity is subject to. Blocking or deletion of data also takes place when a storage period prescribed by said norms expires, unless there exists a necessity for continuing to store the data to conclude or fulfill a contract.
5. Data security
We are eager to make arrangements to a reasonable extent in order to prevent unauthorized access or distortion of these data and minimize the according risks. Nonetheless, providing personal data, be it personally, by phone, or via internet, always involves a certain amount of risk as no technological system can be entirely free from the possibility of getting manipulated or sabotaged.
We process the data gathered from you in accordance with Swedish and European data protection laws. All employees are bound to data secrecy and data protection regulations and trained accordingly. For payment processes, your data is transmitted in an encrypted form using the SSL method.
IV. Provision of services and creation of log files
1. Description and scope of data processing
Whenever our services are solicited, our system automatically collects data and information on the visiting computer system.
The following data is collected during this:
- Internet protocol
- IP address
- URL of the referring website from which the file was requested
- Data and time of access
- Browser type and operating system as well as hardware information
- The site you visited
- Quantity of data transmitted
- Access status (file transferred, file not found, etc.)
- Duration and frequency of use
The data is also stored in the log files of our system.
2. Legal basis for data processing
Art. 6 Para. 1 f GDPR is the legal basis for the temporary storage of data and log files.
3. Purpose of data processing
Temporary storage of the IP address by the system is necessary in order to deliver services to the computer of the user.
To do so, the IP address of the user must be stored for the duration of the session.
Data is stored in log files in order to ensure the functionality of the services.
Additionally, the data also serves to optimize the services and to ensure the security of our IT systems.
Data is stored over the duration of the session for purposes of combating fraud (e.g. payment fraud, violation of the rules of play through the use of multiple accounts by the same person) and for the purposes of IT security (e.g. protection against DDoS attacks).
Otherwise, the data is stored merely for purposes of statistical evaluation.
In order to monitor compliance with the rules of use and rules of play, we reserve the right to store IP addresses and log files for a certain period of time after our services are utilized.
In particular, this procedure serves to avoid certain cases of misuse or to resolve them and be able to forward the data in individual cases to investigative authorities or to rectify bugs. Additionally, any evaluation of data is carried out in an anonymous manner wherever possible.
After this period ends, the IP address and log files are completely erased, unless there exist mandatory statutory storage requirements or concrete criminal or abuse proceedings.
For these purposes, our legitimate and overriding interest is to process data in accordance with Art. 6 Para. 1 f GDPR.
4. Duration of storage
The data is erased as soon as it is no longer required to achieve the purpose for which it was collected.
5. Option to object and erase
Data collection to provide services and data storage in log files is absolutely required in order to ensure the uninterrupted provision of services.
As a consequence, the user has no option to object.
V. E-mail Contact
1. Description and scope of data processing
Making contact is possible via the e-mail address provided. In this case the user’s personal data transmitted along with the e-mail are saved.
In this context no data are passed on to third parties. The data are used to process the request exclusively.
2. Legal basis for processing personal data
Legal basis for processing data when the user’s consent is present is Art. 6 para. 1 lit. a GDPR.
Legal basis for processing data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f GDPR. If the e-mail contact is targeted at forming a contract, Art. 6 para. 1 lit. b GDPR is additional legal basis for processing.
3. Purpose of data processing
Processing the personal data for us serves the sole purpose of processing the contact. This is also what makes up the required justified interest in processing the data.
4. Duration of storage
The data are deleted once they are no longer needed for the purpose they were gathered for. For personal data transmitted via e-mail that is the case when the respective conversation with the user has come to an end. The conversation has come to an end when it can be concluded from the circumstances that the issue in question has been resolved conclusively.
5. Possibilities of Objection and Removal
The user has the possibility to at any time revoke their consent to having personal data processed. If the user makes contact with us, they may at any time object to having their personal data stored. In such an event, the conversation cannot be continued. All personal data saved in the course of making contact will be deleted in this case.
VI. Data Protection for Applicants and During Application Process
We gather and process personal data of applicants for the purpose of handling the application process. The data is used to check your suitability for the position (or, as the case may be, other job openings in our company) and complete the application process. The processing may take place electronically as well. That is the case in particular if an applicant transmits their respective application documents to the head of department electronically, for example via e-mail or by using the online form that can be found on the website. Your applicant data will be sighted by the human resources department after receiving them. Suitable applications are then forwarded internally to the department heads in charge of the respective vacant position. Then the further procedure gets coordinated. As a matter of principal, in our company only those who need access to your data to ensure an orderly run of our application process will be granted it. If the person in charge of processing an application enters an employment contract with an applicant, the transmitted data, bearing in mind all legal provisions, will be saved for the purpose of handling the employment. If the person in charge of processing an application does not enter an employment contract with the applicant, the application documents will be deleted after announcing the rejection, unless the person in charge of processing the application holds other justified interests opposing deletion. Other justified interests in this sense are, for example, a burden of proof in a lawsuit under the General Equal Treatment Act. Legal basis for processing is Art. 6 para. 1 lit. b GDPR. Should the occasion arise that after completing the application process the data are required for prosecution, the data can be processed based on the requirements of Art. 6 GDPR, especially to appreciate justified interests pursuant to Art. 6 para. 1 lit. f) GDPR. Our interest in that case would be assertion of or defense against claims. We will delete data six months after a rejection unless you gave consent to a longer period of storing. Should your application be crowned by success in form of being offered a position, the data will be moved from the applicant data system over to our human resource management system.
VII. Online Presences in Social Media
VIII. Newsletter Signup for Press Release via a Third Party Service
Embedded on our website, users are given the opportunity to subscribe to our press release newsletter via a third party service provided by NASDAQ Corporate Solutions International Limited. The input mask used for this purpose determines what personal data are transmitted, as well as when the newsletter is ordered by the controller.
We inform our investors and business partners regularly by means of a newsletter about regulatory and other news about our company or one of our subsidiaries. The newsletter may only be received by the data subject if
(1) the data subject has a valid e-mail address and
(2) the data subject registers for the newsletter shipping. A confirmation e-mail will be sent to the e-mail address registered by a data subject for the first time for newsletter shipping, for legal reasons, in the double opt-in procedure. This confirmation e-mail is used to prove whether the owner of the e-mail address as the data subject is authorized to receive the newsletter.
During the registration for the newsletter, our third party service also store the first name, last name, company name and profession of the data subject (if provided). Furthermore, the IP address of the computer system assigned by the Internet service provider (ISP) and used by the data subject at the time of the registration, as well as the date and time of the registration.
The collection of this data is necessary in order to deliver an accurate service and understand the (possible) misuse of the e-mail address of a data subject at a later date, and it therefore serves the aim of the legal protection of the controller.
The personal data collected as part of a registration for the newsletter will only be used to send our newsletter. In addition, subscribers to the newsletter may be informed by e-mail, as long as this is necessary for the operation of the newsletter service or a registration in question, as this could be the case in the event of modifications to the newsletter offer, or in the event of a change in technical circumstances.
The legal basis for processing your data is Article 6 (1) lit. A GDPR. Since the newsletter service is provided by a third party, the third party NASDAQ Corporate Solutions International Limited will be processing the data.
There will be no transfer of personal data collected by the newsletter service to other third parties except NASDAQ Corporate Solutions International Limited which operates the service on behalf of us.
The subscription to our newsletter may be terminated by the data subject at any time. The consent to the storage of personal data, which the data subject has given for shipping the newsletter, may be revoked at any time. For the purpose of revocation of consent, a corresponding link is found in each newsletter. It is also possible to unsubscribe from the newsletter at any time directly our website.
IX. Rights of the person concerned
If we process your personal data, you are the person concerned in the sense of the GDPR, and you have the following rights with respect to the responsible party.
1. Right of access
You can request from the responsible party a confirmation of whether personal data that concerns you is processed by us.
If such processing occurs, you can request the following information from the responsible party:
- The purposes for which the personal data is processed;
- The categories of personal data that is processed;
- The recipient or categories of recipients to which the personal data that concerns you was submitted or not submitted;
- The planned duration of storage of the personal data concerning you, or, if concrete information on this is not available, the criteria for determining the storage duration;
- The existence of a right to disclose or erase the personal data concerning you, a right to limit processing on the part of the responsible party, or a right to object to this processing;
- The existence of a right to lodge a complaint with a supervisory authority;
- All available information on the source of the data if the personal data is not collected for the person concerned;
- The existence of an automated decision making process including profiling in accordance with Art. 22 Para. 1 and 4 GDPR and, at least in these cases, detailed information on the logic involved as well as the scope and the desired effects of such processing for the person concerned.
You have the right to request information on whether the personal data concerning you is sent to a third country or an international organization.
In this context, you can request suitable guarantees pursuant to Art. 46 GDPR in connection with the transfer.
2. Right to rectification
You have the right to rectify and/or completion, with respect to the responsible party, provided that the processed personal data concerning you is incorrect or incomplete.
The responsible party must make the rectification without delay.
3. Right to limit processing
Under the following conditions, you can request a limit to the processing of the personal data concerning you:
- If you contest the correctness of the personal data concerning you for a duration of time that enables the responsible party to verify the correctness of the personal data;
- The processing is illegal and you refuse erasure of the personal data and instead request a limitation of the use of the personal data;
- The responsible party no longer requires the personal data for the purposes of processing, but you require it to assert, exercise, or defend legal claims, or
- If you have submitted the objection to processing according to Art. 21 Para. 1 GDPR and it is not yet certain whether the legitimate concerns of the responsible party prevail over your concerns.
If the processing of the personal data concerning you was limited, this data, except for its storage, may only be processed with your consent or to assert, exercise, or defend legal claims, or to protect the rights of another natural or legal person or for reasons of an important public interest of the Union or a member state.
If processing was limited according to the above conditions, you will be informed by the responsible party before the limitation is applied.
4. Right to erasure
a) Obligation to erase
You can request that the responsible party immediately erase the personal data concerning you, provided one of the following reasons applies:
- The personal data concerning you is no longer required for the purposes for which it was collected or processed in another manner.
- You withdraw your consent upon which processing pursuant to Art. 6 Para. 1 a or Art. 9 Para. 2 a DSGVO is based, and there is no other legal basis for processing.
- You submit an objection to processing pursuant to Art. 21 Para. 1 GDPR and there exist no superordinate legitimate reasons for processing, or you submit an objection to processing pursuant to Art. 21 Para. 2 GDPR.
- The personal data concerning you was processed illegally.
- The erasure of the personal data concerning you is required to comply with a legal requirement according to Union law or the law of a member state to which the responsible party is subject.
- The personal data concerning you was collected in regard to services offered by the information company in accordance with Art. 8 Para. 1 GDPR.
b) Information to third parties
If the responsible party published the personal data concerning you and is required to erase such according to Art. 17 Para. 1 GDPR, said party will take suitable measures, also of a technical nature and in consideration of available technology and implementation costs, to inform data processors processing the personal data that you, as the person concerned, have requested the erasure of all links to this personal data or copies or replications of this personal data.
There is no right of erasure if processing is required to exercise the right of free expression and information;
- To comply with a legal obligation to which the responsible party is subject according to Union law or that of a member state for processing purposes, or to perform a task that is in the public interest or in the practice of public authority conferred to the responsible party;
- For reasons of public interest in the area of public health according to Art. 9 Para. 2 h and i as well as Art. 9 Para. 3 GDPR;
- For archiving purposes, scientific or historic research purposes, or for statistical purposes in the public interest according to Art. 89 Para. 1 GDPR, provided that the right specified in section a) temporarily makes the achievement of the goals of processing impossible or severely limits such, or
- To assert, exercise, or defend legal claims.
5. Right to information
If you have asserted the right to information on, erasure, or limitation of processing with respect to the responsible party, said party is required to share this rectification or erasure of the data or limitation of processing with all recipients to whom the personal data concerning you was published, unless this proves to be impossible or is associated with excessive cost.
You have the right to information on these recipients from the responsible party.
6. Right to data transferability
You have the right to receive the personal data concerning you, which you provided to the responsible party, in a structured, standard, and machine-readable format.
Additionally, you have the right to transfer this data to another responsible party without obstruction on the part of the responsible party, to which the personal data was provided,
- provided that processing occurs based on consent pursuant to Art. 6 Para. 1 a GDPR or Art. 9 Para. 2 a GDPR or a contract pursuant to Art. 6 Para. 1 b GDPR,
- and the processing is carried out using automatic processes.
When exercising this right, you also have the right to ensure that the personal data concerning you is transferred directly from one responsible party to another responsible party, provided this is technically feasible.
The freedom and rights of others may not be affected by this.
The right of data transferability does not apply for processing personal data that is required to carry out a task that is in the public interest or in the practice of public authority conferred to the responsible party;
7. Right to object
You have the right, for reasons relating to your particular situation, to submit at any time objection to processing of the personal data concerning you which is conducted based on Art. 6 Para. 1 e or f GDPR; this also applies to profiling based on these conditions.
The responsible party no longer processes the personal data concerning you, unless said party can provide evidence of compelling reasons worthy of protection for the processing that prevail over your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
If the personal data concerning you is processed in order to pursue direct advertising, you have the right to submit at any time objection to processing of the personal data concerning you for the purposes of such advertising; this also applies to profiling, provided it is in connection with direct advertising.
If you object to processing for the purpose of direct advertising, the personal data concerning you will no longer be processed for these purposes.
Regardless of Directive 2002/58/EC, you have the option, in connection with the use of services of the information company, of exercising your right to object using an automated process that uses technical specifications.
8. Right to withdraw data protection declarations of consent
You have the right to withdraw your declaration of consent at any time.
The withdrawal of consent does not affect the legality of the processing conducted on the basis of the consent up to the date of the withdrawal.
9. Automated decision in individual cases including profiling
You have the right not to be subjected to a decision based solely on automated processing, including profiling, which will have legal effect or similarly affect you in a similar manner.
This does not apply if the decision
- a) is required to conclude or carry out a contract between you and the responsible party,
- b) is permissible on the basis of Union or member state law to which the responsible party is subject, and that legislation contains suitable measures to safeguard your rights and freedoms and your legitimate interests, or
- c) is made with your explicit consent.
However, these decisions must not be based on special categories of personal data under Art. 9 Para. 1 GDPR, provided that Art. 9 Para. 2 a or g does not apply, and reasonable measures have been taken to protect your rights and freedoms and your legitimate interests.
With respect to the situations mentioned in (a) and (c), the responsible party shall take appropriate measures to protect your rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person on the part of the responsible party to express his own position and challenge the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial legal remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence or employment or the place of the alleged infringement, if you believe that the processing of the personal data concerning you violates the GDPR.
The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.