1. General

This privacy policy ("the Privacy Policy") describes how Biz Apartment AB, corporate ID no. 556825-4220, with the address of Sandhamnsgatan 67, 115 28 Stockholm, and the other companies that form part of the Biz group process your personal data ("Biz", "we", "our" and "us"). Biz Apartment AB is the Personal Data Controller for the personal data processing carried out by companies in the group.

We care about your privacy and take data protection matters very seriously. The Privacy Policy therefore provides details on aspects such as the categories of personal data we process, the purposes for which we process it and the legal grounds on which we base the processing. We also provide details on who may access and process the data, the principles for thinning, the third parties we may share the personal data with, where the personal data is processed and your rights as a data subject in the form of rights to information, correction and erasure, etc.

We may occasionally need to update or amend this Privacy Policy. In that case, we will inform you in an appropriate manner and ask you to take note of the amendments. You will always find the latest version of this Privacy Policy on our website.

We hope this Privacy Policy answers your questions about our processing of your personal data and how it is protected. If you have any further questions or concerns, you are always welcome to contact us at the above address or by e-mailing us at micaela.krook@bizapartment.se.

2. How do we process your personal data?
   • How we collect your data

We collect your data directly from you when you make bookings with us and when you otherwise use our hotel services ("the Services"). We may also obtain your personal data from our partners (such as travel agencies or booking companies), if you make bookings with us via such third parties, or from the company you represent.

• The data we collect

We collect and process the following personal data:

• name, address and other contact details, including e-mail address and telephone number and copies of identity documents;
• information about your booking and any special requests that you submit to us;
• payment information, such as payment method and account or credit card details;
• personal preferences, for example if you wish to receive marketing from us; and
• IP address if you book via our website.
  • The purpose of the processing, legal basis and storage period

Your data will not be used in a way that is incompatible with the purposes for which the data was collected. We process your data for the purposes and in accordance with the provisions set out in paragraphs 2.3.1–2.3.5 below.

• To manage bookings and provide our Services

We use your personal data in order to manage your booking and to provide our services. We therefore use your data to verify your identity and to make, manage, monitor, take payment for and communicate with you about your booking. Furthermore, we use your personal data in order to provide our hotel services and manage such aspects as breakfast orders and other requests. We also take a copy of your identity document when you check in at our hotels we save it for up to one month after your stay. The legal basis for this personal data processing is the fact that it is necessary to enable us to fulfil the agreement with you concerning your booking. You must provide your personal data to enable us to make and manage your booking.

If we do not have an existing business relationship with you in accordance with paragraph 0, we store your personal data for this purpose for approximately 1 year

• To manage our business relationships

We also process personal data for the purposes specified in paragraph 2.3.1 to enable us to provide our Services to the company you represent and to tailor future bookings according to previous preferences. If the company you represent has an agreement with us and has designated you as a contact person, we also use your personal data in order to communicate with your company about our contractual relationship or our Services. We can also process your personal data to enable us to contact you and maintain and develop contact with you or your company. The legal basis for this personal data processing is the fact that it is necessary for our legitimate interest in being able to provide our Services to our customers and to maintain a business relationship with you or your company.

We store your personal data for this purpose for as long as the company you represent has a valid agreement with us or until the company designates another contact person. If your company has no agreement with us, we store your personal data for the period for which we consider the data to be necessary in order to maintain the business relationship with your company.

• Marketing

We use your personal data for direct marketing purposes, including communication regarding our Services and information about important events at our company. Direct marketing means all types of outreach marketing actions, i.e. mailings by post, e-mail and text message. You are entitled, free of charge, to oppose the use of your data for such purposes and every mailing from us for marketing purposes contains an option for deregistration, a so-called opt-out. The legal basis for this personal data processing is your consent.

We store your personal data for this purpose for as long as you subscribe to our marketing mailings or until you deregister from those mailings.

• To fulfil legal obligations

We may also process your data in order to fulfil our legal obligations in accordance with law, court judgments or decisions by public authorities. This may, among other things, apply to requirements relating to accounting, product liability and money laundering legislation. The legal basis for this personal data processing is the fact that it is necessary to enable us to fulfil our legal obligations.

• How we share your data

Your data may be shared with companies in the Biz group. If Biz shares your personal data within the group, we will ensure that your data will continue to be processed only in accordance with this Privacy Policy. Biz does not share your data with any third party except in the manner described below.

• Our suppliers: We may use third parties to manage one or more aspects of the business, including processing or managing personal data. We may share personal data with these third parties to enable them to provide services on our behalf such as providing our booking system, managing payments, sending out marketing communications and assisting us with IT services. When we make use of suppliers in accordance with this paragraph, we draw up personal data processing agreements and carry out other suitable actions to ensure that your personal data is processed in a manner that is consistent with this Privacy Policy.
• Sale or transfer: Biz may transfer or hand over your personal information to a purchaser or potential purchaser in the event of a sale, assignment or other transfer of all or part of our business or assets. In the event of such a transfer, we will take reasonable steps to ensure that the receiving party processes your data in a manner that is consistent with this Privacy Policy.
• Biz may also share your personal data with such bodies as the police, the Swedish Tax Agency or other authorities when we are required to do so by law.

3. How we protect your data

We adopt appropriate protection measures and maintain security standards to protect your personal data against unauthorised access, unauthorised disclosure and abuse. Your personal data is stored in files that may only be accessed by our employees, our representatives and our service providers who need the data in order to perform their duties. We use technical tools such as firewalls and passwords and we ensure that our employees are trained in the importance of maintaining security and confidentiality in relation to the personal data we process.

4. Where we process your personal data

Our objective is to always process your personal data within the EU/EEA, where all our IT systems are located. Nevertheless, it may be the case that your personal data is shared with our suppliers, referred to as personal data processors, which, either themselves or through subcontractors, are established or store information in a country outside the EU/EEA. In that case, we will adopt all reasonable legal, organisational and technical measures required to ensure that the level of protection for the processing is equivalent to the level in the EU/EEA. This will take place either through a decision by the European Commission that the country in question guarantees an adequate level of protection or through the use of appropriate protection measures such as standard agreement clauses or approved codes of conduct in our agreements with those personal data processors.

You can find out more about which third countries the EU Commission has classified as guaranteeing an adequate level of data protection at https://ec.europa.eu/info/law/law-topic/data-protection_sv

5. Your rights

This section describes what rights you have as a data subject. You can exercise these rights at any time by contacting us as described above:

• The right of access

If you wish to obtain information on what personal data we process on you, you can ask to be given access to the data. The information will then be provided in the form of an extract from a register that specifies what personal data we process, the purposes for which we process it, where the data was obtained, what third parties the data has been transferred to and for how long the data will be stored.

• Right of correction

You have a right to have inaccurate data on you corrected without delay. You also have a right to complete incomplete data.

• The right to erasure

You are entitled under certain circumstances to have your personal data erased by us if the personal data is no longer necessary to fulfil the purposes for which it was collected or processed, if you have objected to the processing of personal data and we have no legitimate interest which outweighs your interest, if the personal data was processed unlawfully or if the personal data must be erased in order to fulfil a legal obligation. Nevertheless, in some cases we have a right to oppose the erasure of your personal data and we will inform you if that is applicable.

• Right to restriction of processing

You have a right to require us to restrict the processing of your personal data in certain cases if you dispute the accuracy of the personal data for the period it takes us to check whether the data is accurate, if the processing is unlawful and you oppose the erasure of the data and instead request a restriction, if we no longer need the personal data but you nevertheless need it to enable you to establish, file or defend a legal claim or if you have objected to processing based on our legitimate interest for the period in which we check whether our interest outweighs your interests.

• Right to file objections

You have a right to file objections to processing of your personal data that takes place on the basis of our legitimate interest. If that is the case, we must, in order to be able to continue the processing, be able to show compelling legitimate reasons which outweigh your interests, rights and freedoms.

• The right to data portability

If we process your personal data pursuant to an agreement with you or to your consent, you have a right to obtain the personal data you have provided to us and that relates to you in an electronic format that is generally used whenever this is technically possible and can take place in an automated way. You have a right, where applicable, to transfer such data to any other personal data controller (data portability).

• The right to file a complaint

In Sweden, the Data Protection Authority is the authority responsible for supervising the application of the legislation among companies that process personal data. If you consider that we are processing your personal data in an incorrect manner you can, besides contacting us, file a complaint with the Data Protection Authority.