1.1 This Privacy Notice (the “Privacy Notice”) describes how we, Educatius Group AB, Reg. No. 556721-0819, (“Educatius”, “we”, “our” or “us”), including our subsidiaries, process your personal data in connection with the provision of our services (the “Services”), e.g. when registering, when traveling with us, when using our website and our applications and otherwise when you interact with us.
1.2 This Privacy Notice also describes how we work to ensure that such personal data is processed in compliance with applicable data protection legislation.
1.3 Unless otherwise stated below, Educatius is the personal data controller in relation to the processing of personal data set out in this Privacy Notice. Thus, it is our responsibility to ensure that the processing of personal data for which we are the personal data controller takes place in accordance with applicable data protection legislation.
1.4 The terms used in this Privacy Notice shall have the same meaning as in Regulation (EU) 2016/679 (“GDPR”).
2. CATEGORIES OF PERSONAL DATA
2.1 When we provide our Services, we process the categories of personal data set out in Section 3 below.
2.2 We may also process other categories of personal data than those set out in Section 3 below, e.g. when we offer customer support. Exactly what personal data we will process may also depend on what data you decide to share with us.
2.3 Generally, the personal data we process is collected directly from you. However, there are situations in which we collect personal data from third parties, e.g. if we receive information about you from resellers or other relevant parties, including but not limited to public agencies, partners etc.
2.4 Where applicable, we may process personal data about children. Since children are considered to be worthy of extra protection from an integrity perspective, we collect consent from the child’s legal guardian in cases where the child in question is under 13 years of age (or younger, depending on what age limit applies in the relevant country).
3. THE PURPOSES OF THE PROCESSING OF PERSONAL DATA
We process personal data for the following purposes:
3.1 To provide the Services
3.1.1 We process personal data to provide the Services to our users and customers, e.g. to manage your account or your booking as well as to manage your orders and purchases. The categories of personal data processed for this purpose are identity information (including first name, last name, username, student ID number, marital status, title, date of birth, gender, photograph, passport information, immigration status, right to work, curriculum vitae (CV), covering letter, academic record, employment history and references), contact data (including home address, email address, phone number and emergency contact information), insurance information, medical information, dietary preferences, religion or disability, transaction data (including ails about payments to and from you and other details of services you have purchased from us) and technical data (including IP address, login data, browser type and version, location etc.).
3.1.2 Please note that we may share certain transaction data with payment service providers or other entities who are otherwise involved in the payment process linked to our services or products.
3.1.3 The legal basis for the processing of personal data for the purposes set out above is our legitimate interest in being able to provide the Services. In the event that you place an order or if you make a purchase, the legal basis will be the contract between you and us. The processing of personal data conducted for this purpose is necessary for us to be able to fulfil the contracts we enter into with our customers for the purposes of providing the Services.
3.1.4 Processing of special categories of personal data (sensitive personal data) will only take place after you have given us your consent to such processing, and only for the purpose for which you have given your consent. However, processing of special categories of personal data may also take place without your consent provided that such processing is necessary to protect your or someone else’s fundamental interest(s). for instance, this could be relevant should you be physically or legally hindered to provide your consent, e.g. to provide medical care in the event of an illness or accident.
3.1.5 We process personal data during the period which you use the Services, or for a longer period if it is necessary for us to be able to defend our legal interests and to be able to fulfil our contractual obligations towards our customers. In addition to this, we may also store your personal data for seven years in order to comply with Swedish bookkeeping legislation.
3.2 To manage and improve the Services
3.2.1 We process your personal data when you use the Services or otherwise interact with us in order to develop and improve the Services. The categories of personal data processed for this purpose are, for example, information on how you use the Services, transaction data, and technical data.
3.2.2 The legal basis for the processing of personal data for this purpose is our legitimate interest in developing and improving the Services and our website.
3.2.3 Personal data processed for this purpose is stored for a period of 36 months from the date you last used the Services, or for a longer period if it is necessary in order for us to be able to develop and improve our Services.
3.3 For contact and identification purposes
3.3.1 We process personal data in order to contact our customers and partners. We also process personal data in order to identify such parties. The categories of personal data processed for this purpose are mainly identity data.
3.3.2 The legal basis for the processing of personal data for this purpose is our legitimate interest in contacting our customers and partners as well as in verifying their identities. If the contact or the identification process is carried out in order to fulfil our contractual obligations with the data subject, the legal basis is instead the contract.
3.3.3 The personal data processed for this purpose is collected either directly from the customer, or from our partners. We store the personal data in question during for as long as it is necessary to fulfil the purpose for which the personal data is processed. However, we strive not to store personal data for this purpose longer than 36 months after the termination of the customer relationship. We apply this retention period in order to be able to defend ourselves against potential legal claims.
3.4 To provide support
3.4.1 We process personal data in order to provide customer support and service to our existing customers as well as any potential customers, e.g. by answering questions and managing support matters. What personal data is processed for this purpose depends on the specific subject and also on what personal data you share with us. The processing of personal data for this purpose typically involves identity data and contact data. We may also process other categories of personal data in the event that we deem it necessary in order to answer your questions or in order to provide support.
3.4.2 The legal basis for the processing of personal data for this purpose is our legitimate interest in answering questions and providing support related to the Services. In the event that the processing of the personal data takes place for the purpose of fulfilling a contractual obligation, the legal basis is instead that particular contract.
3.4.3 The personal data processed for this purpose is collected directly from the data subject. We process the personal data for this purpose for as long as it is necessary in order for us to handle the relevant matter. However, we strive to delete the personal data as soon as the matter has been processed and closed.
3.5 For marketing and communication purpose
3.5.1 We process personal data in order to market the Services, in order to perform market research, in order to inform existing customers as well as potential customers, and in order to ensure that recipients receive interesting and relevant marketing messages. For example, we send out newsletters via email, SMS and social media. From time to time, we may also conduct other types of marketing measures, such as pay-per-click advertising. The categories of personal data processed for this purpose are contact data and identity data, but also profile data (meaning information on purchases and orders made by you, interests and preferences etc.).
3.5.2 The legal basis for the processing of personal data for this purpose is our legitimate interest in marketing our Services and our legitimate interest in informing both existing and potential customers about upcoming campaigns, offers etc. Should a specific marketing measure require consent, we will ensure that such consent is collected in accordance with applicable data protection legislation.
3.5.3 The personal data will generally be collected directly from you. We store the personal data for a period of twelve months from the time you last interacted with the Services, or otherwise were in contact with us.
4. TRANSFERS OF PERSONAL DATA
4.1 We will transfer personal data to our partners and other companies within the same group as Educatius within the framework of the purposes stated in the Privacy Notice. We also keep parts the personal data on servers located in the US.
4.2 When we share personal data with our partners, they are either acting in the capacity of personal data processors or as independent personal data controllers in relation to us. The partners who are personal data processors process personal data on our behalf and in accordance with our instructions. We enter into personal data processing agreements with our personal data processors to ensure that their processing of personal data takes place in accordance with our instructions as well as applicable data protection legislation.
4.3 We only transfer and process personal data to/in third countries (countries outside the EU/EEA) in the event that (i) the European Commission has decided that the country in question ensures an adequate level of protection, (ii) the recipient of the personal data has signed a binding and enforceable agreement on adequate protection of the personal data transferred, or (iii) if there is another applicable legal basis under applicable data protection legislation for such transfer.
4.4 In order for you or your child to be able to travel with us, we are at occasions obliged to (according to the requirements set out by authorities at the place of departure and/or destination) share and process personal data for immigration, border control, security and counter-terrorism purposes or other purposes required by such authorities from time to time.
4.5 We will also transfer personal data to authorities or other public actors in the event that such transfer is required by law.
5.1 We have taken appropriate technical and organisational measures in relation to the processing of personal data described in this Privacy Notice. When required, we perform, among other things, anonymization and pseudonymization of personal data. We also take technical and organizational measures with the aim of preventing intentional or illegal destruction, loss, alteration, revealing of or unauthorized access to the personal data that is transferred, stored or otherwise processed.
5.2 For more information on our security measures, please contact us.
6. STORAGE PERIOD
6.1 We only process personal data for as long as it is necessary to fulfil the relevant purpose of why we process personal data. We do not store personal data for a longer period than is permitted under applicable data protection legislation, including the GDPR.
6.2 We will not retain your personal data longer than necessary for the purposes set out in this Privacy Notice. When it is no longer necessary to retain your personal data, we will securely destroy it in accordance with applicable laws and regulations. In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
6.3 We have implemented internal retention policies in relation to the personal data we process. Please contact us if you want to learn more about our retention policies.
7. COOKIES AND SIMILAR TECHNOLOGY
7.1 We collect information using technology such as cookies, pixels and local storage on your browser or device (e.g. your mobile phone, computer or tablet). This is done in order to learn more about the users of the Services and so that we can improve the user experience.
8. DATA SUBJECT RIGHT
8.1 According to applicable data protection regulation you have the following rights:
- Right to information – You have a right to be informed about the collection and use of their personal data.
- Right of access – You have the right to access and receive a copy of your personal data, and other supplementary information.
- Right to rectification – You have a right to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Right to erasure – This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
- Right to limitation of processing – You have the right to demand that the processing of their personal data be limited. “Limited” means that you are flagged so that we may only processed your personal data for certain limited purposes.
- Right to data portability – We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format
- Right to object – Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
- Rights in relation to automated decision-making, including profiling – You have the right to not be the subject of a decision that is only based on some form of automated decision-making, including profiling, if the decision can have legal consequences for you or in a similar way affects you to a considerable degree
8.2 You may contact us via the contact details set out below if you have any questions or complaints regarding our processing of personal data, or if you want to exercise any of the rights set out above. Please note that some of these rights could be restricted by law. This means that under certain circumstances we are not obliged to comply with a request to exercise a certain right.
8.3 If you want to make a complaint regarding our processing of personal data, you may contact the Swedish Authority for Privacy Protection (Sw. Integritets-skyddsmyndigheten) at www.imy.se/kontakta-oss/.
9. CHANGES TO THE PRIVACY NOTICE
9.1 We reserve the right to make changes to the Privacy Notice from time to time. The date of the last change is set out below. All changes to this Privacy Notice will be published on our website. We recommend that you keep yourself updated on the content of the Privacy Notice in order to keep track of any changes.
9.2 If we change the Privacy Notice in a manner that entails a material change, we will inform anyone who is affected and, if applicable, request that the relevant persons read and accept the changes to the Privacy Notice.
9.3 The last update of the Privacy Notice was made on 4/7 2022.
10.1 If you have questions concerning the Privacy Notice or our processing of personal data, you can contact us at: