General

BioGaia AB (“BioGaia”) is committed to respecting and protecting your privacy.

This privacy notice sets out how BioGaia processes your personal data for example in conjunction with your use of biogaiagroup.com (our “Site”). It also explains your privacy rights and how to the law protects you.

We process your personal data primarily so that you can communicate with us and for evaluation of the Site. In some cases, we will also process your data for marketing purposes or to fulfil a legal obligation. More details in this respect are set out below.

 

About us

BioGaia is the personal data controller for the company’s processing of personal data. All personal data is collected and processed in accordance with Regulation (EU) 2016/679 (the “GDPR”).

If you have questions about how we process your personal data, or if you wish to exercise your rights, you can contact us using the contact information below:

BioGaia AB
Corp. ID No. 556380-8723
P.O. Box 3242
SE-103 64 Stockholm
e-mail: [email protected]

 

What is personal data, and what is processing?

Personal data is information that, either directly or indirectly, can identify a physical person. Personal data can thus be names, addresses, e-mail addresses, personal identification numbers, IP addresses, and so on. Processing is everything we do with your personal data. For example, processing can be collection, storage, registration, sorting, revision, transfer or erasure of data.

 

What personal data do we collect, and why?

BioGaia collects personal data only for specific purposes. Those purposes, together with our legal basis for processing the data, and the relevant data retention periods, are set out below:

Job applications
When you apply for a job at BioGaia, we collect your name, contact details, e-mail address and CV.
Purpose: To evaluate and make decision regarding recruitment of new employees.

Legal basis: The processing is our legitimate interest to evaluate and offer a jobseeker employment at BioGaia.
Storage period: Your personal data is stored as long as it’s necessary for the recruitment process.

Business partners
To manage our existing business relations, and to evaluate potential business partners, we collect data regarding your name and e-mail address.
Purpose: We will also use your personal data to fulfil our contractual obligations with our business partners.
Legal basis: To manage our business relations is supported by our legitimate interest as a business.
Storage period: Your personal data is stored 7-10 years, in accordance with applicable accounting regulations and for the protections of our legal rights.

Newsletters
When you sign up for our newsletter, we collect data regarding your name and e-mail address in order to provide you with relevant information about BioGaia.
Purpose: Letting you know about BioGaia that could be of interest to you.
Legal basis: Your consent when signing up for the newsletter.
Storage period: Your personal data is stored until you unsubscribe from our newsletter, and for two months afterwards.

Shareholders and Annual General Meeting
When you register as a shareholder, when you interact with us in relation to your shareholding in BioGaia, and registrations of participants of the annual general meeting, we collect data regarding your name, social security number, and e-mail address. If you are a major shareholder, we may also process your personal data by publishing names and shareholdings in annual reports and on our Site.
Purpose: To provide you with relevant information as a shareholder and to be able to attend the annual general meeting.
Legal basis: Legal obligation,
Storage period: Your personal data is stored in accordance with applicable regulations and as long as it is needed to fulfil the purpose of the processing. Personal data for registrations of participants of the annual general meeting is stored for 12 months.

Analysis, development and operations of the Site and our services
For the purpose of developing our operations, we collect data about your user behavior.
Purpose: We do this in order to: i) evaluate, develop and identify how you use the Site; ii) detect, prevent and investigate fraud and security monitoring; and iii) develop and improve our business operations.
Legal basis: Processing is necessary in order to satisfy our legitimate interest in developing and operating the Site.
Storage period: Personal data is stored for two years.

We also use cookies to collect personal data about your behavior on the Site. For more information about cookies, see below.

 

Who do we share personal data with?

BioGaia may share your personal data with third parties. These parties are either

 

Data Processors

These are allowed to process personal data only for the specific aims and purposes defined by us. Our processors, and the data they receive, include:

–       Platform and technology suppliers: IP addresses, contact information and purchase history

 

Data controllers

These companies use personal data for their own purposes and are independently responsible to you for the personal data processing they carry out.

BioGaia may share your personal data with:

– other companies in the BioGaia Group, if required for completion of the purposes and the legal basis indicated above; and

– government agencies, to the extent that it results from law or other legal obligation incumbent upon us.

 

On rare occasions, we may share personal data when we believe it is necessary to comply with the law, regulation or legal request (including a court order or government inquiry), or to enforce or apply our terms of use or other agreements. In addition, we may use, make available or transfer personal data to third parties in conjunction with reorganisation, merger, sale, joint venture, conveyance, transfer or other disposition of all or part of our operations, assets or shares (including in conjunction with bankruptcy or similar proceedings).

Our ambition is for your personal data to always be processed within the EU/EEA.

In the event that personal data for which BioGaia is responsible is to be transferred to a country outside the EU/EEA, we will only do so in those cases where the transfer country and recipient are deemed to maintain an adequate level of protection under the rules of the GDPR, or the transfer takes place in accordance with the standard contractual clauses as defined by the EU Commission to regulate such transfers.

 

Third country transfers

If you interact with us on social media, this means that your personal data – your picture and name, for example – will be transferred to a country outside the EU/EEA, normally the US. The transfer will take place in accordance with applicable privacy protection legislation, including the GDPR. However, the GDPR is not valid in the third country, which could entail an increased risk as regards privacy, concerning situations such as the possibility of government authorities in the third country having access to your personal data and your possibilities of exercising control over your personal data. This transfer is necessary in order for you to be able to contact us on social media so that we can fulfil your request.

The transfer between us and social media services is based on the EU Commission’s standard contractual clauses, and is supplemented with technical and organisational protective measures. Read more about the EU Commission’s standard contractual clauses here.

If you accept cookies and other similar technology for marketing and/or analysis such as the Facebook pixel or Google Analytics, your personal data may be transferred to a third country – more specifically, the US. The transfer then takes place based on the consent you provide when you accept the use of cookies. To terminate future transfers to third countries, you can contact us using the contact information below, or block all cookies via the settings in your web browser. More information on blocking cookies is available on your browser’s help pages. You can also read more about cookies in our cookie notice; see below.

 

How is your personal data protected?

All personal data you provide to us is protected using both organisational and technical security measures. These measures are used to store, process and communicate the data securely. In the event that you would like to know which security measures we apply, you can contact us using the contact information above.

 

Your rights

Right to access

You can always request access to your personal data, which includes the right to request information on where we retrieved the data from, the scope, and which recipients your personal data has been distributed to, as well as the legal basis.

Right to erasure

You also have the right, in certain cases, to demand that we erase some or all of your personal data, provided that it is not necessary for us to retain this data in order to fulfil our legal obligations. You have the right to request that your data be erased if:
–       your personal data is no longer necessary for the purpose behind the processing;
–       you withdraw your consent on which the processing is based;
–       you object to the processing and we are not considered as having a legitimate interest;
–       the personal data has been processed unlawfully.

To the extent that continuing to process your personal data is necessary – for example, to fulfil our legal obligations – we are not obligated to remove your personal data. This means that some information may be stored until we are no longer obligated to process it.

Right to rectification

You have the right to have erroneous personal data concerning you corrected without unnecessary delays. When you discover errors in the data about you that we have registered, you can contact us via e-mail to have your data corrected. You also have the right to supplement incomplete data that we have on you.

You must provide us with correct data and inform us in the event your data changes so that we can update it in accordance with the GDPR.

Right to limitation

You have the right to request that we limit our processing of your personal data. A limitation can be imposed for several reasons.
–       If we cannot fulfil your request for erasure owing to our legal obligations, you can request limited processing of the data we have.
–       If you believe that the data we have on you is incorrect and request correction, you can request limited processing during the time we take to check whether the personal data is correct.
–       If you objected to a legitimate interest, you can request limited processing during the time we take to check whether our legitimate interest outweighs your interest in having the data erased.

 

Data portability

Under certain conditions, you have the right to extract and transfer your personal data in a structured, generally used and machine-readable format to another personal data controller. One condition for data portability is that the transfer is technologically possible and can take place automatically, and that BioGaia processes your personal data on the basis of your consent or to fulfil an agreement.

Right to object

You have the right to object at any time to our processing of your personal data on the basis of legitimate interest. Continued processing of your personal data requires that we demonstrate a legitimate reason for the processing in question. Otherwise, we can only process the information to establish, exercise or defend a legal claim. You also have the right to object to direct marketing, including profiling.

Right to withdraw consent

In the event we base our processing on your consent as a legal basis, you can withdraw your consent at any time either by contacting us or by unsubscribing from our online mailings.

Right to complaint

If you feel we are processing your personal data incorrectly, you can submit a complaint to our supervisory authority, the Swedish Authority for Privacy Protection (www.imy.se).

Contact information

If you wish to exercise any of your rights, please contact us via e-mail at [email protected]. In the event you request that your personal data be erased, it is not certain that we will be able to communicate with you in accordance with the above.

 

Minors

This Site is not aimed at persons under the age of 18 years, and we will not process personal data that could be linked to minors.

 

Changes

We have the right to change this privacy notice at any time by publishing a new version on the Site. In the event it is required, we will inform you of current changes. This privacy notice was updated on September 16, 2024.