Privacy policy

Privacy and Cookie Policy

How we process your personal data

Approved by: Approval date: Last revised: Document owner:
Board 2021-10-27 2021-10-27 Group CEO

Introduction

Transcendent Group AB (the Company) together with its subsidiaries (the Group) is a consultancy company within Governance, Risk and Compliance (GRC) services. The Company’s Board of Directors works to ensure that the Group has good governance and internal control. The Board of Directors shall establish internal rules and policies to ensure that these procedures are followed and regularly monitored and evaluated within the business.

The policy framework in the Group applies to all legal entities and employees, as well as vendors and subcontractors that are engaged to support us in delivering value to our customers.

It is the responsibility of each CEO in the Group to ensure that this policy is implemented and complied with where relevant within his/her respective area of responsibility.

If any employee violates any of the regulations within the Company’s internal governance framework, this should immediately be reported to the CEO for further action.

1 How we process your personal data

At Transcendent Group, we respect your privacy and want you to feel safe with how your personal data is being processed. Below you will find information about what personal data Transcendent Group processes, for which purposes, the lawful basis for processing, how long we retain personal data and your rights in accordance with applicable legislation.

1.1 Structure of The Group

The Group was founded in Stockholm in 2001 and has since inception been a value-driven company. We hand-pick our employees, and only recruit experienced consultants within GRC. Today, the Group has grown to become a management consulting business with offices throughout Europe.

The Group consists of Transcendent Group AB as parent company with each local office as a wholly-owned subsidiary. As per Q3 2018, the group Transcendent Group consists of the following companies:

  • Transcendent Group AB
  • Transcendent Group Sverige AB (Sweden)
  • Transcendent Group Regulatory Technology AB (Sweden)
  • Transcendent Group Norge AS (Norway)
  • Transcendent Group Danmark Aps (Denmark)
  • Transcendent Group Finland Oy (Finland)
  • Transcendent Group Belgium SA (Belgium)
  • Transcendent Group Baltics UAB (Lithuania)
  • Transcendent Group Luxembourg SARL (Luxembourg)

As our parent company Transcendent Group AB is headquartered in Sweden, Swedish legislation sets forth the minimum requirements regarding handling of personal data within the Group. In addition, each Group Company shall comply with applicable local law regarding the processing of personal data in its country or territory.

Data controller

Transcendent Group AB (corporate identity number: 559005-1164, Address: Transcendent Group AB, Lästmakargatan 20, 111 44 Stockholm, Sweden) acts as data controller regarding the processing of your personal data by the Group.

Joint controller

In certain circumstances, Transcendent Group AB may act as a joint controller with another data controller where both parties jointly determine the means and purposes of processing, such as in certain joint activities performed in conjunction with a Group vendor or supplier.

2 What personal data do we process?

The Group processes personal data of individuals in the following categories:

  • Customers and potential customers (Section 3.1) – Contact persons at organizations that purchase our services and products or contact persons at organizations with which we are looking to form customer relationships.
  • Employees (Section 3.2) – Individuals who are current or former employees of a Group company.
  • Candidates (Section 3.3) – Individuals that we are in contact with regarding prospective employment at a Group company. This includes individuals that have actively applied for a position, individuals who have registered a profile in our database, and individuals who are potential candidates that we have found through candidate research.
  • Suppliers (Section 3.4) – Contact persons at organizations from which we purchase services and products.
  • Subcontractors (Section 3.5) – Individuals that are supporting a Group customer or project without being employed at a Group company.
  • Other categories (Section 3.6) – Individuals who do not belong in any of the above categories whose personal data is processed by a Group company. This could include visitors to a Group website, individuals acting as a personal reference for a candidate or consultant, emergency contacts and/or family members of a Group employee,  or other individuals in contact with a Group company, such as sales representatives seeking a Group company as a customer, individuals part of professional or industry networks, media contacts, etc.

3 How do we process and protect personal data?

For each category of data subject, we process different kinds of personal data for different periods of time and for different purposes. This is further specified for each category below.

3.1 Customers and potential customers

Why do we process your personal data?

  • Customer: If you are employed at a Group customer as the responsible contact person or are otherwise involved in our professional relationship, we may process your personal data to maintain our professional relationship and comply with relevant legislation, such as accounting regulations.
  • Potential customers: We process personal data including contact information about key individuals at organizations with which we would like to do business.

What kind of personal data do we process?

  • Name
  • Title
  • Telephone number (work related)
  • E-mail address (work related)
  • Your employment history and/or CV
  • Notes from our cooperation and/or dialogues

How do we collect your personal data?

  • By receiving the data from you directly
  • By receiving the data from your employer or colleague
  • By receiving the data from you through your use of our website or other services we offer (such as participation in a Group seminar or other event), including your interest to be contacted by us and subscribed to our newsletter
  • By information provided by you in relation to ongoing and performed assignments
  • By information regarding your viewing of our newsletter
  • By researching publicly available information about you, such as from a relevant organization’s homepage or professional network such as LinkedIn
  • By purchasing the information from external sources such as recruiting agencies

With whom do we share the information?

Your personal data is processed by our organization in order to create or maintain a professional relationship with the organization you represent. In the event of an assignment involving more than one Group company, we may share your personal data between Group companies if it is necessary to fulfill our assignment.

We may share your personal data with third party suppliers that we hire to perform services on our behalf (such as technical, administrative, market-related or other services), when such is required for administrating our relationship or if in our prospecting of you or your organization as a potential customer. We will secure that appropriate safeguards are in place which provide adequate levels of protection of your personal data as required by applicable data protection laws.  These third party suppliers are prohibited from using your personal data for their own purposes as stipulated our governing agreements.

3.2 Employees

Why do we process your personal data?

When you enter in to an employment agreement with a Group company, we are required as your employer to process your personal data in order to comply with applicable regulations and to fulfil our employment agreement with you, including paying your salary, ensuring that you follow our internal policies and the like. Examples of applicable law requiring the processing of your personal data include legislation regarding workplace environment, discrimination, workers’ compensation, vacation and tax regulations.

What kind of personal data do we process?

  • Name
  • Address
  • Telephone number
  • Birthday
  • Personal identification number
  • E-mail address
  • Bank account number
  • Salary, pension and benefit information
  • Gender
  • Employment history and time reporting
  • Resource allocation scheme
  • Absence from work (vacation, illness, etc.)
  • Sensitive matters (Doctors’ certificates, medical investigations, rehabilitation evaluations, fraud investigations, investing matters, etc.)
  • Citizenship/immigration/employment status
  • Your image
  • Organizational affiliation
  • Education history
  • Professional feedback from clients and colleagues
  • Domestic relationships, including emergency contacts, number of children and their birth year, including your eligibility for social benefits for your minor children
  • Allergies and dietary preferences
  • Information connected to your professional performances, such as personal development discussions and completed courses/educations
  • Your CV, competencies and performed assignments

Please note that the list is not exhaustive, and that other personal data may be processed for the purpose(s) set forth above.

How do we collect your personal data?

  • By receiving the data directly from you or from a recruitment agency in relation to a recruitment process
  • By receiving the data directly from you during the course of your employment
  • By receiving the data from other sources such as authorities, third party suppliers that perform services for us (salaries, pensions and insurance), professional references and customers

With whom do we share the information?

If you are employed at a Group company, your personal data may be shared with consultants, customers, suppliers and other parties who may be relevant to communicate with regarding your role. If you are a consultant in the Group, we may also share certain personal data with our customers to grant you access to physical and/or IT-systems, for the customer to perform background or security checks on you and other processing that is necessary for the assignment. The customer will in turn share information to the Group regarding your performance during and after the assignment.

We share your personal data with third party suppliers that we hire to perform services on our behalf when such is required for administrating your employment, including IT service vendors, payroll administrators and insurance carriers. We will secure that appropriate safeguards are in place which provide adequate levels of protection of your personal data as required by applicable data protection laws.  These third party suppliers are prohibited from using your personal data for their own purposes as stipulated our governing agreements.

Your personal data may also be shared where required by law, such as with relevant tax authorities or other authorities.

3.3 Candidates

Why do we process your personal data?

If you are interested in a position at a Group company or if you have a professional profile that may be relevant to us, we may process your personal data to communicate with you, administer your application or suggest that you apply for a position, all subject to an applicable lawful basis as detailed below in section 6. During a recruitment process, we will evaluate your competence related to your work history, professional skills and personality. In the final steps of the recruitment process, we may use your personal data to verify your identity or work status in order to offer you a position if relevant. We also process your personal data for other statistical purposes, for example to maintain and develop the quality of our services and to measure requirement process efficiency.

What kind of personal data do we process?

  • Name
  • E-mail address
  • Telephone number
  • Home address
  • Gender
  • Your image
  • Personal identification number
  • Professional competencies and work experience collected from documents you provided or during interviews with you
  • Professional social media profile (e.g., LinkedIn)
  • E-mail correspondence
  • Position(s) applied for
  • Possible relevant rating (e.g., suitability, skill rating, etc.) regarding you as a future employee
  • Skills testing results, if you have performed testing in our application process
  • Other personal data that you chose to share with Transcendent Group*

The Group advises you to not share with us any sensitive information (also referred to as “special category personal data”) at this stage about your ethnic origin, political views, religious or philosophical beliefs, trade union membership, health or sexual orientation, or any personal data about individuals other than yourself.

Please note that the list is not exhaustive, and that other personal data may be processed for the purpose(s) set forth above.

How do we collect your personal data?

  • By receiving the data from you when you apply for a position with a Group company
  • By collecting the data from a third party, including professional references, recruitment agencies, customers and professional social media such as LinkedIn
  • During email and telephone correspondence with you regarding your application

With whom do we share the information?

We do not share personal data regarding candidates with anyone outside of the Group except in cases where we utilize a recruiting agency in the recruitment process.

Your personal data may also be shared where required by law, such as with relevant tax authorities or other authorities.

3.4 Suppliers

Why do we process your personal data?

The personal data we process regarding our suppliers is restricted to only that which is necessary to maintain our professional relationship. This may include personal data of the supplier’s personnel including support functions, service personnel, finance department or other key individuals.

What kind of personal data do we process?

  • Name
  • Title
  • Employer
  • Telephone number (work related)
  • E-mail address (work related)

How do we collect your personal data?

  • By receiving the data from you
  • By receiving the data from your employer or colleague
  • Through publicly available records on your employer’s website or professional social media account

With whom do we share the information?

We may share your personal data with third party suppliers that we have engaged to perform services on our behalf when such is required for administrating our professional relationship with you as a supplier (e.g., invoice management). We will secure that appropriate safeguards are in place which provide adequate levels of protection of your personal data as required by applicable data protection laws.  Our suppliers are prohibited from using your personal data for their own purposes as stipulated our governing agreements.

3.5 Subcontractors

Why do we process your personal data?

As a subcontractor to a Group company, your personal data is processed in order to facilitate the purpose of your engagement, such as supporting a Group customer or project. The personal data we process regarding our subcontractors is restricted to only what is necessary to fulfill the engagement.

What kind of personal data do we process?

  • Name
  • Home address
  • Telephone number
  • Personal identification number if relevant
  • E-mail address
  • Time reporting and invoice details
  • Domestic relationships – emergency contact
  • Allergies and dietary preferences if attending one of our events
  • CV, competencies and performed assignments

Please note that the list is not exhaustive, and that other personal data may be processed for the purpose(s) set forth above.

How do we collect your personal data?

  • By receiving the data from you during the scope of our professional collaboration
  • By receiving the data from other sources such as authorities, third party suppliers that perform services for us (e.g., invoice management), professional references and customers

With whom do we share the information?

As a subcontractor, your personal data may be shared with our customers to grant you access to their physical offices and/or IT-systems, for the customer to perform background or security checks on you and other processing that is necessary for the assignment. The customer may share information with the Group regarding your performance during and after the assignment.

We share your personal data with third party suppliers that we hire to perform services on our behalf when such is required for administrating your subcontractor agreement. We will secure that appropriate safeguards are in place which provide adequate levels of protection of your personal data as required by applicable data protection laws.  These third party suppliers are prohibited from using your personal data for their own purposes as stipulated our governing agreements.

Your personal data may also be shared as otherwise required by law.

3.6 Other categories

Why do we process your personal data?

This category includes all other individuals whose personal data is processed by the Group that are not included in any of the previous categories, such as professional references in a recruitment process, a contact in a professional network, an industry colleague and sales personnel from other organizations. Below you will find examples of processing that involve this category of individuals.

  • Professional references in a recruitment process or related to project assignments – When a candidate is considered for a position within the Group, we may contact references to verify how the candidate has performed in a professional capacity.
  • Emergency contacts of employees – Each employee at a Group company  is required to provide the contact details of a relation to contact during an emergency, such as a close relative.
  • Individuals that contact us via telephone, e-mail, our social media profiles and our website – If you as an individual have initiated contact with a Group company regarding a specific matter or occurrence, we may retain your personal data in order to facilitate the purpose of your inquiry.
  • Partners, colleagues in the industry, sales representatives and key individuals in other organizations, individuals in our professional network, media contacts and similar – We may process your personal data for future communication including marketing activities (subject to the appropriate lawful basis identified below in section 6).

What kind of personal data do we process?

  • Name
  • Title
  • Telephone number
  • E-mail address
  • Your relationship to the candidate (e.g., the candidate’s manager)
  • Your relationship to the employee (e.g., spouse or parent)
  • Web browser details and session data from your visit to our website
  • Other personal data that you have given us during our communication

How do we collect your personal data?

  • By receiving the data from a candidate in a recruitment process as a professional reference
  • By receiving the data from an employee to manage our emergency contact list
  • By receiving the data from you personally, via e-mail or business card
  • By receiving the data from your employer or a colleague
  • By receiving the data from you when you communicated an interest in being contacted or have contacted us via telephone, e-mail, social media or through our website
  • By receiving the information through our personal professional networks, such as LinkedIn

With whom do we share the information?

When governing with whom we share this category of personal data, we distinguish between persons that are in contact with us either in a personal or professional capacity.

For personal contacts, we are more restrictive with our processing of personal data and do not share this type of data with any external stakeholder.

Personal data you share with us when representing an organization is viewed as less sensitive information and subject to lower scrutiny. We are therefore not as restrictive in this processing and share certain personal information within professional networks for the professional development of company and corporate growth.

We use third party suppliers that we hire to perform services on our behalf (such as technical, administrative, market related or other services) when such is required for administrating contacts with other stakeholders. We will secure that appropriate safeguards are in place which provide adequate levels of protection of your personal data as required by applicable data protection laws.  These third party suppliers are prohibited from using your personal data for their own purposes as stipulated our governing agreements.

4 How long do we retain the information?

Generally, we retain personal data only as long as it is relevant and necessary for each processing activity, including within our ongoing assignments for customers, in our professional collaboration with a supplier or customer, in a recruitment process or in managing our employees.

However, we are obligated to retain specific personal data for a stipulated period of time in line with applicable legislation within the countries we operate. This legislation can include, for example, accounting laws and regulations against discrimination. The retention times vary across the applicable legislation in each county we operate. Because our parent Company is headquartered in Sweden and is subject to Swedish law, we store personal data for accounting purposes for at least seven (7) years in line with law in that country. In addition, we retain personal data provided in the performance of our services for ten (10) years.

  • Customer – If you are a representative of an organization who has purchased services from the Group, and your contact information has been provided as the reference for the assignment, we will retain your personal data described above in line with the timeframes stipulated by applicable accounting legislation.
  • Customer and potential customer – We continuously update our CRM database to ensure having relevant and correct contact information.
  • Employees – The Group will process your personal data described above during the course of your employment.  Upon termination of your employment with us, we will delete all personal data that we are not otherwise required to retain due to other legal obligations.   For example, certain personal data such as login files, emails and similar data may be retained for up to one (1) year after the termination of your employment. Other personal data will be retained for a longer period of time as required by applicable legislation, such as retention of payroll information for seven (7) years due to applicable accounting law.
  • Candidates – Your personal data processed for a recruitment will be retained as long as necessary for the recruitment process and thereafter for a period not exceeding what is stipulated in local legislation regarding, for example, discrimination.

You manage the personal data that is registered in your recruitment profile and you are free to erase all or part of the information as you wish. If you have registered a recruitment profile with us which you have not logged into or updated for at least two (2) years, your account will be erased automatically. Please note, however, that we may retain certain information contained in your profile after deletion of our account in order to comply with specific local legislation. See further information in section 5 below about exercising your rights.

We reserve the right to erase a user account that we believe has been misused in any way.

  • Suppliers – We will retain your personal data as a supplier contact as long as you are involved in the professional relationship with the Group. If it comes to our attention that your duties have changed or that you have changed employers, all personal data not subject to further retention (under applicable accounting law, for example) will be erased.
  • Subcontractors – We will process your personal data for the duration of your subcontracting agreement with a Group company. When your agreement terminates, we will erase all personal data not subject to further retention, or that is included in historical data from the relevant assignment.

Other Categories:

  • Professional references in a recruitment process – Personal data for professional references will be retained solely for those candidates who have received and accepted a job offer with a Group company. We will retain the personal data and a professional reference protocol, together with the candidate’s other documentation until the expiration of the period to appeal final job offerings as stipulated in applicable legislation.
  • Emergency contacts of employees – Personal data for emergency contacts will be retained as long as the relevant individual is employed. The employee is responsible for maintaining accurate and updated information for these contacts.
  • Individuals that contact us via telephone, e-mail, our social media profiles and our website – Personal data for these individuals will be retained as long as the data is required in order to establish and maintain communication.
  • Partners, colleagues in the industry, sales representatives and key individuals at other organizations, contacts in professional networks, media contacts and similar – Personal data for these individuals will be retained as long as it has a defined purpose and is necessary and relevant to said purpose according to applicable law.

5 Your rights

5.1 Right to access to your personal data – extract from register

You have the right to request information identifying the categories of personal data that apply to you. Please contact us with a written request or via the email address listed below.

5.2 Right to rectification or erasure of personal data

You have the right to demand that we correct or erase your personal data by contacting us via a written request. If you have the ability to correct or erase the data yourself, e.g., as an employee or a candidate that has registered a profile in our database, you have the right to do so yourself.

As an employee or subcontractor, you are obliged to notify us if your personal data is incorrect as we otherwise may experience difficulties managing your employment, such as paying your salary or establishing contact with you.

If your personal data is processed in our CRM database as a potential customer, you can either notify us with your deletion request or unsubscribe from our newsletters and other further contact. In order for us to avoid contacting you after you have unsubscribed, we will retain either your name or e-mail address in an opt-out list.

Please observe that there are certain exceptions to your right to completely erase all of your personal data upon request due to specific legislation requirements as discussed in section 4 above. Furthermore, employees do not have the right to have all of their personal data erased during the duration of their employment.

5.3 The right to object

You have the right to object to our processing of your personal data, including objecting to processing based on legitimate interest or processing for direct marketing. Further, you have a right to request restriction of the processing of your personal data under certain circumstances.

5.4 The right to data portability

You have the right to request portability of your personal data portability (e.g., transfer of your personal data to another data controller) if our processing of your personal data is based on consent or contractual obligation and is automated. Please see section 9 below for information on how to contact us.

6 Lawful basis

In order to process your personal data, the Group must identify a relevant lawful basis for the processing. Applicable law in Sweden lists six (6) common lawful bases, four of which are applicable for the Group:

  • Consent – You as an individual has given us your explicit permission to handle personal data for certain purposes that you have received clear information about prior to the processing. We must be able to document your consent and allow you to withdraw it at any time as easily as it was first given. Should you withdraw your consent, we will stop the applicable processing.
  • Contract – If you have entered into a contract with us as an individual, we may process your personal data in order to fulfil the terms of our agreement.
  • Legal obligation – As a corporation, we must process certain personal data in order to comply with specific regulations.
  • Legitimate interest – We may also process your personal data based on our legitimate business interests, so long as our interests are not outweighed by the risks to your privacy and said risks are acceptably low.

Which lawful bases do we base our processing of personal data upon?

  • Customers, suppliers and subcontractors – In situations where the Group engages in commercial transactions with other organizations, including the buying or selling of goods and services, the applicable lawful basis will be performance of contract and/or compliance with legal obligations.
  • Potential customers – Where the Group is marketing itself to other organizations and processing personal data of employees at these organizations, we base this processing on our legitimate business interests.
  • Employees – If you are employed by a Group company, we process your personal data based on the lawful basis of performance of the employment contract and/or compliance with legal obligations. Additional personal data may be processed on the basis of legitimate interest.
  • Candidates – We process the personal data of candidates and potential recruits based on compliance with legal obligations and/or consent.
  • Other data subjects – The lawful basis of processing for this category can vary depending on the means and purposes of processing. In most cases, our processing will be based on our legitimate business interests as the lawful basis. If our relationship with you changes and you subsequently fit in any of the other categories listed above, then the legal basis for processing for said new category will apply.

7 Securing your personal data

The Group maintains an information security policy which governs how we ensure and protect the confidentiality, integrity and availability of our information assets.  Appropriate technical and organizational security measures are taken and maintained to protect the personal data we process against accidental loss, unlawful or unauthorized access, use, disclosure, alteration or destruction.

8 Regarding cookies

8.1 Our homepage

We collect personal data when you visit our website (transcendentgroup.com), including information about your usage of the site and which pages you visit. For more information on how we use cookies and how to manage your settings, please see the Cookie Settings section of our cookie notice.

8.2 What is a cookie?

We use two types of cookies. One type saves a text file during a specified period with a set expiration date. This cookie aims to, for example, inform you of what has changed on the site since your last visit.

The other type of cookie – a so-called session cookie – is saved temporarily while you are visiting a webpage, such as displaying the page in a certain language you’ve chosen. Session cookies are deleted upon closing your web browser.

8.3 Why do we use cookies?

We use cookies on our website to, for example, retain which open windows you have saved. We also use cookies to receive web statistics on usage and traffic. These statistics are needed to further develop our website in order to create a better user experience.

In order for you to use our website to its full extent, you are requested to accept certain cookie usage via the cookie notice that appears when you first visit the site. Certain cookies are disabled by default, including sol-called performance and targeting cookies, for which we need your affirmative consent to use.  You are free to reject use of cookies on our site, though please understand that certain website features may no longer work as intended.

9 Our contact information

If you would like to get in touch with us regarding our processing of your personal data, you can send an e-mail to info@transcendentgroup.com or to hr@transcendentgroup.com if you are a candidate, employee or former employee of a Group company.

In your correspondence, you may request any or all of the following in addition to your rights set forth in section 5 above:

  • Request access to and extracts from your personal data processed by us, or demand rectification or erasure of your personal data
  • Notify us if you suspect that your personal data is being processed by an unauthorized party as a result of Transcendent Group’s processing of your personal data or through processing conducted by our third party suppliers
  • Obtain information regarding the purposes of processing, the categories of personal data processed and the legal basis for the processing of your personal data

Your request should contain a detailed, accurate description of the personal data you want access to. When there are reasonable doubts regarding your identity, you might be asked to provide a copy of a document to help us to verify your identity, such as your ID card or passport.

You may also contact us via mail by send your request to: Transcendent Group AB, Lästmakargatan 20, 111 44 Stockholm Sweden.

You also have the right to lodge any complaints you may have regarding our processing of your personal data to a supervisory authority.  The relevant supervisory authority in Sweden is the Swedish Authority for Privacy Protection (IMY) located at www.imy.se.