Privacy Notice for Mölnlycke Employees
1. Why and how we process your personal data
This privacy notice (the “Privacy Notice”), together with other information provided at the time of collection of your personal data describes how Mölnlycke Health Care AB, reg. No. 556547-5489, including all its affiliates (“Mölnlycke”, “we”, “us” and “our”) will process your personal data during the time you are employed by Mölnlycke as well as after your employment has ended.
Mölnlycke’s processing of personal data as described in this Privacy Notice is in all cases subject to the requirements of applicable local law. To the extent this Privacy Notice conflicts with local law in your jurisdictions, local law controls how Mölnlycke is processing your personal data.
The data controller for the processing of your personal data as described in this Privacy Notice is Mölnlycke Health Care AB. If you have questions about your personal data processing, please submit your question to the Chief Privacy Officer via privacy@molnlycke.com.
You can also contact our Data Protection Officer (DPO) directly via email at dpo@molnlycke.com, if you have any questions or concerns.
In general, we process your personal data for personnel administrative purposes as the processing is necessary for us to be able to fulfil our obligations under the employment contract between us, or due to the legal obligations we incur as your employer. Below, we provide more details regarding the processing and what personal data (hereinafter referred to as “Personal Data”) that we process for each purpose.
To administer and fulfil obligations regarding your salary, expenses, absence, incidents and work injuries, holidays and other leave and benefits.
| What we are doing with the Personal Data: | Categories of Personal Data: |
| We administer your working hours, payroll, travel and expense compensation, absence, incidents and work injuries, holidays, other leave, rehabilitation, and benefits, including insurance and occupational pension, as well as conduct salary revisions. |
Personal Data
Sensitive Personal Data
|
| Legal basis: Performance of the terms regarding salary, expenses, leave and benefits in your employment contract. Compliance with our legal obligations regarding personnel administration as an employer (e.g., laws on minimum wage, working time, annual leave, accounting, and tax) and our legal obligation to handle and report incidents and work injuries. |
| Retention period: The information is retained for the time needed for us to be able to fulfil our obligations under your employment contract and thereafter for 1 year after the employment has ended. The information is also retained for the time needed for us to be able to fulfil our obligations under mandatory regulation. E.g., accounting information is as a starting point stored for 7 years after the end of the current financial year. The data can also be retained for a longer time, if necessary to establish, assert or defend legal claims. |
To provide certificates, referrals, and grades
| What we are doing with the Personal Data: | Categories of Personal Data: |
| We issue certificates, grades, character references, assessments and similar. |
Personal Data
|
| Legal basis: Our legitimate interest to, up on your request, compile and issue certificates, grades, character references and assessments. |
| Retention period: Information regarding employment period and work assignments, on which certificates, grades, character references and the like are based, are stored as a starting point for 2 years from the time your employment ended. Certificates, grades, character references, assessments and the like that are drawn up at your request are stored until you have confirmed that you have received this from us and are then deleted. |
To contact your next of kin in case of emergency
| What we are doing with the Personal Data: | Categories of Personal Data: |
| We contact your next of kin in the event of an emergency, for example in the event of an accident or serious illness during working hours. |
Personal Data Contact information for your next of kin (including telephone number) |
| Legal basis: Our legitimate interest to be able to contact your registered next of kin in a situation where, for example, an accident has occurred or if you were to become seriously ill during work hours. |
| Retention period: The data is stored during the time you are employed with us and is then normally deleted within 1 month unless the employee or the employee’s next of kin requests erasure of the Personal Data before the termination or expiration of the employment. |
To administer participation and communicate regarding our business activities
| What we are doing with the Personal Data: | Categories of Personal Data: |
| We organize internal business activities, publish information on our website and on our intranet, share photos on our corporate website, social media (including on internal platforms), as well as publish interviews on our marketing channels. |
Personal Data
|
| Legal basis: Legitimate interest where our legitimate interest is to be able to communicate externally about our business activities and our employees participating in such activities. |
| Retention period: The Personal Data is stored during the time you are employed with us and is then anonymised or deleted within a reasonable period following the end of your employment and no later than after five (5) years. You can request deletion of any published pictures at any time. |
To administer and control permissions and access to our premises and information
| What we are doing with the Personal Data: | Categories of Personal Data: |
| We administer your login information for our IT services and IT equipment as well as logging of key tags issued to you. |
Personal Data
|
| Legal basis: Our legitimate interest in ensuring that unauthorised access to our premises or information in our IT systems or networks does not take place. |
|
Retention period: The information is stored during the time you are employed with us and is then normally deleted within 1 month after your employment has ended. When you leave, you will also be prompted to delete or transfer any private emails or files stored on your account. If such information is not transferred or deleted by you, it will be deleted by Mölnlycke. Logging information is normally stored for 1 month from the time it is registered. |
To investigate violations of internal policies
| What we are doing with the Personal Data: | Categories of Personal Data: |
| We investigate misbehavior and misconduct within our organization, such as in the form of violations of internal policies, including follow up and documentation of the content and questions of the report. |
Personal Data
Sensitive Personal Data
|
|
Legal basis: Our legitimate interest to manage personnel cases concerning misbehavior and our legitimate interest to ensure compliance with our internal policies in the event of a serious suspicion of violation of such policy, misconduct, or criminal behavior. Compliance with our legal obligations under applicable laws on the protection of persons who report irregularities (i.e., whistleblower protection), where the irregularities are reported and handled within the scope of our internal reporting system. |
| Retention period: We process your Personal Data during the retention period required by law, which is normally no longer than 2 years after a case has been closed for which the internal reporting system has been used, or otherwise during the time it is necessary for the establishment, exercise, or defense of legal claims. |
To negotiate with unions and issue work certificates
| What we are doing with the Personal Data: | Categories of Personal Data: |
| We negotiate with unions, document such negotiations, issue work certificates, and store a compilation of union representatives at the workplace. |
Personal data Information discussed during negotiations, such as about your employment Sensitive Personal Data Data regarding (as applicable in relation to you): Union membership, unemployment benefit, position as a union representative and safety representative, periods of absence |
| Legal basis: Compliance with our legal obligations as an employer in accordance with laws on employment protection and work environment, co-determination in the workplace, unemployment insurance and union representatives. |
| Retention period: The data is as a starting point stored for 10 years after we have fulfilled the current legal obligation for us as an employer. |
To administer and fulfill obligations in connection with termination of employment
| What we are doing with the Personal Data: | Categories of Personal Data: |
| We administer the termination of your employment, calculate the notice period, and determine the order of priority in the event of notice. | Personal Data Employment information (such as start and end day of the employment, form of and terms of employment, employment number, periods of absence) |
| Legal basis: Our legitimate interest to be able to determine, exercise or defend legal claims in relation to the termination of the employment or preferential right to re-employment. Also, the performance of our legal obligations as employers in accordance with laws on employment protection. |
| Retention period: The data is stored during the time you are employed with us and during the time necessary to establish, assert or defend legal claims. |
To enable us to respond to requests from authorities
| What we are doing with the Personal Data: | Categories of Personal Data: |
| We process your data in order for us to be able to respond to and fulfil our obligations in accordance with requests from authorities. We will inform you when we receive such a request, thereby indicating what Personal Data the authority requests in addition to those listed here (if we are not restricted by law from doing so). |
Personal Data
|
| Legal basis: Fulfilment of legal obligation in accordance with official requests from authorities. |
| Retention period: The data is stored during the time you are employed with us and during the time necessary to establish, assert or defend legal claims. |
To carry out employee surveys
| What we are doing with the Personal Data: | Categories of Personal Data: |
| We will process your Personal Data in order to arrange for a third-party provider to help us administer the survey, and to have the results of such survey presented to Mölnlycke in aggregated format. |
Personal Data
|
| Legal basis: Our legitimate interest as an employer is to learn about the satisfaction and opinions of employees, in order to improve Mölnlycke’s business processes and company culture. |
| Retention period: The information is stored during the time you are employed with us. After the end of your employment, this data will either be deleted or kept by Mölnlycke as aggregated statistics. |
2. Control of it use
As an employee with us, you must comply with our rules, as applicable from time to time, on the use of computers, mobile phones, e-mail, internet and other IT equipment and IT tools used in our business. As a main rule, we have complete access to all materials and content in all IT equipment, all IT tools and all systems and networks used by you as an employee. This includes e.g. all e-mail correspondence and all communication and internet use that is stored with the support of or takes place via the systems and networks that we own or otherwise dispose of. We may check the contents of the IT equipment and IT tools (e.g. computer, e-mail and mobile phone) used by you as an employee (a) for security reasons to gain access to our IT systems and maintain IT security, (b) to maintain customer contact and the like during your absence, (c) in case of suspicion that you use our IT equipment in violation of our rules, policies and guidelines, and (d) in case of suspicion of disloyal or criminal conduct. In case of serious suspicion of disloyal or criminal conduct, we may also check private communications and content such as private files and e-mails.
Any processing of Personal Data that takes place in connection with our control of your IT use according to this section is conducted based on legitimate interests, based on our legitimate interest in carrying out the measures for the reasons stated above and, in case of (serious) suspicion of disloyal or criminal conduct, based on our legitimate interest to be able to establish, assert or defend legal claims or protect our business in general.
Data processed in connection with the control of the content and use of the IT equipment and the IT tools used by you as an employee is saved for the time necessary to implement the measures stated above. The processing of the data ceases as a starting point within 1 month thereafter, if it does not turn out that the data is needed for a longer period in order to e.g. investigate and take measures in order to be able to establish, assert or defend legal claims or protect our business in general.
3. How we collect your personal data
We collect Personal Data from the following sources:
- From you directly (such as when you update your account and profile in our IT systems).
- From relevant governmental authorities (such as the national tax agency).
- Insurance companies that we have agreements with.
- Where applicable, occupational health partners and job coaches.
4. How we share and transfer your personal data
Recipients: We will share your Personal Data with the following recipients:
| Recipients: | Such as: |
| Suppliers or vendors assisting Mölnlycke | Our employee training partners, our insurance company, our supplier of local payroll management systems, our supplier of salary systems, private pension companies with whom we have an agreement, our advisors, our supplier of IT-systems, our external legal advisors, our external partner who manages the reports of violation received via our whistleblowing system, our suppliers of travel services |
| Public authorities, if required | Relevant governmental authorities, such as the national tax agency, migration agency, pensions agency, social insurance agency, work environment authority or the police authority |
| Other recipients | Collective bargaining parties (if applicable), the employee’s union, our customers and possible customers, visitors on our website |
| Other Mölnlycke entities | Our group companies |
Transfer: Mölnlycke operates globally and therefore Personal Data may need to be transferred to countries outside of where the Personal Data was originally collected. As Mölnlycke is headquartered in the European Union (“EU”), Personal Data will generally be processed within the EU. We will also transfer your Personal Data to countries outside the EU and the European Economic Area (“EEA”) for the purpose of sharing information with other Mölnlycke entities part of our company group or with our service providers, such as our suppliers of IT-systems, which are established outside of EU/EEA. Such countries outside EU/EEA include USA, China, Chile, Thailand, Singapore, Brazil, Canada, Japan, Australia, India, South Africa, New Zealand, Malaysia, and South Korea.
If we transfer your Personal Data from a country which requires that so called transfer mechanism are used to safeguard your rights, we will rely on one of the official options, as applicable. This could e.g., be:
- European Commission’s Adequacy Decisions. This means that the European Commission has assessed and decided that your Personal Data will be equally protected in that country as within the EU/EEA. You can access a list of the countries that the European Commission has decided provide an adequate level of data protection here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
- European Commission’s standard contractual clauses. These clauses function as a contract between Mölnlycke and the recipient, with the purpose of safeguarding your rights. You may access the European Commission’s standard contractual clauses here: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32021D0914.
Please contact Mölnlycke’s DPO for specific information.
5. Your rights
In this section we describe your rights as a data subject. You can exercise them by contacting us, using the contact details above in section 1. Please note that not all rights listed below are absolute and there are exemptions which can be valid.
Your rights are the following:
Right of access. You have the right to obtain a confirmation as to whether or not we process your Personal Data. If that is the case, you also have the right to receive copies of the Personal Data concerning you that we process as well as additional information about the processing, such as for what purposes the processing occurs, relevant categories of Personal Data and the recipients of such Personal Data.
Right to rectification. You have the right to have your Personal Data corrected (rectified) and/or complemented if it is wrong and/or incomplete.
Right to erasure. You have the right to request that we erase your Personal Data without undue delay in the following circumstances: (i) the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) you withdraw your consent on which the processing is based (if applicable) and there is no other legal ground for the processing; (iii) you object to our processing of Personal Data, and we do not have any overriding legitimate grounds for the processing; (iv) the processed Personal Data is unlawfully processed; or (v) the processed Personal Data has to be erased for compliance with legal obligations.
Right to restriction. You have the right to restrict the processing of your Personal Data in the following circumstances: (i) you contest the accuracy of the Personal Data during a period enabling us to verify the accuracy of such Personal Data; (ii) the processing is unlawful, and you oppose erasure of the Personal Data and request restriction instead; (iii) the Personal Data is no longer needed for the purposes of the processing, but are necessary for you for the establishment, exercise or defence of legal claims; or (iv) you have objected to the processing of the Personal Data, pending the verification whether our legitimate grounds for our processing override your interests, rights and freedoms.
Right to object. You have the general right to object to our processing of your Personal Data when it is based on our legitimate interest. If you object and we believe that we may still process your Personal Data, we must demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Right to data portability. If your Personal Data has been provided by you and our processing of your Personal Data is based on your consent or on the performance of a contract with you, you have the right to receive the Personal Data concerning you in a structured, commonly used and machine-readable format in order to transmit these to another service provider where it would be technically feasible and can be carried out by automated means.
Complaints to the supervisory authority. If you believe that our processing is performed in breach of applicable data protection legislation, we encourage you in first-hand to contact us in order for us to oversee your complaints. You may at any time also file a complaint with the relevant supervisory authority where you are located. You can find contact details to each local EU supervisory authority by visiting the website of European Data Protection Board, https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.
6. Security measures
We have taken measures to ensure that your Personal Data is handled in a safe way. For example, access to systems where Personal Data is stored is limited to our employees and service providers who require it in the course of their duties. Such parties are informed of the importance of maintaining security and confidentiality in relation to the Personal Data we process. We maintain appropriate safeguards and security standards to protect your Personal Data against unauthorized access, disclosure or misuse. We also monitor our systems to discover vulnerabilities.