Privacy Policy

1. Collected Data

TQM shall process data about Users that has been voluntarily submitted to the TQM platform. Users understand that the submission of data to TQM is voluntary, but they will not be able to use the TQM platform and the services it provides unless data is submitted.

TQM shall collect and process the following data about Users (hereinafter collectively referred to as “Personal Data“):

name, phone number, and email address;

information about the legal entity represented (company name, registration code);

Credit card information for payment of the service;

Other data that the User chooses to share about themselves on the platform.

2. Purpose & Legal Basis

TQM shall process Personal Data solely for the purposes established by law and this Privacy Policy, including the following purposes: to create a personal account for the User, identify and contact the User, provide the platform service, provide support services (including user support), and fulfill obligations arising from the law.

TQM shall process Users' personal data on the basis of the following:

The legal agreement between the legal entity represented by the User and TQM to provide the platform service to it, which also includes providing access to the platform;

The consent given by the User to TQM. On the basis of this consent, TQM will process such data that are not necessary for providing the platform service in the event that the User has nevertheless chosen to voluntarily submit them on the platform (for example, the profile picture);

To comply with relevant legal obligations.

3. Data Transfer & Storage

TQM may forward Users' personal data to third parties, such as auditors, legal service providers, or other persons providing services to TQM (for example, a cloud service provider or food technologist). TQM has made every effort to ensure that the aforementioned third parties guarantee the confidentiality and security of personal data.

The third parties to whom TQM forwards Users' personal data may be located outside the European Economic Area where other data protection rules may apply and where the European Commission has not implemented a decision on adequate protection. In these countries, the security of personal data (including protection against misuse, unauthorized access, disclosure, alteration or destruction) cannot be guaranteed at the same level as within the European Union. When forwarding personal data outside the European Economic Area, TQM guarantees that appropriate security measures are taken. If the User wishes to receive a copy of such data, please notify TQM accordingly.

TQM has implemented the necessary organizational, physical, and IT security measures to ensure that the data published on the platform, including personal data, is protected from all forms of misuse, unauthorized access, disclosure, alteration, or destruction. Third parties have been informed that they may only use Users' personal data for the purpose and to the extent specified by TQM.

TQM will store personal data as long as required by law, but no longer than TQM reasonably needs to fulfill the purposes for which the data was collected or processed; among other things, storage of personal data until any claims from the User expire may be one of these criteria.

TQM shall take reasonable measures to ensure that personal data is accurate and reliable.

4. User's Rights Regarding Data Collection

The User has the following rights regarding data collection:

to request access to the personal data about the User collected by TQM and to request a copy of this personal data;

to request rectification, amendment, or deletion of personal data if it is inaccurate or not processed in accordance with applicable requirements;

in cases determined by law, to demand that TQM limits the collection, processing, or use of the User's personal data;

in the event of a violation of the User's rights, to file a complaint with the Swedish Authority for Privacy Protection (Datainspektionen).

5. Cookies

On its platform, TQM uses cookies and other tracking tools to improve the user experience on the TQM platform, ensuring high quality of the provided service and user-friendly navigation on the platform.

Cookies are essentially text files that are stored on the User's computer, smartphone, or other devices.

The cookies that TQM uses on its platform can be divided as follows depending on when they are placed:

Temporary or session cookies expire when the User leaves the platform or closes the browser. TQM uses session cookies for certain functions of the platform to work (e.g., login).

Permanent cookies are stored permanently on the User's device for the period specified in the permanent cookie and are activated when the User visits the platform whose cookie has been installed. The purpose of permanent cookies is to remember the User's settings on the TQM platform. For example, TQM uses permanent cookies to remember language settings or to save information about the company and its place of business and its authentication code.

TQM also uses the following type of cookies on its platform, which can be distinguished by the purpose of their placement:

Necessary cookies are essential for navigating the website, using its functions, and providing the services chosen by the User. The website cannot be provided and requested services cannot be provided to the User without the installation of such cookies;

Preference cookies make it possible to remember the choices the User has made (e.g., language selection) to create a more personalized and convenient user experience.

To prevent misuse of the platform, TQM may use cookies that collect data about the devices and applications used for the platform.

The User can at any time delete cookies or block them using browser settings; however, some cookies may be necessary for the service provided by the platform to function. In this regard, the User understands that certain functions of the platform may not work correctly if cookies are deleted or blocked.

The following types of cookies are used on the website:

Strictly necessary/essential cookies. These cookies are necessary for the user to move around the website and use its features, such as accessing secure areas of the website. Without these cookies, the services the user has requested cannot be provided. These cookies do not collect information that identifies a visitor.

Performance cookies. These cookies collect information about how visitors use a website, for example, which pages visitors go to most often and if they get error messages from web pages. These cookies do not collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.

Functionality cookies. These cookies allow the website to remember choices the user makes (such as the user's username, language, or the region the user is in) and provide enhanced, more personal features. They can also be used to provide services the user has requested, such as watching a video or commenting on a blog. The information these cookies collect may be anonymized, and they cannot track your Browse activity on other websites.

Behavioral advertising and messaging cookies. These cookies are used to deliver advertisements and messages that are more relevant to you and your interests. They are also used to limit the number of times the user sees an advertisement or message and help measure the effectiveness of advertising and messaging campaigns. They remember that the user has visited a website, and this information is shared with other organizations, such as advertisers or messaging service providers. Quite often, targeted or advertising cookies will be linked to website functionality provided by the other organization.

Further information on the use of cookies and instructions for disabling cookies are available on the website.

6. Contact Information

If the User wishes to exercise any right established in section 4 of the Privacy Policy or obtain further information about the processing of their rights, please contact TQM via email address: contact@qualityfoodcontrol.com.

Data Processing Agreement

1. Background and Scope

The Parties have entered into an agreement whereby the Data Controller has gained access to the services, and the Data Processor has undertaken to perform one or more services on behalf of the Data Controller, which are regulated within the framework of this Data Processing Agreement and other terms which together constitute the “Agreement”. In performing the services under the Agreement, the Data Processor will process personal data on behalf of the Data Controller. The Data Processor will therefore act as a Data Processor for the Data Controller, who is responsible for the personal data to be processed, during the performance of the relevant services.

2. Purpose of Personal Data Processing

The Data Processor may only process personal data for the purposes stated in the Agreement or in a written supplementary agreement that refers to this agreement, and for no other purpose than what is necessary for the fulfillment of the Agreement.

3. Sub-processor

The Data Processor may not, without the client's consent, transfer personal data for processing to a sub-processor. If general consent is given, the Data Processor shall inform the Data Controller of any plans to engage new sub-processors or change sub-processors. The Data Controller shall promptly object to such changes, but no later than 2 weeks after the Data Processor has notified that the change will occur.

If the Data Controller objects to the changes, the personal data may not be transferred, and the services shall be performed by the Data Processor in-house or by a previously approved sub-processor.

The Data Processor is responsible for entering into written agreements with sub-processors.

4. Conditions for Personal Data Processing

The following applies to the Data Processor's processing. The Data Processor:

• shall only process personal data on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organization, unless such processing is required by Union or Member State law to which the Data Processor is subject. In such a case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
• shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• shall take all measures for security in connection with the processing of personal data in accordance with Art. 32 of the GDPR;
• shall respect the conditions referred to for engaging another processor as referred to in paragraph 3 above;
• shall, taking into account the nature of the processing, assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
• shall assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (concerning information to the data subject about a personal data breach, notification of a personal data breach to the supervisory authority and communication of a personal data breach to the data subject), taking into account the nature of processing and the information available to the processor;
• at the choice of the Data Controller, delete or return all the personal data to the Data Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data; and
• shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

Furthermore, the Data Processor undertakes to maintain a record of processing activities and cooperate with the supervisory authority and make this record available to the supervisory authority.

The Data Processor shall, if necessary and upon request, assist the Data Controller in fulfilling the obligations arising from the performance of data protection impact assessments and prior consultations with the supervisory authority.

5. Security Measures

The Data Processor shall limit access to personal data to persons who need such access to fulfill their duties.

The Data Processor shall ensure that personal data is not processed in violation of the provisions of current legislation etc. regarding data protection for personal data, such as the GDPR and the Swedish Authority for Privacy Protection's regulations. The Data Processor shall take appropriate technical and organizational measures to protect personal data from unauthorized access, destruction, and alteration.

The Data Processor undertakes to immediately inform the Data Controller if an instruction violates the GDPR or other provisions regarding data protection for personal data.

The Data Processor and Data Controller undertake, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

• the pseudonymisation and encryption of personal data;
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

The Data Controller and the Data Processor shall take steps to ensure that any natural person acting under the authority of the Data Controller or the Data Processor who has access to personal data does not process them except on instructions from the Data Controller, unless required to do so by Union or Member State law.

6. Personal Data Breaches

The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach. The notification shall describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned. If and insofar as it is not possible to provide the information at the same time, the information may be provided in stages without undue further delay.

The Data Processor shall assist the Data Controller in documenting all personal data breaches, including the circumstances surrounding the personal data breach, its effects, and the corrective actions taken.

7. Compensation

The Data Processor is entitled to charge the Data Controller for costs incurred due to security measures and costs related to personal data incidents beyond the compensation stated in the Agreement, only to the extent that the Data Controller has caused the costs through negligence.

8. Contacts with Third Parties

If a third party (e.g., data subject, authority, or any other party) contacts the Data Processor with a request for information about the processing of personal data, the Data Processor shall without undue delay forward such a request to the Data Controller.

The Data Processor is not entitled to represent the Data Controller vis-à-vis third parties regarding the processing of personal data unless the Data Controller has explicitly consented to this.

9. Confidentiality

The Data Processor and its employees and sub-consultants are bound by confidentiality for all personal data processed unless otherwise agreed in writing with the Data Controller. Confidentiality does not apply to the data subject or to information that is generally known.

10. Intellectual Property Rights

All intellectual property rights to the personal data are held by the Data Controller or the data subject. The Data Processor receives a non-exclusive right to use the personal data and any intellectual property rights linked to them solely for the fulfillment of its obligations under the Agreement.

11. Liability

If a data subject or other third party makes claims against the Data Controller due to the Data Processor's processing of personal data, the Data Processor shall indemnify the Data Controller for claims resulting from the Data Processor's failure to comply with this agreement.

If a data subject or other third party makes claims against the Data Processor due to the Data Controller's instruction regarding the processing of personal data, the Data Controller shall indemnify the Data Processor for claims, unless the Data Processor should have informed the Data Controller that the processing violates applicable rules for data protection in connection with personal data processing.

Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are jointly responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject. However, where they are joined in the same judicial proceeding in accordance with Member State law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that the data subject who has suffered damage is ensured full and effective compensation. Any controller or processor who has paid full compensation may subsequently initiate proceedings to recover from other controllers or processors involved in the same processing.

12. Deletion

After the termination of the Agreement, the Data Processor shall delete all personal data processed for the Data Controller unless an earlier date is agreed upon or if the Data Processor was obliged to do so at an earlier date due to applicable regulations. In connection with the termination of the Agreement, the Data Processor is obliged to return processed data to the Data Controller.

13. Amendments and Additions

Amendments or additions to this agreement shall, to be valid, be in writing and signed by both parties.

14. Agreement Period and Termination

This agreement enters into force when both parties have entered into the Agreement in accordance with the procedure stated in the General Terms and Conditions. The parties agree, considering that it is a SaaS service, that the agreements do not need to be signed to be valid but are valid from when the customer has a) registered or b) gained access to the services, whichever occurs first, in accordance with the Agreement. This agreement ceases to be valid when the Agreement ceases to be valid. However, paragraph 9 shall continue to apply for one year after the agreement has ceased.