Data protection policy

Background
The General Data Protection Regulation (GDPR) is a new EU regulation. The regulation will apply from 25 May 2018.

The regulation is binding in all EU member states and aims to strengthen citizens’ fundamental rights in the digital age by giving them the right to control the use of their personal data. The regulation includes rules about your rights to information and access to personal data, rules on correction of incorrect personal data, and the ability, in certain cases, to limit the processing of personal data.

Lannebo has a data protection policy that is updated as a result of GDPR. Below we describe the main features of our policy.

Principles relating to processing of personal data
Lannebo’s operations consist of fund management and discretionary portfolio management. We will only process personal data to the extent that it is a natural part of performing this business.

Lannebo is the controller of personal data and protects your individual rights and personal data.

We process personal data in a lawful, fair and transparent manner. The requirement that the processing of personal data should be lawful means, inter alia, that there must be a legal basis for each processing. Personal data should be treated in a transparent manner, which includes that it is clear how personal data are collected and otherwise processed.

Personal data should only be collected for specified, explicit and legitimate purposes. This means that we will have determined the purpose before the collection of personal data begins. Personal data may not be further processed in a manner that is incompatible with those purposes.

We follow the principle of data minimization, which means that personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. In other words, we do not collect personal data for indefinite future needs. Also, collected personal data may not be processed if, for example, they are so old that they are no longer relevant to the original purposes.

Personal data should be accurate and kept up to date. We take every reasonable step to ensure that personal data that are inaccurate are erased or rectified without delay.

We follow the principle of storage limitation, meaning that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. When personal data are no longer needed for those purposes, they should be erased or de-identified.

Personal data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

We are responsible for, and shall be able to demonstrate, compliance with the above-mentioned principles. For our part this is primarily done through this policy as well as the actions taken on the basis of the policy.

Categories of personal data and collection of personal data
Processing of personal data shall mainly concern clients and potential clients, including representatives and beneficial owners, and representatives of companies and organizations with whom we have or may have a business relationship, and government agencies.

The personal data we process can be divided into the following categories:

Identification data: e.g. personal identity number and name
Contact information: for example, phone numbers and addresses
Financial data: such as information on transactions
Information required by law: e.g. TIN, information required for customer due diligence and anti-money laundering measures
Specific categories of personal data: for example, certain information about employees

Personal data should, as a starting point, be collected directly from you or generated by your activities with us. If you are a new client, for example, we ask you for personal data such as name, personal identity number, e-mail address and telephone number. If you send an e-mail to us, it may contain personal data, which we then process.

However, information is sometimes also collected from a third party. For example, information may need to be collected to keep records up to date or to check the information we collected from the data subject. These third parties may include public or other externally available sources in the form of registers held by authorities (such as SPAR), sanctions lists (EU and UN) and other commercial information providers, for example, about beneficial owners and politically exposed persons. In connection with payments we collect information from banks.

Purpose and legal basis for the processing of personal data
We will use your personal data to comply with legal obligations and for the performance of the contract with you, as well as to provide you with information, offers and other services.

The legal basis for our processing of personal data is as follows.

Processing is necessary for the performance of a contract to which you are party or in order to take steps at the request of you prior to entering into a cont
Processing is necessary for compliance with a legal obligation to which we are subject.
Processing is necessary for the purpose of legitimate interests pursued by us. This is done in connection with marketing and product and customer analyses. The purpose of this processing is marketing and business development. We do this to improve our product range and our offers. We believe that both you and Lannebo have an interest in the use of personal data in this way.
It may happen that we ask for your consent to process your personal data. For example, this may be the case at customer meetings or if you choose to subscribe to information from us. If you have consented to the processing of your personal data, you can always withdraw the consent.

Further processing of personal data
If we intend to further process the personal data for a purpose other than that for which the personal data were collected, we will provide you with information about this other purpose and further relevant information before this further processing.

Automated individual decision-making
We do not apply automated individual decision-making.

Recipient of data
We may share your personal data with others, such as public authorities, suppliers, and business partners. Before sharing such data, we always ensure that the confidentiality obligations applicable to the financial sector are complied with. When we perform services and tasks under a contract, we sometimes need to provide information about you. For example, if you have asked us to transfer your fund savings, we must provide certain information about you in order to perform that transfer.

Personal data processors are those who process personal information on our behalf. The processors we employ should be able to provide sufficient guarantees that the processing meets the requirements of applicable law and ensures that the rights of the data subjects are protected. We will enter into a binding contract with all data processors. A data processor and its staff may only process personal data on documented instructions from us. The processor shall not engage another processor without prior written authorization of Lannebo.

Transfer of personal data to third countries
We do not transfer your personal data to any third country.

Your rights
As a data subject you have rights in respect of the personal data we process.

You have the right to access the personal data we have about you. However, your right to access may be limited by, inter alia, applicable law.
If personal data are inaccurate or incomplete you have the right to rectification with the restrictions stipulated in applicable law or other regulations.
You may, under certain conditions, request that your personal data be erased. As a result of the legislation in the financial sector, we are in many cases obliged to keep personal data about you during the time you are a client of ours, and also thereafter, for example, to fulfill a legal obligation or to handle legal claims.
You may in certain cases require restriction of the processing of personal data.
You can always object to the processing of personal data that takes place after a balancing of legitimate interests.
You are entitled to receive personal data that you have provided to us in a machine-readable format. This applies only to personal data processed automatically on the basis of your consent or in order to fulfill a contract. If it is safe and technically possible, we can also transfer personal data to another person responsible for personal data.

If you wish to exercise your rights, please contact us in writing (dpo@lannebo.se or Lannebo Fonder AB, Box 7854 103 99 Stockholm).

Your request to exercise the rights above is assessed case by case, in light of the prevailing circumstances and the restrictions stipulated by law or other regulations.

Right to withdraw your consent
If the processing of your personal data is based on your given consent, you have the right to withdraw the consent at any time.

Storage
We keep your personal data only as long as it is necessary for the purposes for which the personal data were collected and as required by laws, regulations and governmental decisions. This means that we save your data as long as it is necessary to fulfill an agreement and as long as required by applicable minimum requirements for storage times in laws and regulations. In cases where we retain your information for a purpose other than fulfilling an agreement, such as for the purpose of combating money laundering or accounting, we retain the information only if it is necessary and/or required for the purpose in question, as stated by the respective law, other regulation or decision by an authority.

Security
Keeping your personal data safe and secure is important to us. We have taken appropriate technical, organizational and administrative security measures to protect the data we keep against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Data protection impact assessment
We carry out a data protection impact assessment where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.

Data breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

In the case of a personal data breach, we will without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to Datainspektionen, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to Datainspektionen is not made within 72 hours, it shall be accompanied by reasons for the delay.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the personal data breach to the data subject without undue delay.

Records of processing activities
Lannebo maintains a record of processing activities. The GDPR explicitly states what information the records should include, such as the purposes of the processing, a description of the categories of data subjects and the categories of personal data, possible external recipients of personal data, and whether data is transferred to third countries.

Statutory or contractual requirement to provide personal data
The personal data collected from you are in many cases data required by law, and/or data that are contractual requirements and/or necessary for entering into an agreement. This means that we may be prevented from entering into an agreement with you if data is not provided.

E-mails
GDPR and this policy also apply to e-mails containing personal data. E-mail often leads to the processing of personal data. The e-mail address itself usually contains personal data, and all other information in the message that can be linked to an identified or identifiable natural person is also personal data.

This means that we must have a legal basis that allows the processing of personal data. For example, the processing may be needed to conclude a contract or fulfill a legal obligation. The processing of incoming e-mails is usually necessary for legitimate interests. How long an e-mail can be kept depends on its content.

The following principles shall apply especially to Lannebo Fonder emails:

1. Personal data shall not be sent by e-mail unnecessarily.
2. Personal data should only be sent to those who need the information for their work.
3. Sensitive personal data or other extraordinary personal data shall, provided they must be sent by e-mail, not be sent in insecure e-mails.
4. Based on the content of an e-mail, it should be decided whether and, if so, for how long it may be kept. If the e-mail should not be kept, it should be erased.
5. E-mail with personal data should not be kept “because it may be good to have”.
6. Personal data in e-mails shall be transferred to other systems if the inbox is not appropriate for the continued processing of the data.
7. Appropriate procedures for the deletion of old emails should be put in place.
8. Appropriate information should be provided to external persons who have contact with Lannebo about how Lannebo processes personal data.

How changes are made to the data protection policy
We are constantly trying to improve and develop, and therefore the content of this policy can change over time. We review the policy at least once a year. If the changes are significant, we will communicate this in a clear way. Please read the policy occasionally to keep yourself informed of any changes.

Data protection officer
Lannebo has designated a data protection officer that you may contact by e-mail (dpo@lannebo.se) or by letter (Lannebo Fonder AB, Att. DPO, Box 7854 103 99 Stockholm).

Right to lodge a complaint with Datainspektionen
You have the right to lodge a complaint or contact Datainspektionen at any time.