1. Introduction
This policy (the “Policy”) on protection of personal information shall apply to Rud Pedersen Public Affairs Company AB (“Company”) and its subsidiary legal entities (“Subsidiaries”) in the Rud Pedersen Group (“RPG”). The Policy shall also be applicable to any new legal entities/brands in RPG in the future.

The Policy has been prepared and implemented to meet the requirements of Article 14(5)(b) in the General Data Protection Regulation (EU) 2016/679.

In the event of conflict between the Policy and any policies and procedures implemented by Subsidiaries at the national level, the Policy shall prevail, always subject to statutory rules and limitations.

The Policy shall be reviewed annually by Company Board and confirmed or updated at Company’s annual general assembly.

2. RPG scope of services
RPG is concerned with consultancy and advisory activities within public affairs, media relations, communications, recruitment, executive training and other business advisory matters, under different brand names. At the time of adoption of this Policy, RPG consists of legal entities in 16 European countries.

In the course of business, it is the desire and ambition of RPG to work with a broad range of companies, organisations, public authorities and government decision makers. With due respect to its values and goals, RPG will guide and assist clients to navigate in society, monitor and influence political and administrative processes, design and implement outreach strategies, contribute constructively to dialogue and decision-making and build networks and organisations to meet current and future demands.

3. Processing of Personal Information
RPG collects and uses personal information for the purpose of uncovering political processes and decision-making, and for planning and executing outreach and dialogue activities with stakeholders among politicians, civil servants, media, organisations, corporations and society in general.

RPG will process the following information:
• Name and other publicly available information, e.g. occupation, contact information, extracurricular activity when public;
• political history, e.g political memberships, publications, political priority areas, contribution to debates, opinions shared; and
• process and influence, e.g. an organisation’s or person’s role in specific political processes, including the influence on such processes.

4. Purpose of Processing
The purpose of processing of personal information is for RPG to be able to inform clients about the business and political options and context of a given topic or issue at a given point in time, and to assist with specific outreach activities.

The ability to prepare and deliver a comprehensive and unique professional service to clients depends on RPG’s understanding of decision-makers and other stakeholders in the political landscape, and on RPG’s ability to prepare and execute timely outreach activities and dialogue on that basis.

RPG’s service to the clients is delivered with focus on the business aspects of a topic or issue. Any personal information will be presented neutrally, and focus of attention will be on political and economic processes and aspects. Privat information of any individual will never be in focus, attention is on information relevant at a professional political level.

In consequence, RPG will only process information from:
• The registered entities and persons themselves, e.g. from social media and media statements;
• commonly recognized public media, e.g. newspapers, news media, open websites and political programs.
• Information gathered through the RPG network of contacts, including dialogue with stakeholders among politicians, civil servants, media, organisations, corporations and society in general.

All employees in RPG have been instructed to solely collect and process personal information which is correct and necessary to fulfil the described professional purpose.

5. Legal Grounds of Processing
RPG processes personal information in accordance with its legitimate interest in carrying out work assignments involving analyses and information regarding business and political processes. RPG will conduct its business on conditions which do not conflict with the reasonable interests of any person’s right of data protection and privacy, cf. Article 6(1)(f) in the EU General Data Protection Regulation. RPG will process special categories of information with respect to Article 9(2)(e) and (g).

6. Transfer of Personal Information
RPG entities will share personal information with other RPG entities in the EU as part of delivering cross border services.

Where required for business purposes, RPG will transfer personal information to entrusted data processor who perform services, including cloud services, or other IT infrastructure service providers. RPG data processors are subject to the same security requirements as RPG, with no independent right to use RPG data. All RPG data processors are established in the EU/EEA.

RPG will forward personal information to clients. RPG clients are responsible for their own use of data, and RPG will not disclose client information.

RPG will not transfer, share or forward personal information in any other way than specified above.

7. Security Measures
RPG has implemented a number of technical and organisational measures to ensure the proper protection of data against unauthorized access, including a fine mesh of control of employee access to data.

RPG security measures are subject to continuous updating and include the following:
• Centralized user database for computers, mail accounts and wireless network
• Password protection, including use of complex passwords and periodic change
of passwords
• Encryption of computers, file sharing services and cloud traffic
• Firewall, anti-virus, anti-malware and filtration of data traffic
• Backup
• Automatic security updates
• Separate guest network

All data is stored on servers within the EU/EEA

8. Deletion
RPG will keep personal information as long as required to meet the purpose of the storing or processing. The storage time depends on the character of the work assignment and the stakeholders’ individual position and influence over time. RPG will not automatically delete information at a specific date or time.

RPG professional advice and use of information depend on pertinent and updated data, and standalone and/or historical analyses are not kept more than 7 years back in time.

9. Rights of Information
A person is always entitled to inquire with RPG (contact [email protected]) about personal information kept or processed by RPG. In such case, the relevant Subsidiary will confirm or deny whether personal information is kept or processed. RPG will not provide a copy of any such information, as our analyses and stakeholder mapping are key to our business performance and considered business confidential information.

If a person becomes familiar with any error in RPG data or presentations, RPG will welcome notification (contact [email protected]) and take action to rectify or delete without undue delay any incorrect information.

Exception is taken by RPG for any storing or processing of data and information necessary for meeting statutory requirements or for defending RPG’s position in court or arbitration.

Complaints may always be filed with the Swedish Data Protection Agency.