Privacy policy

Nynas AB (publ) (“Nynas”) is committed to protecting the privacy and security of personal data in compliance with the General Data Protection Regulation (GDPR) and Swedish data protection law (Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning). This Privacy Policy explains how we collect, process, store, and protect personal data in relation to employees, partners, contractors, and other individuals with whom we interact.

At Nynas, we respect the confidentiality and integrity of personal data and ensure that it is processed in a lawful, transparent, and secure manner. We will only process personal data for legitimate, specified purposes and in accordance with applicable data protection laws.

Data Controller

The data controller is Nynas AB (publ) (“Nynas”), and/or the local Nynas entity with whom you have a relationship. Nynas AB (publ) operates the website www.nynas.com and acts as the data controller for personal data collected through the website and related processes. Where personal data is processed by a local Nynas subsidiary, that subsidiary is responsible for processing in connection with local operations.

Nynas has appointed a dedicated Privacy Lead to oversee data protection matters. You can contact the Privacy Lead at privacy@nynas.com. Under GDPR, Nynas is not legally required to appoint a Data Protection Officer (Article 37).

Nynas AB (publ), company reg. no. 556029-2509, with the address Kabyssgatan 4D, 12030 Stockholm.

Nynas corporate structure with subsidiaries is described in Nynas’s annual report, which you can find on Nynas Annual Reports.

Purposes for Processing Personal Data

Nynas processes personal data for a variety of purposes. The main categories of personal data we process, and the purposes for which they are used, are described below.

We process personal data about employees, external consultants, business partners, and other individuals who interact with Nynas. This includes, but is not limited to, contact details, contract management, communications, recruitment, and other necessary business activities.

Personal data will only be processed when necessary for:

The legitimate interests of Nynas (e.g., managing business relationships, complying with our Code of Conduct),
The performance of a contract that Nynas is party to (e.g., employment contracts, service agreements),
Compliance with legal obligations (e.g., tax laws, anti-money laundering regulations),
or when you have provided explicit consent (e.g., for receiving marketing communications or subscribing to newsletters). You have the right to withdraw your consent at any time.

Procurement, Sales and Business Relationships

We process personal data necessary for the performance of a contract, such as contracts with customers, suppliers, contractors, and service providers. This data may include contact details, customer information, information regarding the business relationship, human resources data, and contractual information. The legal basis for processing is:

The performance of a contract, or steps prior to entering into a contract,
Nynas's legitimate interest in managing these relationships effectively and in compliance with Nynas’ Code of Conduct
Necessity to comply with legal obligations under relevant laws including anti-money laundering laws and trade compliance and sanctions laws and regulations.

Nynas’ whistleblower system

Nynas has established a Whistleblowing system for employees, contractors, and other third parties to report suspected violations of laws or the Nynas Code of Conduct. The processing may include a wide range of personal data, including special categories of data (e.g., sensitive data related to health or criminal offenses). The legal basis for processing is:

Necessity to ensure compliance with legal obligations on whistleblowing, and
Nynas's legitimate interest in ensuring that business is conducted in line with Nynas’ Code of Conduct.

Sanctions Compliance Screening

Nynas conducts screening of third parties to comply with national and international sanctions regulations, anti-money laundering laws, and other relevant compliance measures. Personal data processed in this context may include contact details, job titles, and screening results. The legal basis for processing is:

Nynas's legitimate interest to ensure regulatory compliance and risk management,
Nynas's legitimate interest in ensuring that business is conducted in line with Nynas’ Code of Conduct, and
Necessity to comply with legal obligations under relevant laws including anti-money laundering laws and trade compliance and sanctions laws and regulations

Communication Activities

Nynas may engage in various communication activities, both internally and externally, to keep stakeholders informed, conduct surveys, distribute newsletters, and manage interactions on social media. Personal data processed may include contact information and communication preferences. The legal basis for processing is:

Nynas's legitimate interest in maintaining business relationships and providing relevant information,
Consent, e.g. where you have subscribed to a newsletter, updates etc.
The performance of a contract.

Recruitment and Onboarding

Nynas processes personal data for recruitment and onboarding activities. This includes contact details, CVs, interview records, and any other recruitment-related data. The legal basis for processing is:

The performance of a contract, or steps prior to entering into a contract, or
Your consent when you have provided information.

Security and Emergency Management

Nynas processes personal data to ensure security in the workplace and production, and compliance with laws and regulations such as the Swedish Protective Security Act (‘Säkerhetsskyddslagen’), including monitoring premises and access to premises (e.g., CCTV, visitor logs) and managing emergency situations. Personal data processed may include contact information, identification, your image, and emergency contact details. The legal basis for processing is the necessity of ensuring safety and compliance with legal obligations.

The legal basis for processing is compliance with legal obligations (GDPR Article 6(1)(c)) and Nynas’s legitimate interest in ensuring safety and security (GDPR Article 6(1)(f)). Video footage and related data are stored only for a limited period in accordance with internal protocols, and access is restricted to authorized personnel. Individuals have the right to exercise their GDPR rights, including the right of access and the right to object.

Information from third parties

Nynas may, to the extent permissible by law, collect and process information gathered from third parties, such as databases and screening tools, lists including sanctions, ultimate beneficial ownership, politically exposed persons status, and databases maintained by authorities including sanctions lists, ultimate beneficial ownership.

Categories of Personal

The personal data Nynas may collect and process include the following categories:

Contact Information: Names, addresses, phone numbers, email addresses, and job titles.
Recruitment Information: Applications, CVs, references, assessments, and background checks.
Human Resources Data: Work experience, dates of birth, identification documentation, bank account details, salaries, job titles, and union membership.
Communication Data: Marketing preferences, event participation details, feedback from surveys, and social media interactions.

Personal data may be collected through direct interactions, third-party providers, publicly available sources, or data provided by you.

Data Transfers outside of the EU/EEA

Nynas may transfer personal data to other companies within the Nynas Group, or to service providers located outside the EU/EEA. Such transfers will ensure compliance with GDPR and Swedish data protection laws. These transfers may include countries without an EU adequacy decision. In such cases, we implement appropriate safeguards, such as Standard Contractual Clauses (SCCs), to ensure your data is protected in accordance with GDPR and Swedish data protection laws.

Your Rights as a Data Subject

You have the following rights regarding your personal data:

Right to access: You can request a copy of the personal data we hold about you.
Right to rectification: You can request corrections to any inaccurate or incomplete data.
Right to erasure: You can request the deletion of your personal data under certain circumstances.
Right to restriction of processing: You can request a limitation on how your data is used.
Right to object: You can object to the processing of your personal data in certain situations, including direct marketing or profiling.
Right to data portability: You can request to receive your personal data in a structured, commonly used, and machine-readable format.
Right to withdraw consent: If you have provided consent for the processing of your personal data, you have the right to withdraw that consent at any time.

If you believe that Nynas is processing your personal data incorrectly, you can contact us at privacy@nynas.com and we will do our utmost to respond to your request in accordance with GDPR Article 12(3), which requires a response within one month.

The Swedish Authority for Privacy Protection (IMY) is responsible for the application of the legislation. You can find more information about your rights and you have the right to lodge a complaint with the Swedish Data Protection Authority (Integritetsskyddsmyndigheten) at https://www.imy.se.

Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal obligations. If significant changes are made, we will provide notice on our website. Please review this policy periodically to stay informed about how we are protecting your personal data.

Links to External Websites Our website may contain links to third-party websites. We are not responsible for the privacy practices or the content of those websites. We encourage you to review the privacy policies of any third-party websites before providing them with any personal data.

Last updated: 2025-12-16