
Privacy Policy for Telos Advisory

Effective Date: 2024-07-25
Last Updated: 2024-07-25

1. Our Commitment to Your Privacy

Telos Advisory AB provides specialized digital and compliance transformation consultancy services to the Swedish manufacturing industry, with a distinct focus on navigating the complexities of the Corporate Sustainability Reporting Directive (CSRD) and the Network and Information Systems Directive 2 (NIS2). Our business is built on a foundation of trust, expertise, and an unwavering commitment to the highest standards of regulatory compliance. This commitment extends profoundly to the protection of personal data and the respect for individual privacy.

This Privacy Policy outlines how we collect, use, store, share, and protect personal data in our capacity as a business. We view data protection not merely as a legal obligation but as a core tenet of our professional philosophy and a direct reflection of the services we provide to our clients. Our data processing activities are conducted in strict accordance with all applicable legal frameworks, including:

  • The General Data Protection Regulation (EU) 2016/679 (GDPR).
  • The Swedish Data Protection Act (Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning).
  • The Swedish Electronic Communications Act (Lagen om Elektronisk Kommunikation).

For a consultancy that advises on the intricacies of EU compliance, demonstrating our own meticulous adherence to these regulations is paramount. This policy is designed to be a transparent and comprehensive guide to our data protection practices, providing assurance to our clients, partners, and website visitors that their data is handled with the utmost care and professionalism. This document serves as a testament to our expertise and our principle of "practicing what we preach," establishing a high level of credibility with a sophisticated B2B clientele who rightfully expect their partners to be exemplars of compliance.

2. Understanding Our Role: Data Controller vs. Data Processor

Under the GDPR, organizations that process personal data are classified as either a "Data Controller" or a "Data Processor," with each role carrying distinct legal responsibilities. Given the nature of our business, Telos Advisory operates in both capacities. Understanding this distinction is crucial for our clients and partners. By dedicating a clear, upfront section to this topic, we aim to proactively address a key due diligence question, demonstrating a sophisticated understanding of our GDPR obligations and fostering trust from the outset.

2.1. Telos Advisory as a Data Controller

Telos Advisory acts as a Data Controller when we determine the "purposes and means" of processing personal data for our own business operations. This means we make the decisions about why and how personal data is processed. We are the Data Controller for personal data relating to:

  • Website Visitors: When you browse our website, we process data about your interaction with our site.
  • Business Contacts: When you contact us through forms, email, or at events, we process the information you provide to manage our business relationships.
  • Clients and Suppliers: We process professional contact and billing information to manage our contracts and commercial relationships.
  • Marketing Activities: We process contact information to communicate with individuals who may be interested in our services.

In all instances where we act as a Data Controller, we are directly responsible for ensuring that the processing of personal data complies with the GDPR and other applicable laws. We bear the primary responsibility for upholding the rights of the data subjects involved.

2.2. Telos Advisory as a Data Processor

Telos Advisory acts as a Data Processor when we process personal data on behalf of our clients as part of delivering our contracted consultancy services. In this capacity, our client is the Data Controller, and we are their service provider. Our role as a Data Processor is defined by the following principles:

  • Acting on Instruction: We process personal data only on the documented instructions of our client, the Data Controller.
  • Client as Decision-Maker: The client determines the purposes and means of the processing; we execute the processing as directed.
  • Contractual Governance: Our relationship as a Data Processor is always governed by a legally binding Data Processing Agreement (DPA). This contract is meticulously drafted to comply with all requirements of GDPR Article 28, which sets out the mandatory clauses governing the relationship between controllers and processors.

Examples of when we act as a Data Processor include engagements where we conduct a CSRD readiness assessment that involves reviewing employee data, or a NIS2 gap analysis that requires access to system logs containing user information. A sophisticated client, such as a Chief Information Security Officer, will immediately look for clarity on how a vendor understands and manages this critical role. Our explicit commitment to formal DPAs provides this clarity, signaling that we are legally savvy and prepared for a professional contracting process, which accelerates the sales cycle and builds client confidence.

3. The Personal Data We Process

This section provides a transparent and granular breakdown of the types of personal data we process, categorized by the context of the interaction. We are committed to the principle of data minimization, meaning we only collect and process data that is adequate, relevant, and limited to what is necessary for the specified purpose.

3.1. When You Visit Our Website

When you navigate our website, we may automatically collect certain information about your device and browsing activity. This data is primarily used to ensure the security of our website and to analyze traffic to improve user experience. This data includes:

  • Technical Information: Your IP address, browser type and version, operating system, and device type.
  • Usage Information: The referral source, your navigation paths through our website, page views, length of visit, and timing of your visit.
  • Cookie Data: Information collected via cookies and similar technologies. We only use non-essential cookies with your explicit consent. For a complete overview, please refer to our detailed Cookie Policy.

3.2. When You Interact With Us

When you voluntarily engage with us, for example by filling out a contact form, sending an email, registering for a webinar, or speaking with us at an event, we collect the personal data you choose to provide. This typically includes:

  • Professional Identity Data: Your full name, job title, and the name of your organization.
  • Contact Data: Your work email address and business phone number.
  • Inquiry Data: The content of your message or inquiry, and any other information you provide in relation to your request for information about our services.

3.3. When You Are Our Client

To establish and manage a client relationship, we process data necessary for the performance of our contract and for legitimate business administration. This includes:

  • Professional Contact Data: Names, job titles, email addresses, and phone numbers of the personnel within your organization who are involved in the project for communication, project management, and support purposes.
  • Financial and Transactional Data: Billing information, payment details, and contract information, which may include professional contact details.

3.4. When We Act as a Data Processor

When delivering our consultancy services, we may be required to process personal data that is under the control of our client. The specific categories of personal data and the types of data subjects involved are determined entirely by our client (the Data Controller) and are formally documented in the DPA for each specific engagement.

This is a critical risk management distinction. Our consultancy services might expose us to sensitive client data, such as employee information for a social audit under CSRD or system logs containing user IDs for a NIS2 assessment. Our Privacy Policy, which governs our role as a Controller, must be explicit that for client engagements, the scope of data processing is strictly defined by the client in a separate, legally binding DPA. This clarifies that we do not make unilateral decisions about client data and reassures the client that their data will be handled within a controlled, contractually defined framework, reinforcing our professional and structured approach.

Depending on the scope of the engagement, this data could potentially include, but is not limited to:

  • Employee data.
  • Customer or supplier data.
  • User data from IT and OT (Operational Technology) systems.
  • Other categories of personal data relevant to the client's CSRD or NIS2 compliance obligations.

4. Purpose and Legal Basis for Processing

Under the GDPR, all processing of personal data must be justified by a valid legal basis as defined in Article 6. We are committed to ensuring that all our data processing activities are lawful, fair, and transparent. The following table provides a clear and structured overview of our processing activities as a Data Controller, the purposes of these activities, and the specific legal basis we rely upon for each.

This table format is a tool for demonstrating meticulous compliance. It goes beyond a simple narrative and provides a structured, auditable record of our data processing logic, reflecting the "Records of Processing Activities" (ROPA) required under GDPR Article 30. For a target audience that includes compliance officers, this transparent and easily verifiable format is the most effective way to communicate our robust internal data governance.

Processing Activity: Website Operation and Security
Categories of Personal Data Involved: IP Address, Browser Data, Device Information
Purpose of Processing: To operate, maintain, and secure our website, and to prevent fraudulent activity.
Legal Basis (GDPR Article 6): Art. 6(1)(f) - Legitimate Interest (to ensure the security and functionality of our online presence).

Processing Activity: Website Analytics
Categories of Personal Data Involved: Anonymized IP Address, Usage Information, Cookie Data
Purpose of Processing: To analyze website traffic and user behavior to improve our website's content, functionality, and user experience.
Legal Basis (GDPR Article 6): Art. 6(1)(a) - Consent (obtained via our cookie banner for non-essential analytics cookies).

Processing Activity: Responding to Business Inquiries
Categories of Personal Data Involved: Professional Identity Data, Contact Data, Inquiry Data
Purpose of Processing: To respond to your requests, provide information about our consultancy services, and initiate a potential business relationship.
Legal Basis (GDPR Article 6): Art. 6(1)(f) - Legitimate Interest (to engage with and respond to prospective business clients).

Processing Activity: Contractual Engagement
Categories of Personal Data Involved: Professional Contact Data, Financial and Transactional Data
Purpose of Processing: To prepare, negotiate, and execute a contract for services with your organization.
Legal Basis (GDPR Article 6): Art. 6(1)(b) - Necessary for taking steps at the request of the data subject prior to entering into a contract.

Processing Activity: Service Delivery and Client Management
Categories of Personal Data Involved: Professional Contact Data, Financial and Transactional Data
Purpose of Processing: To deliver the contracted consultancy services, manage the client relationship, provide support, and handle invoicing and payments.
Legal Basis (GDPR Article 6): Art. 6(1)(b) - Necessary for the performance of a contract to which the data subject's organization is a party.

Processing Activity: Marketing and Communications
Categories of Personal Data Involved: Professional Identity Data, Contact Data
Purpose of Processing: To send you relevant information about our services, industry insights, and events that we believe may be of interest to you as a business professional.
Legal Basis (GDPR Article 6): Art. 6(1)(f) - Legitimate Interest (to maintain client relationships and conduct B2B marketing). You have the right to opt-out at any time.

Processing Activity: Legal and Regulatory Compliance
Categories of Personal Data Involved: Any relevant data category
Purpose of Processing: To comply with our legal obligations, such as financial record-keeping under the Swedish Bookkeeping Act.
Legal Basis (GDPR Article 6): Art. 6(1)(c) - Necessary for compliance with a legal obligation.

5. Cookies and Tracking Technologies

Our website, www.telos-advisory.com, uses cookies and similar tracking technologies to enhance user experience, ensure site functionality, and gather analytics. We are fully committed to complying with the strict consent requirements of the Swedish Electronic Communications Act (ECA), which implements the EU's ePrivacy Directive.

A compliant cookie mechanism is a non-negotiable credibility test for a consultancy specializing in compliance. The Swedish regulator (PTS) actively enforces the ECA's rules, and any visitor to our website will immediately see our cookie banner. A non-compliant banner would instantly destroy the credibility of a firm promising to help with complex regulations like NIS2 and CSRD. Therefore, our approach reflects the strictest interpretation of the law.

Our use of cookies is governed by the following principles:

  • Strictly Necessary Cookies: Some cookies are essential for the basic functioning of our website. These do not require your consent and are used, for example, to maintain security and enable core site navigation.
  • Consent for All Other Cookies: For all other cookies, including those used for performance analytics, functional enhancements, or marketing purposes, we will not place them on your device without your explicit and active consent.
  • Granular and Informed Consent: Our cookie consent banner provides clear and transparent information about the purpose of each category of cookie. You have the option to accept all cookies, reject all non-essential cookies, or customize your preferences.
  • No Pre-Ticked Boxes: Consent requires an affirmative action from you. Therefore, checkboxes for non-essential cookies are never pre-ticked.
  • No Dark Patterns: We do not use manipulative design techniques ("dark patterns") such as confusing wording or visually biased buttons to nudge you into accepting cookies. The options to accept and reject are presented with equal clarity and prominence.
  • Easy Withdrawal of Consent: You can withdraw or change your consent at any time with the same ease with which you gave it. A persistent link or icon is available on our website to access your cookie settings.

For a detailed list of the cookies we use, their purpose, and their duration, please see our comprehensive Cookie Policy.

6. Data Sharing and Third-Party Disclosures

We do not sell your personal data. We only share personal data with third parties in limited, necessary circumstances, and always with appropriate safeguards in place.

6.1. Sub-processors (Our Service Providers)

We engage trusted third-party service providers to support our business operations. These providers act as our sub-processors and may have access to personal data for which we are the Controller. All our sub-processors are carefully vetted and are contractually bound by Data Processing Agreements that require them to protect personal data to the same high standards that we do. This approach is a direct reflection of the supply chain security principles central to the NIS2 directive; we apply the same rigor to our own operations that we recommend to our clients.

Categories of sub-processors we use include:

  • Cloud Hosting Providers: For our website and internal systems.
  • Customer Relationship Management (CRM) Platforms: To manage our business contacts and client relationships.
  • Communication and Collaboration Tools: For email and internal communications.
  • Accounting and Invoicing Software: For financial administration.

6.2. Professional Advisors

We may share personal data with our professional advisors, such as lawyers, accountants, auditors, and insurers, on a strictly need-to-know basis to obtain professional advice or manage legal and financial obligations.

6.3. Legal Obligations and Authorities

We may be required to disclose your personal data to comply with a legal obligation, a court order, or a binding request from a competent public authority, such as the Swedish Tax Agency (Skatteverket), the Swedish Police Authority (Polismyndigheten), or the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten).

6.4. As a Data Processor

When we act as a Data Processor on behalf of a client, we operate under a strict contractual framework. In accordance with GDPR Article 28, we will not engage any sub-processors to process our client's personal data without the prior specific or general written authorization of our client (the Data Controller). Any authorized sub-processors will be bound by the same data protection obligations as those set out in our DPA with the client.

7. International Data Transfers

In the course of our business, primarily through the use of global cloud service providers, it may be necessary to transfer personal data to countries outside the European Union (EU) and the European Economic Area (EEA). We are acutely aware of the legal complexities surrounding international data transfers, particularly to the United States, following the "Schrems II" court ruling and in light of US laws such as the CLOUD Act.

Many companies use vague language regarding this complex issue. Being specific and confident demonstrates a high level of expertise. A sophisticated client CISO will be acutely aware of this risk and will specifically probe any vendor on how they handle it. Our policy is therefore explicit and reflects current best practices.

Any transfer of personal data to a third country will only take place if appropriate safeguards are in place to ensure the data remains protected to a standard equivalent to that provided within the EU. The primary legal mechanism we rely upon for such transfers is the European Commission's Standard Contractual Clauses (SCCs).

In addition to implementing SCCs, we conduct a Transfer Impact Assessment (TIA) for each restricted transfer. This assessment evaluates the laws and practices of the recipient country to determine whether the SCCs can be complied with in practice. Where necessary, we implement supplementary technical and organizational measures to ensure an adequate level of data protection.

8. Our Commitment to Data Security

Protecting the confidentiality, integrity, and availability of personal data is a top priority for Telos Advisory. We have implemented a comprehensive set of technical and organizational measures (TOMs) designed to prevent unauthorized access, disclosure, alteration, or destruction of the data we process. This section is a direct reflection of the NIS2 services we sell; it is an exemplar of best practice. The security measures we describe are intentionally aligned with the principles of the NIS2 directive, demonstrating that security is not just a service we sell, but a principle we live by.

Our security measures include, but are not limited to:

  • Encryption: We use strong encryption protocols to protect data both in transit (e.g., Transport Layer Security - TLS) and at rest. This aligns with the NIS2 requirement to use cryptography and encryption where appropriate.
  • Access Control: Access to personal data is strictly controlled and limited to authorized personnel based on the principle of least privilege. We enforce strong password policies and other access control mechanisms.
  • Multi-Factor Authentication (MFA): We mandate the use of MFA for access to all critical systems and applications that process personal data, providing an essential layer of security against unauthorized access.
  • Vulnerability Management: We conduct regular security assessments and vulnerability scanning of our systems and promptly apply security patches to mitigate identified risks.
  • Incident Response: We have a documented incident response plan that outlines the procedures for detecting, responding to, and recovering from a security incident. This includes procedures for notifying relevant authorities and data subjects in the event of a personal data breach, as required by GDPR and NIS2.
  • Employee Training: All our personnel receive regular training on data protection principles, cybersecurity best practices, and their responsibilities for protecting personal data.
  • Data Minimization and Secure Disposal: We design our processes to minimize the personal data we handle and have secure procedures for the permanent deletion of data once it is no longer required.

9. Data Retention Periods

In accordance with the GDPR's storage limitation principle, we retain personal data only for as long as is necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Our retention periods are based on a careful assessment of our business needs and legal obligations.

9.1. Data Retained as a Controller

For data where we act as the Data Controller, our retention periods are as follows:

  • Client and Financial Records: In accordance with the Swedish Bookkeeping Act (Bokföringslagen 1999:1078), we are legally obligated to retain accounting records, including invoices and supporting documentation that may contain personal data, for a period of seven (7) years after the end of the calendar year in which the financial year concluded. Citing this specific Swedish law demonstrates diligent localization and a deep understanding of our legal obligations.
  • Business Contact and Inquiry Data: We retain personal data from prospective clients and business contacts for as long as we have a legitimate interest in doing so (e.g., an ongoing business relationship or dialogue). We periodically review this data and will securely delete it if a contact has been inactive for a defined period or upon request.
  • Website Analytics Data: Data collected for analytics purposes is typically anonymized or aggregated and is retained for a period necessary to conduct trend analysis, generally not exceeding 26 months.

9.2. Data Retained as a Processor

When we act as a Data Processor, we retain client data strictly in accordance with the client's instructions. The specific retention period is defined in the Data Processing Agreement for each engagement. Upon termination of the contract, we will, at the choice of the client, securely delete or return all personal data to the client and delete existing copies, unless Swedish or EU law requires its storage.

10. Your Data Protection Rights

Under the GDPR, you, as a data subject, have specific rights concerning your personal data. We are fully committed to upholding these rights. The clarity and accessibility of this section reflect the GDPR principle of transparency, showing respect for the individual and reinforcing our brand as a trustworthy partner.

You have the following rights:

  • The Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you and information about how we process it.
  • The Right to Rectification (Article 16): If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct it.
  • The Right to Erasure ('Right to be Forgotten') (Article 17): You have the right to request the deletion of your personal data, under certain conditions (e.g., if the data is no longer necessary for the purpose for which it was collected).
  • The Right to Restrict Processing (Article 18): You have the right to request that we restrict the processing of your personal data, under certain circumstances (e.g., while the accuracy of the data is being contested).
  • The Right to Data Portability (Article 20): Where our processing is based on your consent or on a contract, you have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • The Right to Object (Article 21): You have the right to object to the processing of your personal data where we are relying on legitimate interest as our legal basis. You also have an absolute right to object to your data being used for direct marketing purposes.
  • Rights related to Automated Decision-making (Article 22): We do not currently engage in any processing that results in automated decision-making that produces legal or similarly significant effects on individuals.

To exercise any of these rights, please contact us using the details provided in Section 11. We will respond to your request within one month, as required by the GDPR.

11. Contact and Supervisory Authority

11.1. How to Contact Us

Legal Entity: Telos Advisory AB
Corporate Registration Number (Organisationsnummer): 559483-3687
Registered Address: Parkgatan 3, 43450, Kungsbacka, Sweden
Email for Privacy Inquiries: privacy@telos-advisory.com

11.2. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe that our processing of your personal data infringes the GDPR. Providing these details is not just a legal requirement but a sign of our confidence in our own compliance processes.

Name: Integritetsskyddsmyndigheten (IMY) - The Swedish Authority for Privacy Protection
Address: Box 8114, 104 20 Stockholm, Sweden
Email: imy@imy.se
Website: www.imy.se

12. Updates to This Policy

The regulatory landscape for data protection and cybersecurity is dynamic. We will review and update this Privacy Policy periodically to reflect changes in our business operations, services, or applicable laws. The "Last Updated" date at the top of this policy will always indicate when the most recent changes were made. For significant updates, we may provide a more prominent notice on our website or notify you directly via email.

This commitment to keeping our policy current reflects the core of our business philosophy: compliance is not a one-time project but an ongoing process of vigilance and adaptation, a principle we apply to our own operations just as we advise our clients to do.