We protect your personal data
It is important for us at ICA Gruppen AB (“ICA” or “we”) that you feel confident about how we process your personal data. We are therefore open about how we collect, process and share the information about you that we have stored. We never sell your personal data to other companies.
Personal data is all information that can be used to identify a natural person. Examples include basic information about you, such as your name and contact information, but also your clicking history.
We make sure your personal data is always protected and that our processing is in compliance with applicable data protection rules as well as with internal guidelines and routines. We have also appointed a Data Protection Officer who ensures our compliance with these rules.
On these pages we describe how and why we process your personal data, and what your rights are in this regard. For processing conducted by other ICA companies in ICA Gruppen, such as in connection with you as an ICA card customer, please visit www.ica.se/dataskydd or contact the other companies.
The ICA Idea is based on independent retailers working in cooperation. The individual ICA retailers own and operate their own ICA stores, but they also cooperate with other ICA companies. ICA thus consists of independent ICA stores as well as ICA companies in ICA Gruppen. If you have a relationship with any of these companies, then they need to process your personal data. For further information, please visit the respective ICA companies’ websites.
ICA Gruppen consists of, for instance, the following ICA companies, which may process your personal data:
• ICA Gruppen, which is the parent company
• ICA Sweden, which conducts grocery retail business
• ICA Bank, which offers financial services
• ICA Insurance, which offers insurance
• Apotek Hjärtat, which conducts pharmacy business
• Minutkliniken, which operates health clinics adjacent to ICA stores and/or Apotek Hjärtat pharmacies
• ICA Maxi Special, which conducts retailing in household and leisure items (non-food)
We always strive to process your personal data within the EEA. When your data is processed outside the EEA (in a so called third country) e.g. by one of our service providers we always ensure that there are sufficient technical and organizational safeguards in place, in order to ensure that the recipients process the data in a secure way. Below is a list of our main third country transfers, where we list why we transfer the personal data, which category of recipients, which transfer mechanism the transfer has and to which country the transfer takes place.
For IT- and other support, ICA may use vendors accessing personal data from countries outside the EU/EEA. ICA uses vendors that are based in a variety of countries outside the EU/EEA and transfers depends on the time of the day (follow-the-sun). Hence such countries are not listed in the table below. In all such cases we monitor and strictly limit the personal data accessed to the specific support case.
When ICA transfers your personal data to a country outside the EU/EEA, we use either the standard contractual clauses or an adequacy decision as a transfer mechanism, and in rare cases a processor of ICA may transfer the personal data to a sub-processor outside the EU/EEA with Binding Corporate Rules as a transfer mechanism. Countries with an adequacy decision can be found here and the standard contractual clauses issued by the European Commission can be found here.
For more detailed information, please contact our Data Protection Officer.
Why are we transferring
|
Category of recipient |
Transfer mechanism |
Transfer country |
| Operate, manage, support (including incidents) and develop |
Platform and cloud service providers, network surveillance and monitoring security providers and IT consultants |
Standard contractual clauses and supplementary security measures |
USA and India |
| Protect ICA's infrastructure | Platform and cloud service providers, network surveillance and monitoring security providers and IT consultants |
Standard contractual clauses and supplementary security measures, Adequacy decision |
USA, India and Japan |
| Manage identities and permissions |
Platform and cloud service providers, network surveillance and monitoring security providers and IT consultants |
Standard contractual clauses and supplementary security measures |
USA and India |
| Electronic signing of agreements and documents |
Provider of e-signature solutions | Standard contractual clauses and supplementary security measures |
USA |
| Recruitment process | Provider of recruitment platform - SaaS service, including support and development |
Standard contractual clauses and supplementary security measures |
USA |
| Administrative HR services | Provider of services to administer HR processes within the framework of employment/assignment |
Standard contractual clauses and supplementary security measures |
USA |
| Learning tools | Supplier of SaaS services in learning including support | Standard contractual clauses and supplementary security measures |
USA and Ukraine |
| Analysis Services | Supplier of analysis platform – SaaS service | Standard contractual clauses and supplementary security measures |
USA |
Certain ICA companies have a joint responsibility for ensuring that your personal data is processed in a secure and correct manner. These ICA companies have therefore entered into arrangements with each other to protect personal data. The information provided by the pertinent ICA companies on the handing of personal data states whether a joint responsibility exists and who is the contact point for questions.
We may need to update this information, such as if we were to process your personal data for a new purpose, collect additional information, or share your personal data with other recipients than those indicated here. In such case you will be notified about the updated information, where the changes will be highlighted. The most recent version of this information is always posted here on icagruppen.se.
