2023-04-11

Privacy Notice

Introduction

The purpose of this privacy policy is to provide information about how we, Thule Sweden AB, process your personal data in connection with the use of our website (https://www.thule.com) and the services we provide through this website. We respect your privacy and protect the personal data we process about you.

We protect children’s integrity. Therefore, we do not intentionally process personal data relating to children under the age of 18.

The following describes, among other things, how we collect, process and share your personal data.

Purpose and legal basis for the processing of your personal data

In the below you will find a description of the personal data we process about you, for which purposes we process your personal data and the legal bases we base our processing of personal data on.

  • When visiting our website
  • (i) What personal data is being processed and why?
  • When you visit our website, we can collect and/or store information about your visit by placing cookies. Cookies are small text files that a website or its service provider transfer to your computer's hard drive through your web browser. They enable us to recognize your browser and capture and remember certain information. 

    Personal data collected through cookies entail e.g. your Internet Protocol (IP) address, browser language, geographical location data, demographic information, date and time, information about webpages, weblinks, and any other information on our website accessed by you.

  • For processing of personal data collected through strictly necessary cookies, the purpose of such processing is to provide a functioning website.
  • For processing of personal data collected through performance cookies, the purpose of such processing is to develop our website and improve its functions.
  • For processing of personal data collected through functional cookies, the purpose of such processing is to improve usability and enable personal settings.
  • For processing of personal data collected through marketing cookies, the purpose of such processing is to provide you with relevant offers via other channels. The information may be used for customer segmentation for advertising and online advertisements to advertise relevant products to you.

  • (ii) What is the legal basis for the processing?
  • Our processing of personal data collected through strictly necessary cookies is based on our legitimate interest in providing you with a functioning website, as the basic website functions would not work properly without these cookies (Art. 6(1)(f) GDPR). If you want more information regarding how we made this assessment please contact us at privacy@thule.com.

    Our processing of personal data collected through performance, functional and marketing cookies is based on your consent (Art. 6(1)(a) GDPR).

    For more information about how we use cookies and similar technologies on our website please visit our Cookie Policy.

  • When you send us a request
  • (i) What personal data is being processed and why?
  • When you send us a request regarding e.g. your orders or purchased products, either via our contact form available through our support function or directly to one of our employees listed as contact persons on the website, we process the following personal data to be able to answer and fulfil your request: your e-mail address, name and telephone number if you choose to provide it, the country you come from, which category/contact reason the question concerns, a description of the topic and your question. We may use the information to contact you regarding your request by e-mail or telephone and to administer and handle your request.

  • (ii) What is the legal basis for the processing?
  • The processing of your personal data for this purpose is based on our legitimate interest to enable us to provide you with good service and to be able to answer your request (Art. 6(1)(f) GDPR). When you contact us with a request, it is also in your interest that we process your personal data in order to provide you with the information and service that you have requested. Furthermore, the personal data is necessary for us to be able to assist you and answer your request.

    In certain cases, the processing is also necessary to fulfil the agreement entered into with you (Art. 6(1)(b) GDPR), e.g. to handle cancellations of orders before delivery etc.

    If you want more information regarding how we made this assessment please contact us at privacy@thule.com.

  • When you buy a product online
  • (i) What personal data is being processed and why?
  • In order to administer your order, to be able to deliver the products you have purchased online and to be able to follow-up on your order and any potential issues or requests arising in connection thereto, we process your name, billing address, delivery address, e-mail address, telephone number, payment method and information about the products you have ordered.

    Personal data relating to your payment (including personal identity number, bank details and account information or information about other payment methods) is processed by our collaboration partner, who act as a separate controller for its processing of personal data. Please see the privacy policy of the collaboration partners that is available upon collection of your personal data for information about its processing of your personal data.

  • (ii) What is the legal basis for the processing?
  • The processing of your personal data for the purpose of fulfilling your order is necessary to fulfil the agreement we enter into with you (Art. 6(1)(b) GDPR). If you do not provide your personal data in connection with the purchase, we will not be able to administer your purchase or delivery in accordance with your order.

    The processing of your personal data for the purposes of being able to follow-up on your order and handle issues and requests is based on (i) our legitimate interest to provide you with good customer service and shopping experience (Art. 6(1)(f) GDPR), and (ii) in certain cases, depending on the type of request made, our obligation to fulfil the agreement entered into with you regarding the purchase (Art. 6(1)(b) GDPR)

    Personal data relating to your purchase is also stored based on our legal obligation to keep records according to applicable accounting legislation (Art. 6(1)(c) GDPR).

    If you want more information regarding our legitimate interest assessment please contact us at privacy@thule.com.

  • When registering or logging in to a user account
  • (i) What personal data is being processed and why?
  • In order for you to be able to register and use a user account, we process your e-mail address and your password, as well as your name, delivery address and telephone number if you choose to provide it.

  • (ii) What is the legal basis for the processing?
  • The processing of your personal data for this purpose is based on our legitimate interest to be able to provide you with a user account and the features that follow from you registering a user account (Art. 6(1)(f) GDPR), e.g. to be able to provide you with order history, order status, delivery information and quicker order checkout process. This is information that we provide to make your shopping experience better as Thule always strives to provide you with the best possible service.

    If you want more information regarding our legitimate interest assessment please contact us at privacy@thule.com.

  • When making a return
  • (i) What personal data is being processed and why?
  • When you make a return, we process your order number, information about purchased products, financial information relating to the purchase, your name, address, signature (if applicable) and your e-mail address to be able to administrate and follow-up on your request to return the product you purchased and to provide you with good customer service.

  • (ii) What is the legal basis for the processing?
  • The processing of your personal data for the purpose of fulfilling and administrating your request is necessary for us to be able to comply with applicable consumer law in the event that you exercise your right of withdrawal (Art. 6(1)(c) GDPR). Furthermore, we process your personal data based on our legitimate interest to keep records of the returns in order to be able to provide you with good customer service (Art. 6(1)(f) GDPR). Personal data relating to your purchase is also stored based on our legal obligation to keep records according to applicable accounting legislation (Art. 6(1)(c) GDPR).

    If you want more information regarding our legitimate interest assessment please contact us at privacy@thule.com.

  • When making a compensation claim
  • (i) What personal data is being processed and why?
  • When you make a compensation claim (including incident claims and warranty claims), we process your order number, information about purchased products, postal code for billing address, phone number and your e-mail address to be able to administrate and follow-up on your compensation claim relating to the product you purchased and provide you with good customer service. The name of your bank and your bank account number will be processed in order for us to administer and complete the compensation payment.

  • (ii) What is the legal basis for the processing?
  • The processing of your personal data for this purpose is necessary for us to be able to comply with applicable consumer law in the event that you exercise your right to compensation (Art. 6(1)(c) GDPR). The processing is also necessary to fulfil our obligations in the agreement we enter into with you that includes our own product guarantees through the “Thule Guarantee” and/or “Thule Extended Warranty” (Art. 6(1)(b) GDPR). Furthermore, we process your personal data based on our legitimate interest to keep records of compensation claims to be able to provide you with good customer service (Art. 6(1)(f) GDPR).

    If you want more information regarding our legitimate interest assessment please contact us at privacy@thule.com.

  • When making a product registration
  • (i) What personal data is being processed and why?
  • To provide you with some of our services, e.g. the ”Thule Extended Warranty” the product must be registered. For the product registration service we process your name, e-mail address, country, purchased products, date of purchase, as well as telephone number if you choose to provide it.

  • (ii) What is the legal basis for the processing?
  • The processing of your personal data for the purposes of making the product registration is based on our legitimate interest to provide the service and to simplify warranty matters (Art. 6(1)(f) GDPR). The processing conducted to be able to offer you “Thule Extended Warranty” is necessary in order for us to fulfil our obligations in the agreement entered into with you including our future warranty commitment in relation to you (Art. 6(1)(b) GDPR).

    If you want more information regarding our legitimate interest assessment please contact us at privacy@thule.com.

  • When we need to send product safety notices or conduct product recalls
  • (i) What personal data is being processed and why?
  • To be able to provide you with product safety notices and to notify you about product recalls, e.g. in the event of a defect product, we process your name, address, e-mail address, purchased products and telephone number. The processing is also carried out to document recalls and safety notices.

  • (ii) What is the legal basis for the processing?
  • The processing of your personal data for this purpose is based on that the processing is necessary for us in order to fulfil our obligations in accordance with applicable product safety and liability laws to prevent risks to your health and safety (Art. 6(1)(c) GDPR). Furthermore, we store records of sent product safety notices and products recalls based on our legitimate interest to exercise and defend legal claims (Art. 6(1)(f) GDPR).

    If you want more information regarding our legitimate interest assessment please contact us at privacy@thule.com.

  • When we send out-of-stock emails
  • (i) What personal data is being processed and why?
  • In order to provide you with out-of-stock emails requested by you, we process you email address, product information as well as date and time of the request.

  • (ii) What is the legal basis for the processing?
  • The processing of your personal data for this purpose is based on our legitimate interest to be able to provide you with the requested relevant stock information and the features that follow from your request (Art. 6(1)(b) GDPR).

  • When we send you marketing materials, and similar information
  • (i) What personal data is being processed and why?
  • In order to provide you with our marketing information such as newsletters and similar marketing communication and advertisement and abandoned cart emails, we process your name and e-mail address, language, country, product information, as well as date and time of consent.

  • (ii) What is the legal basis for the processing?
  • The processing of personal data for sending newsletters and similar marketing communication and advertisement and abandoned cart emails is based on your consent (Art. 6(1)(a) GDPR). You can always withdraw your consent with future effect by contacting us at the contact information provided in section 5 or by using the link to unsubscribe from further marketing e-mails provided in each marketing email we send you.

    If you want more information regarding our legitimate interest assessment please contact us at privacy@thule.com.

  • Verifying your identity for legal compliance and sanctions checks
  • (i) What personal data is being processed and why?
  • To ensure compliance with legal obligations, particularly with regard to international sanctions, we may carry out customer due diligence when there is a need to verify your identity. The purpose of the processing is to confirm your identity and to ascertain that you are not an individual subject to any international sanctions. This activity may involve processing of your date of birth and place of birth to crosscheck with applicable sanction lists.

  • (ii) What is the legal basis for the processing?
  • The processing of your personal data for customer due diligence is based in our legal obligation to comply with laws and regulations pertaining to international sanctions and anti-money laundering (Art. 6(1)(c) (GDPR). These laws require us to not engage in business with individuals who are subject to international sanctions.

3. Who has access to your personal data?

3.1 Sharing within the Thule Group

The number of people who have access to your personal data is limited. Only Thule employees who need to process your personal data in accordance with the purposes stated above have access to the personal data.

We share your personal data with companies within the Thule group if it is necessary to fulfil the purposes mentioned above, e.g. for engaging global consumer service and technical support. Such Thule companies might be located inside or outside of the EU/EEA. Please find information about the group companies that we share your personal data with here.

3.2 Sharing to third parties outside the Thule Group

We also share your personal data with suppliers and partners who perform services on our behalf or who in other ways co-operate with us. Such service provider may either act as an separate personal data controller (including e.g. our partners providing tax calculation, our payment service providers and third party cookie providers) or as a personal data processor (including e.g. our business system providers, our website host supplier, fraud protection services and our system development partners). Please find information about the partners that we share your personal data with here.

When service providers act as separate personal data controllers, you will be provided with their privacy notice containing information on their processing of your personal data in connection with their collection of your personal data. When service providers act as personal data processors, processing personal data on behalf of Thule, relevant data processor agreements are entered into.

If you would like to obtain more detailed information on who your data is shared with, please contact us at the contact information provided in section 5.

3.3 Sharing outside of the EU/EEA

Thule’s own processing of personal data by Thule entities within the EU/EEA primarily takes place within the EU/EEA, but for some services and support involve Thule entities outside the EU/EEA (third countries). Personal data may also be processed in a third country by some of our business partners and suppliers (section 3.2 above). Third countries may have a lower level of protection of personal data than the one offered within the EU/EEA. When your personal data is shared with countries outside the EU/EEA, we use standard contractual clauses that have been approved by the European Commission as well as supplementary measures necessary to ensure an adequate level of protection for your personal data. The standard contractual clauses are available via the following link: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

Furthermore, in certain cases we also rely on the European Commission’s adequacy decisions for international transfers of personal data, meaning that we may transfer personal data to countries outside the EU which have been deemed to have an adequate level of data protection. Please see information on the adequacy decisions here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

If you would like to obtain actual copies of our agreements, or further information as to which adequacy decision that applies for a certain transfer, or to detailed information regarding our third country transfers and where your data has been transferred, please contact us at the contact information provided in section 5.

For how long do we store your personal data?

Type of processing Time period or criterion for determining the storage period
For logged in users with Thule account:  Your data will be stored and processed until you decide to delete your user account, unless the personal data must be stored longer in accordance with applicable laws, including applicable accounting legislation. 
Personal data collected in connection with registration,  use of user account and placing orders or returns as logged in 
Guest checkout: 
Stored for a maximum period of three (3) years. Certain personal data relating to your purchase will be stored for as long as required according to applicable accounting legislation. 
Personal data collected in connection with placing orders or returns as a guest 
 
Personal data collected in connection with a consumer service request 
Deleted continuously taking into account the type of request in question. However, stored for a maximum period of three (3) years. 
Personal data collected through cookies in connection with usage of the website. For more information on how long we store cookies on our website please visit our Cookie Policy.
Personal data being processed in connection with a compensation claim Stored for a maximum period of three (3) years unless the personal data must be stored longer in accordance with applicable laws, including applicable book keeping legislation.
Personal data being processed in connection with a product registration During the period of the Thule Extended Warranty applicable to the product you have registered.
Personal data being processed in connection with product safety notices and product recalls Ten (10) years after we sent out the product safety notice or did the product recall.
Personal data used for sending out newsletters and similar marketing communications and advertisement Your data will be stored and processed until you decide to unsubscribe. If you, before signing up, have visited thule.com and accepted the use of marketing cookies, then data from previous visits can be connected to your account and you might receive communication and advertisement based on these previous visits 
Personal data used for sending out-of-stock emails Stored for a maximum period of three (3) months.
Personal data collected in connection with an initiated not completed purchase (abandoned cart) Stored for a period of 2 weeks.
Personal data processed for the fulfilment of legal obligations under relevant accounting legislation. Stored for a period of ten (10) years, unless a shorter period is required under local laws.

4. What are your rights?

Thule Sweden AB, reg. no. 556076-3970, address box 69, 330 33 Hillerstorp, Sweden, is the data controller of the processing of your personal data. However, in relation to the processing taking place when we send product safety notices or conduct product recalls, the data controller will be the Thule entity that is the legal manufacturer of the product you purchased. Yet, you may always contact Thule Sweden AB if you have any questions or concerns regarding the processing of your personal data. The data controllers are responsible for your personal data being processed correctly and in accordance with applicable laws. Read more about your rights below.

  • The right to access: You have the right to know which personal data we process about you, for what purposes the personal data is being processed and who we share your personal data with, etc. You also have the right to access the personal data and request a copy of the personal data being processed.
  • The right to rectification: If you notice that we have incorrect inaccurate or incomplete personal data about you, you can always request that we correct this personal data without undue delay. Additionally, taking into account the purposes for which we process your personal data, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  • The right to erasure: Subject to certain limitations, in the following cases, you may request that we delete your personal data;
  • (i) when the personal data are no longer necessary in relation to the purposes for which we collected or otherwise processed them;
  • (ii )when our processing is based on your consent and you withdraw such consent;
  • (iii) when you object to the processing and there are no overriding legitimate grounds for the processing, or you objects to the processing for direct marketing purposes;
  • (iv) we have processed your personal data unlawfully;
  • (v) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which Thule is subject;
  • Please note that deleting your personal data may result in us not being able to e.g. deliver not yet shipped orders or provide you with the services offered in connection with product registration.

  • The right of restriction: Under the following circumstances, you have the right to request that we limit out processing for a certain period of time:
  • (i) if you contest the accuracy of the personal data, we shall restrict our processing until we are able to verify the accuracy of the data;
  • (ii) if the processing is shown to be unlawful and you request restriction of our use of your personal data instead of erasure;
  • (iii) if we no longer need the personal data for the purposes of the processing as stated in this notice, but we are required by you to do so for the establishment, exercise or defence of legal claims; and
  • (iv) if you objected to our processing, for the time pending the verification whether the legitimate grounds of the controller override those of the data subject.
  • Where our processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed by us with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

    Please note that restricting your personal data may result in us not being able to e.g. deliver not yet shipped orders or provide you with the services offered in connection with product registration.

  • The right to object: You have the right to object to the processing we perform based on our legitimate interest (Art. 6(1)(f) GDPR). To the extent we process your personal data for direct marketing purposes, you also have the right to, at any time, object to such processing.
  • The right to data portability: In cases where we base our processing on your consent or on the fulfilment of an agreement, you have the right to receive your personal data in a structured, commonly-used and machine-readable format and have the personal data transferred to another controller.
  • Withdrawal of consent: If you have given your consent to processing of your personal data, you always have the opportunity to withdraw your consent with future effect by contacting us using the contact information below.
  • If you have any questions about our processing of your personal data or wish to exercise any of your rights set out above, you can contact us at privacy@thule.com. If you have any objections or complaints regarding how we process your personal data, you also have the right to contact or file a complaint with the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) or another competent data protection authority.

5. Does the privacy policy apply to external linked websites?

Our website may contain links to other websites e.g. charitable organizations. Such third parties are beyond our control and are not covered by our privacy policy. If you enter such other websites through links provided, administrators of those websites may collect your personal data. Please review the websites' privacy policies before providing your personal data.

6. Changes in the privacy policy

If any changes are made concerning the processing of your personal data, we will inform you of the changes by publishing an updated version of this privacy policy on the website. However, if we make material changes to this privacy policy, we will inform you by active means, e.g. by sending you an email or similar.