POLICIES
Privacy Policy
Unless defined below capitalized terms used in this Privacy Policy shall have the meanings as in the Terms of Use. The purpose of this privacy policy is for you, as a website visitor or customer, to learn how Marshall handles your personal data and for you to be able to feel secure that the processing is being carried out in accordance with the General Data Protection Regulation and other applicable data protection laws.
1. Who is responsible for your personal data?
The Swedish company Marshall Group AB, 556757-4610 (“Marshall”, “We”, “Us”) is the data controller. Marshall’s group companies and selected suppliers may process your personal data on Marshall’s behalf and in accordance with Marshall’s instructions as stated below and are thereby processors of your personal data.
You may contact us at any time through customer service, or at:
E-mail: support@marshall.com
By mail: Marshall Group AB Att: Privacy, Centralplan 15, 111 20 Stockholm, Sweden
2. Processing and collecting Personal Data
When browsing the website, purchasing products, interacting with customer support, subscribing to newsletters and other interactions with Marshall, we process your personally identifiable information (“Personal Data”).
If you choose to withhold any Personal Data requested by Marshall for such purposes, it might not be possible for us to accept your purchase, subscription for newsletters or marketing or solve the matter that you would like to have solved by the support or customer service.
2.1 Purchasing products
Type of personal data | Legal Ground | Purpose | When the purpose ends |
---|---|---|---|
Your name, shipping and billing address, phone number and e-mail address | Fulfilling the purchase contract | Fulfilling our obligations related to the purchase, such as processing orders, delivering products, providing product warranty, resolving disputes, handling payments and claims, and for compliance with legal obligations (such as bookkeeping) | When the purchase is completed and there no longer are any legal obligations (7 years for bookkeeping and up to 10 years for statutes of limitation). |
Your IP-adress | The processing is based on a balancing of interests, where we have determined that our interest in processing your Personal Data for security and fraud prevention, outweighs your rights to not have your data processed for this reason. | Security and fraud prevention. | When we have established that there is no fraud or security risk. |
2.2 Subscribing to newsletters and marketing
Personal Data type | Legal Ground | Purpose | When the purpose ends |
---|---|---|---|
Your name, birthdate, country of residence and postal code, e-mail address, IP-address, and phone number. | Consent. | Sending product information, special offers, running competitions, conducting market research, measuring interest in our website, products and services, and sending newsletters. | When you withdraw your consent and no longer wish to receive newsletters and marketing. |
2.3 Contacting customer service
Type of Personal Data | Legal Ground | Purpose | When the purpose ends |
---|---|---|---|
Your e-mail address and other information you voluntarily provide upon contact with support or customer service. | The processing is based on a balancing of interests, where we have determined that our interest in processing your Personal Data for providing customer service, outweighs your rights to not have your data processed for this purpose. | Fulfilling our obligations and undertakings related to your purchase, such as handling claims, returns and refunds. | When your contact with customer service ends and the statutes of limitation expire (normally 10 years). |
2.4 Leaving reviews
Type of Personal data | Legal Ground | Purpose | When the Purpose ends |
---|---|---|---|
Your name and e-mail address. | The processing is based on a balancing of interests, where Marshall has determined that Marshall’s interest in processing your Personal Data for leaving reviews, outweighs your rights to not have your data processed for this purpose. | Processing your name is to display it with your review and your e-mail to be able to identify you and to be able to verify that you are a real person. | Until further notice or until you ask for us to stop processing your Personal Data for this purpose. |
3. Third parties and Personal Data transfer
Except as provided in this Privacy Policy, we will not intentionally disclose your Personal Data to third parties without your consent. We may however disclose information to third parties under the circumstances set out below. When we share your personal data, we ensure that the recipient processes it in accordance with this notice, such as by entering into data transfer agreements or data processing agreements. Such agreements include all reasonable contractual, legal, technical and organizational measures to ensure that your information is processed with an adequate level of protection and in accordance with applicable law. We may share your data with affiliated companies, including group companies. These recipients are only entitled to process your personal data on behalf of us while performing a service for us. We take all reasonable legal, technical and organizational measures in order to ensure that your data is handled securely and with an adequate level of protection when transferring it to, or sharing it with, such selected third parties. We may also release your personal data to public authorities where we are obligated to do so by law. If all or part of Marshall’s operations are sold, Marshall may transfer your personal data to a potential purchaser of the business, either in whole or in part, for the sole purpose of continuing the business subject to such sale and only if the recipient of such of the Personal Data commits to a Privacy Policy with terms materially consistent with this Privacy Policy.
3.1 Marshall’s service providers
We work with third party service providers who provide (i) website and application development, hosting, maintenance, e-mail servers, and other related services, (ii) order and payment fulfillment, product shipment, after sales services, support services and other related services, (iii) services related to sending e-mails, newsletters, providing marketing and other related services, and (iv) financial services, bookkeeping and audits and other related services. Such third parties may receive access to your Personal Data for them to provide the intended services for Marshall. Marshall will however limit the Personal Data provided to them to what is reasonably necessary for them to perform their obligation in relation to us, and always subject to obligations of confidentiality.
3.2 Law enforcement and legal processes
Marshall may disclose Personal Data if required by applicable laws, court orders, judicial and government subpoenas or warrants, or otherwise to cooperate with law enforcement or other governmental agencies. Marshall may also disclose Personal Data that Marshall believes is appropriate or necessary to take actions to protect Marshall and others from fraudulent, abusive or unlawful use or activity, to investigate and defend Marshall from third party claims or allegations and to protect Marshall’s business and legal rights, enforce contracts or protect the rights, property or safety of others.
3.3 Personal Data transfers outside the EU
Marshall may transfer Personal Data to service providers, as stated in Section 3.1 above, located outside of the EU. Marshall will however always comply with GDPR requirements providing adequate protection for the transfer of such Personal Dara to such third countries and will try to minimize such transfer. Such safeguards may be that the receiving party has signed standard data protection clauses adopted by the EU Commission.
4. Your rights when Marshal processes your Personal Data
You have the following rights regarding our processing of your Personal Data:
4.1 Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
You have the right to lodge a complaint with a supervisory authority. The supervisory authority in Sweden is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, www.IMY.se) In detail: Your right to complain exists without prejudice to any other administrative or judicial remedy. You have the right to lodge a complaint with a supervisory authority, in particular, in the EU/EEA member state of your habitual residence, place of work or place where the alleged infringement of applicable data protection laws has allegedly occurred. The supervisory authority has an obligation of informing you on the progress and the outcome of the complaint, including the possibility of a judicial remedy.
4.2 Right to withdraw consent (Article 7.3 GDPR)
You have the right to withdraw any consent at any time by contacting us. In detail: The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
4.3 Right of access (Article 15 GDPR)
You have the right to obtain confirmation as to whether we are processing personal data concerning you or not. You can make a request by contacting us. If we process your personal data, you also have a right to obtain a copy of the personal data processed by us as well as information about our processing of your personal data. In detail. The information we provide includes the following:
- the purposes of the processing
- the categories of personal data concerned
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing
- the right to lodge a complaint with a supervisory authority
- if the personal data are not collected from you, we provide you with available information about the source of the personal data
- the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the predicted consequences of such processing
- where your personal data are transferred to a third country or to an international organisation, you have the right to information regarding the appropriate safeguards, pursuant to Article 46 GDPR, put in place for the transfer. For any further copies of the personal data undergoing processing requested by you, we may charge a reasonable fee based on administrative costs. If you have made the request by electronic means the information will be provided to you in a commonly used electronic form, unless otherwise requested by you. Your right to obtain a copy referred to above shall not adversely affect the rights and freedoms of others.
4.4 Right to object (Article 21 GDPR)
You have the right to object to our processing of your personal data at any time. In detail: Your right to object applies as follows:
- relating to your situation, you have the right to at any time object to processing of your personal data which is necessary for the purposes of our legitimate interest, including any profiling (Article 21.1). We shall in such case no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims
- where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, including any profiling (Article 21.2). If you make such objection, you have an unconditional right to have the processing of your personal data for such purposes ceased
- in the context of the use of information society services, and regardless of Directive 2002/58/EC (ePrivacy Directive, or ePD), you may exercise your right to object by automated means using technical specifications.
4.5 Right to erasure (“the right to be forgotten”) (Article 17 GDPR)
You have the right to ask us to erase your personal data.
In detail: We have the obligation to erase your personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- you withdraw your consent on which the processing is based, and there is no other legal ground for the processing
- you object to the processing pursuant to Article 21.1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21.2 GDPR
- the personal data have been collected in relation to the offer of information society services referred to in Article 8.1 GDPR
- the personal data have been unlawfully processed, or
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law that applies to us.
Where we have made the personal data public and are obliged in accordance with the rights stated above to erase the personal data, we shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data. We will notify any erasure of personal data carried out in accordance with your rights stated above to each recipient whom the personal data have been provided to, unless this proves impossible or involves disproportionate effort. If you want information about those recipients, you are more than welcome to contact us. Please note that our obligation to erase and inform according to above shall not apply to the extent processing is necessary according to the following reasons:
- for exercising the right of freedom of expression and information,
- for compliance with a legal obligation which requires processing by Union or Member State law which applies to us, or
- for the establishment, exercise, or defence of legal claims.
4.6 Right to rectification of processing (Article 16 GDPR)
You have the right to obtain, without undue delay, the rectification of inaccurate personal data concerning you. In detail: Considering the purposes of the processing, you have the right to have incomplete personal data completed, including by providing a supplementary statement.
We will communicate any rectification of personal data to each recipient whom the personal data have been provided to, unless this proves impossible or involves disproportionate effort. If you want information about those recipients, you are more than welcome to contact us.
4.7 Right to restriction of processing (Article 18 GDPR)
You have the right to obtain from us restriction of the processing of your personal data.
In detail: Your right applies if:
- the accuracy of the personal data is contested by you, during a period enabling us to verify the accuracy of the personal data,
- you have objected to processing pursuant to Article 21.1 GDPR pending the verification whether our legitimate grounds override yours,
- the processing is unlawful, and you oppose the erasure of the personal data and instead request the restriction of their use, or
- you need the personal data for the establishment, exercise or defence of legal claims even though we no longer need the personal data for the purposes of the processing.
Where the processing has been restricted according to above, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. We will notify each recipient whom the personal data have been provided to about any restriction of processing according to above, if this do not occur to be impossible or entails a disproportionate effort. If you want more information about these recipients, you are welcome to contact us.
4.8 Right to data portability (Article 20 GDPR)
You have the right to receive your personal data (that you have provided to us) from us in a structured, commonly used and machine-readable format and, where technically feasible, have your personal data transferred to another data controller (“data portability”).
In detail: The right applies if:
- the processing is based on the lawful basis consent or on a contract, and
- the processing is carried out by automated means.
The exercise of the right to data portability shall be without prejudice to the right to erasure, i.e. Article 17. Your right to data portability shall not adversely affect the rights and freedoms of others. To enforce your rights, Marshall provides you access to a personal account where your Personal Data can be managed, reviewed, corrected, updated, and exported. If you haven’t created a login to your personal account, you can create it by using the same e-mail address as used during purchase. You may also contact Marshall regarding your rights via the customer service form, e-mail, or post.
When contacting customer service for this purpose, you may need access to the same e-mail address used during your purchase or registration with Marshall, for us to have the possibility of verifying your identity and right to access your Personal Data. Please note that while changes or updates will usually be reflected in Marshall’s systems immediately, we may retain your Personal Data for backups, prevention of fraud or abuse, satisfaction of legal obligations, or where Marshall otherwise believes that Marshall has the legitimate or mandatory reason to do so.
Marshall is not able to correct or update any Personal Data in relation to orders for products being processed or being shipped to you.
5. Cookies and Analytics
We use cookies and other technologies to personalise your experience visiting the website, to provide customised advertisement, information, and content, and to monitor and analyse use of the website. Please see Marshall's cookie policy to obtain more information about the cookies and other technologies used. Marshall also uses analytics technologies (Google Analytics) to measure and evaluate the access to and traffic on the website, and to generate navigation reports. Google operates independently from Marshall and has its own privacy policy. You may from some browsers opt out from the collection of navigation information by Google Analytics by using Google’s opt-out feature.
6. Period for Storing your Personal Data
The period during which we store your Personal Data depends on which purpose we use the Personal Data for. We generally store Personal Data for a contractual relationship up to 10 years after the relationship ends, due to statutes of limitation. We generally store data for legal obligations for 7 years, mainly due to bookkeeping laws. Regarding Personal Data that we store for other purposes than contractual relationships and legal obligations, we usually store such data until there no longer is a purpose for it.
7. Additional Information for California Residents
If you are a consumer residing in California, you have additional rights under the California Consumer Privacy Act (CCPA). Please see our CCPA Privacy Notice for more information.
8. Changes and Updates
We may update our services and this Privacy Policy from time to time. If that happens, we will make the new Privacy Policy available on the website and indicate the date of the latest revisions made. If the update requires a notice or consent, you will be notified or given the opportunity to consent. You are encouraged to revisit this Privacy Policy every time you use any of our services to keep yourself informed about any changes.
This Privacy Policy was last updated: 25 March 2024.