By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept
imgContact Us

SDC Privacy Policy

LAST UPDATED: 2026-04-13

This privacy policy explains how we collect and use your personal data, as well as the rights you have and how to exercise them.

1 Introduction

Scandinavian Data Centers AB (“SDC”, “we”, “us”, or “our”)is a Swedish-owned data center operator providing colocation, power, andconnectivity services across a distributed network of facilities in Sweden. Weare committed to protecting the personal data of our customers, partners,employees, and website visitors in accordance with applicable privacylegislation.

This Privacy Policy explains how we collect, use, store,and share personal data in connection with our services and businessoperations. It applies to all personal data processed by SDC in its capacity asa data controller, and where applicable, as a data processor acting on behalfof our customers.

Our processing of personal data is governed primarily byRegulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”), asimplemented in Swedish law, as well as applicable sector-specific legislationincluding the Swedish Electronic Communications Act (LEK) and the SwedishSecurity Protection Act (Säkerhetsskyddslagen). Where SDC operates as acolocation provider for customers falling within the scope of the NIS2Directive (EU 2022/2555), we maintain processing practices consistent with thoseobligations.

By engaging with SDC’s services, entering into acontractual relationship with us, or visiting our website or facilities, youacknowledge that your personal data may be processed as described in thisPolicy. If you do not agree with the terms of this Policy, please refrain fromusing our services or providing us with your personal data.

We may update this Privacy Policy from time to time toreflect changes in our operations, services, or legal obligations. The mostcurrent version will always be available on our website and, where required bylaw, we will notify you of material changes before they take effect.

2 Definitions

For the purposes of this Privacy Policy, the followingterms shall have the meanings set out below. These definitions align with theGDPR and applicable Swedish legislation.

Personal Data: Any information relating to an identified or identifiablenatural person (“Data Subject”). An identifiable person is one who can beidentified, directly or indirectly, in particular by reference to an identifiersuch as a name, identification number, location data, or online identifier.

Processing: Any operation or set of operations performed on PersonalData, whether by automated means or otherwise, including collection, recording,organisation, structuring, storage, adaptation, retrieval, use, disclosure,dissemination, restriction, erasure, or destruction.

Data Controller: The natural or legal person, public authority, agency, orother body which, alone or jointly with others, determines the purposes andmeans of the processing of Personal Data. SDC acts as a Data Controller withrespect to Personal Data collected in connection with its own businessoperations, including customer and supplier relationships, facility management,and marketing activities.

Data Processor: A natural or legal person, public authority, agency, orother body which processes Personal Data on behalf of the Data Controller. SDCmay act as a Data Processor where it processes Personal Data on behalf of itscolocation customers pursuant to a Data Processing Agreement.

Data Subject: Any identified or identifiable natural person whosePersonal Data is processed by SDC or on behalf of SDC.

GDPR: Regulation (EU) 2016/679 of the European Parliament andof the Council of 27 April 2016 on the protection of natural persons withregard to the processing of personal data and on the free movement of suchdata.

Sensitive Personal Data: Categories of Personal Data afforded heightenedprotection under Article 9 GDPR, including data revealing racial or ethnicorigin, political opinions, religious or philosophical beliefs, trade unionmembership, genetic data, biometric data processed for the purpose of uniquelyidentifying a person, health data, and data concerning a person’s sex life orsexual orientation.

Third Party: Any natural or legal person, public authority, agency, orbody other than the Data Subject, Data Controller, Data Processor, and personswho, under the direct authority of the Data Controller or Processor, areauthorised to process Personal Data.

Data Processing Agreement(DPA): A legally binding agreemententered into between SDC and a customer or supplier governing the processing ofPersonal Data by SDC in its capacity as Data Processor, in accordance withArticle 28 GDPR.

Security Protection Act(Säkerhetsskyddslagen): Swedishlegislation (SFS 2018:585) governing the protection of classified informationand security-sensitive activities. Certain SDC facilities and customerengagements may be subject to obligations under this Act.

NIS2 Directive: Directive (EU) 2022/2555 on measures for a high commonlevel of cybersecurity across the Union. Certain customers operating criticalinfrastructure and hosted within SDC facilities may be subject to thisDirective’s requirements.

Colocation Services: The service offering whereby SDC provides physical space,power, cooling, and connectivity infrastructure within its data centerfacilities for customers to house their own IT equipment.

Supervisory Authority: The competent national authority responsible formonitoring and enforcing compliance with the GDPR. In Sweden, this is theIntegritetsskyddsmyndigheten (IMY).

3 Responsibility

Scandinavian Data Centers AB, registered in Sweden (org.nr. 559332-4295), with its registered address at Rådmansgatan 22, 114 85 Stockholm,, is the Data Controller for Personal Data processed in connection with SDC’s ownbusiness operations, including the management of customer and supplierrelationships, access control and facility security, employment matters, andmarketing communications.

3.1  Data Controller Responsibilities

As Data Controller, SDC is responsible for ensuring thatPersonal Data is processed lawfully, fairly, and transparently in accordancewith the GDPR and applicable Swedish law. This includes:

•      Establishing andmaintaining a lawful basis for each category of processing activity.

•      Ensuring that Personal Datais collected for specified, explicit, and legitimate purposes and not processedin a manner incompatible with those purposes.

•      Implementing appropriatetechnical and organisational measures to ensure a level of security appropriateto the risk of processing, including measures to prevent unauthorised access,accidental loss, destruction, or damage.

•      Maintaining a Record ofProcessing Activities (RoPA) in accordance with Article 30 GDPR.

•      Ensuring that Data Subjectscan effectively exercise their rights as set out in this Policy.

•      Notifying the Swedishsupervisory authority (IMY) and, where required, affected Data Subjects, of anyPersonal Data breach in accordance with Articles 33 and 34 GDPR.

3.2  Data Processor Responsibilities

Where SDC processes Personal Data on behalf of itscolocation customers acting as Data Controllers, SDC acts as a Data Processor.In this capacity, SDC will:

•      Process Personal Data onlyon documented instructions from the customer (Data Controller), unless requiredto do so by applicable law.

•      Ensure that personsauthorised to process the Personal Data are subject to appropriateconfidentiality obligations.

•      Implement appropriatetechnical and organisational security measures in accordance with Article 32GDPR.

•      Not engage sub-processorswithout prior written authorisation from the customer, and where suchauthorisation is given, ensure that sub-processors are bound by equivalent dataprotection obligations.

•      Assist the customer infulfilling its obligations with respect to Data Subject rights requests,security measures, data breach notification, and data protection impactassessments.

•      At the customer’s choice,delete or return all Personal Data upon termination of the colocationagreement, unless retention is required by law.

•      Provide the customer withall information necessary to demonstrate compliance and cooperate with auditsand inspections.

The respective rights andobligations of SDC and its customers in their capacity as Data Controllers andData Processors are further governed by Data Processing Agreements entered intopursuant to Article 28 GDPR.

3.3  Data Protection Contact

SDC has designated a point of contact for data protectionmatters. Any questions, concerns, or requests relating to the processing ofPersonal Data under this Policy should be directed to:

Scandinavian Data Centers AB

DataProtection Contact

Email: info@scandinaviandatacenters.se

Address: Rådmansgatan 22, 114 85 Stockholm, Sweden

You also have the right to lodgea complaint with the Swedish supervisory authority,Integritetsskyddsmyndigheten (IMY), at imy.se, if you believe that SDC’sprocessing of your Personal Data is not conducted in accordance with applicabledata protection law.