Pandox AB (publ), company reg. no. 556030-7885, (“Pandox”) and other companies within the Pandox Group respect and protect the privacy rights of individuals. We are transparent in how we process personal data and it is important for us that all processing is carried out in accordance with the General Data Protection Regulation and other applicable legislation.

General comments

This privacy policy is intended to describe how Pandox processes external personal data and to inform you, as an individual, about our processing of personal data. The information contained here is general in nature and in many cases more specific information is provided in an agreement or in other contexts, and such specific information applies as a supplement to and, where applicable, amends the information set forth below. 

Pandox’s internal personal data policy, based on the General Data Protection Regulation, is applied by the companies and employees of the Pandox Group.

Controller of personal data

Pandox is the data controller for the processing of any personal data for which it determines the purposes and means. Pandox is the data controller for general group operations and for certain subsidiaries which conduct real property business. In addition, there are subsidiaries within the Pandox Group that have independent personal data responsibility, for example companies which conduct hotel operations. Information regarding how subsidiaries that are data controllers fulfil their obligations are set forth on each subsidiary’s website. This privacy policy covers the processing for which Pandox is responsible.

Processing of personal data


Pandox collects and processes personal data only where permitted under the General Data Protection Regulation or other applicable legislation, and processes only personal data according to the purposes for which the data was collected.

Pandox processes personal data which is obtained directly from you when an agreement is entered into or in other contacts with Pandox. We also process your personal data, which we have obtained indirectly via your employer, in order to administer the business relationship your employer has with Pandox. Pandox also regularly collects personal data from publicly available sources such as private services and public filing systems for information regarding potential tenants, cooperating partners, competitors and other stakeholders.

Categories of personal data

The personal data which is processed is normally the name, contact information, personal ID number (where required by law or in order to manage a contractual relationship) and the account information for private tenants.


The personal data is processed in order to fulfil obligations and exercise rights according to contracts and to fulfil requirements imposed on Pandox by law or decisions by public authorities. The purpose of the processing of the personal data is normally to fulfil administrative, financial and property management purposes, but may also involve marketing and other questions which are related to potential and ongoing contractual relationships.

Legal basis

The legal basis for Pandox’s processing as set forth above is normally:

  • that the processing is necessary to perform a legal obligation;
  • that the processing is necessary for Pandox’s legitimate interests in fulfilling the above-stated purposes/goals and that these interests override the interests or fundamental rights and freedoms of the data subject in not having their personal data processed; or
  • that the processing is necessary to perform a contract with the data subject.

In the cases where the legal basis for the processing is consent, separate information is provided at the time consent is given.

Data and storage minimization

Pandox does not collect more data than is necessary to fulfil the purpose for which the personal data is collected. This means that Pandox will only request personal data which is necessary for the Group’s business operations.

Pandox does not store information longer than is necessary to fulfil the purpose for which the personal data was collected.


Pandox attaches great importance to the security of personal data and has established both technical and organizational routines in order to ensure that personal data is not lost, manipulated or become accessible to unauthorized persons. All companies within the Pandox Group work according to established security standards for handling information and only retain the services of suppliers who have provided sufficient guarantees for the protection of personal data and other information. Pandox regularly updates its routines and systems in order to guarantee the security of the personal data.

Third-party applications and external websites

There may be references in Pandox’s business to third-party applications and external websites over which Pandox does not have control. This privacy policy only covers such processing which is directly related to Pandox’s processing of personal data and Pandox is not liable for any processing of personal data which is carried out independently by any third party.

Transfers of personal data to third countries and disclosure to third parties

Pandox only stores personal data within the EU/EEA. Where a transfer to a third country takes place in exceptional cases, Pandox will ensure that there is a legal basis for such a transfer and will provide the relevant data subject with required information.

Pandox guarantees that all transfers to third parties and third countries take place in accordance with the applicable data protection legislation.

The rights of individuals

Pandox wants to be accommodating to individuals in their exercise of their rights. Pandox therefore maintains clear guidelines and routines for how an inquiry from a data subject is to be handled.

As a data subject, you are entitled to request information free of charge from Pandox regarding the processing of your personal data. Upon your request, or on our own initiative, we will correct or erase any incorrect personal data and/or restrict the processing of such data. In addition, you are entitled to request that your personal data not be processed for direct marketing purposes. You also have the right to object to any processing Pandox carries out based upon a weighing of interests as the legal basis. Where Pandox is of the opinion that processing nonetheless needs to be carried out, it is Pandox’s obligation to prove that there are interests which override the interests of the data subject. If you would like to contact us regarding the exercise of your rights, please contact us according to the contact information stated in the section “Contact information” below.

If you are dissatisfied with how we process your personal data, you can contact us or submit a complaint to the supervisory authority (Datainspektionen, the name of which is currently being changed to Integritetsmyndigheten,

Information for the data subjects who are the contact persons at Pandox’s suppliers or customers

Link to Information regarding Supplier Contact Person
Link to Information regarding Tenant Contact Person

Contact information

To exercise your rights under the General Data Protection Regulation, or if you have any questions regarding our processing of your personal data, please send your inquiry to:


This privacy policy may be updated and, in such case, a new version will be published on Pandox’s website.