Skip to content

Privacy policy

At Oatly we believe in the importance of protecting personal information and an individual’s right to privacy and integrity.

This privacy policy explains how we collect and use your personal data when you are in contact with us. It also outlines your rights and how you can exercise them.

You are always welcome to contact us if you have any questions.

Who is responsible for the personal data we collect?

Oatly AB, 556446-1043, P.O Box 588, 201 25 Malmö, Sweden, is the data controller responsible for the processing of personal data described in this privacy policy.

What is personal data and what constitutes the processing of personal data?

Personal data refers to any information that can be linked directly or indirectly (together with other information) to a natural, living person. This means that information such as name and contact details, images, audio recordings, IP addresses and competition entries is classified as personal data if it can be linked to a natural person.

Any action taken with personal data is called processing, regardless of whether it is carried out in an automated manner or not. Examples of common processing procedures are collection, recording, organization, structuring, storage, adaptation, transfer or erasure.

What personal data do we collect about you and for what purpose (why)?

PurposeProcessing that is carried outCategory of personal data
To handle complaints and other consumer matters. •Communication and response to complaints and other issues related to consumer contact (via telephone, letter or digital channels, including social media) •Investigation of complaints and questions •Eventual dispatch of compensation•Name •Contact details (address, email and telephone number) •Your correspondence •Details of purchase date, place of purchase, possible error/complaint •Health data (e.g. allergic reactions and health conditions that you inform us about)

Legal basis: Legitimate interest. The processing is necessary to meet our and your legitimate interests in dealing with complaints and consumer issues.
Storage period: Personal data relating to complaints and consumer issues is stored for two years. 

PurposeProcessing that is carried outCategory of personal data
To carry out competitions and manage entries therein.•Communication before and after participation in a competition (e.g. confirmation of registration, questions, contact with winners) •Handing out of winnings •Name •Contact details (address, email and telephone number) •Personal identity number if the winnings are to be taxed by the winner

Legal basis: Legitimate interest. The processing is necessary to meet our and your legitimate interests in handling your participation in competitions and events.
Storage period: During the time that the competition/event is in progress (including any evaluation). In the event of profit tax payable by the winner, the filing rules of the accounting act shall apply. 

PurposeProcessing that is carried outCategory of personal data
Photography in connection with Oatly’s participation in events, festivals, trade fairs, etc.•Photographing •The storage of photographs taken •The use of photographs in social media marketing campaigns globally•Photography •Time of photography

Legal basis: Consent in connection with photography and a legitimate interest with regards to so-called mingle images in connection with Oatly’s participation in events, festivals and trade fairs.
Storage period: 5 years.

PurposeProcessing that is carried outCategory of personal data
To handle incoming requests for sponsorship.•Communication in connection with incoming sponsorship inquiries (e.g. confirmation of incoming inquiry, questions, response) •Selection of sponsorship activities•Name •Contact details (address, email)

Legal basis: Legitimate interest and contractual duties in case s where sponsor agreements has been entered . The processing is necessary to meet our and your legitimate interests in handling sponsorship matters.
Storage period: As long as is necessary to handle the sponsorship case, but no more than 1 year. Accounting documents are filed in accordance with the regulations in the accounting act. Sponsor agreements are stored as long as either party may take any legal action under the agreement.

PurposeProcessing that is carried outCategory of personal data
To communicate with you as a subscriber of the Oatly newsletter “Havrenytt”, “The Oatly Way” and/or “ODDS”.•Collection of addresses in order to mail out our newsletters •Storage of addresses in order to mail out our newsletters •Newsletter mailouts•Name •Address (postal address for postal mailouts, email address for electronic mailouts)

Legal basis: Legitimate interest. The processing is necessary to meet our and your legitimate interests in the mailing of the Havrenytt and/or The Oatly Way.
Storage period: Until the person unsubscribes.

PurposeProcessing that is carried outCategory of personal data
To communicate with you as a recipient of press releases from Oatly.•Collection of addresses in order to mail out our press releases •Storage of addresses in order to mail out press releases •Press release mailouts•Name •Email

Legal basis: Legal basis: Legitimate interest. The processing is necessary to meet our and your legitimate interests in the mailing of press releases from Oatly. 
Storage period: Until the person unsubscribes.

PurposeProcessing that is carried outCategory of personal data
To offer you as a board member or an auditor access to information through our board portal.•Creating a user account •Access control •Notification, when new data has been uploaded to the portal •Storage of data•Name •Social security number •Company •Title •Contact information (e.g. email, address, phone number)

Legal basis: Legitimate interest. The processing is necessary to meet our and your legitimate interests in providing financial and corporate information.
Storage period: As long as your assignment is going and then until limitation periods for legal action expire.

PurposeProcessing that is carried outCategory of personal data
Camera surveillance at our establishment in Landskrona to prevent accidents, and to prevent, investigate and expose possible criminal activity.•Camera surveillance at Oatly’s production facility in Landskrona, both indoors and outdoors. •The personal data is stored and includes data confirming that visitors to the production facility have read and accepted Oatly’s quality standards.•Video recording

Legal basis: Legitimate interest. The processing is necessary to meet our and your legitimate interests in preventing accidents and to prevent, investigate and expose possible criminal activity.
Storage period: 7 days.

PurposeProcessing that is carried outCategory of personal data
To handle the necessary permissions when you, as entrepreneur, have temporarily work at our production facility.•To verify the necessary permissions •Filing of the permissions•Name •Personal identity number (for driving permission) •Company Validity

Legal basis: Legal obligation.
Storage period: Stored during the validity period and for a maximum of one year.

PurposeProcessing that is carried outCategory of personal data
To handle the necessary contact information regarding our customers and suppliers. •Collection of contact information •Use of contact information •Storage of contact information•Name •Position •Company •Contact information (e.g. email, company address, phone number)

Legal basis: Agreement and legitimate interest.
Storage period: Stored during the time of the agreement and for a maximum of five years.

PurposeProcessing that is carried outCategory of personal data
To handle applications for published job vacancy•Collection of applications and the appraisal/ disposal in relation to the requirements in job advert •Review and selection of applicants for interview •Candidates are called for an interview •Potential tests of candidates and reference check •Selection of candidate •The application documents of dismissed candidates are deleted•Oatly has no specific requirements regarding which personal data is to be included in an application. Usually includes: •Name •Personal identity number/Date of birth •Contact details(address, email and telephone number) •CV data

Legal basis: Legitimate interest. The processing is necessary to meet our and your legitimate interests in handling recruitment applications.
Storage period: The application documents of dismissed candidates are stored until the expiration of the appeal period, for example in accordance with anti-discrimination legislation.

PurposeProcessing that is carried outCategory of personal data
To handle incoming spontaneous applications/ letters of interest.Answers to the applicant saying that we do not currently have the opportunity to handle the letter of interest and recommend that the candidate monitors vacancies published on our website. Following that, the letter of interest and associated documents are deleted. Oatly has no specific requirements regarding which personal data is to be included in spontaneous job application. Usually includes: •Name •Personal identity number/Date of birth •Contact details (address, email and telephone number) •CV data

Legal basis: Legitimate interest in responding to a spontaneous application to Oatly.
Storage period: Canceled immediately following response to the sender as above, unless consent has been collected for the purpose of storing the application.

From what sources do we retrieve your personal data?

In addition to the information you provide us or that we collect from you based on your purchases and how you use our services, we may also collect personal data from someone else (third party). The data we collect from third parties is address details obtained from public records in order to verify your address.

Who do we share your personal data with?

The data processor. We may disclose your data to other companies, such as data processors, when it is necessary for us to offer our services or fulfill our commitments to you. Data processors are companies that process data on our behalf and according to our instructions.

When your personal data is shared with a data processor, it is only for purposes that are compatible with the purposes for which we have collected the data. We have written agreements with all our data processors through which they guarantee the security of the personal data processed and undertake to comply with our security requirements as well as restrictions and requirements regarding the international transfer of personal data.

Personal data may also be disclosed by us if it is necessary to comply with applicable legal or governmental requirements, to safeguard our legal interests or to detect, prevent or be attentive to fraud and other security or technical issues.

Companies that are independent data controllers. We also share your personal data with companies that are independent data controllers. Sharing data with an independent data controller means that it is not us who control how the data will be processed.

When your personal data is shared with a company that is an independent data controller, that company’s privacy policy and personal data management guidelines apply.

Where do we process your personal data?

Personal data may be transferred between different companies within our group. We always strive for the processing of your personal data to take place within the EU/EEA. However, in case of systematic support and maintenance, we may be required to transfer the data to a non-EU/EEA country, for example if we share your personal data with a data processor who, either themselves or through asubsupplier, is established or stores data in a non-EU country. In this case, the data processor shall only be granted access to data relevant to the purpose (e.g. log files). Regardless of the country in which your personal data is processed, we take allthe necessary legal, technical and organizational measures to ensure that the level of protection is the same as within the EU/EEA.

In cases where personal data is processed outside the EU/EEA, the level of protection is guaranteed either by a decision of the EU Commission that the country concerned ensures an adequate level of protection or through the use of so-called appropriate safeguards. Examples of appropriate safeguards are: approved code of conduct in the destination country, standard contract clauses, Binding Corporate Rules (BCRs) or the Privacy Shield.

How long do we store your personal data?

We will never store your personal data beyond what is necessary for each purpose. Please refer to the specific storage period for each purpose.

What are your rights as data subject?

Right of access (Subject Access Request). We are always open and transparent about how we process your personal data, and if you require further information regarding which personal data we process about you in particular, youcan request access to the data. Please note that if we receive a subject access request, we may ask for additional data to ensure the effective handling of your request and that the information is given to the correct person.

Right to rectification. If your personal data is incorrect, you may request its correction. Within the stated purpose, you also have the right to supplement any incomplete personal data. Oatly may also, on its own initiative, correct, disassociate, delete or supplement data that is found to be incorrect, incomplete or misleading.

Right to erasure. You may request the deletion of the personal data we process about you if:
• The data is no longer necessary for the purposes for which it has been collected or processed.
• You oppose a balance of interest that we have made based on a legitimate interest, and your reason for the objection weighs heavier than our legitimate interest.
• You oppose processing for direct marketing purposes.
• The personal data is processed in an unlawful way.
• The personal data must be deleted to comply with a legal obligation we are subject to. • Personal data has been collected pertaining to a child (under 13 years) for which you have parental responsibility, and collection has been made in connection with the offerof information society services (e.g. social media).

Please note that we may have the right to deny your request if there are legal obligations that prevent us from immediately deleting certain personal data. These obligations are related to accounting and tax legislation, banking and money laundering, and consumer law. It may also be possible that the processing is necessary for us to determine, enforce or defend legal claims. Should we be prevented from meeting a request for deletion, we will instead block personal data from being used for purposes other than the purpose that prevents the requested deletion.

Right to restriction. You have the right to request that our processing of your personal data be limited when the processing is based on a legitimate interest.

You may, in some cases, have the right to demand that the processing of your personal data is limited. By limitation, it means that the data is marked so that in future it will only be processed for certain limited purposes.

The right to restriction applies, inter alia, to the fact that the data is incorrect and relates to a request for it to be corrected. In such cases, you may also request that the data processing be restricted during the time that the data is being corrected.

If processing is restricted,we may, in addition to storage, only process the data in order to apply or defend legal claims to protect someone else’s rights or if you have given your consent.

Direct marketing: You may object to the processing of your personal data for direct marketing purposes by sending an email to info@oatly.com. Once we have received your objection, we will discontinue the processing of your personal data for that purpose, as well as cease all types of direct marketing actions.

Right to data portability. If our right to process your personal data is based on your consent or performance of an agreement with you, you have the right to request for the data that relates to you and which you have provided to us to be transferred to another data controller (so-called data portability). A prerequisite for data portability is that the transfer is technically feasible and can be automated.

How do we handle personal identity numbers?

We will only process your personal identity number when motivated by the purpose, necessary for a secure identification or if there is any other worthy reason. We always minimize the use of your personal identity number as much as possible.

How is your personal data protected?

We have taken appropriate technical and organizational security measures to protect your personal data against unlawful and unauthorized processing, e.g. we use IT systems to protect the privacy, integrity and availability of personal data for which we are data controller.

The Swedish Data Protection Authority is the supervisory authority. What does this imply?

The Swedish Data Protection Authority is responsible for monitoring the application of the legislation. If a person believes that a company is handling personal data incorrectly, they can file a complaint with the Swedish Data Protection Authority.

Contact

Please do not hesitate to contact us at info@oatly.com if you have any questions regarding this Privacy Policy, the processing of your personal data, or if you wish to request subject access. We may be required to make changes to our privacy policy. The latest version of our privacy policy is always available on our website.