Privacy policy

At Oatly we believe in the importance of protecting personal information and an individual’s right to privacy and integrity.
 
This privacy policy explains how we collect and process your personal data when you interact with us. It also outlines your rights and how you can exercise them. 

Additionally, your device sends its IP address when you visit our website. We only use this information temporarily to deliver content to you and, for security, to ensure you’re not a malicious bot. We don’t save your IP address or any unique identifiers alongside your searches or visits to our websites. We also never log IP addresses or any unique identifiers to disk.

You are always welcome to contact us if you have any questions at info@oatly.com.

Who is responsible for the personal data we collect? 

Oatly AB, 556446-1043, P.O Box 588, 201 25 Malmö, Sweden, is the data controller responsible for the processing of personal data described in this privacy policy. The Data Controller is the one determining the purposes and means of the processing. 

You can also reach our Global Data Privacy Manager at privacy@oatly.com

What is personal data and what constitutes the processing of personal data?

Personal data refers to any information that can be linked directly or indirectly (together with other information) to a natural, living person. This means that information such as name and contact details, images, audio recordings, IP addresses and competition entries is classified as personal data if it can be linked to a natural person.

Any action taken with personal data is called processing, regardless of whether it is carried out in an automated manner or not. Examples of common processing procedures are collection, recording, organization, structuring, storage, adaptation, transfer or erasure.

How we collect personal data about you?

We use different methods to collect data from and about you including:

  • Direct interactions. You may give us information about you by filling in forms or by corresponding with us by phone, email or otherwise. This includes information you provide when you subscribe to our newsletters, participate in discussion boards or other social media functions on our Website, enter a competition, promotion or survey, use our customer service and other similiar activities.
  • Automated technologies or interactions. As you interact with our Website, we may automatically collect technical data about your equipment, browsing actions and patterns as specified above. We collect this information by using cookies and other similar technologies (read more in our Cookie Policy).
  • Third parties or publicly available sources. We may receive information about you from third parties including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, data brokers, or aggregators.
  • User contributions. You also may provide information for us to publish or display ("post") on public website areas or transmit to other website users or third parties (collectively, "User Contributions"). You submit User Contributions for posting and transmission to others at your own risk. Although you may set certain privacy settings for User Contributions, please be aware that no security measures are perfect or impenetrable. Additionally, we cannot control the actions of any website users with whom you choose to share your User Contributions. Therefore, we cannot and do not guarantee that unauthorized persons will not view your User Contributions.

What personal data do we collect about you and for what purpose (why)?

Purpose  

To handle complaints and other consumer matters.   

Processing that is carried out

  • Communication and response to complaints and other issues related to consumer contact (via telephone, letter or digital channels, including social media)
  • Investigation of complaints and questions
  • Eventual dispatch of compensation
  • Certain processing may be performed in an automated way to find the best matches to handle your complaint or consumer matter

Category of personal data

  • Name
  • Contact details (address, email and telephone number)
  • Your correspondence
  • Details of purchase date, place of purchase, possible error/complaint
  • Health data (e.g.   
    allergic reactions and health conditions that you choose to inform us about)

Legal basis: Legitimate interest. The processing is necessary to meet our and your legitimate interests in dealing with complaints and consumer issues.  

Storage period: Personal data relating to complaints and consumer issues is stored for no longer than two years.   

Purpose  

To carry out  competitions and manage entries therein.  

Processing that is carried out

  • Communication before and after participation in a competition (e.g. confirmation of registration, questions, contact with winners)
  • Handing out of winnings 

Category of personal data

  • Name
  • Contact details (address, email and telephone number)
  • Personal identity number if the winnings are to be taxed by the winner  

Legal basis: Legitimate interest. The processing is necessary to meet our and your legitimate interests in handling your participation in competitions and events.

Storage period: During the time that the competition/event is in progress (including any evaluation). In the event of profit tax payable by the winner, the filing rules of the accounting act shall apply.   

Purpose  

Photography in connection with Oatly’s participation in events, festivals, trade fairs, etc. 

Processing that is carried out

  • Photographing
  • Storage of photographs taken
  • The use of photographs in social media marketing campaigns globally 

Category of personal data

  • Photography
  • Time of photography   

Legal basis: Legitimate interest with regards to so-called mingle images in connection with Oatly’s participation in events, festivals and trade fairs.

Storage period: 5 years.  

Purpose  

Portrait photography

Processing that is carried out

  • Photographing
  • Storage of photographs taken
  • Agreed usage of photography  

Category of personal data

  • Photography
  • Time of photography

Legal basis: Consent in connection with the photographing session.

Storage period: 5 years or when you withdraw your consent.

Purpose  

To handle incoming requests for sponsorship.  

Processing that is carried out

  • Communication in connection with incoming sponsorship inquiries (e.g. confirmation of incoming inquiry, questions, response)
  • Selection of sponsorship activities

Category of personal data

  • Name
  • Contact details (address, email)  

Legal basis: Legitimate interest and contractual duties in cases where sponsor agreements has been entered. The processing is necessary to meet our and your legitimate interests in handling sponsorship matters.

Storage period: As long as is necessary to handle the sponsorship case, but no more than 1 year. Accounting documents are filed in accordance with the regulations in the accounting act. Sponsor agreements are stored as long as either party may take any legal action under the agreement.  

Purpose  

To communicate with you as a subscriber of any of Oatly's newsletters.

Processing that is carried out

  • Collection of addresses in order to mail out our newsletters
  • Storage of addresses in order to mail out our newsletters
  • Newsletter mailouts

Category of personal data

  • Name
  • Address (postal address for postal mailouts, email address for electronic mailouts)
  • Date of birth (yy,dd,mm)  

Legal basis: Consent. The consent is voluntary and you can withdraw your consent at any time by unsubscribing. 

Storage period: Until the person unsubscribes.  

Purpose  

To communicate with you as a recipient of press releases from Oatly.

Processing that is carried out

  • Collection of addresses in order to mail out our press releases
  • Storage of addresses in order to mail out press releases
  • Press release mailouts   

Category of personal data

  • Name
  • Email

Legal basis: Legitimate interest. The processing is necessary to meet our and your legitimate interests in the mailing of press releases from Oatly.

Storage period: Until the person unsubscribes.  

Purpose  

To offer you as a board member or an auditor access to information through our board portal.  

Processing that is carried out

  • Creating a user account
  • Access control
  • Notification, when new data has been uploaded to the portal
  • Storage of data 

Category of personal data

  • Name
  • Social security number
  • Company
  • Title
  • Contact information (e.g. email, address, phone number)  

Legal basis: Legitimate interest. The processing is necessary to meet our and your legitimate interests in providing financial and corporate information.

Storage period: As long as your assignment is ongoing and then until limitation periods for legal action expire.  

Purpose  

To handle visits to Oatly’s production facilities correctly, efficiently and safely (e.g. fire protection and quality issues). 

Processing that is carried out

  • Visitors register their arrival and departure
  • The personal data is stored and includes data confirming that visitors to the production facility have read and accepted Oatly’s quality standards. 

Category of personal data

  • Name
  • Company
  • Email
  • Mobile
  • Telephone
  • Photography   

Legal basis: Legitimate interest. The processing is necessary to meet our and your legitimate interests in providing a safe and efficient visit.

Storage period: 2 years.  

Purpose  

Camera surveillance at targeted areas of our business premises, such as entrances to office space, plants and the warehouses to prevent accidents, and to prevent, investigate and expose possible intrusion and criminal activity.   

Processing that is carried out

  • Camera surveillance at Oatly’s production facilities, both indoors and outdoors.
  • Camera surveillance at entrances to office spaces, both indoors and outdoors.
  • The personal data is stored and includes data confirming that visitors to the production facility have read and accepted Oatly’s quality standards. 

Category of personal data

  • Video recording

Legal basis: Legitimate interest. The processing is necessary to meet our and your legitimate interests in preventing accidents and to prevent, investigate and expose possible intrusion and criminal activity.

Storage period: 7 days.

Purpose  

To handle the necessary permissions when you, as entrepreneur, do temporarily work at our production facilities.

Processing that is carried out

  • To verify the necessary permissions
  • Filing of the permissions  

  

Category of personal data

  • Name
  • Personal identity number (for driving permission)
  • Company
  • Validity

Legal basis: Legal obligation.

Storage period: Stored during the validity period and for a maximum of one year.  

Purpose  

When hiring an external consultant for an assignment.

Processing that is carried out

  • Collection of name and contact information
  • Use of personal data to give access to relevant systems and information

Category of personal data

  • Name
  • Contact information
  • Company

Legal basis: Performance of a contract.

Storage period: For as long as the assignment is ongoing and/or in accordance with tax- and employment regulations and/or other applicable legislation.

Purpose  

To handle the necessary contact information regarding our customers and suppliers.

Processing that is carried out

  • Collection of contact information
  • Use of contact information
  • Storage of contact information

Category of personal data

  • Name
  • Position
  • Company
  • Contact information (e.g. email, company address, phone number)

Legal basis: Legitimate interest.

Storage period: Stored during the time of an agreement and for a maximum of five years.

Purpose  

To handle applications for published job vacancy.  

Processing that is carried out

  • Collection of applications and the appraisal/disposal in relation to the requirements in job advert
  • Collection of data from third parties and public sources, such as social media
  • Review and selection of applicants for interview
  • Call candidates for an interview
  • Potential tests of candidates and reference checks
  • Selection of candidate

Category of personal data

Oatly has no specific requirements regarding which personal data is to be included in an application. Usually includes:  

  • Name
  • Personal identity number/Date of birth 
  • Contact details (address, email and telephone number) 
  • CV data (such as current work position and any photos included therein)
  • Data published on social media
  • Test results
  • Input from references

Legal basis: Legitimate interest. The processing is necessary to meet our and your legitimate interests in handling recruitment applications.

Storage period: The application documents of dismissed candidates are stored until the expiration of the appeal period, for example in accordance with anti-discrimination legislation.  

Purpose  

To handle incoming spontaneous applications/letters of interest.  

Processing that is carried out

  • Answering the applicant
  • Applications/letters are stored to be matched against future open positions. Furthermore, applications and other data collected in relation to a specific recruitment process (regarding a position which has been assigned to another applicant) may be stored to be matched against future open positions

Category of personal data

Oatly has no specific requirements regarding which personal data is to be included in spontaneous job application. Usually includes:

  • Name
  • Personal
  • Identity number/Date of birth
  • Contact details (address, email and telephone number)
  • CV data  

Legal basis: Consent given by you to such processing.

Storage period: Canceled immediately following response to the sender as above, unless consent has been collected for the purpose of storing the application.  

Who do we share your personal data with?

We do not sell or trade your information to third parties but we may disclose your data to other companies, such as data processors, when it is necessary for us to offer our services or fulfill our commitments to you. Data processors are companies that process data on our behalf and according to our instructions.

When your personal data is shared with a data processor, it is only for purposes that are compatible with the purposes for which we have collected the data. We have written agreements with all our data processors through which they guarantee the security of the personal data processed and undertake to comply with our security requirements as well as restrictions and requirements regarding the international transfer of personal data.

Personal data may also be disclosed by us if it is necessary to comply with applicable legal or governmental requirements, to safeguard our legal interests or to detect, prevent or be attentive to fraud and other security or technical issues.

We also share your personal data with companies that are independent data controllers. Sharing data with an independent data controller means that it is not Oatly who controls how the data will be processed.

When your personal data is shared with a company that is an independent data controller, that company’s privacy policy and personal data management guidelines apply.

Where do we process your personal data?

Personal data may be transferred between different companies within Oatly group.

We always strive for the processing of your personal data to take place within the EU/EEA or within the jurisdiction in which the Oatly company acting as Data Controller has its principal establishment. However, in case of systematic support and maintenance, we may be required to transfer the data to a Third country, for example if we share your personal data with a data processor who, either themselves or through a subsupplier, is established or stores data in a non-EU country. In this case, the data processor shall only be granted access to data relevant to the purpose (e.g. log files). Regardless of the country in which your personal data is processed, we take all the necessary legal, technical and organizational measures to ensure that the level of protection is the same as within the EU/EEA.

In cases where personal data is processed outside the EU/EEA, the level of protection is guaranteed either by a decision of the EU Commission that the country concerned ensures an adequate level of protection or through the use of so-called appropriate safeguards. Examples of appropriate safeguards are: Approved code of conduct in the destination country, Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).  

How long do we store your personal data?

We will never store your personal data beyond what is necessary for each purpose. Please refer to the specific storage period for each purpose.  

What are your rights as data subject?

Right of access (Subject Access Request): We are always open and transparent about how we process your personal data, and if you require further information regarding which personal data we process about you in particular, you can request access to the data. Please note that if we receive a subject access request, we may ask for additional data to ensure the effective handling of your request and that the information is given to the correct person.

Right to rectification: If your personal data is incorrect, you may request its correction. Within the stated purpose, you also have the right to supplement any incomplete personal data.

Oatly may also, on its own initiative, correct, disassociate, delete or supplement data that is found to be incorrect, incomplete or misleading.

Right to erasure: You may request the deletion of the personal data we process about you if:

  • The data is no longer necessary for the purposes for which it has been collected or processed.
  • You oppose a balance of interest that we have made based on a legitimate interest, and your reason for the objection weighs heavier than our legitimate interest.
  • You oppose processing for direct marketing purposes.
  • The personal data is processed in an unlawful way.
  • The personal data must be deleted to comply with a legal obligation we are subject to.
  • Personal data has been collected pertaining to a child (under 13 years) for which you have parental responsibility, and collection has been made in connection with the offer of information society services (e.g. social media).   

Please note that Oatly may have the right to deny your request if there are legal obligations that prevent us from immediately deleting certain personal data. These obligations are related to accounting and tax legislation, banking and money laundering, and consumer law. It may also be possible that the processing is necessary for us to determine, enforce or defend legal claims. Should we be prevented from meeting a request for deletion, we will instead block personal data from being used for purposes other than the purpose that prevents the requested deletion.

Right to restriction: You have the right to request that our processing of your personal data be limited when the processing is based on a legitimate interest.

You may, in some cases, have the right to demand that the processing of your personal data is limited. By limitation, it means that the data is marked so that in future it will only be processed for certain limited purposes.

The right to restriction applies, inter alia, to the fact that the data is incorrect and relates to a request for it to be corrected. In such cases, you may also request that the data processing be restricted during the time that the data is being corrected.  
If processing is restricted, we may, in addition to storage, only process the data in order to apply or defend legal claims to protect someone else’s rights or if you have given your consent.

Direct marketing: You may object to the processing of your personal data for direct marketing purposes by sending an email to info@oatly.com. Once we have received your objection, we will discontinue the processing of your personal data for that purpose, as well as cease all types of direct marketing actions.

Right to data portability: If our right to process your personal data is based on your consent or performance of an agreement with you, you have the right to request for the data that relates to you and which you have provided to us to be transferred to another data controller (so-called data portability). A prerequisite for data portability is that the transfer is technically feasible and can be automated.  

How do we handle personal identity numbers?

We will only process your personal identity number when motivated by the purpose, necessary for a secure identification or if there is any other worthy reason. We always minimize the use of your personal identity number as much as possible.

How is your personal data protected? 

We have taken appropriate technical and organizational security measures to protect your personal data against unlawful and unauthorized processing, e.g. we use secure IT systems to protect the privacy, integrity and availability of personal data for which we are data controller, privacy by default and in design and appointed roles to ensure security, privacy and compliance.

The National Data Protection Authority is the supervisory authority. What does this imply?

The National Data Protection Authority is responsible for monitoring the application of the legislation. If a person believes that a company is handling personal data incorrectly, they can file a complaint with the National Data Protection Authority. For cross-border processing, the Swedish Data Protection Authority (IMY) will act as a lead supervisory authority since it is the supervisory authority for the main establishment.  

Contact

Please do not hesitate to contact us at info@oatly.com or privacy@oatly.com if you have any questions regarding this Privacy Policy, the processing of your personal data, or if you wish to request subject access. We may be required to make changes to our privacy policy. The latest version of our privacy policy is always available on our website.