GDPR Compliance Statement

Version 1.0 – Approved 1 February 2025

1 Accountability Statement

Vetnio AB affirms its full commitment to comply with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) and all applicable Swedish data-protection legislation. The Board of Directors accepts ultimate responsibility for, and is able to demonstrate, GDPR compliance across all personal-data processing activities. In particular, Vetnio AB undertakes to:

  • Embed the seven data-protection principles—lawfulness, fairness & transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity & confidentiality; and accountability—into the design and operation of every processing activity.
  • Maintain complete and accurate Records of Processing Activities (ROPA) and perform Data-Protection Impact Assessments (DPIAs) where processing is likely to result in a high risk to data subjects.
  • Implement appropriate technical and organisational measures (TOMs) proportionate to the risks presented by each processing activity.
  • Ensure that the Data Protection Officer (DPO) and designated Privacy Champions are afforded sufficient autonomy, resources and authority.
  • Provide regular, role-based training so that all personnel understand their data-protection responsibilities.
  • Monitor compliance through audits, metrics and management reviews, and take prompt remedial action when required.

This Statement will be reviewed at least annually, or immediately following any significant organisational, technological or regulatory change.

2 Organisation Profile

Legal Entity: Vetnio AB
Company Registration No.: 559494-6807
Registered Address: Grev Magnigatan 10, 114 55 Stockholm, Sweden
Main IT Locations / Data Centres: Sweden (primary), Germany (secondary)
Supervisory Authority: Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten – IMY)
Data Protection Officer: Max Henry Xie – max@vetnio.com

3 Data-Protection Governance

3.1 Roles & Responsibilities

  • Board of Directors: Provides strategic oversight and approves this Statement.
  • Chief Technology Officer (CTO): Accountable executive for technical compliance; restricts access to recordings and transcriptions to the CTO and senior technical staff on a strict need-to-know basis.
  • Data Protection Officer (DPO): Independent function reporting to the Board; advises on, and monitors, GDPR compliance.
  • Privacy Champions: Local points of contact embedded within senior technical teams:
    • Emil Franzell
    • Arvid Norström
    • Rakin Ali

All staff must authenticate using multi-factor authentication (MFA) and are authorised according to least-privilege principles.

3.2 Policies & Procedures

4 Principles of Processing & Legal Bases

Vetnio AB processes personal data only when at least one lawful basis under Article 6 GDPR applies (e.g., contract, consent, legitimate interests). Sensitive data (Article 9) is processed solely with an explicit derogation.

5 Records of Processing Activities (ROPA)

A full ROPA is maintained in accordance with Article 30 GDPR and is available to the Supervisory Authority upon request. Key elements recorded include:

  • Categories of data subjects & personal data.
  • Purposes of processing.
  • Recipients & international transfers.
  • Technical and organisational safeguards.

6 Technical & Organisational Measures (TOMs)

  • Access Control: Role-based access; MFA for all privileged accounts.
  • Encryption: AES-256 at rest; TLS 1.3 in transit.
  • Logging & Monitoring: Centralised, tamper-evident logs with security-information and event-management (SIEM) correlation.
  • Resilience & Backup: Daily encrypted backups with quarterly restore tests.
  • Physical Security: ISO 27001-compliant data-centre controls.
  • Vendor Due Diligence: Risk-based onboarding and annual review of processors.

7 Data Subject Rights Management

Procedures are in place to honour all rights under Articles 12–23 GDPR (access, rectification, erasure, restriction, portability, objection, and automated decision-making). Requests are logged and fulfilled within statutory timeframes.

8 Third-Country Transfers & Sub-Processors

International transfers occur only to jurisdictions benefiting from an adequacy decision or under appropriate safeguards (e.g., Standard Contractual Clauses). A register of approved sub-processors is published at https://vetnio.com/sub-processors.

9 Personal-Data Breach Notification

All incidents are assessed within 24 hours. Where a breach is likely to result in risk to individuals, IMY is notified within 72 hours and affected data subjects without undue delay, in line with Articles 33–34 GDPR.

10 Training & Awareness

All personnel must complete GDPR and information-security training upon hire and annually thereafter.

11 Review & Continuous Improvement

This Statement, together with supporting policies, is reviewed at least annually and after any material change to legislation, processing activities or organisational structure.

12 Approval

This GDPR Compliance Statement was approved by the Board of Directors of Vetnio AB on 1 February 2025.

Signed on behalf of the Board of Directors

Name: Max Henry Xie
Position: Chief Technology Officer
Signature: (signed)
Date: 01-02-2025
