Personal data
Personal data is every type of information that can directly or indirectly be
linked to a living natural person. If a registered piece of information reveals
in any way, or makes it possible to find out, who the information is about,
this is personal data. Examples of personal data include names, addresses,
personal identity numbers, photographs and video clips.
There are many laws and ordinances containing rules on the processing of
personal data. Common to these rules is that they aim to protect people
from their personal privacy being violated when personal data is processed.
‘Processing personal data’ essentially refers to everything that can be done
with such data. This may include collecting, registering, storing, aligning or
printing data. A person who processes personal data is either the personal
data controller or the personal data processor.
Our personal data processing
Missions abroad are entitled to process the personal data that is necessary to
fulfil the official duties entrusted to them by the Riksdag and the
Government. Missions abroad also process personal data when someone:
• contacts a mission abroad to obtain information;
• requests to examine official documents;
• applies for a job;
• registers to attend meetings or other events;
• uses a subscription service; or
• contacts the mission for any other reason.
Responsibility for personal data
Every mission abroad is the personal data controller for the processing of
data that takes place as part of the mission’s activities, unless otherwise
prescribed. As personal data controller, the mission must ensure that all
personal data processing takes place in accordance with the applicable
legislation.
Legal basis for processing personal data
To process personal data, there must be support for this in the applicable
data protection regulations, the ‘legal basis’. For missions’ processing to be
legal, it must be necessary to fulfil an agreement or legal obligation, or to
complete a task of public interest, or as part of the exercise of public
authority. In some cases, personal data may also be processed if the person
in question has consented to this or the processing is necessary to protect
interests that are of fundamental importance to the registered person or
another natural person.
Register
All categories of processing carried out within the scope of activities must be
contained in a register at the mission abroad. This enables the mission to
systematically check that processing has a legal basis. Each mission abroad is responsible for keeping the register up-to-date. For access to the register,
contact either the relevant mission or the data protection officer for the
missions abroad. The contact details are provided at the bottom of the last
page of this document.
More information about the collection and processing of personal data
General
Missions abroad only collect personal data that is necessary for the purposes
of the processing. The data will not subsequently be processed in a way that
is not compatible with these purposes.
Personal data of employees and contractors
As employers, missions abroad are permitted by law to process the personal
data of employees and contractors to the extent necessary to fulfil their
obligations under the employment agreement or contract.
Personal data of local job applicants and interns
The personal data of local job applicants and interns will only be used by the
mission abroad for recruitment purposes and statistical follow-up. The data
can only be accessed by people who work on recruitment.
Personal data for orders of information material, newsletters, subscriptions and registration to events and conferences
Personal data (name, address and email) submitted in connection with a
subscription or an order of information material is stored only for as long as
the subscription lasts or as long as it takes to send the mailout or order. The
subscriber can cancel their subscription at any time. The mission abroad will
then delete the personal data.
Personal data (title, name, address, telephone number and email) submitted
in connection with registration to conferences and other events is stored
only for as long as is necessary for the administration of the conference or
event.
Periods of retention
Personal data is regularly cleaned up, culled and de-identified. The personal
data collected by missions abroad is processed for varying purposes. The
data is therefore stored for varying periods of time, depending on what it
will be used for and what obligations apply under law.
The principle of public access to official documents
Missions abroad are central government agencies. Communications that are
sent to missions abroad become official documents and may in future be
released in accordance with the principle of public access to official
documents. Official documents containing personal data may be released to
journalists and private individuals who request to access them. In some
cases, data is subject to secrecy and cannot therefore be released.
The missions abroad may also release personal data to other government
agencies. This may happen, for example, if the other agency needs to access
the data in connection with the exercise of public authority or other official
duties.
Personal data processors
Personal data may also be released to contracting partners or IT suppliers. A
number of different IT services and IT systems are used in the activities of
missions abroad. Some systems are locally installed at missions abroad and it is only mission staff who have access to the personal data they contain. In
these cases, no personal data is transferred to third parties.
Other systems are installed at the supplier’s premises or in cloud solutions
and personal data is then transferred to the supplier. In these cases, the
supplier is the personal data processor and processes personal data on behalf of the mission abroad and in line with the mission’s instructions.
Security measures
Technical and organisational measures are taken to ensure that all
information processed by missions abroad is protected from unauthorised
access, changes or destruction.
All development of systems, services and activities takes place with respect
for personal privacy and taking account of the data protection legislation.
Your rights
Missions abroad are responsible for ensuring that your personal data is
processed in accordance with the applicable legislation.
Missions abroad will – at your request or of its own initiative – correct or
supplement personal data that is discovered to be incorrect, incomplete or
misleading.
In some cases, you are entitled to have your personal data deleted. This
means that you have the right to request that your personal data be removed
if it is no longer needed for the purposes for which it was collected.
However, there may be legal requirements that do not allow a mission
abroad to delete your personal data immediately. The mission abroad will
then cease processing that is for purposes other than following the
legislation.
You are always entitled to present any complaints concerning a mission’s
processing of your personal data. You can either contact the mission abroad directly or contact the data protection officer. You can also lodge a
complaint with the Swedish Data Protection Authority.
Request for extracts from records and corrections
You have the right, following an application for which there is no charge, to
receive information about which personal data a mission abroad registers
and processes about you. Contact the mission in writing, stating your name,
personal identity number, postal address, telephone number and email
address (which is used in communications with the relevant mission abroad).
The excerpt is normally sent to the postal address you have provided, or
otherwise to your registered address in Sweden, if you have one.
For any questions on data protection, please contact the embassy sweden.ottawa@gov.se.
