Data protection policy for Swedish missions abroad
Personal data is every type of information that can directly or indirectly be linked to a living natural person. If a registered piece of information reveals in any way, or makes it possible to find out, who the information is about, this is personal data. Examples of personal data include names, addresses, personal identity numbers, photographs and video clips.
There are many laws and ordinances containing rules on the processing of personal data. Common to these rules is that they aim to protect people from their personal privacy being violated when personal data is processed. ‘Processing personal data’ essentially refers to everything that can be done with such data. This may include collecting, registering, storing, aligning or printing data. A person who processes personal data is either the personal data controller or the personal data processor.
Our personal data processing
Missions abroad are entitled to process the personal data that is necessary to fulfil the official duties entrusted to them by the Riksdag and the Government. Missions abroad also process personal data when someone:
Responsibility for personal data
Every mission abroad is the personal data controller for the processing of data that takes place as part of the mission’s activities, unless otherwise prescribed. As personal data controller, the mission must ensure that all personal data processing takes place in accordance with the applicable legislation.
Legal basis for processing personal data
To process personal data, there must be support for this in the applicable data protection regulations, the ‘legal basis’. For missions’ processing to be legal, it must be necessary to fulfil an agreement or legal obligation, or to complete a task of public interest, or as part of the exercise of public authority. In some cases, personal data may also be processed if the person in question has consented to this or the processing is necessary to protect interests that are of fundamental importance to the registered person or another natural person.
All categories of processing carried out within the scope of activities must be contained in a register at the mission abroad. This enables the mission to systematically check that processing has a legal basis. Each mission abroad is responsible for keeping the register up-to-date. For access to the register, contact either the relevant mission or the data protection officer for the missions abroad. The contact details are provided at the bottom of the last page of this document.
More information about the collection and processing of personal data
Missions abroad only collect personal data that is necessary for the purposes of the processing. The data will not subsequently be processed in a way that is not compatible with these purposes.
Personal data of employees and contractors
As employers, missions abroad are permitted by law to process the personal data of employees and contractors to the extent necessary to fulfil their obligations under the employment agreement or contract.
Personal data of local job applicants and interns
The personal data of local job applicants and interns will only be used by the mission abroad for recruitment purposes and statistical follow-up. The data can only be accessed by people who work on recruitment.
Personal data for orders of information material, newsletters, subscriptions and registration to events and conferences
Personal data (name, address and email) submitted in connection with a subscription or an order of information material is stored only for as long as the subscription lasts or as long as it takes to send the mailout or order. The subscriber can cancel their subscription at any time. The mission abroad will then delete the personal data.
Personal data (title, name, address, telephone number and email) submitted in connection with registration to conferences and other events is stored only for as long as is necessary for the administration of the conference or event.
Periods of retention
Personal data is regularly cleaned up, culled and de-identified. The personal data collected by missions abroad is processed for varying purposes. The data is therefore stored for varying periods of time, depending on what it will be used for and what obligations apply under law.
The principle of public access to official documents
Missions abroad are central government agencies. Communications that are sent to missions abroad become official documents and may in future be released in accordance with the principle of public access to official documents. Official documents containing personal data may be released to journalists and private individuals who request to access them. In some cases, data is subject to secrecy and cannot therefore be released.
The missions abroad may also release personal data to other government agencies. This may happen, for example, if the other agency needs to access the data in connection with the exercise of public authority or other official duties.
Personal data processors
Personal data may also be released to contracting partners or IT suppliers. A number of different IT services and IT systems are used in the activities of missions abroad. Some systems are locally installed at missions abroad and it is only mission staff who have access to the personal data they contain. In these cases, no personal data is transferred to third parties.
Other systems are installed at the supplier’s premises or in cloud solutions and personal data is then transferred to the supplier. In these cases, the supplier is the personal data processor and processes personal data on behalf of the mission abroad and in line with the mission’s instructions.
Technical and organisational measures are taken to ensure that all information processed by missions abroad is protected from unauthorised access, changes or destruction.
All development of systems, services and activities takes place with respect for personal privacy and taking account of the data protection legislation.
Missions abroad are responsible for ensuring that your personal data is processed in accordance with the applicable legislation.
Missions abroad will – at your request or of its own initiative – correct or supplement personal data that is discovered to be incorrect, incomplete or misleading.
In some cases, you are entitled to have your personal data deleted. This means that you have the right to request that your personal data be removed if it is no longer needed for the purposes for which it was collected. However, there may be legal requirements that do not allow a mission abroad to delete your personal data immediately. The mission abroad will then cease processing that is for purposes other than following the legislation.
You are always entitled to present any complaints concerning a mission’s processing of your personal data. You can either contact the mission abroad directly or contact the data protection officer. You can also lodge a complaint with the Swedish Data Protection Authority.
Request for extracts from records and corrections
You have the right, following an application for which there is no charge, to receive information about which personal data a mission abroad registers and processes about you. Contact the mission in writing, stating your name, personal identity number, postal address, telephone number and email address (which is used in communications with the relevant mission abroad). The excerpt is normally sent to the postal address you have provided, or otherwise to your registered address in Sweden, if you have one.
You can contact the embassy with an email: firstname.lastname@example.org