About the Data Protection Regulation
The General Data Protection Regulation (GDPR) is an EU regulation that replaced the Swedish Personal Data Act PUL on 25 May 2018. This means that the requirements on how personal data may be processed have been strengthened.
Personal data is any kind of information that can be directly or indirectly linked to a living person. Examples of personal data are name, personal identity number, address and e-mail address. The Data Protection Regulation specifies several lawful grounds. At least one lawful ground in required for the processing of personal data to be legal. The lawful grounds are:
- Consent: Provided that the approval is voluntarily through a statement or unequivocal affirmative action, and that the consent can be revoked.
- Contract: Provided that the processing of data is necessary to fulfill a contract with the individual, for example a purchase.
- Legal obligation: Provided that processing of data is necessary in order to comply with legal requirements.
- Fundamental interest: Provided that the processing of data is necessary to protect interests that are of fundamental importance, such as an emergency when the person cannot give consent.
- Exercise of official authority or task in the public interest: Provided that the processing of data is supported by law and is necessary in order to be able to carry out a task of public interest, or as part of the exercise of official authority, for example registration and filing of public documents.
- Weighing of interests: Provided that the processing is necessary and the registered interest in the protection of personal data does not weigh more heavily.
Read more about the legal grounds and other information about the Data Protection Regulation on the Swedish Authority for Privacy Protection’s website.
SBU's personal data processing
SBU is a government agency. This means that documents you send to us becomes a public document that in many cases is registered and archived in a digital system. Public documents can be requested from SBU according to the principle of public access to official documents.
SBU respects your personal privacy and processes your personal data in compliance with the General Data Protection Regulation, GDPR. SBU does not sell any personal data to third parties. We do not collect any personal data about you without first contacting you directly. SBU does not have access to any patient records. We do not transmit any personal data to third countries. We do however use social media and those companies are based in third country.
SBU is responsible for ensuring that the personal data we process is protected by appropriate technical and organizational measures such as authorization, encryption and backup. The security aspects include a classification of the accessibility, accuracy, traceability and confidentiality of the data. The classification ensure a level of security that is appropriate in relation to threats to the data.
We process your personal data:
When you contact SBU by mail, e-mail or via forms on our website
When you send an e-mail to SBU, the personal data that you enter yourself is processed, such as your name and e-mail address. Your e-mail and your contact details may be stored and archived in our digital system. Documents of minor importance are saved for two years, while important documents are saved for all future. The lawful ground is Public interest, since the handling of public documents is part of the public service obligation.
When you sign up to receive our newsletter or journal Science & Practice
We save your name, your e-mail address and your address in our digital system so that we can send you the newsletter or magazine. You can cancel your subscription at any time. We will then erase your personal data. The lawful ground is Public interest since the newsletter aims to inform you about SBU's activities.
When ordering a report or publication of SBU
Your name and address are stored in our digital system for one year when you order something. If you buy a report from SBU, we also process card or account information in order to invoice the purchase. Financial data is stored for up to seven years according to other legislation. The lawful ground is Contract when it is a purchase and the data is necessary to make the purchase.
When you visit and use SBU's channels in social media
SBU has accounts with LinkedIn, YouTube, Twitter and Facebook. These companies can store data about you. SBU does not have access to statistics that can be tracked to an individual. However, your profile is visible if you comment or share SBU's posts. Your posts in our channels are public documents. The lawful ground is Public interest since the handling of public documents is part of the public service obligation.
When you participate in SBU's trainings, conferences and events
The lawful ground for the administration of the registration is to fulfill the contract.
SBU saves participant lists as the public has the right to access information about SBU. However, the participant lists may not contain more personal data than is required, which usually is name, email address, organization and job title. The lawful ground is Public interest since the handling of public documents is part of the public service obligation.
Sometimes SBU send out a survey to the participants after the event so that we can evaluate and follow up the event. All individual responses are anonymous. The lawful ground is Public interest as this is part of the public service obligation.
Sometimes SBU is filming or photographing at events. The images are published on social media as well as our website and saved in a digital system. We always inform you when we film or take pictures, so you can object. We apply the lawful ground Public interest because it is part of our mission to inform about our business. If you identify yourself on an image or in a film and wish to exercise your rights for example request that it be erased, you can contact us. See contact details below.
When you visit our site
When you visit our website, your IP address is logged. This data is used only for our visitor statistics. The lawful ground is Public interest.
When you answer one of SBU's surveys
Individual survey responses are anonymized. Your IP address can be a personal data if it can be linked to an individual user. Individual questionnaires that belong to practice surveys are erased after ten years, while questionnaires of minor importance are erased after two years. The lawful ground is Public interest because the handling of public documents is part of the public service obligation.
When you apply for a job
We save all application documents for two years. The lawful ground is Public interest.
When you participate in one of SBU's projects
We register your name, your address, your social security number and your account number in our financial system. This is necessary partly for us to be able to fulfill our part of the contract and pay your fees. According to the law, we must also save receipts, travel bills and other invoice documents for seven years. The lawful grounds are Contract and Legal Obligation.
We keep records and archive contracts, declarations of indifference and important correspondence. These documents are preserved for all time, as they are public documents. The lawful ground is Public interest since the handling of public documents is part of the public service obligation.
During the project, your user information is included in our digital system so that you can log in and use the tool. Your e-mail address is stored in our e-mail system so that we can contact you during the project. The lawful ground is Public interest. E-mails of a minor importance are stored on our server, in a digital system or in our e-mail system, as these are public documents. Such documents are erased two years after the end of the project. The lawful ground is Public interest.
For security reasons you need to register when you visit us. Your name is stored in the digital system for two months. The lawful ground is Public interest.
We will also send you a questionnaire after the project is completed. Individual responses are always anonymized. The IP address is personal data if it can be linked to an individual user. The lawful ground is Public interest.
Sometimes SBU is filming or photographing the project group. The images and films are published on social media and our website and saved in a digital system. We always inform you when we film or takes pictures, so you can object. The lawful ground is Public interest because part of the public service obligation to inform the public about SBU. If you identify yourself on an image or a film and wish to exercise your rights and for example, request that it be erased, you can contact us. See contact details below.
You have the right to have your personal data erased if they are not public documents. General acts of minor importance are generally erased after two years. Public documents of importance, however, are preserved for all future in accordance with the legislation governing public documents and filing.
You have the right to request that SBU rectify or erase personal data that we process about you. You have the right to request that the processing of your personal data be limited, as well as the right to object to the processing of your personal data.
You have the right to receive, free of charge, information about which of your personal data that SBU processes, where the data has been collected and for what purpose, what the data has been used for, and to whom the data has been shared. You can only request information about your own personal data and the information is sent to your address. If the data contains classified information, it may need to be sent by registered mail.
Fill out an application if you would like information about what personal data that we process about you. Send the application to:
Data Protection Officer
102 33 Stockholm
We will respond to your application within one month.
SBU is responsible for the processing of personal data. If you have questions about the data controller, you can contact email@example.com
If you wish to lodge a complaint regarding SBU's personal data processing about you, contact the Swedish Authority for Privacy Protection.