How we process your personal data
From 25 May, a new General Data Protection Regulation (GDPR) will apply in all EU countries. In Sweden, it will replace the Personal Data Act (PUL). In practice, protection of your personal data will be reinforced, as well as your right to know what it is used for and how it is processed by this government agency as well as other organisations and businesses.
The county administrative board may need to collect, receive or by other means process your personal data. Personal data is any type of information directly or indirectly attributable to a physical person who is alive. All handling of personal data, such as storing, deleting, distributing and copying, constitute personal data processing.
If you have a case registered with the county administrative board, have your name on a voting slip, are on the board of a foundation or are active in an area in which we exercise supervision, we will process your personal data. The same thing applies if you, for example, attend a conference organised by us or if you appear in a video or photo for our social media channels, websites, etcetera.
Processing of personal data must have a legal basis
All handling of personal data must have a legal basis. The county administrative board is active in a large number of legal areas, which is why it is not possible to define the legal grounds for each individual instant of data processing performed here on the website. If you want to know more about which of your personal data we process, please contact the appropriate county administrative board or the Swedish County Administrative Boards’ common organisation for data protection, NOD.
The county administrative boards are joint controllers
All 21 county administrative boards across the country have a common IT organisation, and in a number of respects we also have shared systems. The county administrative boards are thus joint controllers with respect to the new General Data Protection Regulation (GDPR). The country administrative boards are also joint controllers together with other government agencies.
Legislation requires a structure, and it should be clear to the data subject how responsibility is apportioned between the county administrative boards and other government agencies; i.e., who is responsible for ensuring your personal data is processed lawfully, securely and fairly.
The country administrative boards’ data protection officer
As the county administrative boards have similar tasks, the government agencies have chosen to have a common organisation (called “NOD”) for data protection and GDPR. One requirement of GDPR is that the government agency must appoint a data protection officer and notify the Swedish Data Protection Authority, which is the supervisory authority.
The county administrative boards have two data protection officers and their role is to monitor compliance of GDPR, provide advice and support, help you as a data subject and act as a point of contact for the Swedish Data Protection Authority.
If you have any questions or opinions on how the county administrative board processes your personal data, please contact the data protection officer via e-mail.
Each individual has ownership of their own personal data. Therefore, as an individual, you have certain rights which the county administrative board is obliged to observe under certain circumstances. In accordance with the data protection legislation, you have the following rights which you can refer to. In order to invoke your rights, you can contact the data protection officer.
Pursuant to GDPR, you always have the right to receive information about what type of personal data the county administrative has registered concerning you.
If you submit a request via email@example.com we will send you an excerpt from the register. The excerpt will contain the personal data we process which concerns you and a text describing how we process personal data. It will normally take up to one month before a register excerpt can be sent to you.
If you consider any personal data relating to you to be inaccurate or misleading, you can request that it be rectified or, in some cases, used in a more restrictive manner. In such cases, please contact the data protection officer and explain what you consider to be inaccurate and why.
You do not have the right to have your personal data erased if, for example, the county administrative board:
Needs to process your personal data in order to perform a duty in the public interest, within the scope of a contractual relationship with you, as part of exercising public authority, for archival purposes, in order to exercise the right to freedom of speech and freedom of information, to fulfil a legal obligation or to defend legal claims.
You have the right to request the erasure of your personal data which is stored by the county administrative board if at least one of the following conditions is fulfilled:
- the data is no longer required for the purposes for which it was collected
- the processing is based on consent and you revoke your consent
- the processing is for direct marketing purposes and you object to the data being processed for such purposes
- you object to personal data processing which takes place within the scope of exercising public authority or following a balancing of interests and there are no legitimate reasons which outweigh your interests
- the personal data has been processed unlawfully
- erasure is required in order to fulfil a legal obligation
- the personal data has been collected in connection with offering information society services (e-services, social media).
Under certain circumstances you have the right to obtain your personal data in a general, structured and machine-readable format and to have them transferred to another organisation (where technically possible) if the processing is based on consent or an agreement and is automated (using IT resources). This right is not applicable if the government agency’s processing is necessary in order to perform a duty in the public interest or constitutes part of exercising public authority. Please contact our data protection officer for further information.
You have the right to object to the county administrative board’s processing of your personal data and to submit complaints to the Data Protection Authority. You can at any time object to direct marketing, whereby the county administrative board will cease direct marketing. An objection may not, however, affect the principle of public access to official documents, and other parties may still use your information for marketing.
Each county administrative board acts as controller for their specific activities.
In order for the county administrative boards to offer their services and fulfil their commitments to you, we need to process your personal data. Throughout the process of handling your personal data, we safeguard your privacy.
We will only keep your personal data if there is a reason for retaining this information. Personal data processed by a county administrative board is normally part of an “official document”. In order to determine whether or not an official document is to be kept or destroyed, an assessment of the information must be performed. This assessment takes into account:
- the importance of the information to the organisation
- the public right to transparency
- the long-term significance of the information for future research
The fundamental provisions on storing and destroying information can be found in Chapter 2, Section 18 of the Freedom of the Press Act and in the Archives Act. The county administrative board is also obligated to retain personal data as required by various statutes such as the Foundations Act and the Bookkeeping Act.
Your personal data is only accessible by people who need it in order to perform their duties. According to the principle of public access to official documents, which is part of one of Sweden’s fundamental laws, the public has the right to access documents which are not subject to confidentiality. As your personal data may be part of official documents, this means that other persons and media or marketing companies have the right to see these documents provided that their purposes are not in breach of data protection legislation and that the documents are not otherwise subject to confidentiality pursuant to the Public Access to Information and Secrecy Act.
The county administrative board may also need to provide necessary information to government agencies such as the Police Authority, the Swedish Tax Agency or other government agencies if we are required to do so by law.
The county administrative board always endeavours to process your personal data within the European Union/European Economic Area (EU/EEA). In certain situations, however, the data may be transferred to and processed in countries outside of the EU/EEA, as some of our suppliers or subcontractors are international organisations, such as Microsoft and Google.
The county administrative board will take all reasonable legal, technical and organisational measures to ensure that your personal data is handled securely and with an appropriate level of protection, both within and outside of the EU/EEA. If you would like to know whether your personal data has been transferred outside of the EU/EEA – and if so, where to – please contact our data protection officer.