Responsibility personal data
The Swedish Institute of Space Physics (org. No. 202100-3567) is data controller for the processing of personal data and is responsible for ensuring that personal data is processed in accordance with current legislation. For example, the Swedish Institute for Space Physics (IRF) processes personal data in the institute’s research work, in handling questions and in administering courses and seminars. On our web site we process personal data to a small extent.
Personal data is any information that relates to an identified or identifiable physical person. It is crucial that the piece of information, on its own or in combination with other pieces of information, can be associated with a living person. Typical personal information is social security number, name and address.
Pictures of, and audio recordings of, people can be personal data if the people can be identified. Even information that has been encoded, encrypted or made anonymous but which can be attributed to a physical person by means of supplementary information is personal data.
Processing of personal data is any form of use of personal data, e.g. collection, registration and storage.
The principle of public access to official documents
The Swedish Institute of Space Physics is a governmental research institute. Documents and messages that are sent to IRF are therefore, as a general rule, public documents that are registered. If your personal information is in a public document, it may be disclosed to the public or mass media in accordance with the Public Access to Information and Secrecy Act.
Before a document is released, a confidentiality test is always carried out to determine whether the information should be classified as confidential or not. As long as it has no particular significance for the confidentiality assessment, IRF has no right to investigate to whom the information is disclosed.
The processing of personal data required by the Public Access to Information and Secrecy Act, archival legislation and the Administrative Procedure Act for the proper handling of the institute’s public documents, and is carried out under the EU’s General Data Protection Regulation (GDPR), is considered necessary with regard to an important public interest.
Collection and processing of personal data
IRF only collects and processes personal data relevant to the stated purposes of the registers in which they are kept.
How we process personal data
Our processing of personal data must be supported by current data protection regulations. This means that in order for IRF’s processing of personal data to be legal, one or more of the following must apply:
• the processing is necessary to fulfill an agreement with the person registered,
• the person registered has given his/her consent,
• the processing of personal data is carried out to fulfill legal obligations,
• it is necessary to protect interests that are of fundamental importance to the person registered or to another physical person and finally
• the processing is necessary to carry out a task of general interest or the exercise of public authority.
All types of data processing should be in a single list. This means that IRF can systematically verify that the different types of data processing have a legal basis.
IRF processes information to communicate with the person submitting an inquiry and to handle the case. The legal basis for the treatment is information of general interest.
Research and development
IRF conducts research and development work in space physics and atmospheric research as well as development in space technology. The legal basis for processing personal data in a research and development context is to carry out a task of general interest.
IRF processes personal data in connection with ordering publications and data. Processing takes place to administer the order and the legal basis is to fulfill the agreement entered into in connection with the order.
Registration for courses, education, conferences and other events organised by the institute
IRF processes personal data in connection with registration for the event. The processing is done to administer the course registration and to follow up the institute’s events. When you register for events which we organise, such as conferences, seminars, meetings, courses, etc., your information such as name, title, organisation and email address is included in a list of participants.
The legal basis for the administration of registration for the event is to fulfill the agreement entered into in connection with the registration. The legal basis for the processing that occurs in connection with the follow-up is to perform a task of general interest.
Processing of personal data concerning employees and contractors
As an employer, IRF may legally process personal data concerning employees and contractors to the extent necessary to fulfill the employment or contract for services.
IRF processes personal data when an application for employment is submitted to IRF. The personal data is processed in order for the IRF to be able to administer the applications and fill the position. The data is used only for recruitment purposes and for statistical follow-up. The personal data of the person who fills the position is retained.
The processing of personal data while filling the position takes place as part of IRF’s exercise of public authority and other processing is to perform a task of general interest.
Visitors to our web site
When you visit our web site, we store anonymous information about your visit. For example, we gather statistics on the type of device and which browser our visitors use and which pages they visit. The information is stored using so-called cookies. You can read more about what cookies we use here [link].
Categories of personal data which are processed
The categories of personal data that are processed are names and contact details of individuals who have contacted the institute. If the case is basically an organisation of some kind and a contact person has been appointed for the organisation, the name and contact details of the contact person are processed. Cases that are registered will receive a reference number.
Documents and messages sent to IRF may contain other types of personal data. This information is handled only by adding the document to the case in question. The information is not recorded separately and the information in the document we have received is not made searchable.
Handling of sensitive data that comes to the institute
Sometimes sensitive personal information is sent to the institute. This personal data is processed in order for the case to be acted upon, but the data is processed solely by adding the document to the current case. The information is not recorded separately and the information in the document we have received is not made searchable.
The legal basis for the processing of sensitive personal data is important general interest.
Transfer to other countries
IRF does not transfer personal data to any country outside the EU or EEA.
Those who can access the information
The employees at IRF who will have access to the information need it to perform their duties.
In addition to the disclosure of personal data that IRF needs to make as to comply with the principle of public access to official documents, IRF sometimes uses processors. The processors employed may only process personal data in accordance with the purposes and instructions provided by IRF.
Furthermore, the processor and those acting under the direction of the processor never receive more information than is required for the performance of the service covered by the contract with IRF. When personal data is to be processed by a processor, a so-called personal data assistant agreement is drawn up.
As a government authority, archival legislation requires us to preserve public documents. IRF complies with these rules on preservation and only disposes of public documents in accordance with applicable record retention and disposal rules. Personal data that is not part of a public document is stored only as long as is necessary for the purposes for which they are processed.
Personal data concerning employees is erased shortly after termination of employment. This applies, for example, to the employee’s e-mail account or information about employees on web pages. It may be necessary to preserve other personal data for a longer period of time, for example information that is necessary for the payment of pensions.
Employment application documents from those other than the person who was appointed to the position or anyone who appealed against the appointment decision are disposed of two years after the employment decision gained legal force.
Documents of minor or temporary importance are usually disposed of immediately or at the latest after two months.
IRF takes technical and organisational measures to ensure that all information processed by IRF is protected from unauthorized access, alteration and destruction.
All development of our systems, services and other operations takes place with due respect for personal integrity and taking into account data protection legislation.
Your rights as registered
IRF is responsible for ensuring that your personal data is processed in accordance with current legislation. As registered, you have several rights. If you are registered by IRF and wish to exercise your rights or have questions regarding the IRF’s processing of your personal data, you can contact the institute’s Data Protection Officer, e-mail firstname.lastname@example.org
Right of access
You are entitled to apply, free of charge, to receive information about the personal data about you that IRF records and processes in its registers. Contact us in writing (letter or e-mail) and supply your name, social security number, postal address, telephone number and e-mail address (that you have used in communication with IRF). The excerpt will be sent to your officially registered address.
Right to correction
If you believe that the personal information that concerns you is incorrect or incomplete, you may request that the information be corrected or supplemented.
Right to object
When IRF processes personal data within the scope of its exercise of public authority or to be able to perform other duties of general interest, you have the right at any time to object to the processing of your personal data. If IRF cannot demonstrate that there are compelling, justifiable reasons for continuing to process the data, IRF must discontinue the processing.
Right to restriction of processing
In some cases, for example if you have objected to the processing, you have the possibility to demand restriction to the processing of your personal data. By requesting a restriction you have the possibility of, at least for a certain period of time, preventing IRF from using the information other than to, for example, defend legal claims.
You can also prevent the IRF from deleting the data, for example if you need the data to claim damages.
Right to delete (“the right to be forgotten”)
You may in some cases have your personal data deleted. When your personal data is needed for IRF to fulfill its duties or if they appear in a public document, IRF has no possibility of deleting the data.
Right to data portability
If IRF processes personal data about you to fulfill a contract, you may in some cases be able to obtain personal data relating to you to use elsewhere, for example to transfer the data to another data controller.
Comments on IRF’s processing of your personal data?
You have the right to submit any complaints regarding the processing of your personal data to The Swedish Data Protection Authority (DPA