The Public Health Agency of Sweden
Published 10 September 2018

Processing of personal data

It is important to respect personal privacy and for your personal data to be processed correctly. For this reason we would like to inform you about how we process the personal data for which our Agency is the Controller so that those persons registered with us can exercise their rights. This processing is governed by the new General Data Protection Regulation (GDPR) which applies throughout the EU.

The following information does not encompass personal data processed as part of purely administrative activities conducted by the Public Health Agency of Sweden.

Personal data is all kinds of information that can be directly or indirectly linked to a living natural person. Examples of personal data are name, personal identity (ID) number, postal address and email address.

The Public Health Agency of Sweden does not sell any personal data to any other party.

Responsibility for personal data

The Public Health Agency of Sweden is the Controller for the processing of personal data about which the Agency has made a decision regarding purpose and means. For example, the Public Health Agency of Sweden processes personal data as part of the Agency's case management, when dealing with questions and for the administration of courses and subscriptions.

The principle of public access to official records

The Public Health Agency of Sweden is a public authority. The communications sent to the Public Health Agency of Sweden consequently generally become official documents that are logged, registered and, upon request, will be disclosed unless the data is subject to secrecy. In other words, personal data may be disclosed in accordance with the principle of public access to official records. The Public Health Agency of Sweden is not entitled to inquire about the party to whom the data is being disclosed unless this is essential to be able to assess secrecy.

The processing of personal data required under the Public Access to Information and Secrecy Act, archive legislation and the Administrative Procedure Act for the correct processing of the Agency's official documents, and that is carried out on the basis of the EU's General Data Protection Regulation, is deemed necessary for reasons of substantial public interest.

We process personal data in the following way

Enquiries

The Public Health Agency of Sweden processes data to communicate with those who make an enquiry and to process the matter. The legal basis for this processing is 'a task carried out in the public interest'.

Supervision

The Public Health Agency of Sweden processes data about an intended contact person for the object of supervision. This data is used to communicate with the object of supervision and investigate the matter. The processing is an essential part of the exercise of official authority by the Public Health Agency of Sweden.

Processing of licence/permit applications

The Public Health Agency of Sweden processes personal data about contact persons for those applying for the permit/licence in question and also personal data about individuals whose expertise and prudence are to be considered and also their referees. This data is processed to deal with the matter and inform the general public about existing licence/permit holders. The processing is an essential part of the exercise of official authority by the Public Health Agency of Sweden.

Collaboration

The Public Health Agency of Sweden processes contact details for the person who is a contact person for the collaboration matter. The legal basis for this processing is 'a task carried out in the public interest'.

Orders of information material

The Public Health Agency of Sweden processes personal data in conjunction with orders of products from the Agency's order service. The processing is carried out to administer the order and the legal basis is 'to perform the contract concluded in conjunction with the order'.

Applications for courses, training, conferences and other events arranged by the Agency

When you apply for an event under our auspices, such as conferences, network meetings, meetings, training, etc., your data (such as name, title, organisation and email address) will be added to a list of participants. This list is distributed to those participating in the event for which you have applied in writing or digitally. The list of participants is also entered into our conference app if the app is being used for the event. The list of participants may also be logged. Data that you have provided about, for example, allergies, need of assistive aids, special diets, etc., is only processed internally and directly with those parties we engage for the event in order to be able to meet your needs, and the data is not saved for longer than necessary.

The legal basis for the administration of course applications is 'to perform the contract concluded in conjunction with the application'. The legal basis for the processing performed in conjunction with the follow-up is 'to perform a task carried out in the public interest'.

Subscriptions for press releases and newsletters

The Public Health Agency of Sweden processes personal data in conjunction with applications to subscribe for the Agency's press releases and newsletters. This processing is carried out to enable the Public Health Agency of Sweden to administer the subscription and send out the information. The legal basis is 'to perform the contract concluded in conjunction with the application as a subscriber'.

Job applications

The Public Health Agency of Sweden processes personal data in conjunction with job applications submitted to the Public Health Agency of Sweden. The personal data is processed to enable the Public Health Agency of Sweden to administer the applications and fill the post. The processing for filling the post is performed as part of the exercise of official authority by the Public Health Agency of Sweden and other processing 'to perform a task carried out in the public interest'.

Categories of personal data processed

The categories of personal data processed are the name and contact details of individuals who contact the Agency. If the matter essentially relates to an organisation of some kind and a contact person has been appointed for the organisation, the name and contact details of the contact person are processed. Matters registered are given a registration number.

Other kinds of personal data often appear in documents and messages submitted to the Public Health Agency of Sweden. This data is only processed through the document being added to the matter in question. The data is not specially registered and the data in the document submitted is not made searchable.

Processing of sensitive personal data received by the Agency

Sensitive personal data is sometimes sent to the Agency. This data is processed to enable the matter to be processed; however, the data is only processed through the document being added to the matter in question. The data is not specially registered and the data in the document submitted is not made searchable. The legal basis for the processing of sensitive personal data is 'a substantial public interest'.

Research

The Public Health Agency of Sweden conducts research projects within the framework of its assignment. This may mean that the Public Health Agency of Sweden compiles information from health and social care services that includes personal data, from other filing systems or directly from individuals via surveys. The basis of this processing is to enable the performance of a task carried out in the public interest.

Those who can access the data

The data is accessed by employees of the Public Health Agency of Sweden who need it to perform their work tasks.

Besides the disclosures of personal data that the Public Health Agency of Sweden needs to make as a consequence of the principle of public access to official records (see above under the heading 'The principle of public access to official records'), the Public Health Agency of Sweden sometimes uses processors. The processors engaged may only process personal data in accordance with the purposes and instructions provided by the Public Health Agency of Sweden for the processing. The processor and those acting under the leadership of the processor may also never have access to more data than is required to perform the task encompassed by the contract with the Public Health Agency of Sweden. A 'processor agreement' is drawn up when personal data is to be processed by a processor.

Period for which personal data will be stored

Because the Agency is a governmental authority, the point of departure according to archiving legislation is that it should preserve official documents. The Public Health Agency of Sweden complies with these rules relating to the preservation and thinning out of official documents in accordance with applicable thinning out rules and decisions. Personal data that is not included in an official document is only saved for as long as necessary for the purposes for which it is being processed.

Application documents that do not refer to the person who has been appointed or a person who has appealed an appointment decision are thinned out two years after the appointment decision has entered into final legal force.

Documents of minor or temporary importance are generally thinned out immediately or no later than after two months.

Personal data about subscribers is erased when the subscription has ceased.

Your rights as the data subject

You have several rights as a data subject. You can contact the Agency's Data Protection Officer by email if you, as a data subject of the Public Health Agency of Sweden, want to exercise your rights or have any questions relating to the Agency's processing of your personal data.

Right of access

You can ask to have information about whether the Public Health Agency of Sweden processes personal data relating to you and, if so, a copy of this – a 'register extract' – together with certain more detailed information. You can only request information about your own personal data and the information will be sent to your population register address. If the data involves secrecy, it may need to be sent by registered letter. The application must be a signed original. It is not possible to submit a power of attorney to ask for information relating to you.

Right to rectification

You can ask to have personal data relating to you rectified or completed if you consider that the data is incorrect or incomplete.

Right to object

When the Public Health Agency of Sweden processes personal data within the framework of its exercise of public authority or to be able to perform other work tasks of public interest, you are entitled to object to the processing at any time. The Public Health Agency of Sweden must stop the processing if the Public Health Agency of Sweden cannot demonstrate that there are compelling, legitimate grounds to continue processing the data.

Right to restriction of processing

You sometimes have the opportunity to require restriction of the processing of your personal data, for example if you have objected to the processing. By requesting restriction you have, in any event for a certain period, the opportunity to stop the Public Health Agency of Sweden from using the data other than to, for example, defend legal claims. You can also prevent the Agency from erasing the data, for example, if you need the data to claim damages.

Right to erasure ('right to be forgotten')

You can sometimes have your personal data erased. The Public Health Agency of Sweden does not have the option to erase your personal data when this data is required to enable the Public Health Agency of Sweden to perform its assignment or the data is part of an official document.

Right to data portability

If the Public Health Agency of Sweden processes personal data about you to perform a contract, you sometimes have the possibility of receiving personal data relating to you in order to use this elsewhere, for example to transfer the data to another controller.

Complaints

You are entitled to file a complaint with the Swedish Data Protection Authority about the way the Public Health Agency of Sweden is processing your personal data.