How the Public Health Agency of Sweden processes personal data

This information is intended to provide comprehensive information on the processing of personal data for which the Public Health Agency of Sweden is responsible in accordance with the General Data Protection Regulation (GDPR).

The purpose of the information is also to provide information to those on whom the Public Health Agency of Sweden processes personal data (registered), so that they can exercise their rights.

What is personal data?

Personal data is any kind of information that can be directly or indirectly linked to a living natural person. Examples of personal data are name, social security number, postal address and email address.

More about the meaning of personal data (imy.se) (in Swedish)

What is processing of personal data?

Processing of personal data refers to all processing of personal data, regardless of whether it is carried out electronically or not. This may include, for example, collecting, registering, storing, interacting, or printing the data.

Data Controller

The Public Health Agency of Sweden is the data controller for the processing of personal data for which the agency determines the purposes and means.

The principle of public access to official documents

The Public Health Agency of Sweden is a government agency and this means that messages sent to the agency as a general rule become public documents that are recorded, registered and that, upon request, will be disclosed if the information is not covered by confidentiality. In other words, personal data may be disclosed in accordance with the principle of public access to official documents.

Categories of personal data that are processed

The categories of personal data processed are the names and contact details of individuals who have turned to the agency. If the matter basically concerns an organisation of some kind and a contact person has been appointed for the organisation, the name and contact details of the contact person are processed. Cases that are registered receive a reference number.

In documents and messages submitted to the Public Health Agency of Sweden, other types of personal data often appear. These details are only processed by the document being added to the case in question. The data is not specifically registered and the information in the document received is not made searchable.

How we process personal data

Email

The Public Health Agency of Sweden cooperates with many actors and processes data linked to this, most often by email. It includes name, contact details, and information linked to a person's profession.

The legal basis for this in the GDPR is what is known as public interest. The national legal basis can be found in our regulation or in specific government assignments.

If necessary, the data can be shared with other actors and suppliers, if this is necessary for the cooperation.

Enquiries

The Public Health Agency of Sweden processes data to communicate with the person submitting an enquiry and to process the case. The legal basis for the processing is data that is of public interest.

Supervision

The Public Health Agency of Sweden processes data about the designated contact person for the supervised object. The data is used to communicate with the supervised object and investigate the matter. The processing is an essential part of the Public Health Agency of Sweden’s exercise of official authority.

Processing of permit applications

The Public Health Agency of Sweden processes personal data about the contact person of the person applying for the permit in question as well as personal data about individuals whose expertise and judgement are to be examined and referees to this person. The data is processed in order to handle the case and inform the public about existing permit holders. The processing is an essential part of the Public Health Agency of Sweden’s exercise of official authority.

Collaboration

The Public Health Agency of Sweden processes contact information for the person who is the contact person for the collaboration case. The legal basis for the processing is data that is of public interest.

Ordering of information material

The Public Health Agency of Sweden processes personal data in connection with ordering products from the agency's ordering service. The processing is carried out to administer the order and the legal basis is to fulfill the agreement entered into in connection with the order.

Registration for courses, training programmes, conferences and other events organised by the authority

When you register for events arranged by us, such as conferences, networking meetings, meetings, trainings, etc., your data such as; name, title, organisation and email address are added to a participant list. The list is distributed to the participants of the event you have registered for in written and/or digital form. The list of participants is also added to our conference app in cases where the app is used for the event. The list of participants may also be registered. Information that you have provided about, for example, allergies, need for special aids, special diets, etc. is only processed internally and directly with the parties we hire for the event, in order to meet your needs and the data is not saved longer than necessary.

The legal basis for the administration of the course registration is to fulfill the agreement that has been entered in connection with the registration. The legal basis for the processing that takes place in connection with the follow-up is to carry out a task that is of public interest.

E-learning

In order to administer e-learning, we process the personal data name and e-mail. The data is stored as long as you are registered. The legal basis is to fulfil the contract entered into in connection with your registration under Article 6(1)(b) of the General Data Protection Regulation.

Subscription for press releases and newsletters

The Public Health Agency of Sweden processes personal data in connection with you registering for a subscription to the agency's press releases and newsletters. The processing takes place in order for the Public Health Agency of Sweden to be able to administer the subscription and send out the information. The legal basis is to fulfill the agreement entered into in connection with you registering as a subscriber.

Job application

The Public Health Agency of Sweden processes personal data in connection with a job application; service or consulting assignments are submitted to the Public Health Agency of Sweden. The personal data is processed in order for the Public Health Agency of Sweden to be able to administer the applications and fill the position or consulting assignment. The processing for the appointment of the position is carried out as part of the Public Health Agency of Sweden’s exercise of public authority and other processing to perform a task that is of public interest.

Processing of sensitive personal data that is sent to the authority

Sensitive personal data is sometimes sent to the authority. This data is processed in order for the case to be administered, however, the data is administered only by entering the document into the case in question. The data is not specifically registered and the data in the submitted document is not made searchable. The legal basis for the processing of sensitive personal data is substantial public interest.

More about sensitive personal data (imy.se) (in Swedish)

Research and Surveys

Within the framework of its assignment, the Public Health Agency of Sweden conducts research projects and surveys. This may mean that the Public Health Agency of Sweden collects information from healthcare that includes personal data, from other registries or directly from individual people via surveys, sometimes in combination. The basis for the processing is that tasks of public interest can be carried out.

Those who can access the data

As a starting point, personal data is only processed by the Public Health Agency of Sweden. The employees at the Public Health Agency of Sweden who will have access to the data need the data to perform their work duties.

In addition to the disclosures of personal data that the Public Health Agency of Sweden needs to make as a result of the principle of public access to official documents (see above under the heading Principle of public access to official documents), the Public Health Agency of Sweden in some cases uses personal data processors. The personal data processors that are engaged may only process personal data in accordance with the purposes and instructions provided by the Public Health Agency of Sweden for the processing. Furthermore, the processor and those who act under the leadership of the processor may never have access to more data than is required to perform the service covered by the agreement with the Public Health Agency of Sweden. When personal data is to be processed by a personal data processor a so-called data processor agreement is drawn up.

More about data processors (imy.se) (in Swedish)

Period during which the personal data will be stored

As a government agency, the basic principle of the archiving legislation is that the authority must preserve official documents. The Public Health Agency of Sweden follows these rules on preservation and deletes public documents in accordance with current rules and decisions on deletion of data. Personal data that is not included in a public document is only saved as long as it is necessary for the purposes for which it is processed.

Your rights as the data subject

As a data subject, you have several rights. If you as a data subject with the Public Health Agency of Sweden want to exercise your rights or have questions regarding the agency's processing of your personal data, you can contact the authority's data protection officer.

dataskyddsombud@folkhalsomyndigheten.se

Right of access

You can request to be notified of whether the Public Health Agency of Sweden processes personal data concerning you and, if so, receive a copy of this data - a so-called register excerpt - together with certain detailed information. You can only request information about your own personal data and the information will be sent to your registered address. If the information is confidential it may need to be sent by registered mail. The application must be a signed original. It is not possible to give a power of attorney to another person to request information about you.

More about data subjects' right to information (imy.se) (in Swedish)

Right to rectification

If you believe that the personal data concerning you is incorrect or incomplete, you can request that the data be corrected or supplemented.

More about the data subject's right to rectification (imy.se) (in Swedish)

Right to object

When the Public Health Agency of Sweden processes personal data within the framework of its exercise of public authority or in order to perform other tasks of public interest, you have the right to object to the processing at any time. If the Public Health Agency of Sweden cannot show that there are compelling, legitimate reasons for continuing the processing of the data, the Public Health Agency of Sweden must cease the processing.

More about the right to object (imy.se) (in Swedish)

Right to restriction of processing

In certain cases, for example if you have objected to the processing, you have the opportunity to demand restriction of the processing of your personal data.

More about the right to restriction of processing (imy.se) (in Swedish)

Right to erasure ("right to be forgotten")

In some cases, you may have your personal data deleted. When your personal data is needed for the Public Health Agency of Sweden to be able to fulfill its task or appear in a public document, the Public Health Agency of Sweden has no possibility to delete the data.

More about the right to erasure (imy.se) (in Swedish)

Right to data portability

If the Public Health Agency of Sweden processes personal data about you in order to fulfill an agreement, you sometimes have the possibility of receiving personal data relating to you in order to use this elsewhere, for example transfer the data to another data controller.

More about the right to data portability (imy.se) (in Swedish)

If you have a complaint about the Public Health Agency of Sweden’s processing of your personal data

The Swedish Authority for Privacy Protection is the authority that supervises the processing of personal data. If you are dissatisfied with how the Public Health Agency of Sweden processes your personal data, you can submit a complaint to the Swedish Authority for Privacy Protection.

Information on how to do this can be found on the Swedish Authority for Privacy Protection's website:

Swedish Authority for Privacy Protection's website (imy.se) (in Swedish)