How the Public Health Agency of Sweden processes personal data
It is of outmost importance that personal privacy is respected and that personal data is processed in an adequate and correct way.
This information is intended to provide comprehensive information on the processing of personal data for which the Public Health Agency of Sweden is responsible in accordance with the General Data Protection Regulation (GDPR).
Furthermore, the information is intended to provide information to those on whom the Agency processes personal data (registered), so that they can exercise their rights.
This information does not include the processing of personal data that occurs within the purely administrative activities of the Agency.
Personal data is any kind of information that can be directly or indirectly linked to a living natural person, for example name, social security number, postal address and e-mail address.
The Public Health Agency does not sell any personal data to any other part.
Here you can find more information about the meaning of personal data.
The Public Health Agency is responsible for the processing of personal data (controller) for which the Agency decide its purpose and means. For example, the Agency processes personal data in the authority´s case management and when administrating questions, courses and subscriptions.
The Principle of Public Access
The Public Health Agency is an authority. As a general rule, messages sent to the Agency will be public documents that are registered and that will be released upon request if the information is not covered by confidentiality. In other words, personal data may be disclosed in accordance with the principle of public access.
As long as it does not have a decisive significance for the confidentiality assessment, the Agency has no right to investigate to whom the information is disclosed.
The processing of personal data required by the Public Access to Information and Secrecy Act, Archives Act and Administrative Act for the proper handling of the documents of the Agency, and which is carried out with the support of the GDPR, is considered "necessary for the performance of "a task carried out in the public interest".
We process personal data in the following way
The Public Health Agency of Sweden processes data on its own and when cooperating with others, mostly by sending emails. The information includes for example name, contact information, and information linked to a person´s profession.
When processing data, the Agency relies on the grounds of lawfulness, that is, processing "is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller".
Data may be shared with stakeholders if it is necessary when cooperating on tasks carried out in the public interest.
The Agency only collects necessary information, and store it only as long as there is a need.
If other people are mentioned, for example in an email, the Agency will try to inform that person. However, this will only be done if the Agency has the correct contact information and the work is proportionate to the interest of that person to be informed.
The Agency processes data to communicate with those who make an enquiry, and to respond to questions. The legality of this is that processing "is necessary for the performance of a task carried out in the public interest".
To be able to carry out its supervisory duties, data regarding contact information and contact persons may be processed. This information will be used for communication purposes and in order to carry out the tasks. This processing is necessary for the exercise of official authority vested in the controller".
Processing of licence/permit applications
The Agency also processes information and data when administrating applications for licenses and permits. Then the data is related to a contact person as well as that persons experience, prudence and potential referees. Also, in some cases, data will be made available to the general public in order to inform them about permit/licence holders. The legality of this data processing is again, that "processing is an essential part of the exercise of official authority vested in the controller".
Co-operations and collaborations
When co-operating or collaborating, the Agency processes contact information in order to be able to communicate. This processing is necessary for the performance of a task carried out in the public interest".
When the Agency sends you information
Your data will be processed when you order any pamphlets, posters or other kinds of information from the Agency. The legality of this processing is that "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".
Application for courses, training programmes, conferences or other events
When organising a course, training programme, conference or other event – the Agency will process information such as names and contact information of participants and speakers/functionaries. In most cases all participants will be listed in a file, that in turn will be logged.
Data that you have provided regarding allergies, special aids and special diets will only be processed internally and with for example those who cater and provide assistance for the event. The information you provide will not be saved longer than necessary.
The legality for this processing is that "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".
Subscriptions for press releases and newsletters
When you register for a subscription of newsletters, press releases, or any such information, your data will be processed in order for you to receive the information you requested. The legality of this processing is that "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".
When you apply for a job, either traditional employment or if you are hired as a consultant at the Agency, your information will be processed. This is done in order for the Agency to administer a fair process. The legality for this processing is that "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".
Other kinds of data processing
As is true for any authority in Sweden, personal data will be processed as it is registered in the case management system. Then the name and other contact information of an individual is processed. All cases are given a unique reference number.
Other kinds of personal data often appear in documents and messages sent to the Agency. This kind of data is only processed as a part of a case, and is not registered as such and made searchable.
Processing of sensitive personal data received by the Agency
Sensitive personal data is sometimes sent to the Agency. This data is processed in order for the case to be administered. However, the data is administered only by inserting the document into the current case. The data is not specially registered and the data in the document submitted is not made searchable. The legal basis for the processing of sensitive personal data is that "processing is necessary for the performance of a task carried out in the public interest " together with the exception "a substantial public interest".
Research and Surveys
As a part of its official duties, the Agency is assigned certain research and surveys. This could, for example, include combining information on health, social care services that could include personal data, either from official records or from governmental and other registries. The legality for this processing is again, that "processing is necessary for the performance of a task carried out in the public interest".
Those who can access the data
Staff and consultants who need your data for their work at the Agency has the right to access such information. Also, every Governmental Agency has the obligation to disclose in accordance with the rules on access to public information (see above).
In certain circumstances, the Agency is assisted in their tasks as data controller by a data processor. The Agency could also be acting as data processor for another data controller. In these cases, the processors engaged may only process personal data in accordance with the instructions given by the controller. Further on, the processor and those acting under the leadership of the processor may also never have access to more data than is required to perform the task.
Period for which personal data will be stored
As a governmental authority, the basic principle of Swedish archiving legislation is that the Agency shall preserve official documents and information. However, certain kinds of documents and information will be deleted after a certain time depending on their contents. This is done in accordance with official decisions and regulations. Personal data that is not included in any official document will only be preserved as long as it is necessary.
Job application that do not belong to the new employee are deleted two years after said employee has been hired.
Documents of minor or temporary importance are generally deleted immediately or no later than after two months after they are received.
Personal data about subscribers is erased when the subscription has been terminated.
Your rights as the data subject
As your data is being processed by the Agency, GDPR enables you to invoke certain rights. If you want to invoke any of these rights you may contact the Data Protection Officer, if you want to exercise any of these rights or if you have any questions.
Right of access
You have the right to access your own information. If the Agency processes your personal data, you can ask the Agency to send you an excerpt of the information registered. Depending of what the excerpt contains, it could be sent to the address that can be found in the civic registration or by recommended post. You cannot send an agent to request and obtain an excerpt on your behalf.
Right to rectification
You may ask to have personal data relating to you rectified or completed if you consider that the data is incorrect or incomplete. If you find that the Agency has registered inaccurate data pertaining to you, or any other kind of faulty information, you may have the right to correct that data. However, this right could also be restricted due to national legislation.
Right to object
You have the right to object to any kind of processing as the Agency processes your personal data. The Agency processes personal data as it preforms tasks of public interest. You have the right to object to processing at any time, at which point the Agency must cease processing your data unless the Agency cannot show compelling legitimate reasons for continuing the processing.
Right to restriction of processing
You sometimes have the opportunity to require restriction of the processing of your personal data, for example if you have objected to the processing. By requesting restriction you have, in any event for a certain period, the opportunity to prevent the Agency from using the data other than to, for example, defend legal claims. You may also prevent the Agency from erasing the data, for example, if you need the data to claim damages.
Right to erasure ("right to be forgotten")
Depending on the legality of the data processing, you may invoke your right to have your personal data erased. However, this right is not absolute, and is limited to cases when the data is NOT required to enable the Agency to perform its task, or when the information falls under the application of a different regulation such as public access to information.
Right to data portability
If the Public Health Agency of Sweden processes your personal data in order to perform a contract, you sometimes have the possibility of receiving personal data relating to you in order to use this elsewhere, for example to transfer the data to another controller.
How to register a complaint
You are entitled to file a complaint with the Swedish Data Protection Authority about the way the Agency is processing your personal data.