Skip to content

How we process personal data

The Swedish Authority for Privacy Protection is responsible for the processing of personal data for which the authority determines the purpose and means. The authority processes for example personal data in the handling of the authority's business, in the handling of questions and in the administration of courses and subscriptions.

This information is intended to provide general information about the kinds of personal data processing for which the Swedish Authority for Privacy Protection (IMY) is the personal data controller.

Our data protection officer

If you as a data subject of the Swedish Authority for Privacy Protection wish to exercise your rights or have questions concerning the authority's processing of your personal data, you can contact the authority's data protection officer by sending an e-mail to dso@imy.se.

Alternatively, you can send a letter to:
Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm
Please mark the envelope "To the DPO at IMY"

How the Swedish Authority for Privacy Protection processes personal data

Swedish Authority for Privacy Protection is a public agency. Messages sent to Swedish Authority for Privacy Protection therefore generally become official documents that are recorded and registered and that upon request will be disclosed unless the information is subject to confidentiality. In other words, personal data may be disclosed under the principle of public access to official records. As long as it is not of crucial importance for the assessment of confidentiality, Swedish Authority for Privacy Protection has no right to investigate to whom the data is disclosed.

The type of processing that is required under the Public Access to Information and Secrecy Act, archiving legislation and the Administrative Procedure Act for the lawful processing of the authority's official documents, and that takes place with the support of the EU's General Data Protection Regulation is considered to be necessary with reference to important public interest.

Swedish Authority for Privacy Protection handles personal data concerning appointed data protection officers to be able to administrate notifications of data protection officers that are received in accordance with Article 37 of the EU's General Data Protection Regulation. The data is also processed for Swedish Authority for Privacy Protection to be able to execute its duties as a supervisory authority and for example communicate with the data protection officer. When the contact is made within Swedish Authority for Privacy Protection's supervisory duties, the processing of personal data takes place as part of the authority's exercise of its official authority. In other respects, the lawful basis for the processing is data of public interest.

Swedish Authority for Privacy Protection processes data to be able to communicate with people who submit an enquiry and to be able to deal with the matter. The lawful basis for the processing is data of public interest.

Swedish Authority for Privacy Protection processes data to be able to communicate with people who submit a complaint and to be able to deal with the matter. The processing takes place as part of Swedish Authority for Privacy Protection's exercise of its official authority.

Swedish Authority for Privacy Protection processes personal data concerning designated contact persons for objects of supervision. The data is used to be able to communicate with the object of supervision and investigate the matter. The processing is necessary as part of Swedish Authority for Privacy Protection's exercise of its official authority.

Swedish Authority for Privacy Protection processes personal data relating to a data controller's contact person/data protection officer who has reported a personal data breach. The processing is necessary as part of Swedish Authority for Privacy Protection's exercise of its official authority.

Swedish Authority for Privacy Protection processes personal data concerning contact persons at the entity applying for the permit in question and personal data concerning the individual whose expertise and judgement are to be examined and the references cited by this person. The data is processed to be able to deal with the application and inform the public of existing permit-holders. The processing is necessary as part of Swedish Authority for Privacy Protection's exercise of its official authority.

Swedish Authority for Privacy Protection processes the contact details of the person who is contact person for the cooperation. The lawful basis for the processing is data of public interest.

Swedish Authority for Privacy Protection processes personal data in the case of registration for the authority's courses. The data is processed to administrate the courses and to follow up the authority's courses. The lawful basis for the administration of course registrations is to perform the contract entered into in conjunction with the registrations. The lawful basis for the processing carried out in connection with follow-ups is to perform a task of public interest.

Swedish Authority for Privacy Protection processes personal data when people subscribe to the authority's press releases and newsletters. The data is processed to enable Swedish Authority for Privacy Protection to administrate the subscriptions and send out the information. The lawful basis is to perform the contract entered into in conjunction with the subscription being taken out.

Swedish Authority for Privacy Protection processes personal data when the authority receives a job application. The personal data is processed to enable Swedish Authority for Privacy Protection to administrate the applications and fill the vacant position. The processing for filling the position is done as part of Swedish Authority for Privacy Protection's exercise of its official authority and other processing to perform a task of public interest.

 

Categories of personal data that are processed

The categories of personal data that are processed are the name and contact details of those individuals who have contacted the authority. If the matter fundamentally concerns an organisation of some kind and a contact person has been designated for the organisation, the name and contact details of the contact person are processed. Matters that are registered are given a reference number.

Documents and messages received by IMY often contain personal data of various kinds. This data is handled only by the document being entered in the relevant matter. The data is not registered separately and the data in the received document is not made searchable.

Handling of sensitive personal data received by the Swedish Authority for Privacy Protection

Sensitive personal data is sometimes sent to IMY. This data is processed in order for the matter to be dealt with; however, the data is handled only by the document being entered in the relevant matter. The data is not registered separately and the data in the received document is not made searchable. The lawful basis for the processing of sensitive personal data is important public interest.

People who can see the data

Those employees of IMY who will see the data need it to perform their duties.

In addition to the disclosures of personal data that IMY needs to make as a consequence of the right of public access to official records (see above under the heading "Right of public access to official documents"), IMY in certain cases uses data processors. The data processors engaged may only process personal data in accordance with the purposes and instructions that IMY issues for the processing. The processor and anyone acting on behalf of the processor may furthermore never see more data than is necessary to carry out the service covered by the agreement with IMY. Where personal data is to be processed by a data processor, a so-called data processor agreement is drawn up. IMY uses data processors for various kinds of IT services.

As part of the cooperation under the EU's General Data Protection Regulation, personal data within the Swedish Authority for Privacy Protection's supervisory activities can be disclosed to another data protection authority inside the EU.

Period for which the personal data will be stored

As a government agency the point of departure under the archiving legislation is that the authority is to retain official documents. IMY complies with these retention rules and disposes of official documents in accordance with current record retention and disposal policy and decisions. Personal data not included in an official document is retained only for as long as it is needed for the purposes for which it is processed. Documents that are not considered to be official are for example drafts of decisions and notes that have not been archived. When a matter has been concluded, an assessment is made of what should be retained under archiving legislation. Documents that contain personal data and that are not to be retained are deleted or the personal data removed.

Application documents that do not relate to the person appointed to the position or a person who has appealed the appointment decision are deleted two years after the appointment decision has gained legal force. Spontaneous applications that do not relate to an advertised position are deleted immediately or after contact has been made with the person who submitted the application.

Documents of no or temporary importance are as a rule deleted immediately or at the latest after two months.

Personal data relating to subscribers is erased when the subscription ends.

Your rights as a data subject

You have several rights as a data subject. If you as a data subject of IMY wish to exercise your rights or have questions concerning the authority's processing of your personal data, you can contact the authority's data protection officer, e-mail dso@imy.se.

Right of access

You can request information as to whether IMY processes personal data relating to you and if so receive a copy of such data – called a register extract – together with certain more detailed information.

Right to rectification

If you consider that the personal data relating to you is inaccurate or incomplete, you can request to have the data rectified or completed.

Right of objection

When IMY processes personal data in the context of its exercise of its official authority or to be able to perform other tasks of public interest, you can object to the processing at any time. If IMY cannot show that there are compelling, authorised reasons to continue processing the data, the authority must terminate the processing.

Right to limitation of processing

In certain cases, for example if you have objected to the processing, you have the possibility to demand that the processing of your personal data be limited. By requesting a limitation you have, at least for a certain period, the possibility to stop IMY using the data other than to, for example, defend legal claims. You can also prevent the authority from erasing the data, for example if you need the information to claim damages.

Right to erasure ("right to be forgotten")

You can in certain cases have your personal data erased. When your personal data is needed for IMY to be able to execute its duties or are contained in an official document, IMY cannot erase the data.

Right to data portability

If IMY processes personal data relating to you to perform an agreement, you have the possibility in certain cases to be given the personal data relating to you to use it somewhere else, for example transfer the data to another data controller.

If you have comments about the Swedish Authority for Privacy Protection's processing of your personal data

You can give your comments and views about IMY's processing of your personal data. Decisions communicated by the authority in its capacity of personal data processor resulting from your exercise of your rights as described above can be appealed in a general administrative court. If you have a complaint about IMY's administration of a matter, you can lodge a complaint with the Parliamentary Ombudsmen (JO). If you wish to demand damages, you can make your demands directly to IMY or take legal action in a general court. You can also apply for damages through the Office of the Chancellor of Justice (JK), which handles claims for damages under the Tort Liability Act and the EU's General Data Protection Regulation.

About the information on this page

If the information in English is different from the Swedish version of this page, the Swedish version applies.

Latest update: 24 November 2023