How we process personal data

This information is intended to provide general information about the kinds of personal data processing for which the Swedish Authority for Privacy Protection (IMY) is the personal data controller.

Our data protection officer

If you as a data subject of the Swedish Authority for Privacy Protection wish to exercise your rights or have questions concerning the authority's processing of your personal data, you can contact the authority's data protection officer by sending an e-mail to dso@imy.se.

Alternatively, you can send a letter to:
Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm
Please mark the envelope "To the DPO at IMY"

How the Swedish Authority for Privacy Protection processes personal data

Categories of personal data that are processed

The categories of personal data that are processed are the name and contact details of those individuals who have contacted the authority. If the matter fundamentally concerns an organisation of some kind and a contact person has been designated for the organisation, the name and contact details of the contact person are processed. Matters that are registered are given a reference number.

Documents and messages received by IMY often contain personal data of various kinds. This data is handled only by the document being entered in the relevant matter. The data is not registered separately and the data in the received document is not made searchable.

Handling of sensitive personal data received by the Swedish Authority for Privacy Protection

Sensitive personal data is sometimes sent to IMY. This data is processed in order for the matter to be dealt with; however, the data is handled only by the document being entered in the relevant matter. The data is not registered separately and the data in the received document is not made searchable. The lawful basis for the processing of sensitive personal data is important public interest.

People who can see the data

Those employees of IMY who will see the data need it to perform their duties.

In addition to the disclosures of personal data that IMY needs to make as a consequence of the right of public access to official records (see above under the heading "Right of public access to official documents"), IMY in certain cases uses data processors. The data processors engaged may only process personal data in accordance with the purposes and instructions that IMY issues for the processing. The processor and anyone acting on behalf of the processor may furthermore never see more data than is necessary to carry out the service covered by the agreement with IMY. Where personal data is to be processed by a data processor, a so-called data processor agreement is drawn up. IMY uses data processors for various kinds of IT services.

As part of the cooperation under the EU's General Data Protection Regulation, personal data within the Swedish Authority for Privacy Protection's supervisory activities can be disclosed to another data protection authority inside the EU.

Period for which the personal data will be stored

As a government agency the point of departure under the archiving legislation is that the authority is to retain official documents. IMY complies with these retention rules and disposes of official documents in accordance with current record retention and disposal policy and decisions. Personal data not included in an official document is retained only for as long as it is needed for the purposes for which it is processed. Documents that are not considered to be official are for example drafts of decisions and notes that have not been archived. When a matter has been concluded, an assessment is made of what should be retained under archiving legislation. Documents that contain personal data and that are not to be retained are deleted or the personal data removed.

Application documents that do not relate to the person appointed to the position or a person who has appealed the appointment decision are deleted two years after the appointment decision has gained legal force. Spontaneous applications that do not relate to an advertised position are deleted immediately or after contact has been made with the person who submitted the application.

Documents of no or temporary importance are as a rule deleted immediately or at the latest after two months.

Personal data relating to subscribers is erased when the subscription ends.

Your rights as a data subject

You have several rights as a data subject. If you as a data subject of IMY wish to exercise your rights or have questions concerning the authority's processing of your personal data, you can contact the authority's data protection officer, e-mail dso@imy.se.

Right of access

You can request information as to whether IMY processes personal data relating to you and if so receive a copy of such data – called a register extract – together with certain more detailed information.

Right to rectification

If you consider that the personal data relating to you is inaccurate or incomplete, you can request to have the data rectified or completed.

Right of objection

When IMY processes personal data in the context of its exercise of its official authority or to be able to perform other tasks of public interest, you can object to the processing at any time. If IMY cannot show that there are compelling, authorised reasons to continue processing the data, the authority must terminate the processing.

Right to limitation of processing

In certain cases, for example if you have objected to the processing, you have the possibility to demand that the processing of your personal data be limited. By requesting a limitation you have, at least for a certain period, the possibility to stop IMY using the data other than to, for example, defend legal claims. You can also prevent the authority from erasing the data, for example if you need the information to claim damages.

Right to erasure ("right to be forgotten")

You can in certain cases have your personal data erased. When your personal data is needed for IMY to be able to execute its duties or are contained in an official document, IMY cannot erase the data.

Right to data portability

If IMY processes personal data relating to you to perform an agreement, you have the possibility in certain cases to be given the personal data relating to you to use it somewhere else, for example transfer the data to another data controller.

If you have comments about the Swedish Authority for Privacy Protection's processing of your personal data

You can give your comments and views about IMY's processing of your personal data. Decisions communicated by the authority in its capacity of personal data processor resulting from your exercise of your rights as described above can be appealed in a general administrative court. If you have a complaint about IMY's administration of a matter, you can lodge a complaint with the Parliamentary Ombudsmen (JO). If you wish to demand damages, you can make your demands directly to IMY or take legal action in a general court. You can also apply for damages through the Office of the Chancellor of Justice (JK), which handles claims for damages under the Tort Liability Act and the EU's General Data Protection Regulation.