DATA POLICY FOR IDEELL MARKNADSFÖRING I SVERIGE
Adopted in 2024
This is the General Data Protection Regulation:
The General Data Protection Regulation (GDPR) applies throughout the EU and aims to create a uniform and equivalent level of protection for personal data. The GDPR replaced the Personal Data Act (PUL), which prior to 2018 regulated how companies could collect and use personal data in Sweden. The full text of the General Data Protection Regulation is available on the Swedish Data Protection Authority's website:
Translated with DeepL.com (free version)
This Regulation shall apply to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
1. IMPORTANT DEFINITIONS
1.1 Personal data:
Any information relating to an identified or identifiable natural person, whereby an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifiers, or one or more factors specific to the natural person's physical, physiological, genetic, mental, economic, cultural, or social identity.
1.2 Processing of personal data:
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, reading, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.3 Data controller:
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
1.4 Data processor:
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
1.5 Consent of the data subject:
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. YOUR RIGHTS
In accordance with applicable legislation, you have a number of rights that allow you to obtain information about and control over your own personal data. Here we list your rights, and at the end of the document you will find contact details for Ideell marknadsföring i Sverige (Non-profit Marketing in Sweden), which you can use if you wish to exercise your rights. It is usually free of charge to request information about your data. However, if the request is manifestly unfounded or unreasonable, we may either charge a reasonable fee or choose not to comply with the request.
2.1. Right to information and access to your personal data:
You have the right to request confirmation as to whether we process personal data about you and, if so, we will inform you about how your personal data is processed. You also have the right to obtain a copy of the data we process (through a register extract).
2.2. Right to rectification:
It is important to us that the personal data we hold about you is accurate. If the data is incorrect, you have the right to contact us and request that the data be corrected. You also have the right to request that data be added if something is missing, provided that the addition is relevant to the purpose of the processing.
2.3. Right to be deleted:
You have the right to contact us to request that your personal data be deleted:
-
If the data is no longer needed for the purposes for which it was collected;
-
If the processing is based solely on your consent and you withdraw your consent;
-
If the processing is for direct marketing and you object to the processing of the data;
-
If you object to the processing of personal data that is based on a balancing of interests and there are no legitimate reasons that outweigh your interests;
-
If the processing of your data has not complied with applicable law; or
-
If erasure is required to comply with a legal obligation.
In some cases, however, we cannot comply with a request for erasure, for example if we are required by law to retain the data. If the erasure takes place, we will notify those to whom we have disclosed your data that the erasure has taken place.
2.4. Right to object:
-
You always have the right to object to your data being used for direct marketing at any time. You can do this by contacting us at Ideell marknadsföring i Sverige. If you make such an objection, we will no longer process the data for that purpose.
-
You also have the right to object to us processing your data on the basis of a balancing of interests. If we cannot demonstrate that there are compelling legitimate grounds for the processing that outweigh your reasons, the processing will cease.
2.5. Right to restriction of processing:
You have the right to contact us and request that the processing of your personal data be restricted and that the data be stored by us only in the following situations:
-
During the time it takes for us to verify the accuracy of the personal data, if you contest the accuracy of the personal data;
-
If the processing is unlawful and you oppose the erasure of the data and instead request that we restrict its use;
-
If, even though we no longer need the data, you want us to retain it so that you can use it to establish, assert or defend legal claims; or
-
Pending verification of whose legitimate interests, yours or ours, prevail if you have objected to the processing.
In some cases, however, we may not be able to comply with a request for restriction, e.g. if the data is needed to defend our rights or protect the rights of another person. If the restriction is applied, we will notify those to whom we have disclosed your data that the restriction has been applied. We will also, at your request, inform you to whom the information about the restriction has been disclosed.
2.6. Right to data portability:
You have the right to request that your personal data be provided to you in a machine-readable format and to use such personal data elsewhere. This right applies to personal data that you have provided to us and that is processed on the basis of your consent or if the processing is based on an agreement with us.
3. PROCESSING OF PERSONAL DATA
In order for us to process personal data, there must be a legal basis for doing so. This means that our processing of personal data must be based on the grounds set out in the Data Protection Regulation.
The legal bases on which our personal data processing is normally carried out are as follows:
-
Consent, which means that the person whose personal data we process has chosen to approve our processing of the data by giving their consent.
-
Contract, which means that the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
-
Legal obligation incumbent on the controller, such as reporting taxes;
-
Public interest, and also important public interest;
-
Balancing of interests, purposes relating to the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Personal data breaches must be reported to the Data Protection Authority within 72 hours of becoming aware of them, and the data subject must be informed if there is a high risk to their rights and freedoms, for example:
-
the individual loses control over their data;
-
the data subject's rights are restricted;
-
the data subject is exposed to discrimination, identity theft or fraud;
-
the data subject suffers financial loss, harmful rumours, breach of confidentiality or professional secrecy.
Expected deadlines for deletion of the various categories of data:
-
According to Swedish accounting law, the organisation's accounts must be kept for at least seven years, which means that all personal data linked to the association's accounting (i.e. receipts) may be deleted at least seven years after they were created.
-
in the case of participation in international non-profit projects and mandatory reporting to authorities and other organisations, the time limits for deletion may vary, but all necessary documentation must be kept at least until the project report has been approved and validated;
-
in the case of voluntary (with the consent of the data subject) disclosure of personal data (e.g. having contact details on a website), it should be deleted from public places or other voluntary registers within one month after the data is no longer needed for the purposes for which it was collected or if the person withdraws their consent, if the data subject's consent allowed personal data (e.g. images on social media) to be retained for a longer period.
The list of personal data processing is maintained by the association Ideell marknadsföring i Sverige (Non-profit Marketing in Sweden) and, upon request, the association can provide an extract from the register.
4. DATA SECURITY
Documents containing personal data are handled and stored in electronic systems that require a code for authorised access, and agreements or DPAs (Data Protection Agreements) with data processors are available. The data processor is responsible for maintaining adequate organisational and security solutions, reporting personal data incidents in a timely manner, establishing register lists and appointing a Data Protection Officer where required by the GDPR.
The data processor has limited liability for damages if it has not complied with the obligations under the General Data Protection Regulation (GDPR) and/or has not complied with agreements or instructions from the data controller.
Documentation may be stored outside the EU/EEA (for example, in cloud-based services) only in the following cases:
-
When there is a decision by the European Commission that, for example, a certain country outside the EU/EEA ensures an adequate level of protection.
-
When a service has taken appropriate protective measures, such as binding corporate rules (BCR) or standard contractual clauses (SCC).
-
In specific situations and individual cases, if the receiving organisation or authority guarantees an adequate level of protection (e.g. embassies, international organisations and donors).
5. DATA CONTROLLER
The association Ideell marknadsföring i Sverige is responsible for processing the personal data you provide to us. As data controller, we determine the purpose and means of processing.
Name: Ideell marknadsföring i Sverige
Organisation number: 802523-7481
Address: Tingstorget 11, 14556 Norsborg, Sverige
Telephone: 0765620938
E-mail: info@ideellmarknadsforing.se
If you have any questions or wish to exercise your rights, e.g. withdraw your consent, please contact us by email or telephone.
You always have the right to decline our direct marketing or email communications. Please call us or click on the unsubscribe link in the e-mail.
If you believe that your personal data is being processed in violation of applicable law, you can submit a complaint directly to us or to the Swedish Data Protection Authority.
Ideell marknadsföring i Sverige may change this data policy. We will announce any changes on www.ideellmarknadsforing.se and in our newsletter. We will also make all versions of the policy available to you there.