Processing personal data at the Nordic Welfare Centre
Background
The Nordic Welfare Centre is a non-profit public-sector cooperation institution under the Nordic Council of Ministers. The Nordic Welfare Centre is not subject to either the Swedish Freedom of the Press Act or the Public Access to Information and Secrecy Act. The external personal data we process is mainly related to event registrations and orders for and dispatching publications, subscriptions and newsletters. The Nordic Welfare Centre does not disclose any personal data to third parties.
The General data Protection Regulation (GDPR) entered into force in Sweden, Finland and other EU Member States on 25 May 2018. GDPR replaced national personal data legislation in each country.
The Nordic Welfare Centre is the controller of personal data, as defined in GDPR, in two countries: Finland and Sweden. Both of these countries comply with GDPR and have incorporated its provisions into national legislation. The Finnish Data Protection Act (5.12.2018/1050) and Swedish Act containing supplementary provisions to the EU General Data Protection Regulation (SFS 2018:218) describe in more detail how the two countries apply GDPR.
In Finland, the Office of the Data Protection Ombudsman is the authority tasked with supervising compliance with data protection legislation and other laws relating to the processing of personal data. In Sweden, the Swedish Authority for Privacy Protection is the supervisory authority for compliance with GDPR and Swedish data protection legislation.
The Nordic Welfare Centre processes cross-border personal data in two European Union Member States. Further information about this processing is available at:
https://www.imy.se/lagar–regler/dataskyddsforordningen/gransoverskridande-personuppgiftsbehandling/
Processing personal data
When processing personal data, the Nordic Welfare Centre complies with GDPR and applicable legislation in Sweden and Finland respectively.
Personal data means any information relating to an identified or identifiable natural person, such as a personal identity number, name, address, photograph and, in certain cases, audio recordings stored electronically.
According to GDPR, children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. As with adults, the processing of personal data concerning children must have a legal basis, i.e. be supported in law.
To ensure that the Nordic Welfare Centre is able to comply with the regulation we:
- do not collect personal data unless it is required to conduct our operations and we have a legal basis for doing so;
- store necessary external personal data in a common contact register;
- designate a responsible individual for every personal data process; and
- store personal data in a secure manner in accordance with applicable IT policy.
We maintain a register of all personal data processing. This register shows the controller at the Nordic Welfare Centre, the processor (if the personal data are being processed outside the Nordic Welfare Centre), a description of the processing of personal data, why we have collected and stored the personal data, the time limit for storing the personal data, the procedure for erasure and the legal basis on which the data is being processed.
For what do we use the personal data we have collected?
We collect personal data for specific, expressly stated and legitimate purposes. This means that the data we collect for a given stated purpose may not be used for an entirely different purpose. We collect personal data for mailshots, invitations, newsletters and press releases to journalists and followers, for recruitment purposes, human resources and payroll administration and information to tax and social insurance agencies.
How we collect and process personal data
The Nordic Welfare Centre collects personal data via Lyyti through online registrations for events or via online subscriptions to our newsletters and other publications. When the collection of personal data requires the consent of the data subject, consent is given in conjunction with registration/ordering. The Nordic Welfare Centre’s personal data processing register specifies how and on what legal basis data is collected and, where applicable, how consent is given. The register also shows who is responsible for the processing of the personal data. No one is permitted to collect personal data without the authorisation of the responsible person.
The Nordic Welfare Centre uses the Lime contact database to store and maintain information about our contacts. This tool is used to administer lists, search for contacts and to send out targeted mailshots via various channels. The purpose of Lime is to gather personal data in one database to simplify the processing of and searches for information about our contacts for all employees of the Nordic Welfare Centre who use personal data in the performance of their duties.
Storage
Where the collected data is stored depends on the rules for each register. This also applies to the length of time that data will be stored. The storage period may be affected by factors such as legal and regulatory requirements, such as the Swedish or Finnish Accounting Act. The Nordic Welfare Centre never stores personal data for longer than is necessary for the purpose it was collected for. The storage period for personal data is stated in the register of personal data processing. The register also states whether the data will be automatically erased after a given period of time.
When the Nordic Welfare Centre engages a processor to carry out processing on our behalf, storage and security that fulfils the requirements of GDPR and applicable legislation are regulated in a separate agreement.
The right to be forgotten and complaints to data protection authorities
The data subject has the right to access their personal data and to have inaccurate personal data concerning them rectified. They also have the right to withdraw their consent to the processing of their personal data and, unless there are legal obstacles to doing so, have their data erased (the right to be forgotten). If the data subject believes that the Nordic Welfare Centre is processing personal data concerning them in a manner that contravenes GDPR, they may submit a complaint to the Swedish Authority for Privacy Protection or, in Finland, the Office of the Data Protection Ombudsman.