Processing personal data at the Nordic Welfare Centre
Background
The Nordic Welfare Centre is a non-profit public-sector cooperation institution under the Nordic Council of Ministers. The Nordic Welfare Centre is not subject to either the Swedish Freedom of the Press Act or the Public Access to Information and Secrecy Act. The external personal data we process is mainly related to event registrations and orders for and dispatching publications, subscriptions and newsletters. The Nordic Welfare Centre does not disclose any personal data to third parties.
The Nordic Welfare Centre is the controller of personal data, as defined in GDPR, in two countries: Finland and Sweden. Both of these countries comply with the General Data Protection Regulation (GDPR) and have incorporated its provisions into national legislation. The Finnish Data Protection Act (5.12.2018/1050) and Swedish Act containing supplementary provisions to the EU General Data Protection Regulation (SFS 2018:218) describe in more detail how the two countries apply the GDPR.
In Finland, the Office of the Data Protection Ombudsman is the authority tasked with supervising compliance with data protection legislation and other laws relating to the processing of personal data. In Sweden, the Swedish Authority for Privacy Protection is the supervisory authority for compliance with GDPR and Swedish data protection legislation.
The Nordic Welfare Centre processes cross-border personal data in two Member States. Further information about this processing is available at: https://www.imy.se/lagar–regler/dataskyddsforordningen/gransoverskridande-personuppgiftsbehandling/.
Processing personal data
When processing personal data, the Nordic Welfare Centre complies with GDPR and applicable legislation in Sweden and Finland respectively.
Personal data means any information relating to an identified or identifiable natural person, such as a personal identity number, name, address, photograph and, in certain cases, audio recordings stored electronically.
According to GDPR, children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. As with adults, the processing of personal data concerning children must have a legal basis, i.e. be supported in law.
We collect personal data for specific, expressly stated and legitimate purposes required for the activity. This means that the data we collect for a given stated purpose may not be used for an entirely different purpose.
We keep a register of permanent registers containing processed personal data. The register shows the name of the individual at the Nordic Welfare Centre who is the controller for each register.
Personal data processing agreement
We do not disclose personal data to third parties without a personal data processing agreement. When the Nordic Welfare Centre engages a processor to carry out processing on our behalf, storage and security that fulfils the requirements of the GDPR and other applicable legislation are regulated in an agreement.
Storage and erasure
The Nordic Welfare Centre never stores personal data for longer than is necessary for the purpose it was collected for. The storage period may be affected by factors such as legal and regulatory requirements, such as the Swedish or Finnish Accounting Act.
The right to be forgotten and complaints to data protection authorities
The data subject has the right to access their personal data and to have inaccurate personal data concerning them rectified. They also have the right to withdraw their consent to the processing of their personal data and, unless there are legal obstacles to doing so, have their data erased (the right to be forgotten). If the data subject believes that the Nordic Welfare Centre is processing personal data concerning them in a manner that contravenes GDPR, they may submit a complaint to the Swedish Authority for Privacy Protection or, in Finland, the Office of the Data Protection Ombudsman.