The municipality of Älvsbyn processes personal data in accordance with the EU Data Protection Regulation (2016/679), hereinafter GDPR. Our starting point is that personal data may only be processed when necessary and justified in order to fulfil obligations and legally-based duties to data subjects. Below is a review of key concepts in data protection contexts and a description of guidelines and principles followed by employees and elected representatives in the municipality of Älvsbyn to ensure adequate protection of individual privacy.
Definition of Terms
Personal Data
Any kind of information that can be associated with a physical, living individual, such as name, address, real estate designation, e-mail address, registration number, photos.
Processing of Personal Data
Any action or series of actions taken with regard to personal data, automatic or not: collection, retrieval, registration, organisation, storing, alteration, disclosure, transmission, distribution, compilation, interconnection, deletion or destruction (please note that this list is non-exhaustive).
Personal Data Controller
A legal person who determines the purpose and means of the organisation’s processing of personal data.
Personal Data Processor
Usually a legal person, such as an IT provider, processing personal data on behalf of the personal data controller. The personal data processor is always outside of the personal data controller’s organisation.
Data Protection Officer
A person who ensures that personal data is processed correctly and legally within the organisation. The data protection officer can be compared to an internal auditor who points out errors and shortcomings to the personal data controller.
Data Subject
The person to whom personal data refers.
Sensitive Personal Data/Special Category Personal Information
Information on race or ethnic origin, political views, religious or philosophical beliefs, union membership and personal data on health and sexual life.
Personal Data Controller
The Municipal Board (MB) is the personal data controller responsible for the processing of personal data in all municipal administrative units, with the exception of the Environment and Construction Office, for which the Environment and Construction Board (ECB) is the personal data controller. The personal data controller must ensure that all activities under its responsibility adopt appropriate technical and organisational measures to protect the personal data being processed.
Contact details, Personal Data Controller:
The Municipal Board in the Municipality of Älvsbyn
942 85 Älvsbyn
The Environment and Construction Board in the Municipality of Älvsbyn
942 85 Älvsbyn
Those who process personal data, either under the direct responsibility of the data controller (employees and elected representatives) or on behalf of the data controller as personal data processor (for example IT providers), must follow the data controller’s instructions in all processing of personal data. The data controller should enter into personal data processing agreements with personal data processors hired by the municipality. In these processing agreements, the data processor shall be obliged to process personal data in accordance with the data controller’s instructions and current security procedures.
Data Protection Officer
The municipal board and the environment and construction board have decided to appoint a data protection officer for the municipality of Älvsbyn (MB 2018 § 62, ECB 2018 § 44).
The task of the data protection officer is to safeguard the rights of data subjects by working to ensure that personal data is processed in a legal and correct manner within the municipality of Älvsbyn.
Contact details of the data protection officer: firstname.lastname@example.org
Tel. +46 929 17151
Legal Basis for the Processing of Personal Data
Within the municipality of Älvsbyn, personal data is only processed when necessary and justified in order to:
Execute a legal obligation against the data subject that falls on the personal data controller according to: 1. the law or other constitution; 2. collective agreements; 3. decisions made pursuant to the law or other constitutions.
Perform a task of general interest. Mandatory tasks and duties performed in the municipality of Älvsbyn in accordance with the law, regulations or union law fall within the general interest.
Execute commitments as part of the exercise of authority. Here again, it is assumed that the purpose of the processing of personal data is necessary.
Perform a contract to which the data subject is party, or in order to take steps at the request of the data subject if it can be assumed that the data subject has the intention of entering into a contract.
Protect interests that are vital or of fundamental importance to the data subject. This legal basis should be used restrictively and can thus be invoked only when it is clear that no other legal basis can be applied.
If there is no support for the processing of personal data according to any of the reasons set out above, the data subjects must consent to their personal data being processed for a certain, specific purpose. The data subjects must then be informed of their rights to withdraw consent at any time. Upon the withdrawal of consent, all processing of personal data that can be attributed to the specific purpose for which the consent was obtained should cease. A condition for the consent to be considered valid is that the data subjects act on the basis of their own free will and that they have the opportunity to withdraw consent without causing any disadvantage to the person in question.
Right to Information and Access to Personal Data
An individual is always entitled to receive information about how his or her personal data is processed within the municipality of Älvsbyn. Information about the personal data processing must be provided when the data is collected, sent to another recipient, or when the data subject so requests. The information must be provided free of charge and must contain at least the following information:
Name and contact details of the controller
The purposes and legal basis of the processing
The rights of the data subject, i.e. the right to be forgotten, the right to object to the processing of personal data, the right to request correction and deletion, and the right to have personal data transferred to another principal (data portability)
How long the personal data is stored
The right to lodge a complaint with the supervisory authority
An account of how the municipality of Älvsbyn was given access to the personal data, if it was not collected from the data subject
The individual concerned also has the right to request register reports with a detailed description of how personal data is processed. The information should be provided to the data subject within a reasonable period after obtaining the personal data, or after a request for a register report has been received by the municipality of Älvsbyn, but no later than within one month.
The Individual’s Right to Have Personal Data Rectified or Deleted
A basic principle is that all personal data that is processed must be accurate. Provided that the individual’s request for rectification is founded, incorrect personal data regarding the individual in question must be rectified without undue delay. Taking the purpose of the processing into account, the individual must also be given the opportunity to supplement incomplete personal data.
In order to have personal data deleted, one of the following conditions must be fulfilled:
It is no longer necessary to process the personal data for the purposes for which it was collected.
Consent has been withdrawn and there are no other legal grounds for processing to continue.
The individual objects to the use of personal data for direct marketing and associated profiling.
The personal data must be deleted in order for the data controller to fulfil a legal obligation to which the controller is subject.
The personal data has been collected or processed in an unlawful manner.
The personal data refers to children and has been collected for the purpose of creating or maintaining a profile in a social network.
The municipality of Älvsbyn is obliged to respond to the data subject’s request for rectification and deletion within a month.
Storage and Dissemination of Personal Data
When it is no longer necessary to process personal data for a specific purpose, the data must either be stored or removed in accordance with what is stated in the document management plan for the municipality of Älvsbyn, the Swedish law on archives, or applicable special laws. The document management plan describes how general documents are handled and stored within the various municipal departments.
Älvsbyn municipality does not disclose information concerning data subjects to third parties, unless it is necessary to fulfil contractual or legal obligations concerning the data subject. In cases where personal data is disclosed to third parties, confidentiality agreements are drawn up to ensure that data is processed in a satisfactory manner.
Security when Processing Personal Data
In order to safeguard the privacy of the data subjects and maintain an adequate level of security in all processing of personal data, the municipality of Älvsbyn follows the principles of embedded data protection and data protection as standard. This means that the processing of personal data in IT systems is limited to encompassing only what is necessary to fulfil obligations that the municipality has towards the data subjects (data minimisation) and to de-identify and pseudonymise data subjects to the greatest extent possible.
Employees and elected representatives of the municipality of Älvsbyn may process and have access to personal data only insofar as they need them to fulfil their statutory duties and assignments. Sensitive personal data is processed through special authorisation checks and logging functions in order to ensure stronger protection. The use of new technology and new IT systems must always be preceded by an impact assessment in order to identify potential security risks.
Anyone who considers that the municipality of Älvsbyn processes information about him or her in violation of the Data Protection Regulation can submit a complaint to the Swedish data protection authority (Datainspektionen), the supervisory authority on data protection issues. Datainspektionen assesses whether there are grounds for initiating a supervisory procedure and the decision is notified to the person who brought the complaint.
Individuals can always contact the data protection officer for Älvsbyn municipality with questions or comments regarding the processing of personal data.
Routines in the Event of a Personal Data Incident
A personal data incident means that data that can be linked to one or more individuals has fallen into the wrong hands, been destroyed on illegal grounds, or been lost in other ways. The personal data controller for Älvsbyn municipality must report all personal data incidents to Datainspektionen within 72 hours. If a personal data processor employed by the municipality of Älvsbyn becomes aware of a personal data breach occurring on their end, they must immediately report this to the personal data controller, who in turn reports the incident to Datainspektionen.