NIR processes personal data in a secure manner in accordance with the applicable data protection laws such as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation / “GDPR”), as well as other applicable data protection laws and Swedish law.
1.1 NIR acts as the data controller when processing personal data, which means NIR alone or jointly with others determines the purposes and means for the processing of personal data. Personal data means any information relating to an identified or identifiable natural person. Processing of personal data means, including but not limited to: collecting, registering, organising, structuring, storing and processing. Processing also means alteration, production, reading, listening, using and disclosing by transfer, disseminating, changing, removing as well as deletion.
1.2 NIR is responsible for ensuring that personal data is processed correctly and in accordance with applicable Swedish law and EU law. NIR collects and processes personal data in connection with visits, participation in NIR events or registration on NIR’s home page, through contact by telephone, email or letter, when registering for NIR’s newsletter, when submitting a review of NIR or its services and when personal data is provided by third parties. NIR may also ask data subjects to fill out forms that include personal data.
1.3 NIR processes personal data for the following purposes:
(i) To administer and manage membership applications including but not limited to purchase, invoicing and payment. Also, to administer and manage contracts for consultants and suppliers. The legal ground for this is that the processing is necessary for the performance of an agreement or contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into an agreement or contract (Art. 6(1)(b) GDPR).
(ii) To contact existing and potential members and cooperation partners by email, newsletters or letters to inform about NIR’s offers, events and services. The legal ground for this is that the processing is necessary and that NIR has a legitimate interest (Art. 6(1)(f) GDPR) that is not overridden by the fundamental interests and freedoms of the data subjects.
(iii) To contact cooperation partners by email or letter to enter into a partnership/cooperation and/or in relation to administration and performance of existing agreements or contracts with cooperation partners. The legal ground for this is that the processing is necessary for the performance of an agreement or contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into an agreement or contract (Art. 6(1)(b) GDPR).
(iv) To comply with legal obligations to report to authorities and cooperation partners, grant providers and/or consultants in relation to funding, paying taxes and other fees to the relevant Swedish authorities. The legal ground is that processing is necessary for compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) GDPR).
(v) To process personal data contained in emails received from potential members, suppliers and cooperation partners for the purpose of taking steps to enter into an agreement or contract (Art. 6(1)(b) GDPR) or for the purposes that NIR has a legitimate interest to process such personal data (Art. 6(1)(f) GDPR) that is not overridden by the fundamental interests and freedoms of the data subjects.
1.4 In the event NIR processes personal data based on a data subject’s consent (Art. 6(1)(a) GDPR), NIR will first submit information to the data subject before the consent is collected.
2.1 Any personal data from data subjects will be collected and stored by NIR. Personal data may also be collected by NIR from other public sources and external partners from other countries. Personal data that may be processed by NIR includes:
(i) email address, address, first and last name, name of employer, membership number, telephone number, payment details, IP address, picture, personal settings, etc.
(ii) the use of cookie files stored on computer or telephone (or other digital device) for the purpose of identifying browser and to recognise settings and preferences. Data subjects have the right to refuse NIR’s processing of personal data through the use of cookie files.
(iii) information collected during meetings, seminars, interviews, surveys and other communication with NIR.
2.2 NIR will only process personal data necessary for the specific purpose of the processing. NIR will process privacy sensitive information and sensitive personal data, including but not limited to banking information, food intolerances and medical certificate.
3.2 NIR may also transfer personal data to a third country, i.e. a country outside the EU/EEA, or to international organisations according to applicable laws and data regulations. NIR and third parties may be based anywhere in the world, which could include countries that may not offer the same legal protections for personal data as your country of residence. NIR will follow local data protection requirements and its internal global privacy standards and NIR will apply the necessary safeguards under the applicable law of the country transferring the data for such transfers.
3.3 Personal data will be stored during the time it is necessary for NIR to fulfil its obligations and for the purposes set out above. NIR will bring necessary measures to provide the personal data with protection against unauthorised access and loss thereof. The personal data will be, dependent on the purpose for which it is collected, archived, confidentially erased or anonymised in accordance with the rules of archiving when it is no longer necessary.
3.4 As personal data will be transferred over the internet, it is important to be aware of the associated risks. In the event a personal data incident incurs, it shall be notified to NIR as soon as possible and in any event within 24 hours of becoming aware of the incident. A personal data incident means a security incident that leads to an accidental or unlawful destruction, loss or alteration, unauthorised disclosure or unauthorised access to the personal data transferred, stored or otherwise processed.
3.5 When the data subject processes its own personal data, it acts as the data controller. It is therefore important to protect and update login information, protect devices such as the telephone and computer against viruses, etc., and comply with applicable law and data protection legislations. When entering free text responses, caution must be taken to avoid entering any integrity, sensitive or unnecessary personal data.
3.6 Subject to applicable data protection legislation, NIR shall not be liable for any damages arising from the processing of personal data. In any event, NIR shall not be liable for indirect damages.
4.1 Data subjects have the right to request information about NIR’s processing of personal data. If a request is made electronically, NIR shall provide the information in an electronically readable form which is structured and commonly used. Any request from data subjects shall be answered within a reasonable period of time by NIR.
4.2 NIR shall, upon request, provide information about the purpose of the processing, what personal data is being processed, recipients of the personal data and, if possible, for how long the personal data will be stored. Upon request, NIR shall also provide information about the possibility to request deletion, rectification or alteration of the personal data, as well as how to lodge a complaint to NIR or the competent supervisory authority. Furthermore, NIR shall upon request provide information about the origin of the personal data, the existence of profiling and automatic decision-making, and any transfers to third countries. If requested, NIR shall also provide the data subjects with a copy of the processed personal data.
4.3 Data subjects have the right to object to NIR’s processing of the personal data such as, for example, when processed in connection with direct marketing. Data subjects also have the right to request deletion, restriction and rectification of the personal data. If consent is withdrawn, or if the stored personal data is incorrect or irrelevant, NIR must delete, restrict or correct such personal data.
4.4 Data subjects have the right to transfer the personal data to another data controller (data portability), as well as to lodge a complaint regarding NIR’s processing of personal data. Complaints shall be submitted to NIR and/or the competent supervisory authority according to the contact details in section 5 below.
5 Contact Details
5.1 The contact details of the competent supervisory authority, Swedish Authority for Privacy Protection (sw. Integritetsskyddsmyndigheten / “IMY”) org.nr. 202100-0050 is as follows: Box 8114, SE-104 20 Stockholm, Sweden. Imy can also be contacted by telephone, +46 (0)8-657 61 00, or by e-mail, firstname.lastname@example.org. For more information about the Swedish Authority for Privacy Protection, please visit https://www.imy.se.
5.2 NIR is a data controller and NIR’s contact details are as follows:
The International Council of Swedish Industry (Näringslivets Internationella Råd, in Swedish), org.no. 802007-5290, with the address: Box 13009, SE-103 01 Stockholm, Sweden. NIR can also be contacted by telephone at +46 (0)8 783 80 00, or by e-mail at email@example.com..