Processing of personal data by the Swedish Radiation Safety Authority

Personal data comprise all kinds of information which may, directly or indirectly, be linked to a living natural person. Examples of personal data include names, personal identity numbers, postal addresses and email addresses. Regulation (EU) 2016/679 of the European Parliament and of the Council, also referred to as the General Data Protection Regulation (GDPR), sets out rules on how personal data may be processed. The following describes how the Swedish Radiation Safety Authority processes your personal data.

Personal data controller

The Swedish Radiation Safety Authority is the personal data controller (hereinafter “controller”) for the processing of personal data that takes place in the operations of the Authority.

As the controller, the Swedish Radiation Safety Authority is under an obligation to ensure that personal data are processed in accordance with the General Data Protection Regulation. This means, for example, that the Authority has the task of checking that a legal basis is in place for this processing of personal data.

Processing of personal data

The Swedish Radiation Safety Authority processes personal data in several different instances. Under the General Data Protection Regulation, processing of personal data is not allowed for any purpose that is incompatible with the original purpose for which the information was collected. If the Swedish Radiation Safety Authority plans to process personal data for a purpose other than the original purpose, the Authority is required to inform the affected parties about this before the processing takes place. A breakdown of the personal data processing carried out by the Authority is provided below.

The right of public access to official records

The Swedish Radiation Safety Authority is a government agency. Consequently, our operations are subject to the right of public access to official records. Documents held by us, including personal data, normally comprise official documents that must be made available to the public upon request. The exception to this rule is work materials. In certain cases, the information may be deemed confidential and thus not disclosed.

Regulatory supervision and investigations

The Swedish Radiation Safety Authority processes personal data in conjunction with its supervisory work and investigations. This is carried out for communication purposes and processing of matters. The personal data processed comprise names and personal contact details. The legal basis for this processing is its necessity for the Authority’s performance of a task in the public interest, or that it takes place as part of our governance.

Applying for authorisation

The Swedish Radiation Safety Authority processes personal data to enable administration of licensing matters. Another requirement is documentation for invoicing of fees for licences and permits. The personal data processed constitute the name of the applicant/contact person. The legal basis for this processing is its necessity for the Authority’s performance of a task in the public interest, or that it takes place as part of our governance.

Online notification of an activity or practice

The Swedish Radiation Safety Authority processes personal data of notifiers to enable administration of these notifications, confirmation of the source of a notification, and to check that only authorised individuals are able to log onto the online service for notifications. The personal data processed comprise names, personal identity numbers, email addresses or invoicing addresses. The legal basis for this processing of personal data is its necessity for performance of a task in the public interest, or that it takes place as part of the Authority’s governance.

The online service for notifications also includes processing of certain pieces of personal information by the Authority’s personal data processor, the firm Chambersign Sverige AB. In addition, personal data are collected and disclosed to the issuer of the users’ BankID app, and the Swedish Companies Registration Office and Swedish Tax Agency, as well as the organisation that you represent as a notifier. Electronic transfer of personal data is also made to a third country, even if it is a state outside the EU/EEA, if someone belonging to your organisation is located abroad and logs onto the online service from there, or receives emails and other electronic messages from the online service.

The Svedos national dose registry

The Swedish Radiation Safety Authority processes personal data of workers for the purpose of maintaining statutory national records of radiation doses that employees are exposed to, or might be exposed to, in connection with activities involving radiation. The personal data processed comprise names and personal identity numbers. The legal basis for this processing is compliance with a legal requirement.

Placing orders for calibration of instruments for measurement of ionising radiation

The Swedish Radiation Safety Authority processes personal data to enable administration of orders placed and as documentation for invoicing of calibration fees. The personal data processed constitute the name and contact details of the person placing an order. The legal basis for this processing is its necessity for performance of the agreement entered into in conjunction with the order placed.

Liaison and cooperation, both domestically and internationally

The Swedish Radiation Safety Authority processes personal data to enable performance of assignments within the frameworks of liaison and fora of cooperation, both in Sweden and internationally. The personal data processed comprise names and personal contact details. The legal basis for this processing is its necessity for performance of a task in the public interest.

Emailings and invitations

The Swedish Radiation Safety Authority processes personal data to enable distribution of emails and to send invitations communicating different events and meetings to pertinent individuals. The personal data processed comprise names and emails. The legal basis for this processing is its necessity for performance of a task in the public interest.

Events and official visits

The Swedish Radiation Safety Authority processes personal data for administration of events such as conferences and official visits. In some cases, this includes work materials and questionnaires. The personal data processed comprise names and personal contact details of event participants, other visitors and attendees, and sometimes information on meal preferences. The legal basis for this processing is its necessity for performance of a task in the public interest.

Photography and broadcasting of live events on the Web

The Swedish Radiation Safety Authority processes personal data of speakers, panel participants and other event attendees. The personal data processed comprise names, images and voices. The legal basis for this processing is its necessity for performance of a task in the public interest, or consent.

Social media

The Swedish Radiation Safety Authority processes personal data in social media channels for the purpose of disseminating information about the Authority’s work. The personal data processed comprise names, images and voices. The legal basis for this processing is its necessity for performance of a task in the public interest, or consent.

Processing of personal data in connection with emails

Emails often contain personal data, either as part of the email address or the message itself, which can be linked to an individual. The Swedish Radiation Safety Authority processes this personal data for administration of cases and items of business, and to respond to questions from the general public, media, organisations and other interested parties. The personal data processed comprise names and personal contact details. The legal basis for this processing is its necessity for performance of tasks in the public interest.

The personal data are needed for performance of our obligations. This information is preserved for as long as is necessary for this purpose. For instance, if this information is linked to an item of official business, the data are transferred to a matter management system, where the data are stored in compliance with provisions concerning filing and archiving.

If you email the Authority, please note the following:

  • Avoid emailing if you intend to send information that is sensitive or very private. If you need to send an email containing information that is very private, use an email system that is protected using encryption so that only the intended recipient can read your information.
  • If you mention a third person in your message, we may need to contact this individual to inform them that we are processing personal data concerning them. In all such cases, we carefully consider whether the work effort involved in contacting the individual and providing the information is commensurate with the importance of informing this person.

Publications

The Swedish Radiation Safety Authority processes personal data for the purpose of communicating about research, developments, and the work of the Authority in conjunction with publication of its own and external materials on our public website, where personal data about authors are provided. The personal data processed comprise names and, when relevant, the organisation and personal contact details. The legal basis for this processing is its necessity for performance of a task in the public interest, or a legal obligation.

Ordering publications

The Swedish Radiation Safety Authority processes personal data in connection with orders placed for information materials issued by the Authority. The personal data processed comprise orderers’ names, personal contact details and invoicing addresses. Here, the legal basis is performance of the agreement entered into in conjunction with the order placed.

Subscribing to news items

The Swedish Radiation Safety Authority processes personal data when subscriptions are made to the Authority’s news items. This is a prerequisite for administration of subscription accounts. The personal data processed comprise personal contact details. The legal basis for this processing is its necessity for performance of the agreement entered into in conjunction with the subscription request.

Consultants and suppliers

The Swedish Radiation Safety Authority processes personal data of consultants and suppliers for administration of contractual relationships and performance of agreements. The personal data processed comprise names, personal contact details and, provided that a legal entity has not been engaged, other data processed include personal identity numbers and account numbers. The legal basis for this processing is its necessity for performance of the contract entered into with the consultant or supplier.

Tenderers

The Swedish Radiation Safety Authority processes personal data of tenderers for administration of quotations that were not awarded a contract. The personal data processed comprise names and personal contact details. The legal basis for this processing is its necessity for performance of a task in the public interest.

Applying for courses

The Swedish Radiation Safety Authority processes personal data of lecturers and applicant attendees in connection with registration for course programmes offered by the Authority. This processing takes place to enable administration of course applications and to perform follow-ups of the Authority’s courses. The personal data processed comprise names, personal contact details and account information in the event that a fee is payable for the course. The legal basis for administration of course applications is performance of the agreement entered into in conjunction with such application. The legal basis for the processing in connection with follow-ups and evaluations is performance of a task in the public interest.

Entering into agreements

The Swedish Radiation Safety Authority processes personal data in connection with agreements entered into. The personal data processed comprise names and personal contact details. The legal basis for this processing is its necessity for performance of the agreement entered into with the contractual party.

Employment applications

The Swedish Radiation Safety Authority processes the personal data of job applicants for administration of the applications and appointment to the position. The personal data processed comprise names, personal contact details, qualifications, personal identity numbers, cover letters and CVs, and where relevant, photographs. The legal basis for this processing is its necessity for performance of a task in the public interest, or the Authority’s governance.

Applications for research funding

The Swedish Radiation Safety Authority processes personal data of applicants in connection with the Authority’s announced availability of research funding. This processing is required for administration of applications and awarding of research funding. The personal data processed comprise names, personal contact details, personal identity numbers and CVs. The legal basis for this processing is its necessity for performance of a task in the public interest, or the Authority’s governance.

Visitors to the website

The Swedish Radiation Safety Authority processes personal data of visitors to its public website. This is a prerequisite for evaluating visits. The personal data processed comprise IP addresses. The legal basis for this processing is performance of a task in the public interest.

Processing of sensitive personal data

Sometimes sensitive personal data are sent to the Swedish Radiation Safety Authority. This information is processed to enable administration of official business. Here, the data are managed by entering the information in the matter or case in question. The legal basis for this processing of sensitive personal data is the data’s significance to the public interest.

Possible access to personal data

Employees of the Swedish Radiation Safety Authority who have access to the personal data require the information for performance of their tasks. Apart from the required disclosures made by the Authority owing to the right of public access to official records (see the section under that heading above), the Authority in some cases engages personal data processors (hereinafter “processors”). The processors engaged are only allowed to process personal data as per the purposes and instructions defined by the Swedish Radiation Safety Authority for such processing. The processor, and those parties involved subject to the processor’s management, are never allowed to gain access to more information than what is required for performance of the contractual service for the Authority. When personal data are to be processed by a processor, a processor contract is to be drawn up and signed.

The Swedish Radiation Safety Authority engages a processor for various kinds of IT services and, as mentioned above, for administration of the online service for notifying the Authority of a practice or activity.

Storage of personal data by the Swedish Radiation Safety Authority

As a government agency, the assumption under archiving legislation is that the Authority is required to preserve official documents. The Swedish Radiation Safety Authority complies with these rules governing preservation, and subsequently winnows official documents as defined by applicable rules on winnowing and decisions taken. Personal data that do not belong to an official document are kept only for as long as they are needed for the purposes of the processing. Documents that are not deemed public include draft versions of decision documents and informal notes that have not been archived. When processing of an item of government business has been concluded, an assessment is made on what elements of the matter are to be preserved as per archiving legislation. Documents containing personal data that are not to be preserved are erased, or purged of personal data. Documents of negligible or temporary significance are, as a rule, winnowed from the outset.

Your rights

You have the right to:

  • request information about whether the Swedish Radiation Safety Authority processes your personal data and, in such case, which personal data are being processed, regardless of the way the information was collected
  • request rectification if the Authority has incorrectly processed information about you
  • in certain cases, request erasure of your personal data. Once the Swedish Radiation Safety Authority has required your personal data for performance of its task, or if this information is stated on an official document, it is not possible for the Authority to delete the information.
  • make an objection, for example when personal data are processed to perform a task in the public interest, or when this takes place as part of the Authority’s governance. If you are a data subject and you object to the processing in these cases, the Swedish Radiation Safety Authority is only allowed to continue processing the information if it can be demonstrated that the justification to require processing of this information outweighs your interests, rights and freedoms, or that the processing takes place for the confirmation, exercise, or defence of legal claims.
  • in certain cases, request a restriction on personal data processing, e.g. if you have objected to the processing. You may also have the right to bar the Authority from deleting the information, should you for instance need this data for the purpose of claiming damages.
  • request disclosure of your personal data so they can be used by a different party, for example for transfer of this information to a different controller (the right to data portability).

Special rules apply to personal data processed by the Swedish Radiation Safety Authority for scientific and historical research purposes, or for statistics purposes.

Sending your request

Send your request concerning e.g. information or rectification to:

Swedish Radiation Safety Authority,
SE-171 16 Stockholm, Sweden

Alternatively, send an email to the Swedish Radiation Safety Authority’s registrar.

The Swedish Radiation Safety Authority’s data protection officer

The Swedish Radiation Safety Authority has a data protection officer whose functions include assistance and monitoring of compliance in relation to data protection matters in-house at the Authority. Tasks of the data protection officer include the following:

  • providing information on applicable data protection provisions
  • advising the organisation on various data protection matters
  • monitoring the Authority’s compliance with data protection provisions
  • checking of internal steering documents having a bearing on data protection
  • serving as the contact point for data subjects for data protection matters, and the contact point for the supervisory authority.

Contacting the data protection officer

If you have any questions about the Swedish Radiation Safety Authority’s processing of your personal data, or would like to have more information about your rights as a data subject, you are welcome to contact our data protection officer directly by email.

Lodging a complaint with the Swedish Data Protection Authority

As a data subject, you have the statutory right to lodge a complaint with the Swedish Data Protection Authority, a supervisory authority in Sweden, as per Article 77 of the General Data Protection Regulation.