Shopping cart Close cart
SEK SEK EUR EUR |
Discount | - EUR | - SEK |
Sum | EUR | SEK |
Shipping | EUR | SEK |
Vat | EUR | SEK |
Total | EUR | SEK |
SIS GENERAL PRIVACY STATEMENT
SIS protects your personal data
Protecting your personal data and your privacy is important to the Swedish Institute for Standards (“SIS”). In this general privacy statement and the category-specific information texts (e.g. regarding customers, members and job applicants) below, SIS wishes to clearly and unambiguously communicate how SIS collects, stores, uses and otherwise processes your personal data.
If SIS changes how it processes personal data, or processes personal data for new purposes, this statement and the category-specific information texts may be updated. In such cases, SIS will provide information in this regard.
Personal data
Personal data is all data and information that can identify you as a person. The crucial point is that the data, either alone or in conjunction with other data, can be linked to you as a person. Examples of personal data are your name, address, other contact details (e.g. IP or email address), date of birth, personal ID number, ID card number, bank account information, product or service orders and photographs of you.
Data controller
The Swedish Institute for Standards (corporate ID number 802410–0151) is the data controller and is therefore also responsible for how your personal data is processed. SIS has appointed a person as data controller (“SIS Data Controller”) who monitors and checks that SIS is managing your personal data in a correct and legal manner. You can get in touch with the SIS Data Controller via email to sisgdpr@sis.se, or by sending a letter to:
SIS Data Controller
Svenska Institutet för Standarder
Solnavägen 1E/Torsplan
Box 45443
SE-104 31 Stockholm, SWEDEN
Under some circumstances, the responsibility for data protection and your privacy is shared with a third party, for example banks, postal services and providers of electronic communication and social media. In these cases, SIS and the third party are joint data controllers. More information about this can be found in the information texts below for each category of data subject (e.g. if you are a customer, member or website visitor).
Sources and recipients of your personal data
The personal data processed by SIS is primarily such data that you have provided to SIS, but SIS may also obtain data from other companies and organisations, for example the Swedish Tax Agency or partners.
Your personal data is only available and accessible to those at SIS who need the data to fulfil the intended purposes of the processing. To the required extent, your data may be shared with providers (e.g. providers of IT systems) that carry out tasks for SIS, as well as with SIS’ partners. Sometimes, SIS is also obliged to submit certain data to public agencies, e.g. the Swedish Tax Agency.
SIS may also submit personal data to a third party if SIS deems it necessary to be able to: i) investigate possible legal breaches, ii) identify, contact or take legal action against someone who is possibly in breach of a contract with SIS, iii) investigate security breaches or cooperate with public agencies on a legal matter, or iv) safeguard SIS’ rights, security or property.
Purpose and legal basis
Your personal data is collected and mainly used to enter into or fulfil contracts with you (e.g. when you purchase SIS products or services), meet or assert legal obligations (e.g. under accounting rules), fulfil marketing purposes or other legitimate interests of SIS. In certain special cases, SIS may request that you give your consent to certain processing of your personal data. This consent can, however, be revoked at any time.
SIS may not collect, store, use or otherwise process your personal data without a valid legal basis, e.g. consent, fulfilment of a contract or legitimate interest. For each specific purpose, SIS informs you below of which legal basis is applicable and which rights you can exercise.
Storage period
The main principle is that SIS does not retain your personal data for longer than is necessary to fulfil the purpose of the processing. SIS therefore deletes personal data as soon as SIS no longer requires it.
The purposes for which SIS processes your personal data, the legal basis for the processing and how long SIS retains personal data is described in more detail in the information texts below for each category of data subject.
Processing outside the EU/EEA
The personal data SIS collects is generally stored and used within the EU/EEA but can also, when required, be transferred (e.g. to our IT system provider) and processed in a country outside the EU/EEA. All such transfer and processing of your personal data takes place in accordance with applicable legislation. Where relevant, the standard contractual clauses of the EU Commission are used to ensure protection equivalent to that you are guaranteed within the EU/EEA.
Your rights
You have certain statutory rights regarding SIS’ management of your personal data. This includes the right to information, the right to erasure, the right to rectification and restriction and the right to object to, for example, direct marketing. You also have the right to complain to the Swedish Authority for Privacy Protection if you consider that SIS’ processing of your personal data does not meet requirements under applicable data protection legislation. You can read more about your rights in the more comprehensive information texts below.
Complaints
If you wish to complain about how SIS processes and protects your personal data, you are entitled at any time to lodge a complaint with the Swedish Authority for Privacy Protection or other competent supervisory authority.
Updates
SIS may update this text and the information texts below. The latest versions are always available on SIS’ website (www.sis.se).
Date for this version of the General Privacy Statement: 13 January 2023
In case of discrepancies between the English and Swedish language versions of SIS Personal Data Protection Information, the Swedish version shall take precedence.
INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR CUSTOMERS OF THE SWEDISH INSTITUTE FOR STANDARDS
This information text is aimed at current or prospective customers (business customers and their representatives and contact persons as well as natural persons or sole proprietorships) of the Swedish Institute for Standards (“SIS”).
The purpose of this information text is to help you understand what SIS does with, and how SIS processes, your personal data, what obligations SIS has, and what rights you have, under the current EU General Data Protection Regulation (“GDPR”).
This information text should be read in conjunction with the general privacy notice on SIS’ processing of personal data above.
Data controller
When you or your employer or client order and purchase a product or service from SIS and you (or your employer or client) thereby provide SIS with personal data about yourself, the legal entity the Swedish Institute for Standards (corporate ID number 802410-0151) is the data controller and is also responsible for processing your personal data.
However, in some circumstances, responsibility for data protection and your privacy is shared with third parties, such as banks, postal services and electronic communication and social media providers. In these cases, SIS and the third party are joint data controllers. If you have any questions about this, please contact the SIS Data Controller – see contact details below.
Sources of your personal data
SIS collects your personal data (e.g. your name, telephone number, e-mail address, other contact details and, in the case of a sole proprietorship, your registration number) from you or your employer or client when you or your company enter into a contract with SIS. SIS may also collect corresponding and other types of personal data from you directly in connection with contact between you and SIS, e.g. during the processing of purchase and order transactions, payments and support matters, etc. The data may be presented on orders, invoices and other related communications.
In addition to the above, SIS may obtain personal data about you (e.g. title and contact details) from the following sources:
In most cases, the provision of personal data is voluntary, but if you do not provide the personal data requested by SIS, SIS may not be able to provide you or your employer or client with the requested service or product or take other desired action.
SIS will not use your personal data for any other purposes than those set out below.
If you visit the SIS website (www.sis.se), SIS may process cookies in accordance with specific information provided about this – see information text for website visitors.
Categories of recipients
Within SIS, authorized staff may only access your personal data for the purposes set out below. However, SIS may share your personal data between SIS’ various proprietary administrative systems, databases and portals, and with other parties (e.g. data processors) when necessary to fulfil purposes. Such parties (recipients) can be divided into one of the following categories: providers of goods and services (including IT providers) and partners (e.g. companies providing SIS products and services through their platforms and digital tools).
Furthermore, SIS may disclose personal data to third parties if SIS considers it necessary in order to: i) investigate possible breaches of law or contract (taking into account Art. 10 GDPR); ii) identify, contact or take legal action against someone who may be in breach of law or contract with SIS; iii) investigate security breaches or cooperate with authorities on a legal matter; or iv) protect SIS’ rights, security or property.
To the extent that a public authority requests personal data from SIS, SIS will comply with such a request if required by law.
Any disclosure of your personal data will, where applicable, be in accordance with the law, and SIS will ensure that the personal data disclosed are only processed for the purposes set out below.
Purpose and legal basis
Your data may be processed for the following purposes and on the lawful basis set out below for each purpose.
Purpose |
Legal basis |
The administration, management and execution of orders, deliveries, invoicing, communications and commitments (including support matters) under the contract SIS will enter into or has entered into with you or your employer or client for the supply or purchase of a particular product or service. |
Balancing of interests, whereby it is in the legitimate interest of SIS to provide various products and services and to administer the contract that SIS has with you or your employer or client (Art. 6(1)(f) GDPR). |
Establishment of registers of customers and representatives and contact persons for SIS’ corporate customers, including ensuring the accuracy of contact details. |
Balancing of interests, whereby it is in the legitimate interest of SIS to ensure the efficient administration of SIS’ customer relationships (Art. 6(1)(f) GDPR). |
Performance of marketing initiatives (see additional information below). |
Balancing of interests, whereby it is in the legitimate interest of SIS to promote SIS products and services (Art. 6(1)(f) GDPR). |
Provision of relevant product information. |
Balancing of interests, whereby it is in the legitimate interest of SIS to facilitate customers finding relevant products and services (Art. 6(1)(f) GDPR). |
Organising webinars, workshops, meetings and setting up surveys, using e.g. web-based tools and/or application solutions. |
Balancing of interests, whereby the legitimate interest of SIS is to be able to provide appropriate tools and application solutions to conduct efficient business with customers (Art. 6(1)(f) GDPR). |
Carrying out a business and activity analysis (including the production of statistics, e.g. on what products or services you or your employer or client have ordered or requested and how they are used) with a view to improving/adapting business services, including product and service development. |
Balancing of interests, whereby it is in the legitimate interest of SIS to be able to conduct cost-effective and relevant business activities, including product and service development (Art. 6(1)(f) GDPR). |
Testing of new, or changes to existing, IT systems and applications relating to relevant products or services. |
Balancing of interests, whereby it is in the legitimate interest of SIS to be able to develop and improve IT systems and applications and thereby enable the development/improvement of its activities (Art. 6(1)(f) GDPR). |
Compliance with accounting and bookkeeping rules and other legal obligations. |
To fulfil legal obligations (Art. 6(1)(c) GDPR). |
Financial management. |
Balancing of interests, whereby the legitimate interest of SIS is to be able to carry out cost-effective and relevant business activities (Art. 6(1)(f) GDPR). |
Customer service case management. |
Balancing of interests, whereby the legitimate interest of SIS is to be able to provide customers with efficient support and case management (Art. 6(1)(f) GDPR). |
Investigating and taking legal action in connection with possible breaches of law/contract, security breaches and to protect the rights, security and property of SIS. |
Balancing of interests, whereby the legitimate interest of SIS is to be able to investigate and take legal action in connection with breaches of law/contract etc. (Art. 6(1)(f) GDPR). |
Defence of legal claims. |
Balancing of interests, whereby it is in the legitimate interest of SIS to defend itself against legal claims (Art. 6(1)(f) GDPR). |
There may be situations where SIS may need to obtain your consent to process personal data not covered above.
Processing for marketing purposes
SIS may send targeted marketing to you as a customer, or representative/contact person of a business customer, of SIS. This may be done by post, e-mail, text message or telephone. You or your employer or client will then receive information and offers, such as monthly newsletters or information about benefits. Such information and communications may be general (sent to all customers) or targeted (sent to you based on customer category). SIS also stores information about the communications you have received and how you have acted as a customer or representative/contact person for a business customer. You can notify SIS at any time that you do not wish to receive this type of marketing.
By law, specific rules apply to certain types of automated decisions (including profiling) that have legal consequences or similarly significantly affect you. SIS will not use your data for such decisions without you having been provided with additional information and, if necessary, your consent (which can always be withdrawn) having been obtained.
Processing outside the EU/EEA
Your personal data may be transferred to SIS’ providers (known as data processors, such as IT solution providers), or their subcontractors (known as sub-processors), for processing in countries outside the EU/EEA (third countries). SIS will then, where necessary, adopt appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR drafted and approved by the EU, unless the transfer is made to a country for which a decision of the European Commission under Article 45(3) GDPR on the adequacy of the level of protection is in place.
More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
Retention period for personal data
As a general rule, SIS will not retain your personal data for longer than is necessary for SIS to fulfil its contractual obligations towards you or your employer or client and to administer the customer relationship. In addition, SIS may need to retain certain data for a longer period in order to establish, exercise or defend legal claims. SIS may also need to keep your data for a longer period of time in order to comply with legal obligations, e.g. under tax and accounting rules.
Your rights
Under the applicable data protection legislation (Art. 7 and 15 – 21 GDPR), you have certain rights which are briefly described below.
Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you is being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR).
Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to complete incomplete personal data (Art. 16 GDPR).
Right to erasure (‘right to be forgotten’): You have the right, without undue delay, to have your personal data erased, either because the data are no longer necessary for the purposes for which they were collected, or because certain other stated conditions are fulfilled (e.g. you have withdrawn your consent to the processing). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).
Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data for purposes other than to defend legal claims, for example. You can also prevent SIS from deleting data, for example if you need the data to claim damages (Art. 18 GDPR).
Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so that outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).
Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).
Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).
Contact and SIS Data Controller
If you wish to exercise any of your rights as described above, have any questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:
SIS Data Controller Swedish Institute for Standards
Solnavägen 1E/Torsplan
Box 45443
SE-104 31 Stockholm, Sweden
E-mail: sisgdpr@sis.se
Complaints
If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.
Date of this version of this information notice: january 2 2023
INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR THOSE REPRESENTING OR CONTACT PERSONS OF PROVIDERS OR PARTNERS AT THE SWEDISH INSTITUTE FOR STANDARDS
This information text is aimed at representatives or contact persons of the Swedish Institute for Standards’ (“SIS”) current or prospective providers or partners, i.e. a company (your employer or client) that supplies a product or service to SIS or a company that has entered into some form of cooperation with SIS under a cooperation agreement.
The purpose of this information text is to help you understand what SIS does with, and how SIS processes, your personal data, what obligations SIS has, and what rights you have, under the current EU General Data Protection Regulation (“GDPR”).
This information text should be read in conjunction with the general privacy notice on SIS’ processing of personal data above.
Data controller
When your employer or client enters into a contract with SIS and you (or your employer or client) thereby provide SIS with personal data about you, the legal entity the Swedish Institute for Standards (corporate ID number 802410-0151) is the data controller and is also responsible for processing your personal data.
However, in some circumstances, responsibility for data protection and your privacy is shared with third parties, such as banks, postal services and electronic communication and social media providers. In these cases, SIS and the third party are joint data controllers. If you have any questions about this, please contact the SIS Data Controller – see contact details below.
Sources of your personal data
The personal data (e.g. your name, telephone number, e-mail address and other contact details and, where applicable, in the case of a sole proprietorship, your registration number) processed by SIS are mainly data that SIS collects from you or your employer or client when the company enters into a contract with SIS. SIS may also collect corresponding and other types of personal data from you directly in the context of contact and communication between you and SIS for the performance of the contract. SIS may also retrieve personal data from publicly available sources such as private and public registers (e.g. the Swedish Tax Agency’s register of sole proprietorships).
In most cases, your provision of personal data is voluntary, but if you do not provide the personal data requested by SIS, SIS may not be able to enter into or perform the contract between SIS and your employer or client or take other desired actions.
SIS will not use your personal data for any other purposes than those set out below.
If you visit the SIS website (www.sis.se) , SIS may process cookies in accordance with specific information provided about this – see information text for website visitors.
Categories of recipients
Within SIS, access to your personal data is only granted to authorized staff for the following purposes. However, SIS may share your personal data between SIS’ own administrative systems, databases and portals, and with other parties (e.g. data processors) when necessary to fulfil purposes. Such parties (recipients) can be divided into one of the following categories: providers of goods and services (including IT providers and procurement consultants) and partners (e.g. training and event organizers). Furthermore, SIS may disclose personal data to third parties if SIS considers it necessary in order to: i) investigate possible breaches of law or contract (taking into account Art. 10 GDPR); ii) identify, contact or take legal action against someone who may be in breach of law or contract with SIS; iii) investigate security breaches or cooperate with authorities on a legal matter; or iv) protect SIS’ rights, security or property.
To the extent that a public authority requests personal data from SIS, SIS will comply with such a request if required by law.
Any disclosure of your personal data will be made, where appropriate, in accordance with the law, and SIS will ensure that the personal data disclosed is processed only for the purposes set out below.
Purpose and legal basis
Your data as a representative or contact person of one of SIS’ providers or partners is processed by SIS for the following purposes and on the legal basis set out below for each purpose.
Purpose |
Legal basis |
The administration and management of tenders and the execution of orders, receipt of deliveries, payment, communication and performance of other obligations under the contract SIS will enter into, or has entered into, with your employer or client for the supply or purchase of a specific product or service or for cooperation. |
Balancing of interests, whereby it is in the legitimate interest of SIS to procure products and services, etc. and to administer the contract to which your employer or client is a party (Art. 6(1)(f) GDPR). |
Establishment of a register of contracts, representatives and contact persons of any of the SIS providers or partners. |
Balancing of interests, whereby it is in the legitimate interest of SIS to ensure efficient administration of SIS’ contractual relations with providers and partners (Art. 6(1)(f) GDPR). |
Compliance with accounting and bookkeeping rules and other legal obligations. |
To fulfil legal obligations (Art. 6(1)(c) GDPR). |
Financial management. |
Balancing of interests, whereby the legitimate interest of SIS is to be able to carry out cost-effective and relevant business activities (Art. 6(1)(f) GDPR). |
Testing of new, or changes to existing, IT systems and applications relating to relevant products or services. |
Balancing of interests, whereby it is in the legitimate interest of SIS to be able to develop and improve IT systems and applications and thereby enable the development/improvement of its activities (Art. 6(1)(f) GDPR). |
Investigating and taking legal action in connection with possible breaches of law/contract, security breaches and to protect the rights, security and property of SIS. |
Balancing of interests, whereby the legitimate interest of SIS is to be able to investigate and take legal action in connection with breaches of law/contract etc. (Art. 6(1)(f) GDPR). |
Defence of legal claims |
Balancing of interests, whereby it is in the legitimate interest of SIS to defend itself against legal claims (Art. 6(1)(f) GDPR). |
There may be situations where SIS may need to obtain your consent to process personal data not covered above.
Processing outside the EU/EEA
Your personal data may be transferred to SIS’ providers (known as data processors, such as IT solution providers), or their subcontractors (known as sub-processors), for processing in countries outside the EU/EEA (third countries). SIS will then, where necessary, adopt appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR drafted and approved by the EU, unless the transfer is made to a country for which a decision of the European Commission under Article 45(3) GDPR on the adequacy of the level of protection is in place.
More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
Retention period for personal data
As a general rule, SIS will not retain your personal data for longer than is necessary for SIS to fulfil its contractual obligations towards your employer or client and to administer the contractual relationship. In addition, SIS may need to retain certain data for a longer period in order to establish, exercise or defend legal claims. SIS may also need to retain your data for a longer period of time in order to comply with legal obligations such as tax and accounting rules.
Your rights
Under the applicable data protection legislation (Art. 7 and 15 – 21 GDPR), you have certain rights which are briefly described below.
Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you is being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR).
Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to complete incomplete personal data (Art. 16 GDPR).
Right to erasure (‘right to be forgotten’): You have the right, without undue delay, to have your personal data erased, either because the data are no longer necessary for the purposes for which they were collected, or because certain other stated conditions are fulfilled (e.g. you have withdrawn your consent to the processing). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).
Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data for purposes other than to defend legal claims, for example. You can also prevent SIS from deleting data, for example if you need the data to claim damages (Art. 18 GDPR).
Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so that outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).
Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).
Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).
Contact and SIS Data Controller
If you wish to exercise any of your rights as described above, have any questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:
SIS Data Controller Swedish Institute for Standards
Solnavägen 1E/Torsplan
Box 45443
SE-104 31 Stockholm, Sweden
E-mail: sisgdpr@sis.se
Complaints
If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.
Date of this version of this information notice: January 2 2023
INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR THOSE REPRESENTING OR CONTACT PERSONS OF MEMBER ORGANISATIONS AT THE SWEDISH INSTITUTE FOR STANDARDS
This information text is aimed at representatives or contact persons of one of the current or prospective member organisations of the Swedish Institute for Standards (“SIS”), i.e. an organisation (your employer or client) that is, or intends to become, a member of SIS.
The purpose of this information text is to help you understand what we do with, and how we process, your personal data, what our obligations are, and what your rights are, under the current EU General Data Protection Regulation (“GDPR”).
This information text should be read in conjunction with the general privacy notice on SIS’ processing of personal data above.
Data controller
When your employer or client applies for and becomes a member of SIS and you (or your employer or client) thereby provide SIS with personal data about you, the legal entity the Swedish Institute for Standards (corporate ID number 802410-0151) is the data controller and is also responsible for processing your personal data.
However, in some circumstances, responsibility for data protection and your privacy is shared with third parties, such as banks, postal services and electronic communication and social media providers. In these cases, SIS and the third party are joint data controllers. If you have any questions about this, please contact the SIS Data Controller – see contact details below.
The sources of your personal data
The personal data (e.g. your name, telephone number and e-mail address and, in the case of a sole proprietorship, your registration number) processed by SIS are mainly data that SIS collects from you or your employer or client in connection with your organisation applying for and becoming a member of SIS, but SIS may also collect corresponding and other types of personal data from you directly when contacting and communicating with you, for example via the member portal. In the case of sole proprietorships, SIS may also retrieve personal data from publicly available sources such as the population register.
In most cases, providing the information is voluntary, but if you do not provide the personal data requested by SIS, SIS may not be able to offer your employer or client membership, offers, benefits or take other actions requested by the organisation.
If you visit the SIS website (www.sis.se), SIS may process cookies in accordance with specific information provided about this – see information text for website visitors.
Categories of recipients
Within SIS, access to your personal data is only granted to authorized staff for the purposes set out below. SIS may also share your personal data between SIS’ own administrative systems, databases and portals, and with SIS’ providers of goods and services (in particular IT providers) when necessary to fulfil the purposes set out below. Furthermore, some of your personal data is shared with other SIS members (and participants in SIS standardisation work, etc.) through, for example, the SIS web-based member portal.
If you take advantage of any offer to use other SIS products and services (e.g. the possibility to log in to tools and/or portals related to SIS engagements other than the membership itself), your personal data may be shared with others using the service (e.g. your employer or client).
Furthermore, SIS may disclose personal data to third parties if SIS considers it necessary in order to: i) investigate possible breaches of law or contract (taking into account Art. 10 GDPR); ii) identify, contact or take legal action against someone who may be in breach of law or contract with SIS; iii) investigate security breaches or cooperate with authorities on a legal matter; or iv) protect SIS’ rights, security or property.
To the extent that a public authority requests personal data from SIS, SIS will comply with such a request if required by law.
Any disclosure of your personal data will, where applicable, be in accordance with the law, and SIS will ensure that the personal data disclosed are only processed for the purposes set out below.
Purpose and legal basis
Your data as a representative or contact person of a SIS member is processed for the following purposes and on the legal basis set out below for each purpose.
Purpose |
Legal basis |
Administration and management of membership (including applications and invoicing) for member organisations and communication with members. |
Balancing of interests, whereby it is in the legitimate interest of SIS to offer and provide membership to your employer or client and to administer the membership (Art. 6(1)(f) GDPR). |
Establishment of registers of members and their representatives and contact persons, including ensuring the accuracy of contact details. |
Balancing of interests, whereby it is in the legitimate interest of SIS to ensure the efficient administration of SIS membership activities (Art. 6(1)(f) GDPR). |
Administration and use of the web-based member portal. |
Balancing of interests, whereby it is in the legitimate interest of SIS to provide a member portal to enable communication with and between members and thereby conduct efficient membership activities (Art. 6(1)(f) GDPR). |
Organisation of webinars, workshops, meetings and the drafting of surveys, as well as the implementation of voting procedures, e.g. in the context of council meetings, through the use of web-based tools and/or application solutions, etc. |
Balancing of interests, whereby it is in the legitimate interest of SIS to be able to conduct cost-effective and relevant membership activities (Art. 6(1)(f) GDPR). |
Performance of marketing initiatives (see additional information below). |
Balancing of interests, whereby it is in the legitimate interest of SIS to promote SIS products and services (Art. 6(1)(f) GDPR). |
Provision of relevant product information. |
Balancing of interests, whereby it is in the legitimate interest of SIS to facilitate members in finding relevant products and services (Art. 6(1)(f) GDPR). |
Offer to use, and when using, other SIS products and services (e.g. possibility to log in to tools and portals related to SIS engagements other than the membership itself). |
Balancing of interests, whereby it is in the legitimate interest of SIS to offer members the possibility to use certain other SIS services in order to be able to carry out efficient membership activities along with marketing activities (Art. 6(1)(f) GDPR). |
Marketing and dissemination of information to raise awareness of SIS’ activities (including publication of stories, texts and photos in which you appear prominently) on the intranet, SIS’ external website, newspapers, newsletters, social media and other media. |
Balancing of interests, whereby it is in the legitimate interest of SIS to inform of and promote the activities of SIS. (Art. 6(1)(f) GDPR). |
Use and publication of images and videos (where there is a specific focus on you) on e.g. SIS’ website, newsletters and social media for marketing and information purposes. |
Your consent (Art. 6(1)(a) GDPR). |
Compliance with accounting and bookkeeping rules (e.g. on invoicing) and other legal obligations. |
To fulfil legal obligations (Art. 6(1)(c) GDPR). |
Carrying out a business and activity analysis (including the production of statistics such as on the services and benefits used by your employer or client) in order to improve and adapt business services and membership offerings. |
Balancing of interests, whereby it is in the legitimate interest of SIS to be able to conduct cost-effective and relevant membership activities (Art. 6(1)(f) GDPR). |
Financial management. |
Balancing of interests, whereby the legitimate interest of SIS is to be able to carry out cost-effective and relevant business activities (Art. 6(1)(f) GDPR). |
Testing of new, or changes to existing, IT systems and applications relating to relevant products or services. |
Balancing of interests, whereby it is in the legitimate interest of SIS to be able to develop and improve IT systems and applications and thereby enable the development/improvement of its activities (Art. 6(1)(f) GDPR). |
Management of membership-related issues at Member Services. |
Balancing of interests, whereby the legitimate interest of SIS is to be able to provide efficient support and case management to members (Art. 6(1)(f) GDPR). |
Investigating and taking legal action in connection with possible breaches of law/contract, security breaches and to protect the rights, security and property of SIS. |
Balancing of interests, whereby the legitimate interest of SIS is to be able to investigate and take legal action in connection with breaches of law/contract etc. (Art. 6(1)(f) GDPR). |
Defence of legal claims. |
Balancing of interests, whereby it is in the legitimate interest of SIS to defend itself against legal claims (Art. 6(1)(f) GDPR). |
There may be situations where SIS may need to obtain your consent to process personal data not covered above.
Processing for marketing purposes
SIS may send you targeted marketing as a representative or contact person of a member organisation. This may be done by post, e-mail, text message or telephone. Your employer or client will then receive information and offers, such as monthly newsletters or information about benefits. Such information and communications may be general (sent to all members) or targeted (sent to you based on membership category). SIS also stores information about what communications you have received and what action you have taken. You can notify SIS at any time that you do not wish to receive this type of marketing.
By law, specific rules apply to certain types of automated decisions (including profiling) that have legal consequences or similarly significantly affect you. We will not use your data for such decisions without providing you with additional information and, where necessary, obtaining your consent (which can always be withdrawn).
Processing outside the EU/EEA area
Your personal data may be transferred to SIS’ providers (known as data processors, such as IT solution providers), or their subcontractors (known as sub-processors), for processing in countries outside the EU/EEA (third countries). SIS will then, where necessary, adopt appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR, developed and approved by the EU, unless the transfer takes place to a country for which a decision of the European Commission under Article 45(3) GDPR on an adequate level of protection is in place.
More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
Retention period for your personal data
The general rule is that SIS will not retain your personal data for longer than is necessary for SIS to manage your employer’s or client’s membership, i.e. as long as the organisation is a member and you are listed as its representative or contact person. However, SIS may retain your data for the purpose of establishing, enforcing or defending legal claims. SIS may also need to keep your data for a longer period of time in order to comply with legal obligations, e.g. under tax and accounting rules.
Your rights
Under applicable data protection legislation (Art. 7 and 15 – 21 GDPR) you have certain rights, which are briefly described below.
Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you are being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR)
Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to complete incomplete personal data (Art. 16 GDPR).
Right to erasure (‘right to be forgotten’): You have the right to have your personal data erased without undue delay, either because the data is no longer necessary for the purposes for which it was collected, or because certain other stated conditions are met (e.g. you have given your consent to the processing and you have the right to withdraw it). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).
Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data other than to defend legal claims, for example. You can also prevent SIS from erasing data, for example if you need the data to claim damages (Art. 18 GDPR).
Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so that outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).
Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).
Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).
Contact and SIS Data Controller
If you wish to exercise any of your rights as described above, have questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:
SIS Data Controller Swedish Institute for Standards
Solnavägen 1E/Torsplan
Box 45443
SE-104 31 Stockholm, Sweden
E-mail: sisgdpr@sis.se
Complaints
If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.
Date of this version of this information notice: January 2 2023
INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR THOSE TAKING PART IN STANDARDISATION WORK AT THE SWEDISH INSTITUTE FOR STANDARDS
This information text applies to those who are, or intend to be, participants in standardisation work at the Swedish Institute for Standards (“SIS”) through a technical committee, working group, project or similar (“Standardisation Work”).
The purpose of this information text is to help you understand what we do with, and how we process, your personal data, what our obligations are, and what your rights are, under the current EU General Data Protection Regulation (“GDPR”).
This information text should be read in conjunction with the general privacy notice on SIS’ processing of personal data above.
Data controller
When you participate in Standardisation Work, it is the legal entity the Swedish Institute for Standards (corporate ID number 802410–0151) that is the data controller and is also responsible for processing your personal data.
However, in some circumstances, responsibility for data protection and your privacy is shared with third parties, such as banks, postal services and electronic communication and social media providers. In these cases, SIS and the third party are joint data controllers. If you have any questions about this, please contact the SIS Data Controller – see contact details below.
Sources of your personal data
The personal data that SIS collects and processes is mainly the data that you provide when you become a participant in Standardisation Work. Examples of such personal data are name, address, date of birth, e-mail address, telephone number, the organisation that has appointed you as a participant and possibly your picture and, in the case of a chairperson for Standardisation Work, also your CV.
In addition to the above, SIS may obtain personal data about you through contacts and communications between you and SIS in connection with your participation in the Standardisation Work.
The provision of personal data is in most cases voluntary, but if you do not provide the personal data requested by SIS, SIS may not be able to offer you participation in the Standardisation Work.
If you visit the SIS website (www.sis.se), SIS may process cookies in accordance with specific information provided about this – see information text for website visitors.
Categories of recipients of your personal data
Within SIS, access to your personal data is only granted to authorized staff for the following purposes. In addition, SIS may share your personal data between SIS’ various administrative systems, databases and portals and with other parties (e.g. data processors) when necessary to fulfil the purposes. Such parties (recipients) can be divided into the following categories: providers of goods and services (including IT providers) and partners, such as ISO and CEN.
In addition, some of your personal data is shared with other participants in the Standardisation Work through, for example, web-based Standardisation Work portals.
If you take advantage of any offer to use other SIS products and services (e.g. the possibility to log in to tools and portals related to other SIS engagements than the standardisation work itself), your personal data may be shared with others who are using the service (e.g. your employer or client).
Furthermore, SIS may disclose personal data to third parties if SIS considers it necessary in order to: i) investigate possible breaches of law or contract (taking into account Art. 10 GDPR); ii) identify, contact or take legal action against someone who may be in breach of law or contract with SIS; iii) investigate security breaches or cooperate with authorities on a legal matter; or iv) protect SIS’ rights, security or property.
To the extent that a public authority requests personal data from SIS, SIS will comply with such a request if required by law.
Any disclosure of your personal data will be in accordance with the law, and SIS will ensure that the personal data disclosed will only be processed for the purposes set out below.
Purpose and legal basis
Your data as a participant in the Standardisation Work is processed for the following purposes and on the legal basis set out below for each purpose.
Purpose |
Legal basis |
Administration of participation in Standardisation Work (including the appointment of participants, chairpersons and experts, for example). |
Balancing of interests, whereby it is in the legitimate interest of SIS to be able to carry out efficient and professional Standardisation Work (Art. 6(1)(f) GDPR). |
The establishment of registers of participants in Standardisation Work. |
Balancing of interests, whereby it is in the legitimate interest of SIS to ensure efficient and professional administration of the Standardisation Work (Art. 6(1)(f) GDPR). |
Administration of Standardisation Work (including communication and contact with participants and preparation of minutes, ballots and other documentation. |
Balancing of interests, whereby it is in the legitimate interest of SIS to ensure efficient and professional administration of the Standardisation Work (Art. 6(1)(f) GDPR). |
Administration and use of portals. |
Balancing of interests, whereby it is in the legitimate interest of SIS to provide portals to enable communication with and between participants in the Standardisation Work and thereby perform efficient standardisation activities (Art. 6(1)(f) GDPR). |
Offers to use, and when using, other SIS products and services (e.g. possibility to log on to tools and portals related to other SIS engagements than the Standardisation Work itself). |
Balancing of interests, whereby it is in the legitimate interest of SIS to offer participants in the Standardisation Work the possibility to use certain other SIS services in order to be able to carry out effective standardisation activities and also marketing (Art. 6(1)(f) GDPR). |
Carrying out a business and activity analysis (including the production of statistics such as number of committee meetings, number of participants, etc.) in order to improve and adapt the Standardisation Work. |
Balancing of interests, whereby it is in the legitimate interest of SIS to be able to carry out cost-effective and relevant standardisation activities (Art. 6(1)(f) GDPR). |
Testing of new, or changes to existing, IT systems and applications relating to relevant products or services. |
Balancing of interests, whereby it is in the legitimate interest of SIS to be able to develop and improve IT systems and applications and thereby enable the development/improvement of its activities (Art. 6(1)(f) GDPR). |
Compliance with accounting and bookkeeping rules and other legal obligations (e.g. regarding expenses and fees) |
To fulfil legal obligations (Art. 6(1)(c) GDPR). |
Organising webinars, workshops, meetings and setting up surveys and conducting voting procedures, using for example web-based tools and/or application solutions. |
Balancing of interests, whereby it is in the legitimate interest of SIS to be able to carry out cost-effective and relevant standardisation activities (Art. 6(1)(f) GDPR). |
Marketing and dissemination of information to raise awareness of SIS’ activities (including publication of stories, texts and photos in which you appear prominently) on the intranet, SIS’ external website, newspapers, newsletters, social media and other media. |
Balancing of interests, whereby it is in the legitimate interest of SIS to inform of and promote the activities of SIS. (Art. 6(1)(f) GDPR). |
Use and publication of images and videos (that specifically focus on you) on e.g. SIS’ website, newsletters and social media) for marketing and information purposes. |
Your consent (Art. 6(1)(a) GDPR) |
Investigating and taking legal action in connection with possible breaches of law/contract, security breaches and to protect the rights, security and property of SIS. |
Balancing of interests, whereby the legitimate interest of SIS is to be able to investigate and take legal action in connection with breaches of law/contract etc. (Art. 6(1)(f) GDPR). |
Defence of legal claims. |
Balancing of interests, whereby it is in the legitimate interest of SIS to defend itself against legal claims (Art. 6(1)(f) GDPR). |
There may be situations where SIS may need to obtain your consent to process personal data not covered above.
Processing of personal data outside the EU/EEA
Your personal data may be transferred to SIS’ providers (known as data processors, such as IT solution providers), or their subcontractors (known as sub-processors), for processing in countries outside the EU/EEA (third countries). SIS will then, where necessary, adopt appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR drafted and approved by the EU, unless the transfer is made to a country for which a decision of the European Commission under Article 45(3) GDPR on the adequacy of the level of protection is in place.
More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
Retention period for your personal data
The main rule is that SIS does not retain your personal data for longer than is necessary for SIS to fulfil the purpose of the processing, which in principle means that your personal data will be erased once you have ceased to be a participant in the Standardisation Work. However, SIS may retain your data for the purpose of establishing, enforcing or defending legal claims. SIS may also need to retain your data for a longer period of time in order to comply with legal obligations, such as tax and accounting rules, as well as CEN and ISO regulations.
Your rights
Under the applicable data protection legislation (Art. 7 and 15 – 21 GDPR), you have certain rights which are briefly described below.
Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you is being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR).
Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to complete incomplete personal data (Art. 16 GDPR).
Right to erasure (‘right to be forgotten’): You have the right, without undue delay, to have your personal data erased, either because the data are no longer necessary for the purposes for which they were collected, or because certain other stated conditions are fulfilled (e.g. you have withdrawn your consent to the processing). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).
Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data for purposes other than to defend legal claims, for example. You can also prevent SIS from deleting data, for example if you need the data to claim damages (Art. 18 GDPR).
Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so that outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).
Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).
Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).
Contact and SIS Data Controller
If you wish to exercise any of your rights as described above, have questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:
SIS Data Controller Swedish Institute for Standards
Solnavägen 1E/Torsplan
Box 45443
SE-104 31 Stockholm, Sweden
E-mail: sisgdpr@sis.se
Complaints
If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.
Date of this version of this information notice: January 2 2023
INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR THOSE SEEKING EMPLOYMENT AT THE SWEDISH INSTITUTE FOR STANDARDS
This information text is aimed at those seeking employment at the Swedish Institute for Standards (“SIS”).
The purpose of this information text is to help you understand what we do with, and how we process, your personal data, what our obligations are, and what your rights are, under the EU’s current General Data Protection Regulation (“GDPR”).
This information text should be read in conjunction with the general privacy notice regarding SIS’ processing of personal data above.
Data controller
When you apply for a job at SIS, the legal entity the Swedish Institute for Standards (corporate ID number 802410-0151) is the data controller and is therefore responsible for processing your personal data.
The sources of your personal data
The personal data that SIS collects and processes are mainly information that you provide when you apply for a position at SIS, such as your name, date of birth, personal ID number, curriculum vitae, grades, photo, cover letter and recommendations from previous employers.
Personal data is also collected by SIS during the recruitment process as a result of interviews, tests, assessments and evaluations of you as a job applicant and evaluation of your experience of the recruitment process.
Personal data may also be collected from social media, such as LinkedIn, as well as the references you have provided to SIS.
Provision of personal data is voluntary. However, SIS needs this information in order to assess you as a candidate for the post in question, and the absence of certain information may affect the way in which SIS assesses your application.
In the event that you use/visit the SIS website (www.sis.se), SIS may process cookies in accordance with specific information provided about this – see information text for website visitors.
Categories of recipients of your personal data
In particular, your personal data will be shared with the recruiting manager (and possibly their manager), other specifically designated staff within the recruiting department and human resources staff handling recruitment at SIS. Personal data may also be shared with other staff if this is deemed necessary to carry out the recruitment process for the position you have applied for.
SIS may also share personal data with providers of systems and services used by SIS to carry out recruitment, such as providers of digital systems with online application facilities. There may also be times when a recruitment agency assists SIS in parts of a recruitment process.
To the extent that a public authority requests personal data from SIS, SIS will comply with such a request, if required by law, for example as part of a case concerning the application of discrimination legislation or data protection legislation.
Any disclosure of your personal data will be in accordance with the law, and SIS will ensure that the personal data disclosed will only be processed for the purposes set out below.
Purpose and legal basis
Your data as a job applicant at SIS is processed for the following purposes and on the legal basis for each purpose set out below.
Purpose |
Legal basis |
Performance of the recruitment process for the post applied for (including testing and obtaining references). |
Balancing of interests, whereby it is in the legitimate interest of SIS to assess job applicants in order to be able to recruit staff and thereby ensure that its activities are carried out in an appropriate manner (Art. 6(1)(f) GDPR). |
Evaluation and analysis of (i) the recruitment process (e.g. how SIS staff or job applicants have assessed the process) and (ii) SIS’ digital services for recruitment.
|
Balancing of interests, whereby it is in the legitimate interest of SIS to ensure that the organisation’s activities are carried out in an appropriate manner with regard to the recruitment process and the digital services used therein (Art. 6(1)(f) GDPR). |
Producing statistics and carrying out business analysis, e.g. to identify the advertisement(s) through which the applicant has become aware of the vacancy. |
Balancing of interests, whereby it is in the legitimate interest of SIS to produce statistics for the purpose of assessing whether the organisation’s activities are carried out in an appropriate manner (Art. 6(1)(f) GDPR). |
Compliance with discrimination legislation and other legal obligations. |
Processing necessary to comply with discrimination legislation and other legal obligations (Art. 6(1)(c) GDPR). |
Defence against legal claims related to the employment procedure. |
Balancing of interests, whereby it is in the legitimate interest of SIS to defend itself against legal claims (Art. 6(1)(f) GDPR). |
There may be situations where SIS may need to obtain your consent to process personal data not covered above.
Processing of personal data outside the EU/EEA
Your personal data may be transferred to SIS providers (known as data processors such as IT solution providers), or its subcontractors (known as sub-processors), for processing in countries (third countries) outside the EU/EEA. In such cases and where necessary, SIS will take appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR drafted and approved by the EU, unless the transfer is made to a country for which a decision of the European Commission under Article 45(3) GDPR on the adequacy of the level of protection is in place.
More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
Retention period
As a general rule, SIS will not retain your personal data for longer than is necessary for SIS to fulfil the purpose of the processing. However, SIS may retain your personal data for up to 28 months after you submitted your application or longer if, during this period, a legal case is initiated concerning appointment to the post in question or other legal proceedings relating to the recruitment. These data retention criteria are based on the statute of limitations under current discrimination legislation.
Your rights
Under applicable data protection legislation (Art. 7 and 15 – 21 GDPR) you have certain rights, which are briefly described below.
Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you are being processed by SIS and, if so, to obtain access to the data (including what are known as "extracts") and certain additional information about the processing (Art. 15 GDPR)
Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to supplement incomplete personal data (Art. 16 GDPR).
Right to erasure (‘right to be forgotten’): You have the right to have your personal data erased without undue delay, either because the data is no longer necessary for the purposes for which it was collected, or because certain other stated conditions are met (e.g. you have given your consent to the processing and you have the right to withdraw it). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).
Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data other than to defend legal claims, for example. You can also prevent SIS from erasing data, for example if you need the data to claim damages (Art. 18 GDPR).
Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so which outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).
Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).
Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).
Contact and SIS Data Controller
If you wish to exercise any of your rights as described above, have any questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:
SIS Data Controller Swedish Institute for Standards
Solnavägen 1E/Torsplan
Box 45443
SE-104 31 Stockholm, Sweden
E-mail: sisgdpr@sis.se
Complaints
If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.
Date of this version of this information notice: January 2 2023
INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR THOSE PROVIDING REFERENCES FOR PERSONS SEEKING EMPLOYMENT AT THE SWEDISH INSTITUTE FOR STANDARDS
This information text is intended for those who provide references for job applicants to the Swedish Standards Institute (SIS).
The purpose of this information text is to help you understand what we do with, and how we process, your personal data, what our obligations are, and what your rights are, under the EU’s current General Data Protection Regulation (“GDPR”).
This information text should be read in conjunction with the general privacy notice on SIS’ processing of personal data above.
Data controller
When you submit references on job applicants to SIS, the legal entity the Swedish Institute for Standards (corporate ID number 802410-0151) is the data controller and is also responsible for processing your personal data.
Sources of your personal data
The personal data that SIS collects and processes is mainly data that you provide yourself through conversations and contact with the recruiting manager, HR staff or equivalent. SIS also receives contact details and possibly other information about you as a reference provider from the job applicant.
Your provision of personal data is voluntary, but if you do not provide this particular information, SIS may not be able to use you as a reference for the job applicant.
Categories of recipients of your personal data
The categories of recipients that may receive your personal data are primarily one or more managers of the department in which the job applicant has applied for a job, usually the recruiting manager, their manager and possibly a selected individual/selected individuals in the recruiting department, as well as staff from the SIS human resources department who manage or assist in recruitment. Personal data may also be shared with other staff if this is deemed necessary to carry out the recruitment process.
SIS may also share personal data with providers of systems and services used by SIS to carry out recruitment, such as IT system providers.
To the extent that a public authority requests personal data from SIS, SIS will comply with such a request, if required by law, for example as part of a case concerning the application of discrimination legislation.
Purpose and legal basis
Your data as a job applicant reference at SIS is processed for the following purposes and on the legal basis set out below for each purpose.
Purpose |
Legal basis |
Implementation of the process of obtaining references for the post applied for. |
Balancing of interests, whereby it is in the legitimate interest of SIS to recruit staff to ensure that its activities are carried out in an appropriate manner (Art. 6(1)(f) GDPR). |
Compliance with discrimination legislation and other legal obligations. |
Fulfilment of legal obligation (Art. 6(1)(c) GDPR). |
Defence against legal claims related to the employment procedure. |
Balancing of interests, whereby it is in the legitimate interest of SIS to defend itself against legal claims (Art. 6(1)(f) GDPR). |
There may be situations in which we may need to obtain your consent for the processing of personal data not covered above.
Processing of personal data outside the EU/EEA
Your personal data may be transferred to SIS’ providers (known as data processors, such as IT solution providers), or their subcontractors (known as sub-processors), for processing in countries outside the EU/EEA (third countries). SIS will then, where necessary, adopt appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR drafted and approved by the EU, unless the transfer is made to a country for which a decision of the European Commission under Article 45(3) GDPR on the adequacy of the level of protection is in place.
More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
How long is your personal data retained?
As a general rule, SIS will not retain your personal data for longer than is necessary for SIS to fulfil the purpose of the processing. However, SIS may retain your personal data for up to 28 months after the job applicant has submitted their application to SIS, or longer if, during this period, a legal case concerning appointment to the post in question or other legal proceedings relating to the recruitment are initiated. These data retention criteria are based on the statute of limitations under current discrimination legislation.
Your rights
Under applicable data protection legislation (Art. 7 and 15 – 21 GDPR) you have certain rights, which are briefly described below.
Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you are being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR).
Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to complete incomplete personal data (Art. 16 GDPR).
Right to erasure (‘right to be forgotten’): You have the right to have your personal data erased without undue delay, either because the data is no longer necessary for the purposes for which it was collected, or because certain other stated conditions are met (e.g. you have given your consent to the processing and you have the right to withdraw it). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).
Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data other than to defend legal claims, for example. You can also prevent SIS from erasing data, for example if you need the data to claim damages (Art. 18 GDPR).
Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so which outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).
Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).
Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).
Contact and SIS Data Controller
If you wish to exercise any of your rights as described above, have questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:
SIS Data Controller Swedish Institute for Standards
Solnavägen 1E/Torsplan
Box 45443
SE-104 31 Stockholm, Sweden
E-mail: sisgdpr@sis.se
Complaints
If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.
Date of this version of this information notice: January 2 2023
INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR THOSE VISITING THE SWEDISH INSTITUTE FOR STANDARDS’ WEBSITE
This information text is aimed at visitors to the Swedish Institute for Standards (SIS) website (www.sis.se) using a computer, mobile phone, tablet or other similar device.
The purpose of this information text is to help you understand what SIS does with, and how SIS processes, your personal data, what obligations SIS has, and what rights you have, under the current EU General Data Protection Regulation (“GDPR”).
This information text should be read in conjunction with the general privacy notice regarding SIS’ processing of personal data above.
Data controller
When you visit the SIS website, the legal entity the Swedish Institute for Standards (corporate ID number 802410-0151) is the data controller and is also responsible for processing your personal data in connection with your visit to the website.
If you have consented to SIS using what are known as third-party cookies, such as marketing cookies, SIS will share your data with third parties (e.g. Google Analytics). SIS has a joint personal data protection responsibility with such third parties when using third party cookies in respect of the personal data processing for which SIS and the third party have jointly determined the purposes and means. If you have any questions about this, please contact the SIS Data Controller – see contact details below.
Sources of your personal data
The personal data that SIS collects and processes is that which you yourself provide when you visit the SIS website (e.g. IP address, language selection and subpages you have visited). The personal data processing that takes place when you visit the SIS website is through the use of cookies.
Categories of recipients
Within SIS, access to your personal data is restricted to authorized staff for the fulfilment of the purposes. Furthermore, SIS may share your personal data with other parties when necessary to fulfil the purposes set out below. Such recipients can be divided into one of the following categories:
Any disclosure of your personal data will be in accordance with the law, and SIS will ensure that the personal data disclosed will only be processed for the purposes set out below.
Purpose and legal basis
Your data as a visitor to the SIS website is processed for the following purposes and on the legal basis set out below for each purpose.
Purpose |
Legal basis |
Enabling basic functions to provide a functional website and the services offered on the website. |
Balancing of interests, whereby it is in the legitimate interest of SIS to provide a well-functioning website (Art. 6(1)(f) GDPR). |
Generation and processing of information that changes the way the website works or is displayed in order to determine or suggest appropriate settings on your browser, e.g. preferred language or geographical area, etc. |
Your consent (Art. 6(1)(a) GDPR). |
Generating statistics by collecting and reporting the information anonymously in order to understand how visitors interact with the website. The purpose is to enable SIS to improve and adapt the website/services and products. |
Your consent (Art. 6(1)(a) GDPR). |
Generating and processing information about individual visitors’ behaviour on the website in order to make the visitor’s experience even more relevant and to use the information for targeted marketing on various marketing channels, such as on the website, in digital channels (including social media) and in email marketing.
|
Your consent (Art. 6(1)(a) GDPR). |
There may be other situations in which we may need to obtain consent for the processing of personal data not covered above.
If you log in to use any of the SIS services when visiting the SIS website, you will receive new information about the processing, where, for example, the purposes of the processing may be different from those indicated above, depending on the type of category you log in as (e.g. customer, member or TC (technical committee) participant) – see the category-specific information texts on this page for more information.
Information about cookies
Your personal data may be transferred to SIS’ providers (known as data processors, such as IT solution providers), or their subcontractors (known as sub-processors), for processing in countries outside the EU/EEA (third countries). SIS will then, where necessary, adopt appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR, produced and approved by the EU, unless the transfer is made to a country for which a decision of the European Commission under Article 45(3) GDPR on the adequacy of the level of protection is in place.
More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
Retention period
Your rights
Under the applicable data protection legislation (Art. 7 and 15 – 21 GDPR), you have certain rights which are briefly described below.
Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you is being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR).
Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to complete incomplete personal data (Art. 16 GDPR).
Right to erasure (‘right to be forgotten’): You have the right, without undue delay, to have your personal data erased, either because the data are no longer necessary for the purposes for which they were collected, or because certain other stated conditions are fulfilled (e.g. you have withdrawn your consent to the processing). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).
Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data for purposes other than to defend legal claims, for example. You can also prevent SIS from deleting data, for example if you need the data to claim damages (Art. 18 GDPR).
Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so that outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).
Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).
Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).
Contact and SIS Data Controller
If you wish to exercise any of your rights as described above, have any questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:
SIS Data Controller Swedish Institute for Standards
Solnavägen 1E/Torsplan
Box 45443
SE-104 31 Stockholm, Sweden
E-mail: sisgdpr@sis.se
Complaints
If you wish to complain about the way SIS processes and protects your personal data, you have the right to lodge a complaint at any time with the Swedish Authority for Privacy Protection (IMY) or any other competent supervisory authority in your country of residence.
The date of this version of the information notice: January 2 2023
INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR THOSE FOLLOWING THE SWEDISH INSTITUTE FOR STANDARDS ON SOCIAL MEDIA
This information text is aimed at those who are, or intend to become, a follower of one of the Swedish Institute for Standards’ (“SIS”) social media accounts (pages) (i.e. Facebook, Twitter, YouTube or LinkedIn) (“SIS Social Media Channels”).
The purpose of this information text is to help you understand what we do with, and how we process, your personal data, what our obligations are, and what your rights are, under the EU’s applicable General Data Protection Regulation (“GDPR”).
This information text should be read in conjunction with the general privacy notice regarding SIS’ processing of personal data above.
Data controller, etc.
Introduction
SIS uses Social Media Channels to communicate with you, but also to allow you to communicate with SIS and others connected to one of our accounts, make posts, like others’ posts, upload your own pictures and videos, etc. The Providers of the respective pages on SIS Social Media Channels (“Providers”), see below, record (e.g. through the use of cookies and other tracking technologies) your visits to the page and thereby process information about how you interact with the page. In addition, in this context, the Providers process other data they have about you (e.g. data that you have provided in your profile such as sex, age, industry affiliation and position, etc.). This data is compiled by the Provider and provided to SIS as what are known as “page statistics“, which helps SIS to see the behaviour, trends and demographics (e.g. age, sex and geographical area) of those who interact with the page in question. This allows SIS to improve the user experience on the page, but also to create interest-based advertising and marketing. However, SIS cannot identify you as an individual from the compiled (anonymous) statistics, and SIS does not have access to the information that the Provider collects to create the statistics.
Please note that SIS cannot track or influence all processing that takes place on the Social Media Channels. This means that further processing may be carried out by the Providers. If you wish to limit the processing, you can then make the appropriate privacy settings in your account with the respective Provider. Information on privacy settings is available from the respective Provider (see below).
Social Media Channels
SIS uses the following Social Media Channels:
Meta Platform Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland
Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA
Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, D04 W5W5 Ireland
If you would like more information about how the Providers process your personal data, you can read the Providers’ privacy or data protection policies, which you can find here:
Division of responsibilities
In general, the Provider of each Social Media Channel is the data controller and thus responsible for your personal data when you are logged in and use the Provider’s social networking services.
However, the Swedish Institute for Standards (SIS) and the respective Providers are separately and independently responsible for your personal data on the SIS page on the Social Media Channels, including personal content in the form of posted messages, reviews and posts, as well as uploaded images and videos.
When collecting and processing your personal data for the purposes of the page statistics, SIS and the Provider are joint data controllers. This means that SIS and the Provider are jointly responsible for safeguarding your legal rights and protecting your privacy. If you have any questions about this, please contact the SIS Data Controller – see contact details below.
Sources of your personal data
SIS collects information that you choose to share on SIS’ pages on the Social Media Channels, e.g. messages, posts or reviews, or if you have liked someone else’s post, uploaded a photo or a video. If you have an account with the Provider, SIS will also have access to your public information such as your user name, information in your public profile and content that you share with a public audience.
Categories of recipients of your personal data
Within SIS, access to your personal data is only granted to authorized staff for the purposes set out below. Otherwise, personal data is shared with the Providers and other followers of SIS accounts on the Social Media Channels.
Purpose and legal basis
Your data as a follower of one or more SIS accounts on the Social Media Channels are processed for the following purposes and on the legal basis set out below for each purpose.
Purpose |
Legal basis |
Collection of data via cookies. |
Consent, if you have given it to the Provider of the SIS page on the Social Media Channels (Art. 6(1)(a) GDPR). |
Page statistics. |
Balancing of interests, whereby it is in the legitimate interest of SIS as a company to create statistics for analysis and thereby be able to improve the user experience on the page, but also to create interest-based advertising and marketing (Art. 6(1)(f) GDPR). |
Communication, information sharing with and posts made by visitors, followers and other stakeholders (within the limits of what is possible on the current platform). |
Balancing of interests, whereby it is in the legitimate interest of SIS to communicate and develop relationships with SIS customers, members and other stakeholders (Art. 6(1)(f) GDPR). |
Advertising and marketing. |
Balancing of interests, whereby it is in the legitimate interest of SIS to provide information on current promotions, products and offers (Art. 6(1)(f) GDPR). |
Recruitment and selection of potential employees |
Balancing of interests, whereby it is in the legitimate interest of SIS to provide information on its activities (Art. 6(1)(f) GDPR). |
There may be situations where SIS may need to obtain your consent to process personal data not covered above.
Processing of personal data outside the EU/EEA
SIS will not process personal data outside the EU/EEA area. However, the Provider of the SIS account on Social Media may do so as part of the provision of the Social Media Channels. In such cases, the transfer and processing in a country outside the EU/EEA is the sole responsibility of the Provider and is not under the control or supervision of SIS. You can find more information on third country transfers in the respective Provider’s data protection policy (see above).
Retention period for your personal data
SIS retains communications, posts, reviews and uploaded material for as long as it is needed for the purpose, but never longer than two years. The data is then erased. The duration of the Provider’s SIS accounts on Social Media Channels is set out in the respective Provider’s data protection policy (see above).
Your rights
Under applicable data protection legislation (Art. 7 and 15 – 21 GDPR) you have certain rights, which are briefly described below. When SIS is the sole data controller for the processing of the SIS account on the Social Media Channels, you exercise your rights in relation to SIS, whereas when SIS is the joint data controller with the Provider, you have the right to exercise your rights in relation to either of the joint data controllers i.e. SIS and/or the Provider. Where the Provider is the sole data controller of the processing in question, the rights are exercised in relation to the Provider.
Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you is being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR).
Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to complete incomplete personal data (Art. 16 GDPR).
Right to erasure (‘right to be forgotten’): You have the right, without undue delay, to have your personal data erased, either because the data are no longer necessary for the purposes for which they were collected, or because certain other stated conditions are fulfilled (e.g. you have withdrawn your consent to the processing). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).
Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data for purposes other than to defend legal claims, for example. You can also prevent SIS from deleting data, for example if you need the data to claim damages (Art. 18 GDPR).
Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so that outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).
Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).
Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).
Contact and SIS Data Controller
If you wish to exercise any of your rights as described above, have any questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:
SIS Data Controller Swedish Institute for Standards
Solnavägen 1E/Torsplan
Box 45443
SE-104 31 Stockholm, Sweden
E-mail: sisgdpr@sis.se
Complaints
If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.
Date of this version of this information notice: January 2 2023
INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR VISITORS TO SIS OR PARTICIPANTS IN EVENTS OR TRAINING COURSES ORGANIZED BY THE SWEDISH INSTITUTE FOR STANDARDS
This information text is aimed at those visiting (“Visitor”) the SIS premises, participating or taking part (“Participant”) in any event (e.g. a seminar) or training course organized by the Swedish Institute for Standards (“SIS”).
The purpose of this information text is to help you understand what SIS does with, and how SIS processes, your personal data, what obligations SIS has, and what rights you have, under the current EU General Data Protection Regulation (“GDPR”).
This information text should be read in conjunction with the general privacy notice on SIS’ processing of personal data above.
Data controller
When you visit SIS’ premises, participate in any event or training course organized by SIS and you provide SIS with personal data in this connection, the legal entity the Swedish Institute for Standards (corporate ID number 802410-0151) is the data controller and is also responsible for processing your personal data.
However, in certain circumstances, responsibility for data protection and your privacy may be shared with third parties, such as banks, postal services and electronic communication and social media providers. In these cases, SIS and the third party are joint data controllers. If you have any questions about this, please contact the SIS Data Controller – see contact details below.
Sources of your personal data
SIS collects personal data from you (e.g. your name, telephone number, e-mail address and other contact details) when you visit SIS premises or register for any event or training course organized by SIS, but SIS may also collect additional personal data from you in connection with subsequent contact between you and SIS during the administration and processing of the visit, event or training course in question.
In addition to the above, SIS may obtain personal data about you as a Participant from the following sources:
In most cases, you provide personal data on a voluntary basis, but if you do not provide the personal data requested by SIS, SIS may not be able to offer you access to its premises or participation in events or training courses organized by SIS or take any other action that you wish SIS to take.
We do not use your personal data for purposes other than those set out below.
If you visit the SIS website (www.sis.se), SIS may process cookies in accordance with specific information provided about this – see information text for website visitors.
Categories of recipients
Within SIS, access to your personal data is only granted to authorized staff for the following purposes. However, SIS may share your personal data between different SIS administrative systems, databases and portals, as well as with other parties (e.g. data processors) when necessary to fulfil purposes. Such parties (recipients) can be divided into the following categories: providers of goods and services (including IT providers) and partners (e.g. event organizers and external teachers).
Furthermore, SIS may disclose personal data to third parties if SIS considers it necessary in order to: i) investigate possible breaches of law or contract (taking into account Art. 10 GDPR); ii) identify, contact or take legal action against someone who may be in breach of law or contract with SIS; iii) investigate security breaches or cooperate with authorities on a legal matter; or iv) protect SIS’ rights, security or property.
To the extent that a public authority requests personal data from SIS, SIS will comply with such a request if required by law.
Any disclosure of your personal data will be in accordance with the law, and SIS will ensure that the personal data disclosed will only be processed for the purposes set out below.
Purpose and legal basis
Your data as a Visitor or Participant is processed by SIS for the following purposes and on the legal basis set out below for each purpose.
Purpose |
Legal basis |
Administration, management and execution of events or training courses, including handling registrations, implementation (including documenting attendance), any invoicing, communication and other commitments related to such events and training courses. |
Performance of contracts for participation in paid events or training courses to which you are a party, or to take action at your request prior to entering into a contract (Art. 6(1)(b) GDPR).
Balancing of interests regarding unpaid training courses, whereby it is in the interest of SIS to offer customers, members and other stakeholders the opportunity to participate in events and training courses. |
Administration, documentation and management of Visitors. |
Balancing of interests, whereby it is in the legitimate interest of SIS to ensure that unauthorized persons do not enter SIS premises and that security is ensured on the premises. |
Establishment of registers of Visitors and Participants, including ensuring correct contact details. |
Balancing of interests, whereby it is in the legitimate interest of SIS to ensure the efficient administration of Visitors and Participants (Art. 6(1)(f) GDPR). |
Establishing dietary preferences. |
Your consent (Art. 6(1)(a) GDPR). |
Performance of marketing initiatives in relation to Participants (see additional information below). |
Balancing of interests, whereby it is in the legitimate interest of SIS to promote SIS products and services, including events and training courses (Art. 6(1)(f) GDPR). |
Provision of relevant product and service information, including events and training courses. |
Balancing of interests, whereby it is in the legitimate interest of SIS to facilitate the search for relevant products and services, including events and training courses, by Participants (Art. 6(1)(f) GDPR). |
Carrying out a business and activity analysis of Participants (including the production of statistics, e.g. regarding which training courses Participants have registered for or requested) in order to improve and adapt business- or activity-related services, e.g. the provision of training courses, products and services. |
Balancing of interests, whereby it is in the legitimate interest of SIS to be able to conduct cost-effective and relevant business activities (Art. 6(1)(f) GDPR). |
Testing of new, or changes to existing, IT systems and applications relating to relevant products or services. |
Balancing of interests, whereby it is in the legitimate interest of SIS to be able to develop and improve IT systems and applications and thereby enable the development/improvement of its activities (Art. 6(1)(f) GDPR). |
Compliance with accounting and reporting rules and other legal obligations relating to Participants. |
In order to fulfil a legal obligation (Art. 6(1)(c) GDPR). |
Financial management. |
Balancing of interests, whereby the legitimate interest of SIS is to be able to carry out cost-effective and relevant business activities (Art. 6(1)(f) GDPR). |
Customer service case management. |
Balancing of interests, whereby the legitimate interest of SIS is to be able to provide effective support and case management for Participants (Art. 6(1)(f) GDPR). |
Organising webinars, workshops, meetings and setting up surveys, using e.g. web-based tools and/or application solutions. |
Balancing of interests, whereby the legitimate interest of SIS is to be able to provide appropriate tools and application solutions to conduct effective visitor and training activities (Art. 6(1)(f) GDPR). |
Investigating and taking legal action in connection with possible breaches of law/contract, security breaches and to protect the rights, security and property of SIS. |
Balancing of interests, whereby the legitimate interest of SIS is to be able to investigate and take legal action in connection with breaches of law/contract etc. (Art. 6(1)(f) GDPR). |
Defence of legal claims. |
Balancing of interests, whereby it is in the legitimate interest of SIS to defend itself against legal claims (Art. 6(1)(f) GDPR). |
Marketing and dissemination of information to raise awareness of SIS’ activities (including publication of stories, texts and photos in which you appear prominently) on the intranet, SIS’ external website, newspapers, newsletters, social media and other media. |
Balancing of interests, whereby it is in the legitimate interest of SIS to inform of and promote the activities of SIS. (Art. 6(1)(f) GDPR). |
Use and publication of images and videos (that specifically focus on you) on e.g. SIS’ website, newsletters and social media) for marketing and information purposes. |
Your consent (Art. 6(1)(a) GDPR) |
There may be situations where SIS may need to obtain your consent to process personal data not covered above.
Processing for marketing purposes
SIS may send you targeted marketing as a Participant. This may be done by post, e-mail, text message or telephone. You will then receive information and offers, such as information about upcoming events or training courses. Such information and communications may be general (sent to all Participants) or targeted (sent to you based on a particular category). SIS also stores information about the communications you have received and how you have acted as a Participant. You can notify SIS at any time that you do not wish to receive this type of marketing.
By law, specific rules apply to certain types of automated decisions (including profiling) that have legal consequences or similarly significantly affect you. SIS will not use your data for such decisions without you having been provided with additional information and, if necessary, your consent (which can always be withdrawn) having been obtained.
Processing outside the EU/EEA
Your personal data may be transferred to SIS’ providers (known as data processors, such as IT solution providers), or their subcontractors (known as sub-processors), for processing in countries outside the EU/EEA (third countries). SIS will then, where necessary, adopt appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR drafted and approved by the EU, unless the transfer is made to a country for which a decision of the European Commission under Article 45(3) GDPR on the adequacy of the level of protection is in place.
More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
Retention period for personal data
As a general rule, SIS will not retain your personal data for longer than is necessary for SIS to fulfil the purposes of the processing mentioned above. In addition, SIS may need to retain certain data for a longer period in order to establish, exercise or defend legal claims. SIS may also need to retain your data for a longer period of time in order to comply with legal obligations, e.g. under tax and accounting rules.
Your rights
Under applicable data protection legislation (Art. 7 and 15 – 21 GDPR) you have certain rights, which are briefly described below.
Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you are being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR).
Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to supplement incomplete personal data (Art. 16 GDPR).
Right to erasure (‘right to be forgotten’): You have the right to have your personal data erased without undue delay, either because the data is no longer necessary for the purposes for which it was collected, or because certain other stated conditions are met (e.g. you have given your consent to the processing and you have the right to withdraw it). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).
Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data other than to defend legal claims, for example. You can also prevent SIS from erasing data, for example if you need the data to claim damages (Art. 18 GDPR).
Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so which outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).
Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).
Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).
Contact and SIS Data Controller
If you wish to exercise any of your rights as described above, have any questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or enquiry to the SIS Data Controller by letter or e-mail to:
SIS Data Controller Swedish Institute for Standards
Solnavägen 1E/Torsplan
Box 45443
SE-104 31 Stockholm, Sweden
E-mail: sisgdpr@sis.se
Complaints
If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.
Date of this version of this information notice: January 2 2023