Personal data processing

INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR CUSTOMERS OF THE SWEDISH INSTITUTE FOR STANDARDS

This information text is aimed at current or prospective customers (business customers and their representatives and contact persons as well as natural persons or sole proprietorships) of the Swedish Institute for Standards (“SIS”). 

The purpose of this information text is to help you understand what SIS does with, and how SIS processes, your personal data, what obligations SIS has, and what rights you have, under the current EU General Data Protection Regulation (“GDPR”).

This information text should be read in conjunction with the general privacy notice on SIS’ processing of personal data above.

Data controller

When you or your employer or client order and purchase a product or service from SIS and you (or your employer or client) thereby provide SIS with personal data about yourself, the legal entity the Swedish Institute for Standards (corporate ID number 802410-0151) is the data controller and is also responsible for processing your personal data.

However, in some circumstances, responsibility for data protection and your privacy is shared with third parties, such as banks, postal services and electronic communication and social media providers. In these cases, SIS and the third party are joint data controllers. If you have any questions about this, please contact the SIS Data Controller – see contact details below.

Sources of your personal data

SIS collects your personal data (e.g. your name, telephone number, e-mail address, other contact details and, in the case of a sole proprietorship, your registration number) from you or your employer or client when you or your company enter into a contract with SIS. SIS may also collect corresponding and other types of personal data from you directly in connection with contact between you and SIS, e.g. during the processing of purchase and order transactions, payments and support matters, etc. The data may be presented on orders, invoices and other related communications.

In addition to the above, SIS may obtain personal data about you (e.g. title and contact details) from the following sources:

• other SIS registers in which you may appear (e.g. membership registers), and
• publicly available sources such as private and public registers (e.g. registers of companies providing business, market and customer information).

In most cases, the provision of personal data is voluntary, but if you do not provide the personal data requested by SIS, SIS may not be able to provide you or your employer or client with the requested service or product or take other desired action.

SIS will not use your personal data for any other purposes than those set out below.

If you visit the SIS website (www.sis.se), SIS may process cookies in accordance with specific information provided about this – see information text for website visitors.

Categories of recipients

Within SIS, authorized staff may only access your personal data for the purposes set out below. However, SIS may share your personal data between SIS’ various proprietary administrative systems, databases and portals, and with other parties (e.g. data processors) when necessary to fulfil purposes. Such parties (recipients) can be divided into one of the following categories: providers of goods and services (including IT providers) and partners (e.g. companies providing SIS products and services through their platforms and digital tools).

Furthermore, SIS may disclose personal data to third parties if SIS considers it necessary in order to: i) investigate possible breaches of law or contract (taking into account Art. 10 GDPR); ii) identify, contact or take legal action against someone who may be in breach of law or contract with SIS; iii) investigate security breaches or cooperate with authorities on a legal matter; or iv) protect SIS’ rights, security or property.

To the extent that a public authority requests personal data from SIS, SIS will comply with such a request if required by law.

Any disclosure of your personal data will, where applicable, be in accordance with the law, and SIS will ensure that the personal data disclosed are only processed for the purposes set out below.

Purpose and legal basis

Your data may be processed for the following purposes and on the lawful basis set out below for each purpose.

There may be situations where SIS may need to obtain your consent to process personal data not covered above.

Processing for marketing purposes

SIS may send targeted marketing to you as a customer, or representative/contact person of a business customer, of SIS. This may be done by post, e-mail, text message or telephone. You or your employer or client will then receive information and offers, such as monthly newsletters or information about benefits. Such information and communications may be general (sent to all customers) or targeted (sent to you based on customer category). SIS also stores information about the communications you have received and how you have acted as a customer or representative/contact person for a business customer. You can notify SIS at any time that you do not wish to receive this type of marketing.

By law, specific rules apply to certain types of automated decisions (including profiling) that have legal consequences or similarly significantly affect you. SIS will not use your data for such decisions without you having been provided with additional information and, if necessary, your consent (which can always be withdrawn) having been obtained.

Processing outside the EU/EEA

Your personal data may be transferred to SIS’ providers (known as data processors, such as IT solution providers), or their subcontractors (known as sub-processors), for processing in countries outside the EU/EEA (third countries). SIS will then, where necessary, adopt appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR drafted and approved by the EU, unless the transfer is made to a country for which a decision of the European Commission under Article 45(3) GDPR on the adequacy of the level of protection is in place.

More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

Retention period for personal data

As a general rule, SIS will not retain your personal data for longer than is necessary for SIS to fulfil its contractual obligations towards you or your employer or client and to administer the customer relationship. In addition, SIS may need to retain certain data for a longer period in order to establish, exercise or defend legal claims. SIS may also need to keep your data for a longer period of time in order to comply with legal obligations, e.g. under tax and accounting rules.

Your rights

Under the applicable data protection legislation (Art. 7 and 15 – 21 GDPR), you have certain rights which are briefly described below.

Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you is being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR).

Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to complete incomplete personal data (Art. 16 GDPR).

Right to erasure (‘right to be forgotten’): You have the right, without undue delay, to have your personal data erased, either because the data are no longer necessary for the purposes for which they were collected, or because certain other stated conditions are fulfilled (e.g. you have withdrawn your consent to the processing). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).

Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data for purposes other than to defend legal claims, for example. You can also prevent SIS from deleting data, for example if you need the data to claim damages (Art. 18 GDPR).

Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so that outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).

Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).

Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).

Contact and SIS Data Controller

If you wish to exercise any of your rights as described above, have any questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:

SIS Data Controller Swedish Institute for Standards

Solnavägen 1E/Torsplan

Box 45443

SE-104 31 Stockholm, Sweden

E-mail: sisgdpr@sis.se

Complaints

If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.

Date of this version of this information notice: january 2 2023

INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR THOSE REPRESENTING OR CONTACT PERSONS OF PROVIDERS OR PARTNERS AT THE SWEDISH INSTITUTE FOR STANDARDS

This information text is aimed at representatives or contact persons of the Swedish Institute for Standards’ (“SIS”) current or prospective providers or partners, i.e. a company (your employer or client) that supplies a product or service to SIS or a company that has entered into some form of cooperation with SIS under a cooperation agreement.

The purpose of this information text is to help you understand what SIS does with, and how SIS processes, your personal data, what obligations SIS has, and what rights you have, under the current EU General Data Protection Regulation (“GDPR”).

This information text should be read in conjunction with the general privacy notice on SIS’ processing of personal data above.

Data controller

When your employer or client enters into a contract with SIS and you (or your employer or client) thereby provide SIS with personal data about you, the legal entity the Swedish Institute for Standards (corporate ID number 802410-0151) is the data controller and is also responsible for processing your personal data.

However, in some circumstances, responsibility for data protection and your privacy is shared with third parties, such as banks, postal services and electronic communication and social media providers. In these cases, SIS and the third party are joint data controllers. If you have any questions about this, please contact the SIS Data Controller – see contact details below.

Sources of your personal data

The personal data (e.g. your name, telephone number, e-mail address and other contact details and, where applicable, in the case of a sole proprietorship, your registration number) processed by SIS are mainly data that SIS collects from you or your employer or client when the company enters into a contract with SIS. SIS may also collect corresponding and other types of personal data from you directly in the context of contact and communication between you and SIS for the performance of the contract. SIS may also retrieve personal data from publicly available sources such as private and public registers (e.g. the Swedish Tax Agency’s register of sole proprietorships).

In most cases, your provision of personal data is voluntary, but if you do not provide the personal data requested by SIS, SIS may not be able to enter into or perform the contract between SIS and your employer or client or take other desired actions.

SIS will not use your personal data for any other purposes than those set out below.

If you visit the SIS website (www.sis.se) , SIS may process cookies in accordance with specific information provided about this – see information text for website visitors.

Categories of recipients

Within SIS, access to your personal data is only granted to authorized staff for the following purposes. However, SIS may share your personal data between SIS’ own administrative systems, databases and portals, and with other parties (e.g. data processors) when necessary to fulfil purposes. Such parties (recipients) can be divided into one of the following categories: providers of goods and services (including IT providers and procurement consultants) and partners (e.g. training and event organizers). Furthermore, SIS may disclose personal data to third parties if SIS considers it necessary in order to: i) investigate possible breaches of law or contract (taking into account Art. 10 GDPR); ii) identify, contact or take legal action against someone who may be in breach of law or contract with SIS; iii) investigate security breaches or cooperate with authorities on a legal matter; or iv) protect SIS’ rights, security or property.

To the extent that a public authority requests personal data from SIS, SIS will comply with such a request if required by law.

Any disclosure of your personal data will be made, where appropriate, in accordance with the law, and SIS will ensure that the personal data disclosed is processed only for the purposes set out below.

Purpose and legal basis

Your data as a representative or contact person of one of SIS’ providers or partners is processed by SIS for the following purposes and on the legal basis set out below for each purpose.

There may be situations where SIS may need to obtain your consent to process personal data not covered above.

Processing outside the EU/EEA

Your personal data may be transferred to SIS’ providers (known as data processors, such as IT solution providers), or their subcontractors (known as sub-processors), for processing in countries outside the EU/EEA (third countries). SIS will then, where necessary, adopt appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR drafted and approved by the EU, unless the transfer is made to a country for which a decision of the European Commission under Article 45(3) GDPR on the adequacy of the level of protection is in place.

More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

Retention period for personal data

As a general rule, SIS will not retain your personal data for longer than is necessary for SIS to fulfil its contractual obligations towards your employer or client and to administer the contractual relationship. In addition, SIS may need to retain certain data for a longer period in order to establish, exercise or defend legal claims. SIS may also need to retain your data for a longer period of time in order to comply with legal obligations such as tax and accounting rules.

Your rights

Under the applicable data protection legislation (Art. 7 and 15 – 21 GDPR), you have certain rights which are briefly described below.

Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you is being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR).

Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to complete incomplete personal data (Art. 16 GDPR).

Right to erasure (‘right to be forgotten’): You have the right, without undue delay, to have your personal data erased, either because the data are no longer necessary for the purposes for which they were collected, or because certain other stated conditions are fulfilled (e.g. you have withdrawn your consent to the processing). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).

Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data for purposes other than to defend legal claims, for example. You can also prevent SIS from deleting data, for example if you need the data to claim damages (Art. 18 GDPR).

Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so that outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).

Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).

Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).

Contact and SIS Data Controller

If you wish to exercise any of your rights as described above, have any questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:

SIS Data Controller Swedish Institute for Standards

Solnavägen 1E/Torsplan

Box 45443

SE-104 31 Stockholm, Sweden

E-mail: sisgdpr@sis.se

Complaints

If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.

Date of this version of this information notice: January 2 2023

INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR THOSE REPRESENTING OR CONTACT PERSONS OF MEMBER ORGANISATIONS AT THE SWEDISH INSTITUTE FOR STANDARDS

This information text is aimed at representatives or contact persons of one of the current or prospective member organisations of the Swedish Institute for Standards (“SIS”), i.e. an organisation (your employer or client) that is, or intends to become, a member of SIS.

The purpose of this information text is to help you understand what we do with, and how we process, your personal data, what our obligations are, and what your rights are, under the current EU General Data Protection Regulation (“GDPR”).

This information text should be read in conjunction with the general privacy notice on SIS’ processing of personal data above.

Data controller

When your employer or client applies for and becomes a member of SIS and you (or your employer or client) thereby provide SIS with personal data about you, the legal entity the Swedish Institute for Standards (corporate ID number 802410-0151) is the data controller and is also responsible for processing your personal data.

However, in some circumstances, responsibility for data protection and your privacy is shared with third parties, such as banks, postal services and electronic communication and social media providers. In these cases, SIS and the third party are joint data controllers. If you have any questions about this, please contact the SIS Data Controller – see contact details below.

The sources of your personal data

The personal data (e.g. your name, telephone number and e-mail address and, in the case of a sole proprietorship, your registration number) processed by SIS are mainly data that SIS collects from you or your employer or client in connection with your organisation applying for and becoming a member of SIS, but SIS may also collect corresponding and other types of personal data from you directly when contacting and communicating with you, for example via the member portal. In the case of sole proprietorships, SIS may also retrieve personal data from publicly available sources such as the population register.

In most cases, providing the information is voluntary, but if you do not provide the personal data requested by SIS, SIS may not be able to offer your employer or client membership, offers, benefits or take other actions requested by the organisation.

If you visit the SIS website (www.sis.se), SIS may process cookies in accordance with specific information provided about this – see information text for website visitors.

Categories of recipients

Within SIS, access to your personal data is only granted to authorized staff for the purposes set out below. SIS may also share your personal data between SIS’ own administrative systems, databases and portals, and with SIS’ providers of goods and services (in particular IT providers) when necessary to fulfil the purposes set out below. Furthermore, some of your personal data is shared with other SIS members (and participants in SIS standardisation work, etc.) through, for example, the SIS web-based member portal.

If you take advantage of any offer to use other SIS products and services (e.g. the possibility to log in to tools and/or portals related to SIS engagements other than the membership itself), your personal data may be shared with others using the service (e.g. your employer or client). 

Furthermore, SIS may disclose personal data to third parties if SIS considers it necessary in order to: i) investigate possible breaches of law or contract (taking into account Art. 10 GDPR); ii) identify, contact or take legal action against someone who may be in breach of law or contract with SIS; iii) investigate security breaches or cooperate with authorities on a legal matter; or iv) protect SIS’ rights, security or property.

To the extent that a public authority requests personal data from SIS, SIS will comply with such a request if required by law.

Any disclosure of your personal data will, where applicable, be in accordance with the law, and SIS will ensure that the personal data disclosed are only processed for the purposes set out below.

Purpose and legal basis

Your data as a representative or contact person of a SIS member is processed for the following purposes and on the legal basis set out below for each purpose. 

There may be situations where SIS may need to obtain your consent to process personal data not covered above.

Processing for marketing purposes

SIS may send you targeted marketing as a representative or contact person of a member organisation. This may be done by post, e-mail, text message or telephone. Your employer or client will then receive information and offers, such as monthly newsletters or information about benefits. Such information and communications may be general (sent to all members) or targeted (sent to you based on membership category). SIS also stores information about what communications you have received and what action you have taken. You can notify SIS at any time that you do not wish to receive this type of marketing.

By law, specific rules apply to certain types of automated decisions (including profiling) that have legal consequences or similarly significantly affect you. We will not use your data for such decisions without providing you with additional information and, where necessary, obtaining your consent (which can always be withdrawn).

Processing outside the EU/EEA area

Your personal data may be transferred to SIS’ providers (known as data processors, such as IT solution providers), or their subcontractors (known as sub-processors), for processing in countries outside the EU/EEA (third countries). SIS will then, where necessary, adopt appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR, developed and approved by the EU, unless the transfer takes place to a country for which a decision of the European Commission under Article 45(3) GDPR on an adequate level of protection is in place.

More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

Retention period for your personal data

The general rule is that SIS will not retain your personal data for longer than is necessary for SIS to manage your employer’s or client’s membership, i.e. as long as the organisation is a member and you are listed as its representative or contact person. However, SIS may retain your data for the purpose of establishing, enforcing or defending legal claims. SIS may also need to keep your data for a longer period of time in order to comply with legal obligations, e.g. under tax and accounting rules.

Your rights

Under applicable data protection legislation (Art. 7 and 15 – 21 GDPR) you have certain rights, which are briefly described below.

Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you are being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR)

Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to complete incomplete personal data (Art. 16 GDPR).

Right to erasure (‘right to be forgotten’): You have the right to have your personal data erased without undue delay, either because the data is no longer necessary for the purposes for which it was collected, or because certain other stated conditions are met (e.g. you have given your consent to the processing and you have the right to withdraw it). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).

Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data other than to defend legal claims, for example. You can also prevent SIS from erasing data, for example if you need the data to claim damages (Art. 18 GDPR).

Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so that outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).

Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).

Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).

Contact and SIS Data Controller

If you wish to exercise any of your rights as described above, have questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:

SIS Data Controller Swedish Institute for Standards

Solnavägen 1E/Torsplan

Box 45443

SE-104 31 Stockholm, Sweden

E-mail: sisgdpr@sis.se

Complaints

If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.

Date of this version of this information notice: January 2 2023

INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR THOSE TAKING PART IN STANDARDISATION WORK AT THE SWEDISH INSTITUTE FOR STANDARDS

This information text applies to those who are, or intend to be, participants in standardisation work at the Swedish Institute for Standards (“SIS”) through a technical committee, working group, project or similar (“Standardisation Work”).

The purpose of this information text is to help you understand what we do with, and how we process, your personal data, what our obligations are, and what your rights are, under the current EU General Data Protection Regulation (“GDPR”).

This information text should be read in conjunction with the general privacy notice on SIS’ processing of personal data above.

Data controller

When you participate in Standardisation Work, it is the legal entity the Swedish Institute for Standards (corporate ID number 802410–0151) that is the data controller and is also responsible for processing your personal data.

However, in some circumstances, responsibility for data protection and your privacy is shared with third parties, such as banks, postal services and electronic communication and social media providers. In these cases, SIS and the third party are joint data controllers. If you have any questions about this, please contact the SIS Data Controller – see contact details below.

Sources of your personal data

The personal data that SIS collects and processes is mainly the data that you provide when you become a participant in Standardisation Work. Examples of such personal data are name, address, date of birth, e-mail address, telephone number, the organisation that has appointed you as a participant and possibly your picture and, in the case of a chairperson for Standardisation Work, also your CV.

In addition to the above, SIS may obtain personal data about you through contacts and communications between you and SIS in connection with your participation in the Standardisation Work.

The provision of personal data is in most cases voluntary, but if you do not provide the personal data requested by SIS, SIS may not be able to offer you participation in the Standardisation Work.

If you visit the SIS website (www.sis.se), SIS may process cookies in accordance with specific information provided about this – see information text for website visitors.

Categories of recipients of your personal data

Within SIS, access to your personal data is only granted to authorized staff for the following purposes. In addition, SIS may share your personal data between SIS’ various administrative systems, databases and portals and with other parties (e.g. data processors) when necessary to fulfil the purposes. Such parties (recipients) can be divided into the following categories: providers of goods and services (including IT providers) and partners, such as ISO and CEN.

In addition, some of your personal data is shared with other participants in the Standardisation Work through, for example, web-based Standardisation Work portals.

If you take advantage of any offer to use other SIS products and services (e.g. the possibility to log in to tools and portals related to other SIS engagements than the standardisation work itself), your personal data may be shared with others who are using the service (e.g. your employer or client).

Furthermore, SIS may disclose personal data to third parties if SIS considers it necessary in order to: i) investigate possible breaches of law or contract (taking into account Art. 10 GDPR); ii) identify, contact or take legal action against someone who may be in breach of law or contract with SIS; iii) investigate security breaches or cooperate with authorities on a legal matter; or iv) protect SIS’ rights, security or property.

To the extent that a public authority requests personal data from SIS, SIS will comply with such a request if required by law.

Any disclosure of your personal data will be in accordance with the law, and SIS will ensure that the personal data disclosed will only be processed for the purposes set out below.

Purpose and legal basis

Your data as a participant in the Standardisation Work is processed for the following purposes and on the legal basis set out below for each purpose.

There may be situations where SIS may need to obtain your consent to process personal data not covered above.

Processing of personal data outside the EU/EEA

Your personal data may be transferred to SIS’ providers (known as data processors, such as IT solution providers), or their subcontractors (known as sub-processors), for processing in countries outside the EU/EEA (third countries). SIS will then, where necessary, adopt appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR drafted and approved by the EU, unless the transfer is made to a country for which a decision of the European Commission under Article 45(3) GDPR on the adequacy of the level of protection is in place.

More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

Retention period for your personal data

The main rule is that SIS does not retain your personal data for longer than is necessary for SIS to fulfil the purpose of the processing, which in principle means that your personal data will be erased once you have ceased to be a participant in the Standardisation Work. However, SIS may retain your data for the purpose of establishing, enforcing or defending legal claims. SIS may also need to retain your data for a longer period of time in order to comply with legal obligations, such as tax and accounting rules, as well as CEN and ISO regulations.

Your rights

Under the applicable data protection legislation (Art. 7 and 15 – 21 GDPR), you have certain rights which are briefly described below.

Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you is being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR).

Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to complete incomplete personal data (Art. 16 GDPR).

Right to erasure (‘right to be forgotten’): You have the right, without undue delay, to have your personal data erased, either because the data are no longer necessary for the purposes for which they were collected, or because certain other stated conditions are fulfilled (e.g. you have withdrawn your consent to the processing). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).

Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data for purposes other than to defend legal claims, for example. You can also prevent SIS from deleting data, for example if you need the data to claim damages (Art. 18 GDPR).

Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so that outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).

Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).

Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).

Contact and SIS Data Controller

If you wish to exercise any of your rights as described above, have questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:

SIS Data Controller Swedish Institute for Standards

Solnavägen 1E/Torsplan

Box 45443

SE-104 31 Stockholm, Sweden

E-mail: sisgdpr@sis.se

Complaints

If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.

Date of this version of this information notice: January 2 2023

INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR THOSE SEEKING EMPLOYMENT AT THE SWEDISH INSTITUTE FOR STANDARDS

This information text is aimed at those seeking employment at the Swedish Institute for Standards (“SIS”).

The purpose of this information text is to help you understand what we do with, and how we process, your personal data, what our obligations are, and what your rights are, under the EU’s current General Data Protection Regulation (“GDPR”).

This information text should be read in conjunction with the general privacy notice regarding SIS’ processing of personal data above.

Data controller

When you apply for a job at SIS, the legal entity the Swedish Institute for Standards (corporate ID number 802410-0151) is the data controller and is therefore responsible for processing your personal data.

The sources of your personal data

The personal data that SIS collects and processes are mainly information that you provide when you apply for a position at SIS, such as your name, date of birth, personal ID number, curriculum vitae, grades, photo, cover letter and recommendations from previous employers.

Personal data is also collected by SIS during the recruitment process as a result of interviews, tests, assessments and evaluations of you as a job applicant and evaluation of your experience of the recruitment process.

Personal data may also be collected from social media, such as LinkedIn, as well as the references you have provided to SIS.

Provision of personal data is voluntary. However, SIS needs this information in order to assess you as a candidate for the post in question, and the absence of certain information may affect the way in which SIS assesses your application.

In the event that you use/visit the SIS website (www.sis.se), SIS may process cookies in accordance with specific information provided about this – see information text for website visitors.

Categories of recipients of your personal data

In particular, your personal data will be shared with the recruiting manager (and possibly their manager), other specifically designated staff within the recruiting department and human resources staff handling recruitment at SIS. Personal data may also be shared with other staff if this is deemed necessary to carry out the recruitment process for the position you have applied for.

SIS may also share personal data with providers of systems and services used by SIS to carry out recruitment, such as providers of digital systems with online application facilities. There may also be times when a recruitment agency assists SIS in parts of a recruitment process.

To the extent that a public authority requests personal data from SIS, SIS will comply with such a request, if required by law, for example as part of a case concerning the application of discrimination legislation or data protection legislation.

Any disclosure of your personal data will be in accordance with the law, and SIS will ensure that the personal data disclosed will only be processed for the purposes set out below.

Purpose and legal basis

Your data as a job applicant at SIS is processed for the following purposes and on the legal basis for each purpose set out below.

There may be situations where SIS may need to obtain your consent to process personal data not covered above.

Processing of personal data outside the EU/EEA

Your personal data may be transferred to SIS providers (known as data processors such as IT solution providers), or its subcontractors (known as sub-processors), for processing in countries (third countries) outside the EU/EEA. In such cases and where necessary, SIS will take appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR drafted and approved by the EU, unless the transfer is made to a country for which a decision of the European Commission under Article 45(3) GDPR on the adequacy of the level of protection is in place.

More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

Retention period

As a general rule, SIS will not retain your personal data for longer than is necessary for SIS to fulfil the purpose of the processing. However, SIS may retain your personal data for up to 28 months after you submitted your application or longer if, during this period, a legal case is initiated concerning appointment to the post in question or other legal proceedings relating to the recruitment. These data retention criteria are based on the statute of limitations under current discrimination legislation.

Your rights

Under applicable data protection legislation (Art. 7 and 15 – 21 GDPR) you have certain rights, which are briefly described below.

Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you are being processed by SIS and, if so, to obtain access to the data (including what are known as "extracts") and certain additional information about the processing (Art. 15 GDPR)

Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to supplement incomplete personal data (Art. 16 GDPR).

Right to erasure (‘right to be forgotten’): You have the right to have your personal data erased without undue delay, either because the data is no longer necessary for the purposes for which it was collected, or because certain other stated conditions are met (e.g. you have given your consent to the processing and you have the right to withdraw it). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).

Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data other than to defend legal claims, for example. You can also prevent SIS from erasing data, for example if you need the data to claim damages (Art. 18 GDPR).

Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so which outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).

Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).

Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).

Contact and SIS Data Controller

If you wish to exercise any of your rights as described above, have any questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:

SIS Data Controller Swedish Institute for Standards

Solnavägen 1E/Torsplan

Box 45443

SE-104 31 Stockholm, Sweden

E-mail: sisgdpr@sis.se

Complaints

If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.

Date of this version of this information notice: January 2 2023

INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR THOSE PROVIDING REFERENCES FOR PERSONS SEEKING EMPLOYMENT AT THE SWEDISH INSTITUTE FOR STANDARDS

This information text is intended for those who provide references for job applicants to the Swedish Standards Institute (SIS).

The purpose of this information text is to help you understand what we do with, and how we process, your personal data, what our obligations are, and what your rights are, under the EU’s current General Data Protection Regulation (“GDPR”).

This information text should be read in conjunction with the general privacy notice on SIS’ processing of personal data above.

Data controller

When you submit references on job applicants to SIS, the legal entity the Swedish Institute for Standards (corporate ID number 802410-0151) is the data controller and is also responsible for processing your personal data.

Sources of your personal data

The personal data that SIS collects and processes is mainly data that you provide yourself through conversations and contact with the recruiting manager, HR staff or equivalent. SIS also receives contact details and possibly other information about you as a reference provider from the job applicant.

Your provision of personal data is voluntary, but if you do not provide this particular information, SIS may not be able to use you as a reference for the job applicant.

Categories of recipients of your personal data

The categories of recipients that may receive your personal data are primarily one or more managers of the department in which the job applicant has applied for a job, usually the recruiting manager, their manager and possibly a selected individual/selected individuals in the recruiting department, as well as staff from the SIS human resources department who manage or assist in recruitment. Personal data may also be shared with other staff if this is deemed necessary to carry out the recruitment process.

SIS may also share personal data with providers of systems and services used by SIS to carry out recruitment, such as IT system providers.

To the extent that a public authority requests personal data from SIS, SIS will comply with such a request, if required by law, for example as part of a case concerning the application of discrimination legislation.

Purpose and legal basis

Your data as a job applicant reference at SIS is processed for the following purposes and on the legal basis set out below for each purpose.

There may be situations in which we may need to obtain your consent for the processing of personal data not covered above.

Processing of personal data outside the EU/EEA

Your personal data may be transferred to SIS’ providers (known as data processors, such as IT solution providers), or their subcontractors (known as sub-processors), for processing in countries outside the EU/EEA (third countries). SIS will then, where necessary, adopt appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR drafted and approved by the EU, unless the transfer is made to a country for which a decision of the European Commission under Article 45(3) GDPR on the adequacy of the level of protection is in place.

More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

How long is your personal data retained?

As a general rule, SIS will not retain your personal data for longer than is necessary for SIS to fulfil the purpose of the processing. However, SIS may retain your personal data for up to 28 months after the job applicant has submitted their application to SIS, or longer if, during this period, a legal case concerning appointment to the post in question or other legal proceedings relating to the recruitment are initiated. These data retention criteria are based on the statute of limitations under current discrimination legislation.

Your rights

Under applicable data protection legislation (Art. 7 and 15 – 21 GDPR) you have certain rights, which are briefly described below.

Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you are being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR).

Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to complete incomplete personal data (Art. 16 GDPR).

Right to erasure (‘right to be forgotten’): You have the right to have your personal data erased without undue delay, either because the data is no longer necessary for the purposes for which it was collected, or because certain other stated conditions are met (e.g. you have given your consent to the processing and you have the right to withdraw it). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).

Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data other than to defend legal claims, for example. You can also prevent SIS from erasing data, for example if you need the data to claim damages (Art. 18 GDPR).

Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so which outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).

Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).

Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).

Contact and SIS Data Controller

If you wish to exercise any of your rights as described above, have questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:

SIS Data Controller Swedish Institute for Standards

Solnavägen 1E/Torsplan

Box 45443

SE-104 31 Stockholm, Sweden

E-mail: sisgdpr@sis.se

Complaints

If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.

Date of this version of this information notice: January 2 2023

INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR THOSE VISITING THE SWEDISH INSTITUTE FOR STANDARDS’ WEBSITE

This information text is aimed at visitors to the Swedish Institute for Standards (SIS) website (www.sis.se) using a computer, mobile phone, tablet or other similar device.

The purpose of this information text is to help you understand what SIS does with, and how SIS processes, your personal data, what obligations SIS has, and what rights you have, under the current EU General Data Protection Regulation (“GDPR”).

This information text should be read in conjunction with the general privacy notice regarding SIS’ processing of personal data above.

Data controller

When you visit the SIS website, the legal entity the Swedish Institute for Standards (corporate ID number 802410-0151) is the data controller and is also responsible for processing your personal data in connection with your visit to the website.

If you have consented to SIS using what are known as third-party cookies, such as marketing cookies, SIS will share your data with third parties (e.g. Google Analytics). SIS has a joint personal data protection responsibility with such third parties when using third party cookies in respect of the personal data processing for which SIS and the third party have jointly determined the purposes and means. If you have any questions about this, please contact the SIS Data Controller – see contact details below.

Sources of your personal data

The personal data that SIS collects and processes is that which you yourself provide when you visit the SIS website (e.g. IP address, language selection and subpages you have visited). The personal data processing that takes place when you visit the SIS website is through the use of cookies.

Categories of recipients

Within SIS, access to your personal data is restricted to authorized staff for the fulfilment of the purposes. Furthermore, SIS may share your personal data with other parties when necessary to fulfil the purposes set out below. Such recipients can be divided into one of the following categories:

• providers of services for analytical and statistical tools, and
• communication and marketing platforms.

Any disclosure of your personal data will be in accordance with the law, and SIS will ensure that the personal data disclosed will only be processed for the purposes set out below.

Purpose and legal basis

Your data as a visitor to the SIS website is processed for the following purposes and on the legal basis set out below for each purpose.

There may be other situations in which we may need to obtain consent for the processing of personal data not covered above.

If you log in to use any of the SIS services when visiting the SIS website, you will receive new information about the processing, where, for example, the purposes of the processing may be different from those indicated above, depending on the type of category you log in as (e.g. customer, member or TC (technical committee) participant) – see the category-specific information texts on this page for more information.

Information about cookies

Your personal data may be transferred to SIS’ providers (known as data processors, such as IT solution providers), or their subcontractors (known as sub-processors), for processing in countries outside the EU/EEA (third countries). SIS will then, where necessary, adopt appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR, produced and approved by the EU, unless the transfer is made to a country for which a decision of the European Commission under Article 45(3) GDPR on the adequacy of the level of protection is in place.

More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

Retention period

Your rights

Under the applicable data protection legislation (Art. 7 and 15 – 21 GDPR), you have certain rights which are briefly described below.

Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you is being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR).

Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to complete incomplete personal data (Art. 16 GDPR).

Right to erasure (‘right to be forgotten’): You have the right, without undue delay, to have your personal data erased, either because the data are no longer necessary for the purposes for which they were collected, or because certain other stated conditions are fulfilled (e.g. you have withdrawn your consent to the processing). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).

Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data for purposes other than to defend legal claims, for example. You can also prevent SIS from deleting data, for example if you need the data to claim damages (Art. 18 GDPR).

Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so that outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).

Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).

Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).

Contact and SIS Data Controller

If you wish to exercise any of your rights as described above, have any questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:

SIS Data Controller Swedish Institute for Standards

Solnavägen 1E/Torsplan

Box 45443

SE-104 31 Stockholm, Sweden

E-mail: sisgdpr@sis.se

Complaints

If you wish to complain about the way SIS processes and protects your personal data, you have the right to lodge a complaint at any time with the Swedish Authority for Privacy Protection (IMY) or any other competent supervisory authority in your country of residence.

The date of this version of the information notice: January 2 2023

INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR THOSE FOLLOWING THE SWEDISH INSTITUTE FOR STANDARDS ON SOCIAL MEDIA 

This information text is aimed at those who are, or intend to become, a follower of one of the Swedish Institute for Standards’ (“SIS”) social media accounts (pages) (i.e. Facebook, Twitter, YouTube or LinkedIn) (“SIS Social Media Channels”).

The purpose of this information text is to help you understand what we do with, and how we process, your personal data, what our obligations are, and what your rights are, under the EU’s applicable General Data Protection Regulation (“GDPR”).

This information text should be read in conjunction with the general privacy notice regarding SIS’ processing of personal data above.

Data controller, etc.

Introduction

SIS uses Social Media Channels to communicate with you, but also to allow you to communicate with SIS and others connected to one of our accounts, make posts, like others’ posts, upload your own pictures and videos, etc. The Providers of the respective pages on SIS Social Media Channels (“Providers”), see below, record (e.g. through the use of cookies and other tracking technologies) your visits to the page and thereby process information about how you interact with the page. In addition, in this context, the Providers process other data they have about you (e.g. data that you have provided in your profile such as sex, age, industry affiliation and position, etc.). This data is compiled by the Provider and provided to SIS as what are known as “page statistics“, which helps SIS to see the behaviour, trends and demographics (e.g. age, sex and geographical area) of those who interact with the page in question. This allows SIS to improve the user experience on the page, but also to create interest-based advertising and marketing. However, SIS cannot identify you as an individual from the compiled (anonymous) statistics, and SIS does not have access to the information that the Provider collects to create the statistics.

Please note that SIS cannot track or influence all processing that takes place on the Social Media Channels. This means that further processing may be carried out by the Providers. If you wish to limit the processing, you can then make the appropriate privacy settings in your account with the respective Provider. Information on privacy settings is available from the respective Provider (see below).

Social Media Channels

SIS uses the following Social Media Channels:

• Facebook with the following Provider (data controller):

Meta Platform Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland

• LinkedIn with the following Provider (data controller):

LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland

• Twitter with the following Provider (data controller):

Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA

• YouTube with the following Provider (data controller):

Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, D04 W5W5 Ireland

If you would like more information about how the Providers process your personal data, you can read the Providers’ privacy or data protection policies, which you can find here:

• Facebook: Meta Privacy Policy  
• LinkedIn: LinkedIn Privacy Policy
• Twitter: Twitter Privacy Policy
• YouTube: Google Privacy Policy

Division of responsibilities

In general, the Provider of each Social Media Channel is the data controller and thus responsible for your personal data when you are logged in and use the Provider’s social networking services.

However, the Swedish Institute for Standards (SIS) and the respective Providers are separately and independently responsible for your personal data on the SIS page on the Social Media Channels, including personal content in the form of posted messages, reviews and posts, as well as uploaded images and videos.

When collecting and processing your personal data for the purposes of the page statistics, SIS and the Provider are joint data controllers. This means that SIS and the Provider are jointly responsible for safeguarding your legal rights and protecting your privacy. If you have any questions about this, please contact the SIS Data Controller – see contact details below.

Sources of your personal data

SIS collects information that you choose to share on SIS’ pages on the Social Media Channels, e.g. messages, posts or reviews, or if you have liked someone else’s post, uploaded a photo or a video. If you have an account with the Provider, SIS will also have access to your public information such as your user name, information in your public profile and content that you share with a public audience.

Categories of recipients of your personal data

Within SIS, access to your personal data is only granted to authorized staff for the purposes set out below. Otherwise, personal data is shared with the Providers and other followers of SIS accounts on the Social Media Channels.

Purpose and legal basis

Your data as a follower of one or more SIS accounts on the Social Media Channels are processed for the following purposes and on the legal basis set out below for each purpose.

There may be situations where SIS may need to obtain your consent to process personal data not covered above.

Processing of personal data outside the EU/EEA

SIS will not process personal data outside the EU/EEA area. However, the Provider of the SIS account on Social Media may do so as part of the provision of the Social Media Channels. In such cases, the transfer and processing in a country outside the EU/EEA is the sole responsibility of the Provider and is not under the control or supervision of SIS. You can find more information on third country transfers in the respective Provider’s data protection policy (see above).

Retention period for your personal data

SIS retains communications, posts, reviews and uploaded material for as long as it is needed for the purpose, but never longer than two years. The data is then erased. The duration of the Provider’s SIS accounts on Social Media Channels is set out in the respective Provider’s data protection policy (see above).

Your rights

Under applicable data protection legislation (Art. 7 and 15 – 21 GDPR) you have certain rights, which are briefly described below. When SIS is the sole data controller for the processing of the SIS account on the Social Media Channels, you exercise your rights in relation to SIS, whereas when SIS is the joint data controller with the Provider, you have the right to exercise your rights in relation to either of the joint data controllers i.e. SIS and/or the Provider. Where the Provider is the sole data controller of the processing in question, the rights are exercised in relation to the Provider.

Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you is being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR).

Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to complete incomplete personal data (Art. 16 GDPR).

Right to erasure (‘right to be forgotten’): You have the right, without undue delay, to have your personal data erased, either because the data are no longer necessary for the purposes for which they were collected, or because certain other stated conditions are fulfilled (e.g. you have withdrawn your consent to the processing). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).

Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data for purposes other than to defend legal claims, for example. You can also prevent SIS from deleting data, for example if you need the data to claim damages (Art. 18 GDPR).

Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so that outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).

Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).

Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).

Contact and SIS Data Controller

If you wish to exercise any of your rights as described above, have any questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or inquiry to the SIS Data Controller by letter or e-mail to:

SIS Data Controller Swedish Institute for Standards

Solnavägen 1E/Torsplan

Box 45443

SE-104 31 Stockholm, Sweden

E-mail: sisgdpr@sis.se

Complaints

If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.

Date of this version of this information notice: January 2 2023

INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA FOR VISITORS TO SIS OR PARTICIPANTS IN EVENTS OR TRAINING COURSES ORGANIZED BY THE SWEDISH INSTITUTE FOR STANDARDS

This information text is aimed at those visiting (“Visitor”) the SIS premises, participating or taking part (“Participant”) in any event (e.g. a seminar) or training course organized by the Swedish Institute for Standards (“SIS”).

The purpose of this information text is to help you understand what SIS does with, and how SIS processes, your personal data, what obligations SIS has, and what rights you have, under the current EU General Data Protection Regulation (“GDPR”).

This information text should be read in conjunction with the general privacy notice on SIS’ processing of personal data above.

Data controller

When you visit SIS’ premises, participate in any event or training course organized by SIS and you provide SIS with personal data in this connection, the legal entity the Swedish Institute for Standards (corporate ID number 802410-0151) is the data controller and is also responsible for processing your personal data.

However, in certain circumstances, responsibility for data protection and your privacy may be shared with third parties, such as banks, postal services and electronic communication and social media providers. In these cases, SIS and the third party are joint data controllers. If you have any questions about this, please contact the SIS Data Controller – see contact details below.

Sources of your personal data

SIS collects personal data from you (e.g. your name, telephone number, e-mail address and other contact details) when you visit SIS premises or register for any event or training course organized by SIS, but SIS may also collect additional personal data from you in connection with subsequent contact between you and SIS during the administration and processing of the visit, event or training course in question.

In addition to the above, SIS may obtain personal data about you as a Participant from the following sources:

• Other SIS registers in which you may appear (e.g. membership registers).
• SIS may also collect personal data on an ongoing basis from publicly available sources such as private and public registers (e.g. registers from companies providing business, marketing and customer information).

In most cases, you provide personal data on a voluntary basis, but if you do not provide the personal data requested by SIS, SIS may not be able to offer you access to its premises or participation in events or training courses organized by SIS or take any other action that you wish SIS to take.

We do not use your personal data for purposes other than those set out below.

If you visit the SIS website (www.sis.se), SIS may process cookies in accordance with specific information provided about this – see information text for website visitors.

Categories of recipients

Within SIS, access to your personal data is only granted to authorized staff for the following purposes. However, SIS may share your personal data between different SIS administrative systems, databases and portals, as well as with other parties (e.g. data processors) when necessary to fulfil purposes. Such parties (recipients) can be divided into the following categories: providers of goods and services (including IT providers) and partners (e.g. event organizers and external teachers).

Furthermore, SIS may disclose personal data to third parties if SIS considers it necessary in order to: i) investigate possible breaches of law or contract (taking into account Art. 10 GDPR); ii) identify, contact or take legal action against someone who may be in breach of law or contract with SIS; iii) investigate security breaches or cooperate with authorities on a legal matter; or iv) protect SIS’ rights, security or property.

To the extent that a public authority requests personal data from SIS, SIS will comply with such a request if required by law.

Any disclosure of your personal data will be in accordance with the law, and SIS will ensure that the personal data disclosed will only be processed for the purposes set out below.

Purpose and legal basis

Your data as a Visitor or Participant is processed by SIS for the following purposes and on the legal basis set out below for each purpose.

There may be situations where SIS may need to obtain your consent to process personal data not covered above.

Processing for marketing purposes

SIS may send you targeted marketing as a Participant. This may be done by post, e-mail, text message or telephone. You will then receive information and offers, such as information about upcoming events or training courses. Such information and communications may be general (sent to all Participants) or targeted (sent to you based on a particular category). SIS also stores information about the communications you have received and how you have acted as a Participant. You can notify SIS at any time that you do not wish to receive this type of marketing.

By law, specific rules apply to certain types of automated decisions (including profiling) that have legal consequences or similarly significantly affect you. SIS will not use your data for such decisions without you having been provided with additional information and, if necessary, your consent (which can always be withdrawn) having been obtained.

Processing outside the EU/EEA

Your personal data may be transferred to SIS’ providers (known as data processors, such as IT solution providers), or their subcontractors (known as sub-processors), for processing in countries outside the EU/EEA (third countries). SIS will then, where necessary, adopt appropriate safeguards under Article 46(2) GDPR to protect your data, such as the use by SIS of specific standard contractual clauses under Article 46(2)(c) GDPR drafted and approved by the EU, unless the transfer is made to a country for which a decision of the European Commission under Article 45(3) GDPR on the adequacy of the level of protection is in place.

More information on the Commission’s approved standard contractual clauses can be found at Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

Retention period for personal data

As a general rule, SIS will not retain your personal data for longer than is necessary for SIS to fulfil the purposes of the processing mentioned above. In addition, SIS may need to retain certain data for a longer period in order to establish, exercise or defend legal claims. SIS may also need to retain your data for a longer period of time in order to comply with legal obligations, e.g. under tax and accounting rules.

Your rights

Under applicable data protection legislation (Art. 7 and 15 – 21 GDPR) you have certain rights, which are briefly described below.

Right of access: You have the right of access to your personal data, which means that you have the right to obtain confirmation as to whether personal data concerning you are being processed by SIS and, if so, to obtain access to the data (including what are known as “extracts”) and certain additional information about the processing (Art. 15 GDPR).

Right to rectification: You have the right to have inaccurate personal data concerning you rectified without undue delay. Taking into account the purpose of the processing, you also have the right to supplement incomplete personal data (Art. 16 GDPR).

Right to erasure (‘right to be forgotten’): You have the right to have your personal data erased without undue delay, either because the data is no longer necessary for the purposes for which it was collected, or because certain other stated conditions are met (e.g. you have given your consent to the processing and you have the right to withdraw it). However, SIS may have a legal obligation (e.g. under accounting rules) to retain certain data (Art. 17 GDPR).

Right to restriction: In certain circumstances, you have the right to request that the processing of your personal data be restricted. By requesting a restriction, you have the possibility, at least for a certain period of time, to prevent SIS from using the data other than to defend legal claims, for example. You can also prevent SIS from erasing data, for example if you need the data to claim damages (Art. 18 GDPR).

Right to object: When the processing is carried out on the basis of the legitimate interest of SIS, you have the right to object to the processing of your personal data at any time. In such cases, SIS will stop processing the data unless SIS has legitimate grounds for doing so which outweigh your interests and rights, or if the processing is due to legal claims (Art. 21 GDPR).

Right to withdraw consent: Where processing is based on consent, you have the right to withdraw this consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) (Art. 7 GDPR).

Right to data portability: Under certain circumstances, you have the right to obtain your personal data, which you have provided to SIS, in a structured and machine-readable format, and to have them transferred to another data controller (Art. 20 GDPR).

Contact and SIS Data Controller

If you wish to exercise any of your rights as described above, have any questions regarding the processing of your personal data or wish to contact the SIS Data Controller, please send a request or enquiry to the SIS Data Controller by letter or e-mail to:

SIS Data Controller Swedish Institute for Standards

Solnavägen 1E/Torsplan

Box 45443

SE-104 31 Stockholm, Sweden

E-mail: sisgdpr@sis.se

Complaints

If you wish to complain about how SIS processes and protects your personal data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority at any time.

Date of this version of this information notice: January 2 2023