Integrity and the processing of personal data

For Arbio AB (a cooperative venture between The Swedish Forestry Association, The Swedish Graphic Industries’ Federation, The Federation of Swedish Forestry and Agricultural Employers and The Swedish Federation of Wood and Furniture Industry) personal integrity is something we regard as being important. That is why we always strive to achieve a high level of data protection. In this policy statement we describe how we gather and employ personal data. We also describe your rights and how you can assert them.

Swedish Wood represents the Swedish sawmill industry and forms part of the Swedish Forest Industries Federation’s professional organisation. Arbio AB, which is responsible for formulating policy, is a cooperative venture between The Swedish Forestry Association, The Swedish Graphic Industries’ Federation, The Federation of Swedish Forestry and Agricultural Employers and The Swedish Federation of Wood and Furniture Industry.

You are always welcome to get in touch with us if you have any questions about how we process your personal data. Contact details can be found at the end of this statement.

What are personal data and what is processing of personal data?

Everything which can be traced, directly or indirectly, to a living physical person is covered by the concept of personal data. It is not merely a question of name and personal ID number but also includes, for example, images and e-mail addresses.

The processing of personal data comprises everything that involves personal data in IT systems, irrespective of whether it relates to mobile units or computers. It concerns, for example, gathering, registering, structuring, storing, processing and transmission. In certain cases things that occur outside of IT systems can also be regarded as processing. This applies when it is a question of records.

Responsibility for personal data

Where the processes which take place as part of Arbio AB’s operations are concerned, Arbio AB and the respective associations are jointly responsible for personal data. (Arbio AB 556067-2924, The Swedish Forestry Association 802495-1009, The Swedish Graphic Industries’ Federation 802004-3736, The Federation of Swedish Forestry and Agricultural Employers 802001-9892, The Swedish Federation of Wood and Furniture Industry 802003-5773, Box 555 25, SE-102 04 Stockholm, Sweden). For certain processes, such as the membership register, we employ a joint system together with our member organisations. The responsibility between us and the member organisations is then regulated by agreement.

Which of your personal data do we gather and why?

General
We primarily process your name, your e-mail address, your telephone number and your position. Occasionally further data can be processed, such as if you are a member of the Swedish Riksdag or a local politician, but only if you can be deemed to have made such data public yourself. For certain services you may also, but not obligatorily, state your areas of interest. If you create a user account with us then we shall also process your logging-in data.

We process your personal data with the aim of providing the services and products you have requested (for example a newsletter or participation in a training facility). We shall also process your data in order to take care of, and administer, our relationship with you as well as, where appropriate, in order to administer the agreement with you or with your employer. We can also advise you about our courses, events and other things which we perceive as being in both your and our interest.

In addition we may use your personal data in order to inform you of products and services which we are able to offer and which may be of interest to you. If you are a professional we can also inform you of products and services from our member organisations and partners.

If you are a professional then analysis and processing of the data (including that used for profiling purposes) to which we have access (such as information in connection with the ordering of services or products or participation in seminars or activities arranged by us) will take place. The aim is to provide you with more suitable and relevant information. Arbio AB/the associations always process your personal data in accordance with applicable legislation. We process your personal data when this is necessary in order to fulfil an agreement with you or to reply to your requests for service or when we have some other legitimate and justified interest in processing your personal data, e.g. an interest in being able to market our services.

If Arbio AB/the associations were to process your personal data for some purpose which requires your consent then such consent will be obtained in advance. It may be obligatory to provide certain personal data, for example in order for us to be able to provide a service or to fulfil some other request from you. This will then be stated or be shown in connection with the data being gathered.

For co-workers in member companies

Where co-workers in member companies are concerned we may process personal data in a manner other than that referred to above. This is primarily connected to the employer’s membership and applies to different contact persons. Information regarding contact persons may be needed in order to administer the membership and questions which are connected to it. It may, for example, concern contact persons in respect of negotiations or data relating to membership in various working groups.

From which sources do we obtain personal data?

The gathering of your personal data occurs, for example, when you state your details in connection with signing up for a newsletter, taking part in a seminar and other events, ordering services and/or products from us and contacting us. Also, when the company where you work applies for and/or takes part in a recruitment campaign, data can be gathered relating to persons in leading roles in the company. We sometimes obtain data from third parties.

Who might we share your personal data with?

Personal data assistance
In a number of situations it is necessary for us to enlist the aid of other parties in order to be able to carry out our work. This occurs, for example, when we make use of various IT suppliers. They are to be regarded as our personal data assistants.

Arbio AB/the associations are responsible for concluding agreements with all personal data assistants and issue instructions regarding how these are to deal with personal data. Naturally we check all personal data assistants in order to ensure that they are able to provide adequate guarantees concerning security and confidentiality regarding the personal data.

When personal data assistants are appointed this is done only in respect of the purposes which are compatible with the objectives which we ourselves have concerning the processing.

Independent players who are responsible for personal data
We also share your personal data with certain other independent players who are responsible for personal data. This can refer to authorities, such as the Swedish Tax Agency, as well as other member organisations. Certain data are also provided for statistical purposes.

When your personal data are shared with an independent player responsible for personal data, the organisation’s integrity policy and personal data processing apply.

We may additionally provide personal data to our member organisations (and their companies) to the extent that this is necessary in order for the cooperation between the organisations to function. We can additionally appoint suppliers and partners to carry out tasks for Arbio AB/the associations’ account, for example in order to provide IT services or to assist with marketing, analyses or statistics. The undertaking of these services can involve these recipients having access to your personal data.

Arbio AB/the associations may also release personal data to third parties, such as the police or some other authority, if this relates to the investigation of a crime or if we are otherwise obliged to provide such information pursuant to the law or a ruling by an authority.

Where are your personal data processed?

We always strive towards your personal data being processed within the EU/EEA but, occasionally, this is not possible.

For certain IT support the data may be supplied to a country outside the EU/EEA. This applies, for example, if we share your personal data with a personal data assistant who, either themself or through a sub-contractor, is established or stores data in a country outside the EU/EEA. In our capacity as being responsible for personal data we are also responsible for taking all reasonable legal, technical and organisational measures to ensure that these processes take place in accordance with provisions within the EU/EEA.

When personal data are processed outside the EU/EEA the level of protection is guaranteed either through a decision by the EU Commission that the country in question ensures an adequate level of protection or through the employment of so-called appropriate security measures. These include, for example, “Privacy Shield”, the use of “Binding Corporate Rules” and other agreement solutions. If you require additional information about these protective measures please feel free to contact us. Standardised model clauses for data transfer, adopted by the EU Commission, are also available on the EU Commission’s website.

How long do we save your personal data for?

We never save your personal data for longer than what is necessary for the respective purposes. We have drawn up deletion routines in order to ensure that personal data are not saved for longer than is required for the specific purpose. How long this is will depend on the reason for the processing. Legislation requires certain accounting data, for example, to be saved for at least seven years, while data relating to special diets are deleted within a few weeks after the event has concluded. 

What are your rights through being registered?

Through being registered you have a number of rights according to current legislation. To see how to proceed in order to exercise these rights, see the section “Exercise your rights” below. Listed below are the registered person’s rights.

Right to register extract (right of access)
If you wish to know which personal data we process relating specifically to you, you can ask to have access to the data. When you submit such a request we can ask a number of questions in order to ensure that there is an efficient handling of your request. We shall also take measures to ensure that the data are being requested by, and provided to, the right person.

Right to correction
If you discover that something is wrong you have the right to require your personal data to be corrected. You can also supplement any incomplete personal data. In certain cases you may make corrections yourself, which we will then inform you about.

Right to deletion
You can ask us to delete the personal data we process about you if, for example:

  • The data are no longer necessary for the purposes for which they were processed.
  • You object to a balancing of interests that we have made, based on our justified interest, where your reason for objecting weighs more heavily than our justified interest.
  • Personal data is processed in an illegal manner.
  • Personal data has been gathered concerning a child (under 13 years) for whom you have parental responsibility.
  • The data has been gathered on the basis of your consent and you wish to withdraw your consent.

We can, however, have the right to deny your request if there are legal obligations which prevent us from immediately deleting certain personal data. It may also be the case that the processing is necessary in order for us to be able to establish, assert or defend legal claims. If we are prevented from deleting your personal data we will block the personal data from being able to be used for purposes other than that purpose which has meant that they cannot be deleted.

Right to restriction
You have a right to request a restriction of our processing of your personal data. If you consider that the personal data we process about you are not correct you can request a restricted processing during the time that we need in order to check whether the personal data are correct.

If, and when, we no longer need your personal data for the determined purpose, our routine is normally for the data to be deleted. If you require them in order to determine, assert or defend a legal claim, you can request restricted processing of the data we hold. This means that you can request us not to clean and delete your data.

If you have protested against a weighing of interest regarding a justified interest which we have cited as legal grounds, you can request restricted processing during such time as we need in order to check whether our justified interest weighs more heavily than your interests in having the data deleted.

If the processing has been restricted in accordance with any of the above situations, we may only process the data, other than the actual storing, in order to determine, assert or defend legal claims, in order to protect another’s rights or in the event of you having granted your consent.

Right to raise objections to certain types of processing
You will always have a right to object to all processing of personal data which is based on a weighing of interests. You also have the right to avoid direct marketing.

Right to data portability
As one who is registered, you have a right to data portability if our right to process your personal data is based on either your consent or the fulfilment of an agreement with you. A prerequisite to data portability is that the transfer is technically possible and can be effected by automated means.

Handling your rights
Applications for register extracts, or if you wish to exercise any of your other rights, shall be made in writing and carry the signature of the person to whom the extract refers. We shall respond to your wishes without unnecessary delay and no later than within 30 days. Send your request to GDPR-gruppen, Arbio AB, Box 555 25, SE-102 04 Stockholm.

How do we process personal identity numbers?

As far as possible we avoid processing personal identity numbers. In certain cases, however, this is justified primarily with regard to our need for a secure identification. With regard to the processing of personal identity numbers in the form of organisation numbers for individual commercial activity, then this processing is required for as long as the organisation is a member through the organisation number comprising the personal identity number.

How are your personal data protected?

We work actively towards ensuring that personal data are processed in a secure manner. This is applied through both technical and organisational protective measures.

Supervisory authority

The Swedish Data Protection Authority (which is shortly to change its name to The Swedish Privacy Protection Authority) is the responsible authority for monitoring the application of the legislation concerning data protection. If you consider that we have acted incorrectly you can contact The Swedish Data Protection Authority, see datainspektionen.se.

Contact us in the event of questions regarding how we process personal data!

If you have questions about how we process personal data or have a request in accordance with the above rights, you are always welcome to get in touch with us at:

gdpr@arbio.se

We may make changes to our integrity policy. The latest version of the integrity policy will always be found here on our website.