The most common questions and answers relating to how we handle personal data in accordance with the GDPR at the Swedish Association of Graduate Engineers.
GDPR stands for General Data Protection Regulation. This is an EU regulation that is directly applicable in Sweden as if it were a Swedish law. It replaces the Personal Data Act, which will cease to apply when the GDPR has come into force. Just like the Personal Data Act, the GDPR regulates the right to process personal data within organisations and the manner in which this is done.
The GDPR comes into force on 25 May 2018.
The Swedish Authority for Privacy Protection is the supervisory authority for data protection issues, and their website includes information on the GDPR. It is also possible to contact the Swedish Authority for Privacy Protection and ask questions. They have published material containing information on the rules applicable to data protection and privacy at places of work. Visit the website www.imy.se.
Confederation lawyer Ola Sundström is responsible for preparations prior to the introduction of the GDPR at the Swedish Association of Graduate Engineers. It is also possible to contact the confederation's data protection officer if you have any questions relating to the processing of personal data. If you have any general questions on the confederation's data protection work, you can email these to firstname.lastname@example.org.
According to the GDPR, organisations that process sensitive data must appoint a data protection officer. The Swedish Association of Graduate Engineers regularly processes sensitive personal data in the form of union affiliation as part of its core activities, and therefore we belong to the category of organisations that must appoint a data protection officer. The data protection officer is an expert in data protection issues and supports the organisation in such work. This officer has a higher level of independence in respect of the personal data controller, and has a statutory duty to monitor the organisation's data protection work. Anyone whose personal data is processed by the Swedish Association of Graduate Engineers has the right to consult the data protection officer and obtain information about how we handle this data. The Swedish Association of Graduate Engineers' data protection officer is employed by the Swedish Confederation of Professional Associations but has not yet taken over the position and can be contacted on +46 8 613 48 00 until further notice.
The GDPR replaces the Personal Data Act. The regulations are worded identically to a great extent, but some differences have been introduced. The elimination of what is known as the rule on improper use is one important difference. Unstructured material such as Word documents, emails, etc. was not covered by the Personal Data Act previously, but these are covered by the GDPR. This means that the provisions also apply to personal data in running text, in emails, online or in case management systems.
The new administrative fines are an important difference. The intention is for the personal data processing provisions to have a greater impact than the previous regulations, and therefore it has been stated that the administrative fines will be higher than the fines/damages specified in the Personal Data Act.
Another difference is that personal data controllers will have extended information obligations. This means that data subjects must receive information on what processing takes place, and will also have certain rights to have their personal data deleted, or to be forgotten by organisations.
Personal data is defined in Article 4.1 of the GDPR as any information that can be linked directly or indirectly with a natural person who is alive. This may, for example, include names, personal ID numbers, e-mail addresses, IP addresses, pictures, fingerprints or more abstract descriptions such as "Confederation director at the Swedish Association of Graduate Engineers".
Legal responsibility for how personal data is processed rests with the Swedish Association of Graduate Engineers. Responsibility for the processing of personal data for Swedish Association of Graduate Engineers members rests with the confederation on a central level, even if the data is handled by the local academic association. In this case, the academic association processes the personal data on behalf of the confederation.
A personal data processor is a natural person or legal entity, public authority, institution or other body that processes personal data on behalf of the personal data controller.
The Swedish Association of Graduate Engineers has agreements with a number of stakeholders who constitute personal data processors for the confederation. For example, these include our IT suppliers who administer our case management systems and member registers. Other confederations within the Swedish Confederation of Professional Associations may also represent our members at places of work where these confederations are larger than the Swedish Association of Graduate Engineers or local associations that represent members locally at the place of work. Personal data processors are also stakeholders who administer mailings of Ny Teknik magazine and publications to safety representatives. We also have personal data processor agreements with insurance companies that administer group insurance policies and insurance offers to the confederation's members.
Members are entitled to receive information on the personal data processing performed by the confederation when this data is collected and when members request this information. This information must include information on what processing has been done by the personal data controller. This information must be summarised and comprehensible to members, and submitted in clear, unambiguous language. Information to members must not include personal data that the member him/herself has submitted to the confederation if it is clear that the member is already familiar with this, but it must include data that has been obtained from elsewhere, such as SPAR or similar. Members always have the right to view information on who the personal data controller is, the purpose of the handling, whether the data has been shared with another party and whether the data has been transferred outside the EU/EEA.
In everyday parlance, a register extract makes one think of authorities that keep registers, such as tax registers, registers of suspects, etc. In the sense of the GDPR, a register extract means a compilation of the personal data processing undertaken by the confederation as specified in the section above. Register extract information must be submitted as soon as possible, and the amount of time required to submit the information must not exceed one month. If a member wishes to receive several register extracts at brief intervals, the confederation will be entitled to charge for this.
According to the GDPR, members have the right to be "forgotten". This means that information relating to them will be removed from our systems. It is not possible to be forgotten while you remain a member of the confederation, but you can be forgotten when your membership has been terminated. If a previous member wishes to be forgotten, he/she must contact the office of the Swedish Association of Graduate Engineers.
If your union duties involve specifying which members are part of the association, you can submit this information to your employer. For example, you have to specify which members are to be subject to a pay review or redundancy negotiations. If a member would prefer their employer to remain unaware of his/her trade union affiliation, you cannot represent him/her. From a GDPR perspective, it should be possible to be a "secret member" of the local association, but this means that the member cannot be represented in negotiations or salary reviews, and also that the employer is not obliged to apply the Swedish Association of Graduate Engineers' collective agreement for that member.
The GDPR does not explicitly regulate that issue. That said, employers always have the right to process personal data if there is a legal duty to fulfil. Labour law-related acts and collective agreements that require the employer to provide data prior to certain Codetermination Act-related negotiations and pay mapping work include various legal duties. Different employers and employer confederations assess the matter differently, but it is clear that the employer may submit personal data if it has a legal duty to do so.
The Swedish Association of Graduate Engineers is the personal data controller, and the local association is a personal data processor. There is a contractual relationship between the local association and the confederation. For this reason, sharing data between the two levels is lawful. Of course, such processing must also be subject to the purpose of the processing and be necessary in order to pursue union activities. Special precautions must be taken when sensitive personal data or personal data that includes personal ID numbers is sent. This may involve encryption or password protection. Personal data, in particular sensitive personal data, must only be shared if necessary.
Local lists of members must be kept up to date, and data must be purged if any member leaves the confederation or switches to a new place of work. Old lists of members may be retained for the time necessary to be able to defend yourself against legal claims, such as claims for damages. If the Excel files are part of the union activities, these may be retained for as long as they are part of the activities.
You can use the servers provided at the place of work unless your employer objects. The Swedish Association of Graduate Engineers makes no assessment other than by stating it is possible to continue to use the employer's servers and email for handling members' personal data within the scope of the union assignment.
All email sent out collectively to members risks revealing union affiliation. Therefore, mailings to multiple members must always be sent in a manner which prevents other recipients' email addresses being displayed. If the email contains sensitive personal data or personal ID numbers, we strongly recommend encrypting and password-protecting it. If it is possible to avoid using personal ID numbers, this should be done.
Pictures of people constitute personal data if people can be identified. If we want to process pictures by means of storage, and primarily by means of publication on the website or on social media, you must always obtain consent for this.
Elected representatives in high positions within the confederation, members of the confederation board and academic associations are considered to have published their union affiliation and must therefore expect their pictures to be published. If there is any uncertainty, elected representatives must also be asked for their consent prior to processing and publication.
All data must be stored securely. If it is retained in hardcopy format, it must be kept under lock and key in areas to which access is restricted.
The pay review is an important element of union work, and we are allowed to process personal data as part of this so that we can protect our members' interests. The general measures for secure storage and handling are also applicable in this regard. We have been asked whether people are allowed to save personal data from previous pay reviews in order to see developments over time for individual members. In our view, this is also lawful as long as the member has not terminated his/her membership or switched to a new employer.
You can retain all negotiation reports while a member has a legal opportunity to make legal claims against the confederation in connection with disputes. This is determined by the period of limitation that applies. In Swedish law, a period of limitation of ten years is applicable unless specified otherwise by law or agreement. In other words, you can retain negotiation reports for ten years after completed local negotiations, and where applicable for ten years after completed central negotiations.
Yes, you will still be able to view and compile lists of members within your local association. However, at the moment, we have no solution for searching for a specific member.
This work is not completed yet, so this is unclear as things stand at present.
If you process personal data for employees in order to attempt to recruit them, you can process this data pursuant to proportionality balancing. This means that you have the right to use the lists in your recruitment work. If an employee has clearly and unambiguously stated that he/she does not wish to be recruited, however, you must remove their name from the list.