
How the Swedish NAO processes personal data

In every form of contact with us, your privacy is important to us. You can get in touch via the contact and order form on our website, email, subscription to our newsletter, or the vacancies application form.

Here you can find information about how and why we process personal data and our legal basis for processing personal data. You can read about your rights under the regulations and who to contact if you have questions or complaints.

What is personal data?

Personal data refers to any information that can be directly or indirectly related to a natural person. The Swedish National Audit Office is the Personal Data Controller for the processing of personal data for which we determine the purposes and means. We process personal data in situations such as our auditing, our recruitment of new employees, in our replies to letters and queries, and when we send newsletters to subscribers.

EU General Data Protection Regulation (GDPR)

The personal data that we process is protected under the GDPR and the Act on supplementary provisions to the EU General Data Protection Regulation (2018:218).

Read more about the GDPR on the website of the Swedish Authority for Privacy Protection

How does the principle of public access to official documents affect the GDPR?

The Swedish National Audit Office is a public authority. Therefore, all matters sent to us become official documents, even those sent via email or via a form on our website. We release them on request, unless the information is subject to secrecy.

We are not allowed to find out the identity of the person requesting access to official documents unless it is of decisive importance for how we are to assess the secrecy provisions.

The basic premise under the Archives Act is that agencies are to preserve official documents. The Swedish National Audit Office deletes official documents in accordance with rules for disposal and decisions. Personal data that does not form part of an official document is saved only as long as necessary for the purposes for which it is processed.

Legal basis: why does the Swedish National Audit Office collect personal data?

To process personal data, the Swedish National Audit Office must have legal support provided by the GDPR, that is, a legal basis, for processing. We often apply the legal basis known as the public interest, or the exercise of official authority, since our remit is set out in law and other legislation. Other legal bases include when personal data processing is necessary for the performance of a contract with the data subject, for compliance with a legal obligation, protection of the vital interests of the data subject, and following a balance of interests. In some cases, we process personal data based on the data subject’s consent.

We may collect personal data about you in the following situations:

When you contact the Swedish National Audit Office via the contact form on our website

  • Information: Name and email address.
  • Purpose: To contact you when replying to a question you asked and submitted via the contact form on our website.
  • Legal basis: Performance of a task carried out in the public interest.

Email to the Swedish National Audit Office

  • Information: Name and email address.
  • Purpose: To contact you when replying to a question or comment that you submitted via email.
  • Legal basis: Performance of a task carried out in the public interest.

Newsletter to subscribers

  • Information: Email address.
  • Purpose: To be able to send you our newsletter, if you have chosen to subscribe to news from our website.
  • Legal basis: For the performance of the contract you entered into with us when you signed up for a subscription and thereby to our subscriber register.

Recruitment

  • Information: Name, contact information, educational background, work experience or other personal data that you choose to include in your application.
  • Purpose: To process your application documents in connection with recruitments of advertised positions via our website.
  • Legal basis: Processed by virtue of performing a task carried out in the public interest.

Within auditing

  • Information: For example, audit data in the form of financial information about employees who appear in an agency’s payroll register or data as a basis for statistical compilations, often register data from other agencies or collected survey data. In our reports, data is presented in such a way that individuals cannot be identified.
  • Purpose: In order to carry out our duties, that is, to perform audits, we may need to process audit data.
  • Legal basis: To comply with a legal obligation or perform a task carried out in the public interest.

Registration to a webinar

  • Information: Name and email address.
  • Purpose: To enable us to administer participation in Swedish National Audit Office webinars.
  • Legal basis: For the performance of the contract entered into in connection with your registration for a webinar.

To keep in mind in your contact with us

Do not submit sensitive data, nor privacy-sensitive information, unless we have requested it. If you need to send an email with sensitive data, use email that is protected by special encryption so that only your intended recipient can read the information.

If you mention another person, we may need to contact that person to inform them that the Swedish National Audit Office is processing personal data about them. In each individual case, we evaluate whether the effort to reach the person and give them the information is proportionate to how important it is that the person receives the information.

From what sources do we retrieve your personal data?

We collect information about you via our website, via email, and through questionnaire surveys. In the course of our audits, we may collect data via register data from other agencies, or in the form of contact information for staff with whom we communicate during the audit.

In the course of our recruitments, we collect personal data via our supplier of digital recruitment services, ReachMee. Follow the link below to read more (in Swedish) about how we process your personal data in connection with recruitment.

Information about consent on the ReachMee website (in Swedish)

How long do we keep your personal data?

How long we keep your data depends on what we use it for. We save your personal data as long as it is necessary for us to fulfil a commitment to you, for example so that we can answer you when you have asked us a question. In other situations, we save the data for a long period due to archival requirements. We never save your personal data longer than is necessary to fulfil the purpose for which we collected it.

  • If the data in a question concerns a matter that we are working on, we transfer the data to a case management system (register) where we store it in line with archival regulations.
  • We store emails sent to or from the Swedish National Audit Office for one month in the form of a log file that specifies the recipient, the time and the subject line.
  • We keep personal data in connection with recruitments for up to 24 months.
  • If you choose to subscribe to monitoring of vacancies via ReachMee, we save your data for one month.

Who can access data at the Swedish National Audit Office?

Those who read your data are employees at the Swedish National Audit Office who need it to carry out their duties. We work on the principle that the only people who have access to your personal data are those who actually need it for processing for the specified purpose. When people other than Swedish National Audit Office employees need to process personal data in order to carry out their duties, we sign a special agreement with them, known as a personal data processor agreement. This involves people such as external consultants, IT staff, and system suppliers.

People whom we engage as Personal Data Processors may only process personal data in accordance with the purposes and instructions provided by the Swedish National Audit Office for the processing. The Personal Data Processor and those operating under the Personal Data Processor’s management may not access more information than necessary for them to carry out what they have agreed with the Swedish National Audit Office.

How do we protect your personal data?

We classify the IT systems in which we process personal data from an information security perspective to ensure confidentiality, and to protect privacy and access to personal data.

Your rights

The GDPR grants you several rights related to your personal data.

If you would like to exercise your rights or if you have questions about our processing of your personal data, send an email to registrator@riksrevisionen.se, or a letter to the Swedish National Audit Office, Box 6181, SE-102 33 Stockholm.

Data Protection Officer at the Swedish National Audit Office (DPO)

If you have questions about our processing of your personal data, you can also write or call Daniel Lindén Remstam, Data Protection Officer at the Swedish National Audit Office.

Contact the Data Protection Officer via the email form below or via post addressed to the Swedish National Audit Office, Data Protection Officer, Box 6181, SE-102 33 Stockholm. You can also call on phone number +46 8 5171 40 00 (switchboard).




The right of access

You can request an answer as to whether the Swedish National Audit Office is processing personal data related to you. If we are processing personal data related to you, you have the right to receive a copy of your personal data that we are processing, known as a register extract.

The right to rectification

If you believe that the personal data related to you is inaccurate or incomplete, you can request to have the data rectified or completed.

The right to object to processing

You have the right to object (to protest) to our processing of personal data within the exercise of our official authority or for the performance of a task carried out in the public interest. We must stop using your personal data unless we are able to demonstrate compelling, legitimate reasons for the processing.

The right to restrict processing

You can request that we limit the way we process your personal data under certain conditions, for example if you have objected to the processing. If you make a request for restriction, you can stop us from processing your personal data for a period of time, except for uses such as defence of legal requirements. You can also oppose the erasure of the personal data, for example if you need the data to claim damages.

The right to erasure (the right to be forgotten)

You can ask to have your personal data deleted under certain conditions. However, we cannot erase your personal data if they are needed for us to be able to fulfil our assignment, or if they form part of an official document.

The right to data portability

If we process personal data about you for the performance of a contract, you can obtain your personal data under certain conditions for use elsewhere, for example to send the data to another Personal Data Controller.

Read more about your rights on the Swedish Authority for Privacy Protection website

If you have comments on our processing of your personal data

You can submit comments on the Swedish National Audit Office’s processing of your personal data. You can appeal to a general administrative court if we make a decision in our capacity as Personal Data Controller on account of you exercising your rights as above.

If you wish to file a complaint concerning the Swedish National Audit Office’s handling, you can submit it to the Parliamentary Ombudsmen.

If you wish to claim damages, you can write directly to the Swedish National Audit Office, bring an action in a general court, or apply for damages to the Chancellor of Justice, who handles claims for compensation under the Tort Liability Act and the EU General Data Protection Regulation.

You can also write to or call the Swedish Authority for Privacy Protection if you wish to file a complaint about the Swedish National Audit Office’s processing of your personal data. The Swedish Authority for Privacy Protection verifies that others comply with the rules on personal data processing. They monitor how the EU General Data Protection Regulation is applied.

Contact the Swedish Authority for Privacy Protection

Why does the Swedish National Audit Office website use cookies?

A cookie is a small text file stored on your computer when you browse a website to ensure optimal functioning.

Read more about how we use cookies

Updated: 01 November 2023
