Personal data and the GDPR
In every form of contact with us, your personal privacy is important to us. You can contact us using the contact and order forms on the website, by email, by subscribing to our newsletter or through our vacancies application form.
Here, you can read about how and why we process personal data and our legal basis for doing so. You can read about your rights under the regulations and who to contact if you have questions or complaints.
What is personal data?
Personal data refers to any information that can be directly or indirectly related to a natural person. The Swedish National Audit Office is the personal data controller for the processing of personal data for which we determine the purposes and means. We process personal data in situations such as our auditing, when recruiting new employees, in our replies to letters and queries, and when we send newsletters to subscribers.
The EU General Data Protection Regulation (GDPR)
When we process your personal data, it is protected under the GDPR and the Act on supplementary provisions to the EU General Data Protection Regulation (2018:218).
Read more about the GDPR on the website of the Swedish Authority for Privacy Protection
The principle of public access
The Swedish National Audit Office is a public authority. Therefore, all matters sent to us become official documents, even those sent by email or using a form on our website. We will disclose them on request – provided the information is not subject to secrecy.
We may not find out the identity of the person requesting access to official documents unless it is crucial to our assessment of secrecy protection.
The basic premise under the Archives Act is that government agencies are to preserve official documents. The Swedish National Audit Office deletes official documents in accordance with rules for disposal and decisions. Personal data that does not form part of an official document is saved only as long as necessary for the purposes for which it is processed.
Why does the Swedish National Audit Office collect personal data?
To process personal data, the Swedish National Audit Office must have legal support provided by the GDPR; that is, a legal basis, for processing the data. We often apply the legal basis known as the public interest, or the exercise of official authority, since our remit is set out in law and other legislation. Other legal bases include when personal data processing is necessary for the performance of a contract with the data subject, for compliance with a legal obligation, protection of the fundamental interests of the data subject, and following a weighing of interests. In some cases, we process personal data based on the data subject’s consent.
We may collect personal data about you in the following situations:
When you contact the Swedish National Audit Office using the contact form on our website
- Information: Name and email address.
- Purpose: To contact you when replying to a question you asked and submitted using the contact form on our website.
- Legal basis: Performance of a task carried out in the public interest.
Email to the Swedish National Audit Office
- Information: Name and email address.
- Purpose: To contact you when replying to a question or comment that you submitted by email.
- Legal basis: Performance of a task carried out in the public interest.
Newsletter for subscribers
- Information: Email address.
- Purpose: To be able to send you our newsletter, if you have chosen to subscribe to news from our website.
- Legal basis: For the performance of the contract you entered into with us when you signed up for a subscription and thereby to our subscriber register.
In our auditing activities
- Information: For example, audit data in the form of financial information about employees who appear in an agency’s payroll register or data as a basis for statistical compilations, often register data from other agencies or collected survey data. In our reports, data is presented such that individuals are not identifiable.
- Purpose: In order to perform our duties; that is, to conduct audits, we may need to process audit data.
- Legal basis: To comply with a legal obligation or perform a task carried out in the public interest.
Considerations when contacting us
Do not submit sensitive data or privacy-sensitive information unless we have requested it. If you need to send an email with sensitive data, use email that is protected by special encryption so that only your intended recipient can read the information.
If you mention another person, we may need to contact that person to inform them that the Swedish National Audit Office is processing personal data about them. In each individual case, we evaluate whether the effort to reach the person and give them the information is proportionate to how important it is for the person to receive the information.
From what sources do we collect your personal data?
We collect information about you through our website, emails and questionnaire surveys. In the course of our audits, we may collect data through register data from other agencies, or in the form of contact information for staff with whom we communicate during the audit.
How long do we keep your personal data?
How long we keep your data depends on what we use it for. We save your personal data for as long as is necessary to enable us to fulfil a commitment to you, for example so that we can answer you when you have asked us a question. In other situations, we save the data for a long period due to archiving requirements. We never save your personal data longer than necessary, or longer than is necessary to fulfil our purpose for collecting it.
- If the data in a question concerns a matter that we are working on, we transfer the data to a case management system (register) where we store it in line with archiving regulations.
- We store emails sent to or from the Swedish National Audit Office for one month in the form of a log file that specifies the recipient, the time and the subject line.
- We keep personal data in connection with recruitments for up to 24 months.
Who may access personal data?
Employees at the Swedish National Audit Office who access personal data need it to perform their duties. Only officials at the Swedish National Audit Office who need to process your personal data may access it. When people other than Swedish National Audit Office employees need to process personal data in order to carry out their duties, we sign a special agreement with them – a personal data processor agreement. This can involve people such as external consultants, IT staff, and system suppliers.
People whom we engage as personal data processors may only process personal data in accordance with the purposes and instructions assigned to them by the Swedish National Audit Office for such processing. The personal data processor and those operating under the personal data processor’s management may not access more information than is necessary for them to carry out what they have agreed with the Swedish National Audit Office.
How we protect your personal data
We assign information security classifications to the IT systems in which we process personal data, to ensure confidentiality, protect privacy and protect access to personal data.
Your rights
The GDPR grants you several rights related to your personal data. If you would like to exercise your rights or if you have questions concerning our processing of your personal data, send an email to registrator@riksrevisionen.se, or a letter to the Swedish National Audit Office, Box 6181, SE-102 33 Stockholm.
Data Protection Officer at the Swedish National Audit Office (DSO/DPO)
If you have questions about our processing of your personal data, you can also write or call Daniel Lindén Remstam, Data Protection Officer at the Swedish National Audit Office.
Contact the Data Protection Officer using the email form below or by regular post addressed to the Swedish National Audit Office, Data Protection Officer, Box 6181, SE-102 33 Stockholm. You can also call on tel. +46 8 5171 40 00 (switchboard).
The right of access
You can request information as to whether the Swedish National Audit Office has processed personal data relating to you. If so, you have the right to receive a copy of such data (an extract from the register).
The right to rectification
If you consider that the personal data related to you is inaccurate or incomplete, you may request to have the data rectified or supplemented.
The right to objection
You have the right to object to our processing of personal data within the exercise of our official authority or to enable the performance of a task carried out in the public interest. We will discontinue processing your personal data unless we are able to demonstrate that there are compelling, legitimate reasons to continue doing so.
The right to restriction of processing
In certain cases, you have the right to demand that we restrict processing of your personal data, for example if you have objected to the processing. If you make a request for restriction, you can restrict us from processing your personal data for a certain period of time, other than to, for example, defend legal claims. You can also oppose the erasure of the personal data, for example if you need the data to claim damages.
The right to erasure (“right to be forgotten”)
In certain cases, you may have your personal data deleted. However, we will not be able to delete your personal data if we need it to enable performing our remit, or if the data forms part of an official document.
Right to data portability
If we process personal data about you for the performance of a contract, in certain cases you have the right to receive your personal data for use elsewhere, for example if you wish to transfer the data to another personal data controller.
If you have any comments on how we process your personal data
You can submit comments on the Swedish National Audit Office’s processing of your personal data. You can appeal to a general administrative court if we make a decision in our capacity as personal data controller because you exercised your rights as described above.
If you have a complaint about the Swedish National Audit Office’s processing, you can lodge a complaint with the Parliamentary Ombudsmen.
If you wish to claim damages, you can write directly to the Swedish National Audit Office, take legal action in a general court, or apply for damages to the Chancellor of Justice, who handles claims for compensation under the Tort Liability Act and the EU General Data Protection Regulation.
You can also write to or call the Swedish Authority for Privacy Protection if you wish to file a complaint about the Swedish National Audit Office’s processing of your personal data. The Swedish Authority for Privacy Protection verifies that others comply with the personal data processing rules. They monitor how the EU General Data Protection Regulation is applied.
The use of cookies on the Swedish National Audit Office’s website
A cookie is a small text-based file that we store on your computer when you browse our website to ensure optimal functioning.