The Privacy Policy of the Nordic Privacy Arena 2021 City of Stockholm, Sweden

The Swedish Dataprotection Forum (Forum för Dataskydd) (the association) exists to promote reliable data processing. This year we organize an annual data protection conference in the Nordic Region, the Nordic Privacy Arena (NPA) 2021. The NPA conference will feature two full days of fascinating discussions, meetings, speeches and networking to explore relevant topics. At the NPA conference, one of our priorities is to ensure that your privacy is protected when we process your personal data.

This privacy policy explains how we gather and use your personal data in compliance with the EU’s Regulation 2016/679 on General Data Protection (GDPR) and other applicable/supplementary legislation. This applies to all of our processing of personal data relating to you (such as your name, address, contact number etc). This privacy policy further describes your rights and how you can exercise them. It is important to us that you acquaint yourself with and understand the privacy policy, and feel comfortable with our processing of your personal data. You are always welcome to contact the association if you have any questions.

We need to use your personal data to be able to operate and meet our obligations and responsibilities in relation to the organization of the NPA conference to which you are a participant.

What is personal data and what does the processing of personal data mean?

Personal data refers to any kind of information that can be directly or indirectly related to an identified/identifiable natural person. The processing of personal data covers all operations that are performed on the personal data, whether actively or passively, for the means of e.g., collection, registrations, storage, alteration, erasure etc (cf Art 4(2) GDPR).

Who is responsible for the personal data processing?

Forum för Dataskydd, company reg. no 802473-2110, address Grevgatan 34, 114 53 Stockholm, Sweden, is the data controller that is responsible for the processing of personal data performed within the framework of the NPA conference.

What does the association do with personal data?

The following points provide a list of data categories, purposes and its storage period for which the association processes personal data and information on the legal basis are provided below. This is not an exhaustive list and should be seen as common examples of data processing by the association. Please note that personal data can also be stored for a longer period due to legal obligations such as for book-keeping purposes, and that multiple purposes can be applicable to a certain form of personal data processing, such as book-keeping and membership management.

Purpose Personal data processing Storage period Legal basis
1. User login and User management User ID. User Login Name. User Nice Name. User Email. User Registration Date. User Display Name. User Nickname. User First Name. User Last Name. The data are stored from registration until the activity is performed. However, they are stored at most two years from performance of the activity. Contract. Collection of your personal data is necessary in order for us to fulfil the association’s duties toward you as a participant of the conference.
2. Session Tokens Expiration date. IP. User Agent. Last Login. The data are stored while you are a participant of the conference and for up to a year after that. Data is removed a year after the conference. Contract. Collection of your personal data is necessary in order for us to fulfil the association’s duties toward you as a participant of the conference.
3. Administration connected to participation in the conference Name. Personal identity number, where applicable. Contact data. Organizational affiliation. Your correspondence (in connection with participation in the conference). The data are stored from registration until the activity is performed. However, they are stored at most two years from performance of the activity. Depending on the activity in question, lists of participants (containing names and personal identity numbers) and other information included in meeting minutes, may be archived after that. Contract. Collection of your personal data is necessary in order for us to fulfil the association’s duties toward you as a member, participant, speaker, or co-organizer of the activities.
4. Payment information Stripe payment ID. Stripe customer ID. Billing First name. Billing Last Name. Billing Company Name. Billing Address. Billing City. Billing Zip Code. Billing Country. Phone Number. Email address The data are stored from registration until the activity is performed. However, such personal data can be for five years in accordance with the Swedish Money Laundering Act (2017:630, Chapter 5(3)), and at most seven years in accordance with the Swedish Accounting Act (1999:1078, Chapter 7(2)). Contract. Collection of your personal data is necessary in order for us to fulfil the association’s duties toward you as a participant of the conference.
5. Order information Order number. Order date. Order total. Items purchased. IP Address. Browser user agent. Billing address. Shipping address (always same as billing address). Phone number. Email address. The data are stored from registration until the activity is performed. However, such personal data can be for five years in accordance with the Swedish Money Laundering Act (2017:630, Chapter 5(3)), and at most seven years in accordance with the Swedish Accounting Act (1999:1078, Chapter 7(2)). Contract. Collection of your personal data is necessary in order for us to fulfil the association’s duties toward you as a participant of the conference.

However, such personal data can be for five years in accordance with the Swedish Money Laundering Act (2017:630, Chapter 5(3)), and at most seven years in accordance with the Swedish Accounting Act (1999:1078, Chapter 7(2)). Contract. Collection of your personal data is necessary in order for us to fulfil the association’s duties toward you as a participant of the conference.

All other personal information is collected and processed according to the association’s privacy policy. Read more here.

The entities that your data are shared with

As to be able to organize the NPA conference, we have obligations and duties that may lead to the disclosure of personal data to other parties, e.g. the parties that is:

Our internal relations

  • Employees/members of the association.
  • Auditors for review of the association’s books and management.

Suppliers

  • Financial consultant: For management of participation register.
  • Supplier used for the internal work within the association, such as document storage, e-mail, etc.
  • Companies that offer payment solutions (payment gateway companies, banks, and other payment service suppliers).
  • Supplier of website: For operation and support of website.
  • IT supplier: For operation and support of IT systems.
  • Lawyers, legal counsel, in case of disputes and other legal matters.

Public and authorities

  • Authorities or other bodies from which the association asks for funding.
  • Governmental and municipal authorities, if we are required to do so under law, in order to apply for funding or upon suspicion of crime.
  • Any party required pursuant to a legal statute.

Do we transfer personal data to third countries?

Within the context of the NPA conference activities, the association may transfer personal data to international organizations or third countries, i.e. countries outside of the EU/EEA. The association will take all reasonable legal, organizational and technical measures necessary to achieve an appropriate level of protection for your personal data.

Your rights regarding your personal data

You, as the data subject, have several rights that you can at any time exercise your rights by using the association’s contact information provided below. The following points thereby provides an overview on the rights that you are entitled to enjoy (cf Chapter 3 GDPR):

Right to access

You have the right to access your personal data. This means that you have the right to get an extract from the register detailing the association’s processing of your personal data. The association shall, upon request of an extract from the register, provide you with a copy of the processed personal data and information about the processing.

For any further copies requested by you, the association may charge a reasonable fee based on administrative costs. Requests for an extract from the register are sent to info@dpforum.se.

Right to rectification/correction

You have the right to get your personal data corrected if they are inaccurate, incomplete or misleading, and the right to restrict processing of the personal data until they are changed.

Right to restriction of processing

You have the right to request that the processing of personal data be limited only to processing for certain specific purposes. The right of limitation applies in the following cases:

  • If the personal data is incorrect and the association needs time to verify the accuracy of the data.
  • If you object to the processing or request the restriction of the use performed by the association, in which case the processing shall be limited until the justification for your objection and the association’s compelling reasons have been weighed.
  • If the personal data is no longer needed for the association’s activities, but you request that it continues to be stored in case it will be needed to make legal claims.
  • If you believe that the association should delete your personal data but the association for some reason is unable to accommodate your request.

Right to erasure/deletion

Under certain circumstances, you have the right to be erased if: The data is no longer needed for the purpose for which it is processed. You withdraw your consent for certain processing and there is no other legal basis for the processing by the association. You object to personal data processing performed following a weighing of interests and there are no legitimate reasons that outweigh your interests. The processing is for the purpose of direct marketing and you object to the processing of the data. The personal data is processed unlawfully. Erasure is required to fulfil a legal obligation.

Right to object

You have the right, at any time, to object to the association’s processing of your personal data. If there is no compelling reason for the association to continue to process your personal data, e.g. in order to comply with any legal requirements, the association shall then no longer process the data. You also have the right to withdraw consent and object to direct marketing.

Right to data portability

You have the right in some cases to retrieve the personal data you provided to us and transfer those data to another controller, where technically feasible.

Right to complain to the supervisory authority

If you have any input or questions regarding our personal data processing, you can address them to info@dpforum.se. In case you consider that the processing of personal data has been unlawful, as a data subject, you have the right to lodge a complaint with the supervisory authority. In Sweden, the Swedish Data Protection Authority is the supervisory authority that is responsible for monitoring how your personal data are processed. The Swedish Data Protection Authority, Box 8114, SE-104 20 Stockholm, Sweden. Email: datainspektionen@datainspektion.se. Tel: +46 (0)8 657 61 00.

Children’s personal data

Another part of the association’s priorities is to protect children’s rights over their personal data while using the internet. The website and the conference are not directed to children. Personal data of children therefore are not knowingly collected or used in any circumstances. We encourage parents and guardians to observe, participate in, and/or monitor and guide children’s online activity.

Contact information

If you have questions about the processing of your personal data, please contact the association using the contact below.

Personal Data Controller

Forum för Dataskydd, Company reg. no 802473-2110. Address: Grevgatan 34, 5 tr, 114 53 Stockholm. Email: info@dpforum.se. You can also contact our data protection officer using the contact details below.

Changes to the privacy policy

Forum för Dataskydd reserves the right to make changes to the privacy policy. The latest version of the privacy policy can always be found here on the website. In case of any changes that are significant for our undertakings toward you as the data subject during the course of ongoing personal data processing, you will receive information through our homepage and by email (if you have provided us with an email).