Processing of personal data at The Nordic Africa Institute
As of May 25, 2018, the Personal Data Act has been replaced by a European Union regulation called the General Data Protection Regulation (GDPR).
In comparison to previous legislation, the GDPR is stricter. The aim is for individual citizens to gain greater control over how companies and authorities handle their personal data.
As a government agency, the Nordic Africa Institute is responsible for handling personal data in accordance with current data protection legislation.
If you have questions about how we treat your personal information, please contact our Data Protection Officer. (Contact details can be found at the end of this document)
What is personal data and what is meant by processing personal data?
Personal data is any information that directly or indirectly identifies a physical living person. Personal information may include: name, email address, phone number, photo, audio recording and IP number. Processing of personal data is a collective term for collecting, recording, storing, processing and disseminating various types of personal data.
Why do we process personal data?
We process personal data to fulfill the mission we have as a government agency. Our mission is to 1) conduct and promote research on modern Africa, 2) produce and disseminate relevant research-based knowledge to decision-makers, scholars, students, the media and the public, and 3) document and make available literature and other documents relevant to Africa research. All processing of personal data within the agency is done in order to promote this work in some way.
The most common reasons we treat personal data is that you
- Sign up for conferences and other events that we organise
- Subscribe to our newsletter, our policy notes or our email service for journalists
- Order books and printed materials
- Ask questions via email or web form
- Apply for scholarships
- Apply for an open position
- Are employed by us
- Are a user of our library
- For any other reason, contact or cooperate with us
For more detailed information about how we process personal data, please go the bottom of this document.
By what right do we treat personal data?
All personal data processing shall have a legal basis laid down in the General Data Protection Regulation.
The authority's main legal basis is the information of public interest because our personal data processing is based on a public service mission, laid down by law. In cases where we need to process personal data in order to conclude an agreement, we rely on fulfilment of agreement. Additionally, the basis of legal obligation is applicable to us when we process personal data due to certain legislation, such as archives or accounting laws.
You can read more about the legal bases of the Data Protection Regulation and on the Swedish Data Protection Authority (DPA) website.
What personal data do we treat?
Only the personal information we need to fulfill our mission is processed. For example, it may be
- Name, address, telephone number and e-mail address to contact you or to answer your question
- Bank and account information to pay or send an invoice
- Personal information required when applying for an open position
- Social Security Number (called Personal Identity Number in Sweden), when needed to determine your identity
How are personal data protected and who can share them?
We are responsible for the protection of the processing of personal data and for limiting access to personal data. This is usually ensured through authorization management in the IT systems where the data is recorded and stored. Only authorized persons have access to the data. Sometimes the data is stored in specially protected areas, for example in lockable cabinets.
Most of the information available to the authority is general documents. If your personal information is in a public document, anyone requesting the document may access your personal information, unless a secrecy clause in the Public Access to Information and Secrecy Act (2009: 400) prevents this.
How long is your personal data saved?
We save your personal information as long as we need it to fulfill the purpose, or as long as required by law. For example, if you subscribe to our newsletter, our event notifications, our policy notes or our email service for journalists, we will keep a record of your email address for as long as you are a subscriber. If you no longer want any of these messages, your personal information will be deleted.
Personal data in public documents are dealt with in accordance with the rules of the Freedom of The Press Act (1949: 105), the Archives Act (1990: 782) and the National Archives Act. In many cases, this means that your personal data may be saved for between two years and all future in our archives.
What do the rights look like?
The General Data Protection Regulation gives you as individual a number of rights.
- Right of access
You are entitled to know what personal data we process about you.
- The right to rectification
You are entitled to request that your personal data be corrected if they are incorrect.
- The right to erasure
You are entitled to have your personal data deleted if the information is no longer required to fulfill the purpose for which they were collected.
- The right to limit your personal data
You are entitled to request that the processing of your personal data be limited.
- The right to object to processing
You have the right to object to the processing of your personal data.
You are also entitled to complain to the Swedish Data Protection Authority, which is the supervisory authority for processing personal data.
There may be provisions in other legislation that apply to data protection legislation, which means that certain rights regarding the processing of personal data are not fully applied. For example, when the rules on archiving of public documents apply to a document, record or register, be it digital or non-digital, it might mean that we cannot delete personal data, even upon a direct request.
SE-751 47 UPPSALA
Data protection officer
Detailed information about how we process personal data (under development)
We process personal data to be able to fulfil library services — primarily library loans and remote access to e-resources — and the contractual obligations connected to these. You provide your personal data when you register for the services. These include but are not limited to: name, contact details, affiliation, patron type (for loan rules and statistics), personal identity number (or equivalent).
By signing in to our library search tool you can, by yourself, manage loans and requests, and update some details registered in your library patron account. These accounts are normally valid 4 years, but can be renewed by making a request to our library staff. Accounts are automatically deleted 1 year past their expiration date. You are welcome to apply again should your account have been deleted.
Remote access to a selection of e-resources is provided on an annual basis, and personal data that you have registered for this purpose is deleted accordingly.
Since we are a public authority, information sent to us become official documents (under the Public Access to Information and Secrecy Act, SFS 2009:400), but e-mails sent to the library main e-mail address as a part of our reference service are normally deleted annually. There may be exceptions. Data regarding library loans, book reservations and use of information technology is protected by chapter 40, § 3 in above mentioned law.