The EU General Data Protection Regulation - GDPR
Processing of personal data
Personal data is information that can be linked to an identified or identifiable person, such as the person's name, address, personal identity number, e-mail address, images and vehicle registration number.
Personal data may be processed:
- When clear consent has been received
- To fulfill an agreement
- To comply with a legal obligation
- To protect vital interests (of decisive importance)
- To carry out a task in the public interest (exercise of public authority)
- When there is a legitimate interest that outweighs the individual’s need for protection
Göteborgsregionens Internationella Skola AB, hereinafter referred to as ISGR, processes personal data in accordance with the Data Protection Regulation GDPR (EU) no. 2016/679, which enters into force on 25 May 2018. The data subject's personal privacy is extremely important to us and we focus on ensuring that all personal data is processed in accordance with the principles of secrecy, privacy, accessibility and sustainability. We are aware that it is not appropriate to send sensitive personal data or personal identity numbers by e-mail unless the contents are encrypted. We also adopt overall measures to establish authorisations in the organisation to ensure secure, controlled processing of personal data. Only authorised persons will have the right and the ability to process the personal data for the specific purpose in question.
If a security breach occurs that may mean a serious risk to the rights of our pupils, guardians or staff, we inform the persons affected and report it to the Data Protection Authority in accordance with the GDPR.
Why and how do we process personal data?
We process personal data for the purpose of identifying pupils, guardians or staff. Our processing of personal data is carried out by competent employees. We use professional software and systems with high levels of security to store, process and protect the data subjects’ personal data.
Only a few persons with the right authorisations are permitted to process and gain access to any sensitive data in our system. Physical documents containing sensitive personal data are stored under lock and key in a secure place when they are not being processed by authorised employees.
Employees at ISGR are obliged to observe professional secrecy. The employees have a duty to maintain professional secrecy with regard to external persons and businesses and also internally among colleagues. The duty to maintain professional secrecy does not cease when their employment ends.
What personal data does ISGR process?
Processed data can be categorised as follows:
- Administrative data on pupils, guardians and staff such as the person's name, address, telephone number, e-mail address and personal identity number. This includes, inter alia, data that is necessary to carry on educational activities and data that forms part of the exercise of public authority (public interest). It also includes data processed in departments such as finance, salaries and personnel administration, etc.
- Health information on pupils
What basis for processing does ISGR use?
Some personal data must be processed in order to exercise public authority. This applies, among other things, to a person's name, personal identity number, contact details, grading material and grades. It also applies to personal data in agreements and personal data required to comply with legal obligations.
If an agreement between a data subject and us requires us to process health information or other sensitive personal data on the data subject, we will obtain consent before we process it. The data subject may withdraw his or her consent at any time and the processing of the personal data ceases. Processing of personal data that took place when the consent was active will not be affected by the withdrawal of consent. Nevertheless, we will delete the personal data in question if we have no other legal basis or legal obligation to continue storing the data.
Who do we supply personal data to?
Personal data can be supplied to public authorities if this follows from a statutory obligation with regard to reporting, information or disclosure.
We can disclose personal data to a third party if the personal data regulations so allow. In some cases, it is necessary for us to disclose personal data on a data subject as part of the exercise of public authority or to comply with legal requirements. When we disclose personal data to a third party in accordance with the regulations, the data subject is informed of that disclosure.
If it is necessary for us to engage and use a personal data processor, the personal data processor only processes personal data in accordance with detailed instructions from ISGR. This is to safeguard the data subject's rights and protect his or her privacy. Any third party that receives personal data from us is obliged to observe professional secrecy in accordance with an agreement.
For how long do we store personal data on a data subject?
We do not store personal data for longer than is necessary in order to fulfil the purpose of the processing or for longer than is required for the exercise of public authority. Personal data is deleted as soon as regulations on the exercise of public authority so allow, legal obligations have been met and the purpose of the processing of the data has been fulfilled.
Right to transparency, correction, deletion and transfer of data
Right to require transparency:
A data subject has a right to transparency with regard to the data we process on him or her. That means that the person identified has a right to be informed of the purpose and the basis for processing that we use, what specific data we process, what recipients or categories of recipient the personal data is forwarded to, for how long the personal data is stored and where the data was obtained.
Right to require correction and deletion:
If a data subject believes that ISGR has registered data on him or her that is inaccurate or incomplete, that person has a right to request correction of the personal data in question.
The data subject can ask us to remove personal data on him or her if the personal data is no longer necessary to fulfil the purpose of the processing; if the data subject withdraws his or her consent when consent has been used as the basis for processing; if the data subject opposes the processing and there are no other legal bases to continue processing the data; or if the data has been processed unlawfully. The data subject also has a right to object to the processing of his or her personal data if the person in question considers that we are carrying out any incorrect action in relation to the personal data.
Right to transfer of data:
A data subject has a right to receive the personal data we have stored on him or her in a structured manner and in a machine-readable format. The data subject also has a right to ask us to transfer data that we have received from him or her to another personal data controller if it is technically possible and if the processing of the personal data is based on consent, an agreement or public interest.
Data Protection Officer (DPO):
Any questions on how we process personal data or what rights a data subject has in accordance with this policy will be answered by our Data Protection Officer by e-mail or telephone:
031-708 92 23
The DPO has an obligation to maintain professional secrecy and is obliged to prevent others from gaining access to or knowledge of personal information unless consent has been received. Professional secrecy also applies after the work has been completed.
Personal data controller
The personal data controller, ISGR, determines the purpose for which the personal data is processed, in addition to processing that is not governed by law as part of the exercise of public authority. ISGR, in its role as personal data controller, reviews and registers the processes and systems that process personal data and carries out internal checks and risk assessments to ensure compliance with the Data Protection Regulation, GDPR.
ISGR ensures that all possible personal data processors and suppliers comply with the GDPR and adopt all necessary measures to process personal data in a safe, secure manner. The personal data controller can be contacted by post:
Göteborgsregionens Internationella Skola AB
411 33 Göteborg
Responsible supervisory authority?
The Data Protection Authority's task is to check compliance with the Data Protection Regulation, GDPR. In the event of any suspected breach of the regulations, a written enquiry should be sent to the Data Protection Authority. Postal address: Datainspektionen, Box 8114, 104 20 Stockholm.