What is personal data?
Personal data is any information or identifier relating to a natural living person.
In other words, personal data may be: name, age, gender, ethnicity, length, eye color, email address, physical address, phone number, biometric data such as fingerprints, etc.
What is processing of personal data?
Processing of personal data is any operation performed on personal data.
In other words, a processing can be: collection, registration, storage, reading, usage, erasing, dissemination or provision otherwise etc. It is primarily the digital automated processing of personal data that is covered by GDPR, but personal data included in a register or intended to be included in a paper-based register can also be covered by the rules.
When does SMHI process personal data?
SMHI processes personal data in a variety of contexts.
- When you visit our website we process your personal data.
- When we arrange conferences we process the participants' names and email addresses.
- When we interact with other companies and/or government agencies we have contact information to employees there.
- When the public sends questions to our customer service or
- when someone visits SMHI and register with their name at the reception we process these personal data.
- When you subscribe to one of our newsletters or when you write to us on one of our social media platforms, we process personal data in relation to these actions.
Email to SMHI
As SMHI is a governmental authority and as such is governed by the principle of Public access to official documents, generally all information received - by e-mail and otherwise – are official documents. Depending on what the email message contains – including the personal data in it - it will either be entered into the official journal, archived or destructed in accordance with a disposal decision. All actions are in accordance with law and regulations on the area, including the rules and guidelines relating to disposal of official documents and archiving.
What laws are there, regarding personal data management?
The EU General Data Protection Regulation ("GDPR") and the Swedish Data Protection Act, together with other regulations such as the Freedom of the Press Act, the Fundamental Law of Freedom of Expression and other national laws, govern the processing of personal data. The purpose of GDPR is to protect personal integrity when processing personal data. On May 25, 2018, the GDPR replaced the previous law in the area - the Personal Data Act.
All processing of personal data shall be in accordance with the fundamental principles of personal privacy protection set out in the GDPR. In short, the principles stipulate that personal data shall be handled legally and safely, that personal data may only be collected for legitimate purposes and the purposes should not be described in general terms, that more personal data than is necessary to achieve the purpose they have been collected to achieve is not collected and that you cannot keep the data longer than necessary. In addition, however, as a government agency, SMHI has an obligation to preserve information for the future, so we cannot erase personal data that we are legally obliged to archive. Personal data may not be processed later in a manner that is inconsistent with the purposes set for the initial processing. SMHI is responsible for its personal data management and to demonstrate compliance with the regulation.
More information can be found on the Data Protection Authority’s website (In Swedish)
Some examples of SMHI’s processing of personal data
Example 1
You contact SMHI via "Ask us" on our website. You can choose to sign the question with your name. However, you must enter your email address when you ask the question so we can contact you. Your name - if you choose to sign with your name - will then be published on our website along with your question, but the email address will not be published nor will it be released to third parties. The question will then be handled in accordance with applicable laws and regulations i.e. be registered in SMHI’s official registry and then archived or destructed in accordance with a disposal decision.
Example 2
Someone calls SMHI to ask a question. The call will be forwarded to one of our experts. Name, phone number and / or email address will be saved by our customer service and in some cases by the expert who answers the question. Depending on how the answer is given, it can be filed in SMHI’s official registry and archived in accordance with applicable regulations or it will be destructed in accordance with a disposal decision.
Example 3
Someone writes something on SMHI's social media - facebook, twitter, instagram. As a rule, posts are seen as official documents as they are submitted to SMHI through the publication on SMHI's digital channels. Personal data provided in connection with this post may be filed in SMHI’s official diary and archived or destructed in accordance with a disposal decision. In cases where the Electronic Notice Board Act (1998:112) applies, SMHI immediately removes content that violates this Act, see SMHI's policy about the same: kundo.se/org/smhi/content-policy/
Example 4
When you apply for a job at SMHI, SMHI processes the personal information you provide in connection with your application. Application documents are also covered by the Public Access to Information principle and may be disclosed, should anyone request to see them. Personal data in the application is not processed for a longer period of time than required by law, i.e. personal data related to those who are not offered the job will be destructed in accordance with a disposal decision.
How we process your personal information
SMHI is the controller of the processing of personal data here on this website and in our business in general. As a controller, SMHI is responsible for that the processing of data carried out either by SMHI or by a processor is in accordance with applicable laws and regulations. Furthermore, as a controller, SMHI has obligations to the person whose personal data is processed.
Legal processing your personal information
All processing of personal data by SMHI is based on laws and regulations. We do not process personal data unless the processing is lawful. There should also be a defined and specific purpose for the processing in question. On our website, we describe in general terms how SMHI assesses the lawfulness of different types of processing, but we may also inform more specifically in some situations when personal data is collected.
SMHI is responsible for ensuring that the personal data we process are correct and up to date and that the data are relevant to the purpose of the processing.
As a governmental authority, we have a legal obligation to preserve information about our business for the future, which means that in cases when information containing personal data is archived, we save your personal data in our archive as well. All archiving is carried out in accordance with rules and guidelines for archiving and disposal of official documents.
As a governmental authority, SMHI has an official duty to carry out specific actions. SMHI’s official duty forms the legal basis for processing the necessary personal data in order to fulfill this duty. Duty of public interest is described in the Data Protection Act. SMHIs Duty of public interest is described in laws and regulations, but assignments that the authority undertakes on a voluntary basis, if SMHI considers that it constitutes a task of general interest, falls within the scope of the general duty to be fulfilled and hence constitutes a Duty of public interest.
Some examples of where SMHI’s official duty emanates from; the Swedish constitution, government regulations, public administration and confidentiality laws, SMHI's instruction, SMHI's letter of appropriation, which SMHI receives annually, activities organized by SMHI to disseminate our expertise areas meteorology, climate science, hydrology and oceanography.
SMHI also conducts business activities, as stipulated in SMHI's instruction. This means that what SMHI’s business department does is also to be considered necessary to fulfill a Duty of public interest. Where SMHI has entered into an agreement with a customer SMHI’s processing of personal data is necessary to fulfill the agreement as well as fulfilling a Duty of public interest.
In addition, SMHI conducts applied research within the scope of its area of expertise; therefore SMHI also processes the personal data necessary for conducting this research of general interest.
Data protection legislation and public access to information principle
The GDPR regulates the protection of personal data, but there is also national legislation that complements the regulation in EU’s member states. In Sweden, the supplementary legislation act is called Law (2018: 218) with Supplementary Provisions to the EU General Data Protection Regulation (the Data Protection Act). Furthermore, there are national provisions that together constitute the Principle of Public access to information principle, namely the Freedom of Expression Act in combination with the Public access to information and Privacy Act (2009:400), which regulates the disclosure of public documents. The Public access to information principle is not affected by GDPR, except that disclosure of public documents containing personal data may be refused if it could be assumed that a disclosure would result in the personal data being handled in violation of the GDPR (Chapter 21, Section 7, OSL).
How SMHI protects your personal information
As a governmental authority, SMHI has, for example, the MSB's regulations (MSBFS 2016: 1, ) to comply with in regards to information security.
At SMHI we work to protect your data and to ensure that the right people have access to the right information at the right time. This may include technical solutions for protection against malicious code, but it may also concern the training of our personnel in handling of personal data.
We have been working systematically with information security in relation to personal data for many years, and we are periodically reviewed by an external actor to get a receipt on that the correct level of security is maintained.
Your rights
If your personal data is processed by SMHI, you are entitled to receive information about how we process your data and to get incorrect information corrected.
Right to request information
You are entitled to receive free information and access to the personal data that SMHI is processing about you. You also have the right to request incorrect information about you corrected and in some cases you may have the right to request that your personal data is erased, however this is only possible where the legal ground for processing is consent or if processing is necessary in order to fulfill a contract.
Complaint regarding SMHI's handling of personal data
If you believe that SMHI has processed your personal data incorrectly, you have the right to notify it to Datainspektionen. Click here to access the Datainspektionens complaint handling page (In Swedish): www.datainspektionen.se/dataskyddsreformen/dataskyddsforordningen/de-registrertadesrattigheter/klagomal/
You can also contact one of our Data Protection Officers at the email address dataskyddsombud@smhi.se
if you have comments on SMHI’s personal data management.
Personal data on social media
SMHI uses several social media to both reach out with information and to engage in dialogue with the public. Because SMHI is a governmental authority, comments and posts on our pages in social media are official documents which also include the personal information that accompanies the comment and / or the post. SMHI reserves the right to remove comments or posts that are offensive.