Revised and accepted by the board on 20190827
What is in this policy?
This policy describes how Trast insamlingsstiftelse (Trast in the remaining document) manages personal data for you as a customer. Your integrity and privacy are an integral part of our core business, and we take elaborate and documented steps to make sure your personal data is safe with us and treated according to current data protection legislation and recommendations, in particular the General Data Protection Regulation (GDPR).
Personal data for customers
To provide its services, Trast collects and stores national identification numbers and links them to public online accounts using strong digital identification. These links are very sensitive and Trast takes every precaution to ensure that they remain confidential.
Trast is a trust as defined in Swedish law and one of the statutes defines that personal data cannot be sold to external parties or made use of in any commercial way. The only time the links are shared outside the trust is when prompted by an ongoing investigation by national or international law enforcement where the identity of an account is required to investigate potential criminal actions.
Personal Data Controller
Trast Insamlingsstiftelse c/o Alberius, Djurgårdsvägen 1, 75646 Uppsala is the data protection officer for Trast and is responsible for processing the personal data collected from customers.
Get in contact with Trast
If you have questions regarding our processing of personal data, or if you want to exercise your rights as stated in the GDPR, you are very welcome to get in contact with our data protection officer Stina Lindblad at email@example.com.
What personal data do we process?
Personal data includes any information that can be linked to you, either directly or indirectly using secondary data sources. This includes e.g. names, addresses, phone numbers et cetera. When you communicate with Trast using email, phone or other means of communication we process information that you include in the communication. When you link an account to Trast we store your national identification number.
For which purposes do we process data and what is our legal ground to do so?
We process data collected through incoming communication for our justified business interest to manage communication with Trast for the following purposes:
- To assess if we are allowed to process the personal data in question and if so, which internal system or location the data should be stored in for continued processing.
- To communicate with you and answer questions and requests.
We process your personal data under the legal ground of managing our business for the following purposes:
- Manage meetings
We process your personal data under the legal ground of entering and/or fulfilling a contract for the following purposes:
- To manage discussions and negotiations when entering a contract
- To provide your national identification number to national or international law enforcement pending a valid legal investigation connected to your linked online identity.
Who can access your personal data?
Trast is a fund according to Swedish law and cannot legally, even disregarding the GDPR, share your data with anyone or use it internally for commercial purposes. Trast will never, now or in the future, sell or otherwise commercially use your personal data. When necessary, non-sensitive personal data can be shared with Trast corporate IT systems like email and calendar services.
Your national identification number and its linked online accounts can only be shared with national or international law enforcement with ongoing investigations concerning one or more of your linked accounts.
How do we protect your data?
Trast has employed technical and organisational security measures to protect the personal data we process from loss, abuse, unauthorized access, exposure, editing and deletion. This includes but is not limited to 2-factor authentication for all personnel and physical hardware keys for technical personnel with access to national identification numbers and account links. The Trast organisation and IT are designed and built from the ground up with the GDPR in mind, and Trast also has a designated data protection officer. In the cases where Trast uses external providers to process data on our behalf, we have entered into contracts with them to ensure adequate data protection according to this policy.
In cases where data needs to be used outside its primary use, e.g. operational metrics and other statistics, it will be anonymized.
Where are my data processed?
Your personal data is mainly handled within the EEA. In cases where the data is processed outside the EEA, it is processed in accordance with current data protection legislation.
For how long do we store your data?
We store your data only as long as they are needed for the purposes for which they were collected or as long as regulated by law.
How can you affect our processing of personal data?
You have the right to get access to information regarding which personal data about you we process. You have the right to request changes to inaccurate data. You exercise your rights by contacting us at firstname.lastname@example.org. Under certain conditions you also have the right to request deletion of data, to request that we limit our processing of your personal data, and to object to our processing of your data. You also have the right to file a complaint with Datainspektionen; see instructions at their website.