
Privacy policy and processing of personal data

We respect your personal integrity and consistently strive to maintain the highest level of data protection. Our privacy policy explains how we gather and process your personal data. It also includes information on your rights, and how to exercise them. You are always welcome to contact us should you have any questions.

We want you to feel secure in how we handle your personal data, which is why we are open about how we collect and process information about you. We ensure that your personal information is always protected by us and that the processing meets the requirements of the Data Protection Regulation (GDPR) and of internal guidelines. As a public authority, we are also required to have a Data Protection Officer reviewing these rules.

In our privacy policy we explain how we collect and use your personal information. It also explains what rights you have and how you might exercise them. It is important that you have access to and understand the privacy policy and that you feel confident in our treatment of your personal data. You are always welcome to contact us should you have any questions.

What is personal data?

Personal data is any information which can be used to identify a person who is alive. This can be a personal identity number, name and address. Photographs taken and sound recorded of individuals which are processed on a computer can also be personal data even though no names are mentioned. Encrypted information and various types of electronic identities (e.g. IP address and cookies) are personal data if they can be linked to a natural person.

What is processing personal data?

Processing personal data is everything that happens with the data. Every measure that is taken with the personal data is processing, regardless of whether it is automated or not. Common processes are, for example: collecting, registering, organising, structuring, changing, storing, handling, spreading, transmitting and deleting.

What personal data do we collect from our visitors and for what purpose?

Purchases in our online shop and with Rights and Reproductions

Purpose

To handle orders or purchases in our online shop and with Rights and Reproductions.

Data processing carried out

  • Delivery (including notifications and contact regarding the delivery)
  • Handling payment
  • Handling refund and warranty claims

Personal data categories

  • Name
  • Contact information (address, email and telephone number)
  • Payment information
  • Purchase information (e.g. which item has been purchased and if the item is being delivered to another address)

Legal basis

Execution of contract. The collection of your personal data is required for us to execute our commitment in accordance with the purchase agreement. If the data is not submitted our measures cannot be carried out and we will be forced to reject the purchase.

Storage period

From the time that the purchase has been completed (including delivery and payment) and for a time up to 24 months thereafter to be able to handle any refunds and warranty claims.

Bookings of space and services

Purpose

To handle bookings of space and services, for example tours and classes.

Data processing carried out

  • Receiving bookings, re-booking and cancellations.
  • Sending out booking confirmations.
  • Communications regarding the booking.
  • Handling payment.

Personal data categories

  • Name
  • Contact information (email and telephone number, invoice address)
  • Corporate ID-number / personal identity number
  • Any other comments you choose to submit

Legal basis

Execution of contract. The collection of your personal data is required for us to execute our commitment in accordance with the service contract. If the data is not submitted our measures cannot be carried out and we will be forced to reject your booking.

Storage period

Up until the service is carried out.

The organisation’s legal obligations

Purpose

To carry out the organisation’s legal obligations.

Data processing carried out

Necessary processing for compliance with the organisation’s legal obligations under legal requirements, rulings or by decision of a public authority (e.g. the Accounting Act, the Archive Act, rules on product liability and product safety).

Personal data categories

  • Name
  • Personal identity number (where applicable)
  • Contact information (e.g. email and telephone number)
  • Payment information

Legal basis

Legal obligation. This collection of personal data is required by law. If the data is not submitted then our legal duty cannot be carried out and we are forced to reject your purchase or booking.

Storage period

In accordance with the corresponding law. For the Accounting Act it is 7 years.

Service matters and questions

Purpose

To handle service matters and questions.

Data processing carried out

  • Communication and response to questions regarding information service (via telephone, email, feedback forms or digitally, including social media).
  • Investigation of complaints and questions.

Personal data categories

  • Name or username
  • Contact information (e.g. email and telephone number)
  • Your correspondence

Legal basis

Public interest and exercising official power as public authority. The processing is required for us to handle our duty as a government organisation and answer questions regarding our operations and our premises.

Storage period

Until the service matter is completed.

Information to specific stakeholders

Purpose

To inform specific stakeholders about our work.

Data processing carried out

  • Collection of personal data of those who wish to subscribe to newsletters or receive other types of correspondence.
  • Newsletter, press releases, event invitations and publications to specific stakeholders and lists. Physical and digital correspondence.

Personal data categories

  • Name
  • Email address
  • Postal address
  • Telephone number (in certain cases, for communication regarding correspondence)

Legal basis

Consent. The processing is required to deliver newsletters, press releases and other correspondence to those who have voluntarily subscribed to these. If the data is not submitted, or is withdrawn, we can no longer provide the correspondence to the receiver.

Storage period

Until the subscriber no longer wants to receive the correspondence.

Information to the public

Purpose

To inform the public of our operations.

Data processing carried out

Information on current lecturers, exhibiting artists, class and conference organisers and curators, as well as photographs and video recordings of artists, curators, staff and audience (where applicable). To be used on the museum’s official communication channels such as website, correspondence and social media.

Personal data categories

  • Name and work title
  • Images
  • Sound and video recordings
  • Contact information (where applicable)

Legal basis

Public interest and exercising official power as public authority. The processing is required for Moderna Museet to describe its operations and execute its official mission.

Storage period

Until the information is obsolete or no longer needed.

To make available and convey our collection

Purpose

To be able to display, make available and convey our collection.

Data processing carried out

  • Collection and registration of personal data regarding purchased and donated art works and art works on loan.
  • Registration of owner history, provenance.

Personal data categories

  • Name
  • Contact information (address, studio information, telephone number, email)
  • Birth year
  • Place of birth and place of work

Legal basis

Public interest and exercising official power as public authority. The processing is required for Moderna Museet to execute its official mission.

Storage period

In accordance with the Archive Act and the Public Access to Information and Secrecy Act.

Donations and loans

Purpose

To handle donations, lending out, or works of art on loan.

Data processing carried out

  • Collection of data regarding institutions or people lending and borrowing works.
  • Correspondence with artists, institutions, donors, sales people and lenders.
  • Collections of company and personal data for those who transport and handle the art works.

Personal data categories

  • Name
  • Contact information (email, address, telephone number)

Legal basis

Agreement. The processing is necessary to receive, lend or lend out works of art.

Storage period

As long as an agreement is current and valid. For the agreement in accordance with the Public and Privacy Act and the Archive Act. (Paragraph on the Authority’s legal obligations)

Research enquiries

Purpose

To handle research enquiries.

Data processing carried out

  • Collection of personal data for visitors of archives and special collections.
  • Correspondence between Moderna Museet and the enquirer.

Personal data categories

  • Name
  • Contact information (email or telephone number)
  • Personal identity number (when viewing an item)
  • Institution or similar

Legal basis

Public interest and exercising official power as public authority. The processing is required to handle enquiries and requests to view archive documents and items from the collection. The data is used for security reasons and for Moderna Museet to carry out its official mission to make the collection available.

Storage period

Until the visit is completed and the items are returned and controlled.

Participation at events

Purpose

To carry out and manage participation at events.

Data processing carried out

  • Collection and registration of those who wish to attend openings and press previews.
  • Managing attendees at openings and press previews (ticking off attendance lists)

Personal data categories

  • Name
  • Email
  • Address

Legal basis

Public interest and exercising official power as public authority. The processing is required to go through with the events and for the museum to carry out its official mission.

Storage period

Until the events are completed.

To recruit and hire staff

Purpose

To recruit and hire staff.

Data processing carried out

  • Collection of personal data from job applications
  • Communication regarding interviews

Personal data categories

  • Name
  • Personal identity number
  • Contact information (address, email, telephone number)

Legal basis

Public interest and exercising official power as public authority. The processing is required for the museum to fill vacancies and for the museum to carry out its official mission.

Storage period

Until the recruiting is completed and for a time of up to 24 months after the hiring is finalized.

Sponsorship and support

Purpose

To handle sponsorship and support to the museum.

Data processing carried out

  • Collection of personal data from those who enter into a sponsor agreement, partnership or are a member of a museum support group.
  • Event invitations, publications and information on specific activities.
  • Communication regarding the sponsor- or membership.

Personal data categories

  • Name
  • Address
  • Email address
  • Telephone number

Legal basis

Execution of contract. The processing is required for us to fulfil our commitment in accordance with sponsor- and member agreements.

Storage period

For the duration of the sponsor- or membership and for a time up to 12 months after that.

Who is responsible for the personal data we collect?

Moderna Museet, corporate ID-number 202100-5059, Slupskjulsvägen 7-9, 111 49 Stockholm, is responsible for all personal data which the organisation collects.

Where do we get your personal data?

Beyond the data that you submit to us, or that we collect on you from your purchase, we may collect personal data while documenting our operations and events. In these instances the data that is collected is photographs, as well as sound and video recordings.

Who do we share your personal data with?

Personal data controller

Where it is vital for us to be able to offer our services we will share your personal data with companies which are so-called personal data controllers to us. A personal data controller is a company that handles information on our behalf and in accordance with our instructions. We have personal data controllers helping us with:

  1. Marketing and information (services for newsletters and correspondence, media and web agencies, distribution)
  2. Transport (logistics and delivery companies)
  3. Booking and service (to manage various events, guided tours and classes)
  4. IT-services (companies that handle basic operations, tech support and maintenance of IT-solutions)

Your personal data is shared with a personal data controller only when the objective is consistent with the purposes of collecting the data (e.g. in order to fulfil our commitment in accordance with an agreement or in exercising our official power as public authority). We have written agreements with all personal data controllers where it is stated that they guarantee the safety and security of the personal data that is being processed and where they agree to comply with our security demands and restrictions, as well as demands regarding international transfer of personal data.

Companies which are independently responsible for personal data

We also share personal data with certain companies who are independently responsible for personal data. This means that we do not control how the information given to them is processed. These are:

  1. State authorities (the police, the tax authority or other state authorities) if we are required to do so by law or because of a suspected crime.
  2. Companies which offer payment services (payment facilitators, banks and other payment service providers).

Where do we process your data?

We always strive to do all of our data processing within the EU/EEA area, and all of our own IT-systems and all of the personal data controllers we hire are within this area. During support and maintenance of our systems your data may be used by one of our service providers. We ensure that there is always a data protection policy in place so that the receiver processes the data in the same secure way we do.

In cases where data is used outside of the EU, e.g. by one of our service providers, we ensure that there are safeguards and protective measures in place, e.g. data transmission agreements, so that the receiver processes the data in the same secure way that we do.

What are your rights when we have your personal data?

Right of access (extraction from register)

We are always open and transparent about how we carry out data processing with your personal data and you can at any time request access to the data.

Right of rectification

You can always request that your personal data be corrected if the data is incorrect. Within the framework of the stated purpose you have the right to supplement any incomplete personal data.

The right of erasure

You can request that we erase the personal data we have on you if:

  • The data is no longer necessary for the purposes for which they were collected or processed.
  • The personal data has been processed in an unlawful way.
  • Personal data must be deleted to comply with a legal obligation we are subject to.

We have the right to refuse your request if there are obligations that prevent us from immediately deleting certain personal data. These obligations come from accounting and tax regulation legislation, bank- and money laundering legislation, but also from consumer rights legislation.

It may also be possible that processing is necessary for us to determine, enforce or defend legal claims. Should we be prevented from meeting a request for deletion, we will instead block personal data from being used for purposes other than the purpose that prevents the requested deletion.

The right to restriction

You have the right to request that our processing of your personal data be restricted. If you dispute that the personal data we process is accurate, you may request restricted treatment during the time we need to check whether your personal data is correct.

The right to data portability

If our right to process your personal data is based on either your consent or fulfilment of an agreement with you, you have the right to ask to have the information relating to you and that you have provided to us transferred to another data controller (known as data portability). A prerequisite for data portability is that the transfer is technically possible and can be automated.

How do we handle personal identity numbers?

We will only process your personal identification number when it is clearly justified by the purpose, necessary for secure identification, or if there is any other significant reason. We will always minimise the use of your personal identification number by using, when possible, your date of birth instead.

How are your personal data protected?

We use IT systems to protect the privacy and integrity of, and access to, personal data. We have taken special security measures to protect your personal data against illegal or unauthorised treatment (such as unauthorised access, loss, destruction or damage). Only those persons who actually need to process your personal data to fulfil our stated purposes have access to them.

What is the easiest way to contact us with questions regarding data protection?

We take data protection very seriously and, as an authority, we are also obliged to have a special data protection officer dealing with these issues. You can reach them at dataskydd@modernamuseet.se.

The principle of public access to official documents (offentlighetsprincipen)

Moderna Museet is a government agency, which means that messages sent to us may become public documents.

This privacy policy is a living document and content may change. The latest version is always available on this site.

Published 18 April 2018 · Updated 26 June 2018