The Forest is the Best Place

Alexander Calder, The Forest is the Best Place, 1945 Donation 1958 from Friends of Moderna Museet. Photo: Prallan Allsten / Moderna Museet © 2016 Calder Foundation, New York / Bildupphovsrätt 2016

Privacy policy and processing of personal data

We safeguard your personal integrity and constantly strive for a high level of data protection. In our privacy policy, we explain how we collect and use your personal information. It also explains what rights you have, and how you might exercise them. You are always welcome to contact us should you have any questions.

We want you to feel secure in how we handle your personal data. Therefore, we are open about how we collect and process the information we store about you. We ensure that your personal information is always protected by us, and that the processing meets the requirements of the General Data Protection Regulation (GDPR) and in internal guidelines. As a government agency, we are also required to have a Data Protection Officer reviewing that these rules are met.

In our Privacy Policy, we explain how we collect and use your personal information, the purpose of our data collection, how we handle data, how long we store it, and the legal basis we apply in various situations. It also explains what rights you have, and how you might exercise them. It is important that you have access to and understand the privacy policy, and that you feel confident in our treatment of your personal data. You can always contact us if you have any questions.

What is personal data?

Personal data is any information that can be used to identify a person who is alive. This can be personal information such as identity number, name and address. Photos taken and audio recordings of individuals, which are processed on a computer can also be personal data, even when no names are mentioned. Encrypted information and various types of electronic identities (e.g. IP address and cookies) are personal data if they can be linked to a natural person.

What is processing of personal data?

Processing of personal data is everything that happens with the data. Every measure that is taken with the personal data is processing, regardless of whether it is automated or not. Common processes include: collection, registering, organising, structuring, changing, storing, handling, spreading, transmitting and deleting.

What personal data do we collect from our visitors and for what purpose?

Purchases of admission tickets

Purpose
To handle the sale of pre-booked admission tickets via our website.

Processing that takes place

  • Payment transactions
  • Delivery of ticket information
  • Refunds and warranty claims

Personal data categories

  • Name
  • Contact information (when ordering physical tickets, address, delivery address, telephone number; when ordering e-tickets, e-mail address and telephone number)
  • Billing information
  • Purchase information (e.g. what ticket was ordered)

Legal basis
Execution of contract. The collection of your personal data is required for us to execute our commitment in accordance with the purchase agreement. If the data are not submitted, our measures cannot be carried out and we will be forced to reject the purchase.

Storage period
From the time that the purchase has been completed (including delivery and payment) and for a time up to 24 months thereafter, to handle any refunds and warranty claims.

Purchases in our online shop and with Rights and Reproductions

Purpose
To handle orders or purchases in the online shop or with Rights and Reproductions.

Data processing carried out

  • Delivery (including notifications and contacts regarding the delivery)
  • Handling payment
  • Handling refunds and warranty claims

Personal data categories

  • Name
  • Contact details (address, e-mail and telephone number)
  • Payment information
  • Purchase information (e.g. which item has been purchased and if the item is being delivered to another address)

Legal basis
Execution of contract. The collection of your personal data is required for us to execute our commitment in accordance with the purchase agreement. If the data are not submitted, our measures cannot be carried out and we will be forced to reject the purchase.

Storage period
From the time that the purchase has been completed (including delivery and payment) and for a time up to 24 months thereafter, to handle any refunds and warranty claims.

Bookings of space and services

Purpose
To handle bookings of space and services, for example tours and classes.

Data processing carried out

  • Receiving bookings, re-booking and cancellations.
  • Sending out booking confirmations.
  • Communications regarding a booking.
  • Handling payment.

Personal data categories

  • Name
  • Contact information (e-mail and telephone number, invoice address)
  • Corporate ID number /personal identity number
  • Any other comments you choose to submit.

Legal basis
Execution of contract. This collection of data is required for us to execute our commitment in accordance with the service agreement. If the personal data is not submitted, our measures cannot be carried out and we will be forced to reject the service.

Storage period
Up until the service is carried out.

The government agency’s legal obligations

Purpose
To carry out the government agency’s legal obligations.

Data processing carried out
Necessary processing for compliance with the agency’s legal obligations under legal requirements, rulings or by decision pf government agency (e.g. accounting law, archive law, rules on product liability and product safety).

Personal data categories

  • Name
  • Personal identity number (where applicable)
  • Contact information (e.g. e-mail address and telephone number)
  • Payment information

Legal basis
Legal obligation. This collection of personal data is required by law. If the data is not submitted, our legal duty cannot be carried out and we are forced to reject your purchase or booking.

Storage period
In accordance with corresponding law. For Accounting law this is seven years.

Service matters and questions

Purpose
To handle service matters and questions

Data processing carried out

  • Communication and response to questions to the information service (via telephone, e-mail, feedback forms or digitally, including social media).
  • Investigation of complaints and questions.

Personal data categories

  • Name or username
  • Contact information (e.g. e-mail address and telephone number)
  • Your correspondence

Legal basis
Public interest and exercising official authority as a government agency. The processing is required for us to handle our duty as a government agency and to answer questions regarding our operations and premises.

Storage period
Until the service matter is completed.

Information to specific stakeholders

Purpose
To inform specific stakeholders about our operations

Data processing carried out

  • Collection of personal data of those who wish to subscribe to newsletters or receive other types of correspondence.
  • Newsletters, press releases, event invitations and publications to specific stakeholders and lists. Physical and digital correspondence.

Personal data categories

  • Name
  • Postal address
  • E-mail address
  • Telephone number (in certain cases, for communication regarding correspondence)

Legal basis
Consent. The processing is required to deliver newsletters, press releases and other correspondences to those who voluntarily have subscribed to these. If the data is not submitted or withdrawn, then we can no longer provide the correspondence to the recipient.

Storage period
Until the subscriber no longer wants to receive the correspondence.

Information to the public

Purpose
To inform the public about our operations.

Data processing carried out
Information on current lecturers, exhibiting artists, class and conference organisers and curators, and photographs and video recordings of artists, exhibition staff and audience (where applicable). To be used in the Museum’s official communication channels, such as website, correspondence and in social media.

Personal data categories

  • Name and work title
  • Images
  • Sound and video recordings
  • Contact information (where applicable)

Legal basis

Public interest and exercising official authority as a government agency. The processing is required for Moderna Museet to describe its operations and exercise its official authority.

Storage period
Until the information is obsolete or no longer needed.

Making our collection accessible

Purpose
To be able to exhibit and convey and provide access to our collections.

Data processing carried out

  • Collection and registration of personal data regarding purchased, donated works and works on loan.
  • Registration of owner history, provenance.

Personal data categories

  • Name
  • Contact information (postal address, studio information, telephone number, e-mail)
  • Birth year
  • Country of birth and work

Legal basis
Public interest and exercising official authority as a government agency. The processing is required for Moderna Museet to exercise its official authority.

Storage period
In accordance with archival law and the Public Access to Information and Secrecy Act.

Donations, lending out or works of art on loan

Purpose
To handle donations, lending out or works of art on loan.

Data processing carried out

  • Collection of data regarding institutions or people loaning, lending or donating works of art.
  • Correspondence with architects, designers, artists, institutions, donors, dealers and lenders.
  • Collection of company and personal data for those who transport and handle the works of art.

Personal data categories

  • Name
  • Contact information (e-mail address, postal address, telephone number)

Legal basis
Agreement. The processing is necessary to receive, lend or lend in works of art.

Storage period
For correspondence: as long as the agreement is current and valid. For agreements: in accordance with the Public Access to Information and Secrecy Act and archival law. See the section on ‘The government agency’s legal obligations’.

Research enquiries

Purpose
To handle research enquiries.

Data processing carried out

  • Collection of personal data for visitors to archives and special collections.
  • Correspondence between Moderna Museet and the enquirer to the archives.

Personal data categories

  • Name
  • Contact information (e-mail or telephone number)
  • Personal identity number (when viewing an item)
  • Institution or similar

Legal basis
Public interest and exercising official authority as a government agency. The processing is required to handle requests to view archive documents and items from the collection. The data is used for security reasons and for Moderna Museet to exercise its mission to make the collection available.

Storage period
Until the visit is completed and items are returned and inspected.

Participation at events

Purpose
To carry out and manage participation at events.

Data processing carried out

  • Collecting and recording those who wish to attend events
  • Managing attendees at events (ticking off attendance lists)

Personal data categories

  • Name
  • E-mail

Legal basis
Public interest and exercising official authority as a government agency. The processing is required for Moderna Museet to carry out the event and to exercise its official authority.

Storage period
Until the events are completed.

Participation in press previews

Purpose
To carry out and manage press previews.

Data processing carried out

  • Collecting and recording those who wish to attend press previews
  • Managing attendees at press previews (ticking off attendance lists)

Personal data categories

  • Name
  • E-mail
  • Postal address

Legal basis
Public interest and exercising official authority as a government agency. The processing is required for Moderna Museet to carry out the press preview and to exercise its official authority.

Storage period
Until the press preview is completed.

Recruiting and hiring staff

Purpose
To recruit and hire staff.

Data processing carried out

  • Collection of personal data from job applications
  • Communication regarding interviews

Personal data categories

  • Name
  • Personal identity number
  • Contact information (address, e-mail, telephone number)

Legal basis
Public interest and exercising official authority as a government agency. The processing is required for Moderna Museet to fill vacancies and for the Museum to carry out its official mission.

Storage period
Until recruitment is completed and for a time of up to 24 months after the hiring is finalised.

Sponsorship and support

Purpose
To handle sponsorship and support for Moderna Museet.

Data processing carried out

  • Collection of personal data for those who enter into a sponsor agreement, partnership or are members of a Museum support group.
  • Event invitations, publications and information on specific activities.
  • Communication regarding sponsorship and membership.

Personal data categories

  • Name
  • Address
  • E-mail
  • Telephone number

Legal basis
Execution of contract. The processing is required for us to fulfil our commitment in accordance with sponsorship and membership agreements.

Storage period
For the duration of the sponsorship or membership and for a period of up to 12 months after its expiration.

Who is responsible for the personal data we collect?

Moderna Museet, corporate ID number 202100-5091, Slupskjulsvägen 7–9, 111 49 Stockholm, is responsible for all personal data collected by the organisation.

Where do we get your personal data?

In addition to the data you submit to us, or that we collect from you when you make purchases, we can come to collect data when we document our activities and events.

In these instances, the data that is collected consists of photographs, sound recording and video recordings.

Whom do we share your personal data with?

Personal data controller

Where it is vital for us to be able to offer our services, we will share your personal data with companies that are so-called personal data controllers to us. A personal data controller is a company that handles data on our behalf and in accordance with our instructions. We have personal data controllers helping us with:

  1. Marketing and information (services for newsletters and correspondence, media and web agencies, distribution)
  2. Transport (logistics and delivery companies)
  3. Bookings and service (to manage various events, guided tours and classes)
  4. Bookings and payment of admission tickets (to manage online ticket purchases)
  5. IT services (companies that handle basic operations, technical support and maintenance of IT solutions)

Your personal data is shared with a personal data controller only when this is consistent with the purposes for which the data were collected (e.g. to fulfil our commitment in accordance with an agreement or to exercise our official authority as a government agency). We have written agreements with all personal data controllers where it is stated that they guarantee the safety and security of the personal data that is handled, and where they agree to comply with our security demands and restrictions and the demands regarding international transfer of personal data.

Companies that are independently responsible for personal data

We also share your personal data with certain companies that are independently responsible for your personal data. These companies are independent personal data controllers, meaning that we do not control how the information given to the them is processed.

  1. Government agencies (the police, tax authorities or other government agency) if we are required by law to do so, or on grounds of a suspected crime.
  2. Companies that provide payment services (payment facilitator, bank or other payment service provider)

Where do we process your data?

We always strive to do all our personal data processing within the EU/EEA area, and all our own IT systems and the personal data controllers we contract are within the EU/EEA. During support and maintenance of our systems, when your data may be used by one of our service providers, we ensure that there is always a data protection policy in place, so that the receiver processes the data in the same secure way we do.

In cases where your data is used outside the EU, e.g. by one of our service providers, we always ensure that protection measures such as data transfer agreements are in place to regulate that the recipient processes data in the same secure way that we do.

What are your rights when we have your personal data?

Right of access (extract from register)

We are always open and transparent about how we handle your personal data, and you can at any time request access to the data.

Right of rectification

You can request that your personal data be corrected if the information is incorrect. Within the framework of the stated purpose, you also have the right to supplement any incomplete personal data.

Right to erasure

You can request that we erase the personal data we have on you if:

  • you wish them to be erased from a register that requires your consent
  • the data is no longer necessary for the purposes for which it was originally collected or processed
  • the personal data has been processed in an unlawful way
  • personal data must be deleted to comply with a legal obligation we are subject to

We have the right to refuse your request if there are legal obligations that prevent us from immediately erasing certain personal data. These obligations come from accounting and tax legislation, bank- and money laundering legislation, but also from consumer rights legislation.

It may also be possible that processing is necessary for us to determine, enforce or defend legal claims. Should we be prevented from meeting a request for deletion, we will instead block your personal data from being used for purposes other than the those that prevent the requested erasure.

Right to restriction

You have the right to request that our processing of your personal data be restricted. If you dispute that the personal data we process is accurate, you may request restricted processing during the time we need to check whether your personal data is correct.

Right to data portability

If our right to process your personal data is based on either your consent or fulfilment of an agreement with you, you have the right to request that the information relating to you and that you have provided to us be transferred to another data controller (known as data portability). A prerequisite for data portability is that the transfer is technically possible and can be automated.

How do we handle personal ID numbers?

We will only process your personal identity number when it is clearly motivated for the purpose, necessary for secure identification, or if there is any other significant reason. We will always minimise the use of your personal identification number by using your date of birth when this is sufficient information.

How is your personal data protected?

We use IT systems to protect the confidentiality and integrity of, and access to personal data. We have taken special security measures to protect your personal data against illegal or unauthorised processing (e.g. unlawful access, loss, destruction or damage). Only those persons who actually need to process your personal data to fulfil our stated purposes have access to it.

Moderna Museet uses two different types of cookies on the website: necessary cookies and cookies for statistics and analysis. Read more about cookies and change your consent

This privacy policy is a living document and content may change. The latest version is always available on this site. The privacy policy’s latest update was 2020-10-20.

Published 18 April 2018 · Updated 18 March 2024