Personal Data
Our privacy policy provides overarching information about the personal data processing for which Infrastruktur i Umeå AB (INAB) is responsible and how we ensure that your personal data is processed in accordance with applicable data protection legislation. We also describe your rights and how to exercise them.
Privacy Policy
1. Data Controller & Contact Information
1.1 Introduction
Infrastructure in Umeå AB is committed to protecting your personal privacy and personal data. We strive for a high level of data protection and adhere to the applicable laws, industry regulations, and other related standards that exist to protect the privacy and rights of individuals. This policy aims to explain the personal data we collect about you and its intended use to demonstrate how we ensure that your personal data is handled in accordance with applicable data protection legislation.
1.2 Data Controller
Infrastruktur i Umeå AB (556040-6315) is the data controller for the processing of your personal data.
1.3 Contact Us
If You Want to Exercise Your Rights or Have Questions About Data Protection, INAB ensures that all data we process is accurate. This naturally applies to all the personal information we handle. You are welcome to contact us if you wish to exercise your rights or have questions about privacy and data protection:
Our contact details:
Visiting address:
Fredsgatan 21
903 47 Umeå, Sweden
Postal address:
Kaserngatan 2
903 47 Umeå, Sweden
Telephone: +46 90 16 68 00
E-mail: inab@umea.se
Contact details for our data protection officer:
Daniel Glaad
Telephone: +46 73 620 01 25
E-mail: dso.ukf@insatt.com
If you have complaints about our processing or are not satisfied with the response you have received, according to data protection legislation, you have the right to file a complaint regarding our processing of your personal data to the Swedish Authority for Privacy Protection (IMY).
Contact details IMY:
Swedish Authority for Privacy Protection
Box 8114
104 20 Stockholm, Sweden
Phone: +46 8 657 61 00
E-mail: imy@imy.se
More information about the current data protection legislation is available at www.imy.se
External link..
As a registered individual, you have certain rights. These rights are laid out in the General Data Protection Regulation and are detailed below.
When you wish to exercise your rights, you are welcome to contact us; contact details are provided in section 1.3 of this policy.
When you exercise your rights, our starting point is to comply with your request and respond to you within one month from the time you contact us. Handling may take up to three months if the volume or complexity of the case requires it. In such cases, we will inform you.
We will always respond to your request in writing. The different rights you may have when we process personal data about you are described below. Depending on the legal basis for our processing and the purpose of the processing, there may be exceptions or limitations to your ability to exercise your rights. If the request is manifestly unfounded or excessive, especially if it is repetitive, we may either charge a fee or refuse to comply with the request. We will then be able to demonstrate that the request is manifestly unfounded or excessive.
2.1 Information
You have the right to information about how we process your personal data. More information on the right to information can be found on the IMY's website External link..
2.2 Access to Your Personal Data Record Extract
You have the right to request confirmation from us on whether personal data concerning you are being processed and, in such cases, access to the personal data we are processing about you, a so-called record extract.
More information on the right to access can be found on the IMY's website External link..
2.3 Request to Have Your Data Erased
You have the right to request that your data be erased. Upon such a request, we will delete data that is no longer necessary for the purpose for which it was collected. We will also delete your data if you withdraw your consent to the processing. In some cases, we are not able to delete your personal data. This may be because the data is still necessary for the purpose for which it was collected, our interest in continuing to process the data outweighs your interest in having it deleted, or because we are required by law to retain it.
More information on the right to erasure can be found on the IMY's website External link..
2.4 Request to Restrict Processing Under Certain Circumstances
You have the right to request that our processing of your personal data be restricted under certain circumstances.
The possibility of restriction applies if:
a) you contest the accuracy of the personal data;
b) the processing is unlawful, and you oppose the erasure of the data and instead request the restriction of their use;
c) we no longer need the data, but you require them to establish, exercise, or defend legal claims; or
d) you have objected to processing pursuant to Article 21.1, pending the verification whether our legitimate grounds override yours.
More information on the right to request restriction of processing can be found on the IMY's website External link..
2.5 Request the Right to Data Portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another data controller.
More information on the right to data portability can be found on the IMY's website External link..
2.6 Request Correction of Inaccurate Data
You have the right to have inaccurate personal data concerning you corrected without undue delay. Depending on the purposes of the processing, you also have the right to have incomplete personal data completed.
More information on the right to request correction can be found on the IMY's website External link..
2.7 Right to Object to Processing
For reasons relating to your situation, you have the right at any time to object to the processing of personal data concerning you based on Article 6.1(f) of the General Data Protection Regulation, legitimate interest. The right to object includes processing that involves profiling, among other things.
More information on the right to object to processing can be found on the IMY's website External link..
2.8 Right to Object to Decisions Based Solely on Automated Processing
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects on you or similarly significantly affects you.
More information on the right to object to decisions based solely on automated processing can be found on the IMY's website External link..
3. What Personal Data Do We Collect, What Is It Used For, And On What Legal Basis?
In this section, we inform you about how we process your personal data. The information is divided into different categories to make it easier for you to find what applies to you.
We process the personal data that is provided to us, for example, in connection with the signing of a contract or when individuals visit or register on our websites and through our use of cookies, provide personal data in connection with events and fairs, or provide information through other forms of communication, such as in writing/email, telephone calls, or social media. In addition to the personal data that you provide to us, your data may be updated against the population register at the Swedish Tax Agency. This may be necessary to ensure that the information is accurate and for contracts to be fulfilled.
3.1 Purposes for which your personal data is processed
Purpose of the processing – what we do and why | Which personal data is processed for the purpose, and where it comes from | Legal basis for personal data processing according to GDPR | If your personal data is shared and with which recipient | When we delete your data See Section 5 for more information on storage and deletion |
|---|---|---|---|---|
For processing you as a private customer (individual consumer/sole trader) or you as a contact/representative for a legal entity: · To manage the customer relationship according to our agreements, including billing · For the preparation or administration of the services that we have agreed upon with you (for example, credit information from credit reporting companies, business assessment, or debt collection management) · To ensure your identity · To communicate with you through various channels | From you: Name, phone number, and email. For sole traders (individuals), also include their address and personal identification number.
| If you are a private customer (individual consumer/sole trader), the processing is based on our agreement with you (Article 6(1)(b) GDPR). If you are a contact/representative for our customer, the processing is based on our legitimate interest (Article 6(1)(f) GDPR) to uphold the customer relationship with your employer.
| See Section 4. | Your personal data is stored for as long as the customer relationship with you as a private customer or with your employer persists and thereafter for the period required or permitted according to the legislation and practice in force at any time. |
For processing you as a private supplier (individual/sole trader) or as a contact/representative for a legal entity: · To manage the supplier relationship and for us to fulfil our commitments to the supplier, such as through contract management or billing. · To communicate with you through various channels. | From you: Name, phone number, and email. For sole traders (individuals), also: Address and personal identification number.
| If you are a sole trader (individual), the processing is based on our agreement with you (Article 6(1)(b) GDPR). If you are a contact/representative for our supplier, the processing is based on our legitimate interest (Article 6(1)(f) GDPR) to fulfil the agreement or supplier relationship that arises, for example, from an order that we place with the supplier. | See Section 4. | Your personal data is stored for as long as the supplier relationship with you as a private supplier or with your employer persists and thereafter for the period required or permitted according to the legislation and practice in force at any time. |
To conduct procurement processes where you submit a bid as an individual/sole trader or are, for example, a consultant, project manager, site manager, or supervisor for a bidder that is a legal entity. | From the bidder: The information provided in your CV, such as name, phone number, and email address, as well as details of education, professional experience, and other merits claimed in the bid. | We rely on the legal basis of legitimate interest (Article 6(1)(f) GDPR). | See Section 4. | Your personal data is stored for as long as the purpose for which it was collected requires it and the period required or permitted according to the legislation and practice in force at any time. See further in section 5. |
For processing in a case with legal relevance | From you: Name, telephone number, email, address, personal identification number. Where applicable, also provide property designation, pictures, and any additional information you provide us. | Legal obligation (Article 6(1)(c) GDPR) or Legitimate interest (Article 6(1)(f) GDPR). | See Section 4. | Your personal data is stored for as long as the purpose for which they were collected requires it and the time required or permitted according to current legislation and practice. Further details in Section 5. |
To be able to carry out an event organized by us that you register for. | From you: Name, email address, and telephone number. Where applicable, also include your birth number or personal identification number (if required for, e.g., a travel booking) and any dietary preferences/allergies. | Legitimate interest (Article 6(1)(f) GDPR). | See Section 4. | Your personal data is stored for as long as the purpose for which they were collected requires it and the time required or permitted according to current legislation and practice. Further details in Section 5. |
To communicate with you through various channels, such as newsletters, you have opted to subscribe to or respond to your incoming questions and comments and to assist you in other ways depending on your reason for contacting us. | From you: Primarily name, telephone number, and email. Where applicable, also provide your address, personal identification number, property designation, pictures, and any additional information you provide us. | Legitimate interest (Article 6(1)(f) GDPR). | See Section 4. | Your personal data is stored for as long as the purpose for which they were collected requires it and the time required or permitted according to current legislation and practice. Further details in Section 5. |
To ensure functionality for you as a visitor to our websites (inab.umea.se and northernaccess.se). Our websites use cookies, which are small text files that, in some cases, collect your IP address. On our websites, we only use strictly necessary cookies. You can read more about our use of cookies in our Cookie Policy, which you can find here (link to another website). | Whether and, if so, which of your personal data we process depends partly on your browser settings and partly on the settings you made when you landed on the website. You can read more about which cookies we use in our Cookie Policy, which you can find here | We rely on the legal basis of our legitimate interest in providing you with a functioning website (Article 6(1)(f) GDPR) and, in some cases, your consent to us collecting information about you (Article 6(1)(a) GDPR). | See our cookie policy, which you can find here | See our cookie policy, which you can find here |
Camera surveillance in connection with our properties is used to prevent, inhibit, and investigate crimes, prevent disturbances, increase personal safety, and ensure that emergency evacuation can take place safely through free emergency exits. More information about our camera surveillance can be found in connection with the respective property that is under surveillance.
| Image/video material from surveillance cameras. | We rely on the legal basis of legitimate interest (Article 6(1)(f) GDPR). | See Section 4. More information about our camera surveillance can be found in connection with the respective property that is under surveillance. | Material from camera surveillance is normally stored for a maximum of 3 days but may, in some cases, be stored for 30 days. More information about our camera surveillance can be found in connection with the respective property that is under surveillance.
|
To process job applications to the extent required for the current recruitment process or for processing a spontaneous application/interest notification that you have submitted. | From you who applied or submitted an interest notification: The processing includes the documentation you send to us and information from referees, recruitment companies, information from other people who have tipped us off about you or companies that assist us with various forms of personality and competence tests, notes from interviews, and any work samples and tests. | We rely on the legal basis of legitimate interest (Article 6(1)(f) GDPR). | See Section 4. | Your personal data is stored as long as the recruitment for a specific position is ongoing and an additional two years with reference to the discrimination law so that we can demonstrate the grounds on which the employment decision was made. Spontaneous applications/interest notifications are stored with us for two years before they are deleted.
|
4. Recipients of Personal Data
Personal data we process about you may be disclosed to authorities as prescribed by law and to any partners providing support services to us. This may also be necessary when delivering a service from us. Additional examples of recipients are service providers, such as those assisting us with IT services (companies managing necessary operations, technical support, and maintenance of our IT solutions). Furthermore, data we process about you may be disclosed as required to fulfil our obligations to you as the registered individual. Your personal data may also be shared with our parent company, Umeå Municipal Company AB (UKF) or other companies within the UKF group.
Data processors
If data is transferred to someone processing your personal data on behalf of INAB (so-called data processors), we provide instructions on how the receiving party should handle the personal data and confidentiality. If your personal data is shared with a company that is independently responsible for personal data, the receiving company's privacy policy applies.
Principle of Public Affairs
INAB is subject to the principle of public access, and information in public documents can be disclosed to those who request it unless the information is confidential. Your personal data will not be used for direct marketing purposes, known as profiling.
If you have protected identity or wish to remain anonymous
If you have a secrecy mark or protected registration, you must be very careful with how you handle your details. If possible, avoid sharing protected personal data with us. If you need to share protected information with us, you must also inform us that you have a protected registration or a secrecy mark. We do not have access to the registration database and cannot know in advance if you have protected personal data.
However, if you have fictitious personal details, you should not inform us but instead follow the Police recommendations to not reveal your real identity.
Remember that if you want to leave a comment or contact us anonymously, you should not provide any personal details (for example, in emails) because these details are recorded as public documents and are generally public.
Social media
When you interact with or contact us via social media, such as LinkedIn, information and personal data are always transferred to a third party (i.e., the company/organization that operates the social media platform you use). We cannot regulate this, but we are happy to answer your questions on social media. If you do not want a third party to collect the information you send to us, we recommend that you contact us by phone at +46 90 16 68 00 instead.
Your personal data is stored as long as the supplier relationship persists and thereafter for the time required or permitted according to current legislation and practice. If your personal data are referenced in invoice documentation, they will be retained for seven years in accordance with the Accounting Act. Contracts, correspondence, and documents regarding delivery from your employer where personal data appear are stored for the time that rights and obligations (including any liability and claims) persist according to the contract we have entered into with your employer, by law and current practice. If you terminate your employment with our supplier, we will delete your personal data when we receive information about it from you or your employer.
We keep your data as long as necessary to fulfil our contractual obligations towards you and according to statutory storage periods for each purpose. These obligations come from, for example, public access and confidentiality legislation, accounting and tax legislation, banking and anti-money laundering legislation, and the Archives Act. The processing may also be necessary for us to establish, exercise, or defend legal claims.
This means, among other things, that we will remove or anonymize your data (so that they cannot be linked to you personally or used for other purposes) and other information in our databases when the transactions in the contract are finalized. This is provided that the information is no longer necessary for the purpose for which it was collected or that it is deemed to have archival value based on the Archives Act. Data necessary to fulfil a contract or other legal basis, such as collected meter readings, information about contracts, invoiced products, and services, cannot always be restricted or deleted.
How we handle your social security number
We will only process your social security number when it is clearly justified considering the purpose, necessary for secure identification, or if there is some other considerable reason. We always minimize the use of your social security number as much as possible.
To protect your privacy and your personal data, we may require you to identify yourself in connection with our assistance.
Security
INAB uses IT systems to protect the confidentiality, integrity, and access to personal data. We take specific physical, technical, and organizational security measures to protect your personal data from unauthorized or unlawful processing (such as unauthorized use, loss, destruction, or damage). Only those who actually need to process your personal data to fulfil our stated purposes have access to them. We continuously adapt our security measures to the ongoing technical development in relation to reasonableness and the volume and sensitivity of personal data.
6.Transfer of Personal Data Outside the EU/EEA
You have the option to limit the use of cookies, and you can find more information about this in our cookie policy, which you can find here (link to another website).
We and our data processors store personal data on servers located within the EU/EEA. Even though the personal data are stored within the EU/EEA, in some cases, personal data may be transferred to a third country, for example, when an IT supplier that we have contracted with needs to process the data outside the EU/EEA to provide their service (such as through a group company in the USA).
If personal data are transferred to a third country (including the USA), we always take appropriate protective measures to best protect your personal data. Such appropriate protective measures may include:
- Ensuring that the EU Commission has decided that the country to which the personal data is transferred achieves an "adequate" level of protection equivalent to the protection level ensured by the General Data Protection Regulation.
- Entering the EU Commission's standard contractual clauses with the recipient of the personal data in the third country. When personal data are transferred to a third country based on the EU Commission's standard contractual clauses, we assess whether there is legislation in the receiving country that affects the protection of your personal data. If necessary, we take specific technical and organizational measures so that the protection of your data remains during the transfer to the relevant country outside the EU/EEA. Due to American security legislation, however, there is a certain risk that American authorities, for the purpose of combating crime or defending national security, may access personal data transferred to the USA even though we take technical and organizational security measures.
You can contact us and request a copy of the protective measures. You can find our contact details in Chapter 1.3 of this policy.
7. Changes to this Privacy Policy
We reserve the right to make changes to this privacy policy to the extent we deem them necessary based on changes to our personal data processing and to fulfil new legal requirements, interpretations of legal requirements, technical requirements, or to address problems or disturbances. If personal data processing is regulated in an agreement with a customer, however, the contractual provisions apply until they are changed, unless it is incompatible with law or other legally binding provisions. If there are major changes to our handling of personal data, you will be notified personally. The latest version of the privacy policy is always available on our website.