How the Swedish Forest Agency processes personal data
The Swedish Forest Agency is the public authority in charge of forest-related issues. Our mission is to promote that the management of the Swedish forests leads to that the objectives of the Swedish forest policy is attained. This often means that we must handle your personal data. To be able to process your personal data we must have a justified legal basis and a clearly defined purpose for the processing
We protect your personal data
In order to be justified the processing has to meet certain criteria. Among other things we must:
- have a clearly defined purpose for collecting your personal data
- not collect more data than necessary
- ensure that the data is correct
- not store your data for longer than necessary
- ensure that we process the data securely. For example, to prevent unauthorized access or loss of information.
When the Swedish Forest Agency process your personal data, we take appropriate security measures to ensure that your personal data is kept safe. For example:
- We work to minimize the amount of personal data we collect and store so that only the necessary information is kept.
- We work to ensure that the digital systems we use for handling your personal data are as secure as possible as well as produce policies and guidelines to ensure that your personal data is handled as securely as possible.
To ensure that your personal data is kept secure at all times, the processing is carried out in accordance with applicable data protections laws and our internal guidelines and policies. We have also appointed a data protection officer who is responsible for overseeing that we adhere to rules, guidelines and policies.
What is personal data and what does processing of personal data mean?
Personal data is any information that can be used to identify a person. For example:
- Personal identity number
- IP number
- Case number
- Residential geographic location
- Images that can be used to identify you
Processing of personal data means all activities that involves personal data. Such operations may include the collection, registration, matching or printing of data.
The Swedish Forest Agency is the controller of your personal data. This means that the Swedish Forest Agency is responsible for processing your personal data in accordance with the new General Data Protection Regulation (GDPR). GDPR replaces the Swedish Personal Data Act (PUL) and came into force on May 25th, 2018.
If you have any questions you may contact us directly by phone at 036-35 93 00, by e-mail at firstname.lastname@example.org, or by mail at the following address: Skogsstyrelsen 551 83 Jönköping. We also have a data protection officer who you may contact at email@example.com
From where do we collect your personal data?
- From you directly. Personal data is for example processed when you communicate with us, when you submit a notification or an application.
- From external actors. In order to fulfil our obligations we sometimes need to gather personal data from other parties, for example other agencies like Sweden's county administrative boards, the Swedish Board of Agriculture, the National Heritage Board, the Swedish Environmental Protection Agency and Lantmäteriet.
What personal data do we process and for what purpose?
The Swedish Forest Agency handles personal data in many different contexts and a full account of all contexts is not possible within the framework of this general information. The Swedish Forest Agency will provide you with specific information as to why we process your personal data for each specific processing. We will also inform you of the legal ground for the specific processing of your personal data. The following paragraph exemplifies our most common reasons for processing your personal data.
Exercise of public authority
We need your personal data to be able to make decisions in various cases which concern our activities, for example when you have notified us of a cutting operation. We may then handle your personal data such as address information, property unit designation, your personal identity number, or geographical data for the area where your property is located. This processing of your personal data is carried out as part of our exercise of public authority.
The Swedish Forest Agency has also been commissioned by the Government to promote that the Swedish forestry policy is put into practice by those who own and manage forests. This may involve us informing you of our activities and giving advice on issues which the agency is responsible for. For example, we may arrange specific meetings with forest owners. Therefore, there might be a public interest for processing your personal data in various contexts, for example if we must handle your address information when we send out information about our training opportunities, our magazine, and so on.
As we are a large agency we also have a great number of employees. To manage payment of salaries, requests for time off, and other similar employment issues, we also need to process the personal data of our employees. This processing lies outside the core business activities of the agency. The processing is only carried out when the Swedish Forest Agency considers it necessary and when our legitimate interest for processing your personal data outweighs the reasons for not processing it. This is often referred to as grounds of legitimate interest.
The Swedish Forest Agency may also request your consent to process your personal data. This means that we cannot process your personal data without obtaining your consent. Your consent shall then be explicitly given. You will also receive information about how to withdraw your consent. Please note that as we are a public authority there may be limitations as to what personal data we are able to erase once you have consented and your personal data has become part of public documents.
In some cases, we act as a contracting party in various contractual relationships. We then have a legal ground for processing your personal data when the processing is necessary for fulfilling a contractual agreement with you.
Fulfilling a legal obligation
There are also laws and regulations which dictate that we must process your personal data for our activities, for example the Bookkeeping Act. In this case we process your personal data order to fulfil a legal obligation.
Parties that we share your information with
- Various agencies. The Swedish Forest Agency cooperates with several agencies because of our activities. We may share your information with, for example, Sweden's county administrative boards, and others.
- Courts, opposite parties etc. In case of legal disputes, we may transfer your personal data to other parties.
- As we are a public authority, most of the documents that comes in to the agency and are available here are public documents. The documents that we draw up, for example various decisions, become public documents. According to the Swedish Constitution, every Swedish citizen has the right to access public documents. Your Personal data which is part of public documents and which is not covered by professional secrecy, may be disclosed by the agency on request.
- In certain cases, the Swedish Forest Agency needs external help with handling the information that we process. These external services or parties may, for example, include cloud-based services for storing information, cooperative efforts with hired consultants, or purchases of different IT systems, such as our payroll service. Those who help us with these services are called processors. When using processors, the Swedish Forest Agency establishes a data processing agreement which ensures that the processors process your personal data in accordance with our instructions and adhere to the same level of security as the Swedish Forest Agency when handling the data.
How long is my data stored for?
It depends on the type of data and the context in which the data is used. The Swedish Forest Agency is obliged to follow the rules and regulations set out in the GDPR, meaning that we, among other things, shall apply the storage limitation principle. According to this principle, personal data may not be stored for longer than is necessary for the purpose stated.
The Swedish Forest Agency is working to minimize the amount of personal data used in our activities. Yet at the same time, as the Swedish Forest Agency is a public authority, most of our documents are so called public documents. Our public documents shall be kept in order and may not be erased without specific rules stated in the Archive Act. This means that the Swedish Forest Agency may not remove documents or personal data unless stated in the Archives Act.
When we process your personal data, you have certain rights. Your rights may differ depending on the legal basis for our processing of the personal data. As a public authority, we also must adhere to the principle of public access to official records and the Archive Act, which may limit your rights in certain cases.
Access to your personal data
You have the right to request information about:
- the purpose for processing your personal data
- what personal data we process
- to whom we disclose the data to and to whom we may disclose the data to
- how long we store the personal data
- how to rectify, erase or limit our processing of your personal data, or to object to our processing
- your right to file a complaint with the Swedish Authority for Privacy Protection
- where we gather your information from, if not gathered from you directly
If you consider your personal data to be erroneous or incomplete, you have the right to rectify the information and, in some cases, also to complete your personal data.
Withdraw your consent to future processing
To the extent where we are relying on your consent to process our personal data, you have, at any time, the right to withdraw your consent to future processing. This means that if you withdraw you consent, we will not be able use your data in the future.
In some circumstances, you have the right to have your personal data erased. However, the erasure cannot interfere with our requirement to keep public documents or the rules and regulations stated in the Archive Act. Also, the right to have your personal data erased does not apply if we process the data as part of our exercise of public authority or if we process the data for the purpose of public interest.
In some cases, you may also request that the processing of your personal data be limited.
You have the right to receive the personal data, which you have provided to the agency, in a structured, commonly used and machine-readable format and to transfer them to another controller if the processing is based on consent and is automated.
Contact information and complaints
To exercise your rights or if you have any queries about our processing of your personal data, you may contact the Swedish Forest Agency or our data protection officer. You can find our contact information under the heading "Controller". If you were not satisfied with the answer received, you have the right to file a complaint with the Swedish Authority for Privacy Protection.