Privacy Policy
At ArkDes we safeguard your personal integrity and constantly strive for a high level of data protection. We want you to feel secure in how we handle your personal data, which is why we are open about how we collect and process the information on you.
We ensure that your personal data is always protected with us and that the processing meets the requirements of the General Data Protection Regulation (GDPR) and internal guidelines.
As an authority, we are also obliged to have a data protection officer who reviews that these rules are followed. In this privacy policy, we explain how we collect and use your personal information. It also describes your rights and how to proceed to exercise them. It is important that you read and understand the privacy policy and feel secure in our processing of your personal data. You can always contact us with any questions.
According to archival legislation, public authorities are required to preserve public documents. ArkDes preserves and disposes of public documents in accordance with applicable rules and decisions. Personal data contained in public documents are kept as long as required by archival legislation.
Personal data that are not part of a public document are only stored as long as they are necessary for the purposes for which they are processed.
What personal data do we collect from our visitors and for what purpose?
Data processing carried out
• Handling payment
• Digital delivery (including communication regarding the delivery)
Personal data categories
• Name
• Contact information (name, address, email and telephone number)
• Payment information
Legal basis
Execution of contract. The collection of your personal data is required for us to execute our commitment in accordance with the purchase agreement. If the data is not submitted our measures cannot be carried out and we will be forced to reject the purchase.
Data processing carried out
• Receiving bookings, re-booking and cancellations
• Sending out booking confirmations
• Communications regarding the booking
• Handling payment
Personal data categories
• Name
• Contact information (email and telephone number, invoice address)
• Corporate ID-number/ personal identity number
• Any other comments you choose to submit
Legal basis
Execution of contract. The collection of your personal data is required for us to execute our commitment in accordance with the service contract. If the data is not submitted our measures cannot be carried out and we will be forced to reject your booking.
Data processing carried out
Necessary processing for compliance with the organization’s legal obligations under legal requirements, rulings or by decision of public authority (for e.g. accounting law, archive law, rules on product liability and product safety).
Personal data categories
• Name
• Personal identity number (where applicable)
• Contact information (name, address, email and telephone number)
• Payment information
Legal basis
Legal obligation. This collection of personal data is required by law. If the data is not submitted then our legal duty cannot be carried out and we are forced to reject your purchase or booking.
Data processing carried out
• Communication and respons to questions regarding information service (via telephone, email, feedback forms or digitally, including social media).
• Investigation of complaints and questions.
Personal data categories
• Name or username
• Contact information (for e.g. email and telephone number)
• Your correspondence
Legal basis
Public interest and exercising official power as public authority. The processing is required for us to handle our duty as government organization and answer questions regarding our operations and our premises.
Data processing carried out
• Collection of personal data of those who wish to subscribe to newsletters or receive other types of correspondence.
• Sending out newsletters, press releases and event invitations to special interest groups and lists.
Personal data categories
• Name
• Email address
• Postal address
• Telephone number (in certain cases, for communication regarding correspondence)
Legal basis
Consent. The processing is required to deliver newsletters, press releases and other correspondences to those who voluntarily have subscribed to these. If the data is not submitted or withdrawn then we can no longer provide the correspondence to the receiver.
Data processing carried out
Information on current lecturers, exhibiting artists, class and conference organizers and curators, as well as, photographs and video recorded of architects, designers, curators, staff and audience (where applicable). To be used on the museum’s official communication channels such as website, correspondence and in social media.
Personal data categories
• Name and work title
• Images
• Sound and video recordings
• Contact information (where applicable)
Legal basis
Public interest and exercising official power as public authority. The processing is required for ArkDes to describe its operations and execute its official mission.
Data processing carried out
Collection and registration of personal data regarding purchased, donated and objects on loan. Registration of owner history, provenance.
Personal data categories
• Name
• Contact information (address, telephone number, email)
• Birth year
Legal basis
Public interest and exercising official power as public authority. The processing is required for ArkDes to execute its official mission.
Data processing carried out
Collection of data regarding institutions or people lending, borrowing or donating objects. Correspondence with architects, designers, artists, institutions, donators, sales people and lenders. Collections of company and personal data for those who transport and handle the objects.
Personal data categories
• Name
• Contact information (address, telephone number, email)
Legal basis
Agreement. The processing is necessary to receive, lend or lend out objects.
Data processing carried out
Collection of personal data for visitors of archives and special collections. Correspondence between ArkDes and the enquirer.
Personal data categories
• Name
• Contact information (address, telephone number, email)
• Institution or similar
Legal basis
Public interest and exercising official power as public authority. The processing is required to handle enquiries and requests to view archive documents and items from the collection.
Data processing carried out
Collections of personal data when obtaining a library card. Communication with the lender and ArkDes regarding reservations and loans which are overdue.
Personal data categories
- Name
• Contact information (address, telephone number, email)
• Birth year (to be able to differentiate between people with the same name)
Legal basis
Contract. As a library card holder at ArkDes you have made an agreement with ArkDes. The processing is necessary for us to fulfil our part of the agreement and lend out books.
Storage period
For as long as you have a contract and use our services. We delete your data a year after your last loan.
Data processing carried out
• Collection and registration of those who wish to attend openings and press previews
• Managing attendees at openings and press previews (ticking off attendance lists)
Personal data categories
• Name
• E-mail address
Legal basis
Public interest and exercising official power as public authority. The processing is required to go through with the events and for the museum to carry out its official mission.
Data processing carried out
• Collection of personal data from job applications
• Communication regarding interviews
Personal data categories
• Name
• Personal identity number
• Contact information (address, email, telephone number)
Legal basis
Public interest and exercising official power as public authority. The processing is required for the museum to fill vacancies and for the museum to carry out its official mission.
Data processing carried out
• Registration of participation in a project or exhibition.
Personal data categories
• Name
• Contact information (address, postal address, email address and telephone number)
Legal basis
Consent.
What is personal data?
Personal data is any information which can be used to identify a person who is alive. This can be civil registration number, name and address. Photographs taken and sound recorded of individuals which is processed on a computer can also be personal data event though no names are mentioned. Encrypted information and various types of electronic identities (for e.g. IP-address and cookies) is personal data if they can be linked to a natural person.
Who is responsible for the personal data we collect?
ArkDes is responsible for all personal data which the organization collects.
What is processing personal data?
Processing personal data is everything that happens with the data. Every measure that is taken with the personal data is processing, regardless if it is automated or not. Common processes are for example: collecting, registering, organizing, structuring, changing, storing, handling, spreading, transmitting and deleting.
Where do we get your personal data?
Beyond the data that you submit to us, or that we collect on you from your purchase, we can come to collect personal data while documenting our operations and events. In these instances the data that is collected is photographs, as well as, sound and video recordings.
Who do we share your personal data with?
Personal data controller. Where it is vital for us to be able to offer our services we will share your personal data with companies which are so-called personal data controllers to us. A personal data controller is a company that handles information on our behalf and in accordance with our instructions.
We have personal data controllers helping us with:
- Marketing and information (services for newsletters and correspondence, media and web agencies, distribution)
- Transport (logistics and delivery companies)
- Booking and service (to manage various events, guided tours and classes)
- IT-services (companies that handle basic operations, tech support and maintenance of IT-solutions)
Your personal data is shared with a personal data controller only when the objective is consistent with the purposes of collecting the data (for e.g. in order to fulfil our commitment in accordance with an agreement or in exercising our official power as public authority). We have written contracts with all personal data controllers where it is stated that they guarantee the safety and security of the personal data that is being processed and where they agree to comply with our security demands and restrictions, as well as, demands regarding international transfer of personal data.
Companies which are independently responsible for personal data
We also share personal data with certain companies who are independently responsible for personal data. This means that we do not control how the information given to them is processed.
- State authority (the police, tax authority or other state authorities) if we are required to do so by law or because of a suspected crime.
- Companies which offer payment services (payment facilitators, banks and other payment service provider).
Where do we process your data?
We always strive to so all of our data processing within the EU/EES – area and all of our own IT-systems and all of the personal data controllers we hire are within this area. During support and maintenance of our systems your data may be used by one of our service providers, we ensure that there always is a data protection policy in place so that the receiver processes the data in the same secure way we do.
In cases where data is used outside of the EU, for e.g. by one of our service providers, we ensure that there are safeguards and protective measures in place, for e.g. data transmission agreements, so that the receiver processes the data in the same secure way that we do.
What are your rights when we have your personal data?
Right of access (extraction from register). We are always open and transparent about how we carry out data processing with your personal data and you can at any time request access to the data.
Right of rectification. You can always request that your personal data be corrected if the data is incorrect. Within the framework of the stated purpose you have the right to supplement any incomplete personal data.
The right of erasure. You can request that we erase the personal data we have on you if:
- The data is no longer necessary for the purposes for which they were collected or processed.
- The personal data has been processed in an unlawful way.
- Personal data must be deleted to comply with a legal obligation we are subject to.
We have the right to refuse your request if there are obligations that prevent us from immediately deleting certain personal data. These obligations come from accounting and tax regulation legislation, bank- and money laundering legislation, but also from consumer rights legislation.
It may also be possible that processing is necessary for us to determine, enforce or defend legal claims. Should we be prevented from meeting a request for deletion, we will instead block personal data from being used for purposes other than the purpose that prevents the requested deletion.
The right to restriction. You have the right to request that our processing of your personal data be restricted. If you dispute that the personal data we process is accurate, you may request restricted treatment during the time we need to check whether your personal data is correct.
The right to data portability. If our right to process your personal data is based on either your consent or fulfilment of a agreement with you, you have the right to ask to have the information relating to you and that you have provided to us transferred to another data controller (known as data portability). A prerequisite for data portability is that the transfer is technically possible and can be automated.
How do we handle personal identification numbers?
We will only process your personal identification number when it is clearly motivated for the purpose, necessary for secure identification, or if there is any other significant reason. We will always minimize the use of your personal identification number by using, when possible, your date of birth instead.
How are your personal data protected?
We use IT systems to protect the privacy, integrity and access to personal data. We have taken special security measures to protect your personal data against illegal or unauthorized treatment (such as unauthorized access, loss, destruction or damage). Only those persons who actually need to process your personal data to fulfil our stated purposes have access to them.
What is the easiest way to contact us regarding questions on data protection?
We take data protection very seriously and as an authority, we are also obliged to have a special data protection officer dealing with these issues. You can reach the data protection officer at dataskydd@arkdes.se.
This privacy policy is a living document and content may change. Last updated 2024.01.26.