Privacy Policy for ArkDes

At ArkDes we safeguard your personal integrity and constantly strive for a high level of data protection. We want you to feel secure in how we handle your personal data, which is why we are open about how we collect and process the information on you.

We ensure that your personal information is always protected by us and that the processing meets the requirements of the Data Protection Regulation GDPR and in internal guidelines. As a public authority, we are also required to have a Data Protection Officer reviewing these rules.

What is personal data and what is processing personal data?

Personal data is any information which can be used to identify a person who is alive. This can be civil registration number, name and address. Photographs taken and sound recorded of individuals which is processed on a computer can also be personal data event though no names are mentioned. Encrypted information and various types of electronic identities (for e.g. IP-address and cookies) is personal data if they can be linked to a natural person.

Processing personal data is everything that happens with the data. Every measure that is taken with the personal data is processing, regardless if it is automated or not. Common processes are for example: collecting, registering, organizing, structuring, changing, storing, handling, spreading, transmitting and deleting.

Who is responsible for the personal data we collect?

ArkDes, corporate ID-number 202100-3427, Slupskjulsvägen 9, 111 49 Stockholm, is responsible for all personal data which the organization collects.

 

What personal data do we collect from our visitors and for what purpose?

To handle orders of images from the collection

Data processing carried out
• Handling payment
• Digital delivery (including communication regarding the delivery)

Personal data categories
• Name
• Contact information (name, address, email and telephone number)
• Payment information

Legal basis
Execution of contract. The collection of your personal data is required for us to execute our commitment in accordance with the purchase agreement. If the data is not submitted our measures cannot be carried out and we will be forced to reject the purchase.

Storage period
From the time that purchase has been completed (including delivery and payment) and for a time up to 24 months thereafter to be able to handle any refunds and warranty claims.

 

To handle bookings of space and services, for example tours and classes

Data processing carried out
• Receiving bookings, re-booking and cancellations
• Sending out booking confirmations
• Communications regarding the booking
• Handling payment

Personal data categories
• Name
• Contact information (email and telephone number, invoice address)
• Corporate ID-number/ personal identity number
• Any other comments you choose to submit

Legal basis
Execution of contract. The collection of your personal data is required for us to execute our commitment in accordance with the service contract. If the data is not submitted our measures cannot be carried out and we will be forced to reject your booking.

Storage period
Up until the service is carried out.

To carry out the organizations legal obligations

Data processing carried out
Necessary processing for compliance with the organization’s legal obligations under legal requirements, rulings or by decision of public authority (for e.g. accounting law, archive law, rules on product liability and product safety).

Personal data categories
• Name
• Personal identity number (where applicable)
• Contact information (name, address, email and telephone number)
• Payment information

Legal basis
Legal obligation. This collection of personal data is required by law. If the data is not submitted then our legal duty cannot be carried out and we are forced to reject your purchase or booking.

Storage period
In accordance with corresponding law. For Accounting law it is 7 years.

 

To handle service matters and questions

Data processing carried out
• Communication and respons to questions regarding information service (via telephone, email, feedback forms or digitally, including social media).
• Investigation of complaints and questions.

Personal data categories
• Name or username
• Contact information (for e.g. email and telephone number).
• Your correspondence

Legal basis
Public interest and exercising official power as public authority. The processing is required for us to handle our duty as government organization and answer questions regarding our operations and our premises.

Storage period
Until the subscriber no longer wants to receive the correspondence.

 

To inform specific stakeholders about our work

Data processing carried out
• Collection of personal data of those who wish to subscribe to newsletters or receive other types of correspondence.
• Sending out newsletters, press releases and event invitations to special interest groups and lists.

Personal data categories
• Name
• Email address
• Postal address
• Telephone number (in certain cases, for communication regarding correspondence)

Legal basis
Consent. The processing is required to deliver newsletters, press releases and other correspondences to those who voluntarily have subscribed to these. If the data is not submitted or withdrawn then we can no longer provide the correspondence to the receiver.

Storage period
Until the subscriber no longer wants to receive the correspondence.

 

To inform the public of our operations

Data processing carried out
Information on current lecturers, exhibiting artists, class and conference organizers and curators, as well as, photographs and video recorded of architects, designers, curators, staff and audience (where applicable). To be used on the museum’s official communication channels such as website, correspondence and in social media.

Personal data categories
• Name and work title
• Images
• Sound and video recordings
• Contact information (where applicable)

Legal basis
Public interest and exercising official power as public authority. The processing is required for ArkDes to describe its operations and execute its official mission.

Storage period
Until the information is obsolete or no longer needed.

 

To be able to display, make available and convey our collection

Data processing carried out
Collection and registration of personal data regarding purchased, donated and objects on loan. Registration of owner history, provenance.

Personal data categories
• Name
• Contact information (address, telephone number, email)
• Birth year

Legal basis
Public interest and exercising official power as public authority. The processing is required for ArkDes to execute its official mission.

Storage period
In accordance with archival law and the Public Access to information and secrecy act.

 

To handle donations or lending out or objects on loan

Data processing carried out
Collection of data regarding institutions or people lending, borrowing or donating objects. Correspondence with architects, designers, artists, institutions, donators, sales people and lenders. Collections of company and personal data for those who transport and handle the objects.

Personal data categories
•  Name
•  Contact information (email, address, telephone number)

Legal basis
Agreement. The processing is necessary to receive, lend or lend out objects.

Storage period
For as long as the correspondence is current and valid. For contracts in accordance with archival law and the Public Access to information and secrecy act. Se paragraph on Legal obligation.

 

To handle research enquiries

Data processing carried out
Collection of personal data for visitors of archives and special collections. Correspondence between ArkDes and the enquirer.

Personal data categories
• Name
• Contact information (email or telephone number)
• Institution or similar

Legal basis
Public interest and exercising official power as public authority. The processing is required to handle enquiries and requests to view archive documents and items from the collection.

Storage period
For the year of activity.

 

To handle the borrowing of books

Data processing carried out
Collections of personal data when obtaining a library card. Communication with the lender and ArkDes regarding reservations and loans which are overdue.

Personal data categories
• Name
• Contact information (email, address, telephone number)
• Birth year (to be able to differentiate between people with the same name)

Legal basis
Contract. As a library card holder at ArkDes you have made an agreement with ArkDes. The processing is necessary for us to fulfil our part of the agreement and lend out books.

Storage period
For as long as you have a contract and use our services. We delete your data a year after your last loan.

 

To carry out and manage participation at events

Data processing carried out
• Collection and registration of those who wish to attend openings and press previews
• Managing attendees at openings and press previews (ticking off attendance lists)

Personal data categories
• Name
• E-mail address

Legal basis
Public interest and exercising official power as public authority. The processing is required to go through with the events and for the museum to carry out its official mission.

Storage period
Until the events are completed.

 

To recruit and hire staff

Data processing carried out
• Collection of personal data from job applications
• Communication regarding interviews

Personal data categories
• Name
• Personal identity number
• Contact information (address, email, telephone number)

Legal basis
Public interest and exercising official power as public authority. The processing is required for the museum to fill vacancies and for the museum to carry out its official mission.

Storage period
Until the recruiting is completed and for a time of up to 24 months after the hiring is finalized.

 

ArkDes handling of participation in projects or exhibitions through open calls

Data processing carried out

• Registration of participation in a project or exhibition.

Personal data categories
• Name
• Contact information (address, postal address, email address and telephone number)

Legal basis
Consent

Storage period
Until the project/exhibition has ended or until the participant wants to be deregistered.

 

Where do we get your personal data?

Beyond the data that you submit to us, or that we collect on you from your purchase, we can come to collect personal data while documenting our operations and events. In these instances the data that is collected is photographs, as well as, sound and video recordings.

 

Who do we share your personal data with?

Personal data controller. Where it is vital for us to be able to offer our services we will share your personal data with companies which are so-called personal data controllers to us. A personal data controller is a company that handles information on our behalf and in accordance with our instructions. We have personal data controllers helping us with:

1. Marketing and information (services for newsletters and correspondence, media and web agencies, distribution)
2. Transport (logistics and delivery companies)
3. Booking and service (to manage various events, guided tours and classes)
4. IT-services (companies that handle basic operations, tech support and maintenance of IT-solutions)

Your personal data is shared with a personal data controller only when the objective is consistent with the purposes of collecting the data (for e.g. in order to fulfil our commitment in accordance with an agreement or in exercising our official power as public authority). We have written contracts with all personal data controllers where it is stated that they guarantee the safety and security of the personal data that is being processed and where they agree to comply with our security demands and restrictions, as well as, demands regarding international transfer of personal data.

Companies which are independently responsible for personal data. We also share personal data with certain companies who are independently responsible for personal data. This means that we do not control how the information given to them is processed. These are:

1. State authority (the police, tax authority or other state authorities) if we are required to do so by law or because of a suspected crime.
2. Companies which offer payment services (payment facilitators, banks and other payment service provider).

 

Where do we process your data?

We always strive to so all of our data processing within the EU/EES – area and all of our own IT-systems and all of the personal data controllers we hire are within this area. During support and maintenance of our systems your data may be used by one of our service providers, we ensure that there always is a data protection policy in place so that the receiver processes the data in the same secure way we do.

In cases where data is used outside of the EU, for e.g. by one of our service providers, we ensure that there are safeguards and protective measures in place, for e.g. data transmission agreements, so that the receiver processes the data in the same secure way that we do.

What are your rights when we have your personal data?

Right of access (extraction from register). We are always open and transparent about how we carry out data processing with your personal data and you can at any time request access to the data.

Right of rectification. You can always request that your personal data be corrected if the data is incorrect. Within the framework of the stated purpose you have the right to supplement any incomplete personal data.

The right of erasure. You can request that we erase the personal data we have on you if:

• The data is no longer necessary for the purposes for which they were collected or processed.
• The personal data has been processed in an unlawful way.
• Personal data must be deleted to comply with a legal obligation we are subject to.

We have the right to refuse your request if there are obligations that prevent us from immediately deleting certain personal data. These obligations come from accounting and tax regulation legislation, bank- and money laundering legislation, but also from consumer rights legislation.

It may also be possible that processing is necessary for us to determine, enforce or defend legal claims. Should we be prevented from meeting a request for deletion, we will instead block personal data from being used for purposes other than the purpose that prevents the requested deletion.

The right to restriction. You have the right to request that our processing of your personal data be restricted. If you dispute that the personal data we process is accurate, you may request restricted treatment during the time we need to check whether your personal data is correct.

The right to data portability. If our right to process your personal data is based on either your consent or fulfilment of a agreement with you, you have the right to ask to have the information relating to you and that you have provided to us transferred to another data controller (known as data portability). A prerequisite for data portability is that the transfer is technically possible and can be automated.

 

How we handle personal identification numbers

We will only process your personal identification number when it is clearly motivated for the purpose, necessary for secure identification, or if there is any other significant reason.  We will always minimize the use of your personal identification number by using, when possible, your date of birth instead.

 

Cookies

General information about cookies
A cookie is a small text file that the website requests to store on the visitor’s computer and contains information. The browser saves the information in a particular location on your computer and returns the information in the cookie to the site visited at each request of pages / images from the site. Cookies on this site are used to enhance the user experience and optimization of the site.

There are two types of cookies
One type, called permanent cookie, saves a file that is left on the visitor’s computer. For example, it is used to customize a site according to the visitor’s wishes, choices and interests, as well as for statistical follow-up.

The other type is called session cookie. While a visitor is on a webpage a cookie is temporarily stored in the visitor’s computer’s memory. Session cookies disappear when you close your browser. ArkDes website uses both session cookies and permanent cookies. Regardless of the type of cookie used on this site, no personal information about the visitor (such as e-mail address or name) is saved. General information about cookies and the Electronic Communications Act is available at the The Swedish Post and Telecom Authority’s website (www.pts.se).

Avoiding cookies
If you do not accept the use of cookies, you can turn off cookies through your browser’s security settings. You can also set the browser to get a warning every time the site tries to put a cookie on your computer. Through the browser, previously stored cookies can also be deleted.   

See the browser’s help pages for more information on how to view which cookies are stored in your browser, how to delete them, and make settings for whether or not cookies are accepted.

 

How are your personal data protected?

We use IT systems to protect the privacy, integrity and access to personal data. We have taken special security measures to protect your personal data against illegal or unauthorized treatment (such as unauthorized access, loss, destruction or damage). Only those persons who actually need to process your personal data to fulfil our stated purposes have access to them.

 

What is the easiest way to contact us regarding questions data protection?

We take data protection very seriously and as an authority, we are also obliged to have a special data protection officer dealing with these issues. You can reach the data protection officer at dataskydd@arkdes.se

This privacy policy is a living document and content may change. The latest version is always available on this site.