Privacy Policy
In order to be able to offer our services and conduct our business, we, RISE Research Institutes of Sweden AB and other companies within the RISE Group (collectively "RISE"), need to process personal data. We do this in accordance with applicable legislation, including the General Data Protection Regulation (the "Data Protection Legislation") and with the utmost consideration for your personal privacy.
This privacy policy ("Policy") contains information about how and why we process your personal data, how you can contact us regarding personal data matters and how you can exercise your rights.
Data Controller
This Policy describes the personal data processing that RISE performs as a data controller in the companies listed below. This means that the RISE company that processes the personal data is the legal entity that is ultimately responsible for the processing and determines the purposes and means of such processing.
The RISE Group includes the following wholly and partly owned companies:
- RISE Research Institutes of Sweden AB, 556464-6874
- AstaZero AB, 556802-4946
- RISE Lignodemo AB, 556139-9485
- Innventia UK Ltd, 6 270 672
- Institut de la Corrosion RCS, 441396595
- SSPA Sweden AB, 556224-1918
- MoRe Research Örnsköldsvik AB, 556599-2277
- RISE ACREO AB, 556534-9007
- RISE Processum AB, 556641-7357
- RISE Fire Research, 982 930 057
- RISE PFI AS, 986 164 901
- SEEL Swedish Electric Transport Laboratory AB, 559155-5536
Scope
The Policy applies to everyone who has a relationship with RISE – employees, customers, suppliers, job applicants or other stakeholders. Additional information is available on www.ri.se regarding the use of cookies.
The Policy must be followed by both management and employees, as well as by others who work on behalf of or under the supervision of RISE, such as consultants and partners.
Everyone who handles personal data within RISE is responsible for ensuring that the processing takes place in accordance with this Policy and associated instructions and procedures.
Data Protection Officer
RISE has appointed a data protection officer who can answer questions regarding the processing of personal data. The Data Protection Officer can be reached by e-mail: dpo@ri.se.
Processing of personal data at RISE
At RISE, personal data is processed for the following overarching purposes:
Marketing and events
RISE processes personal data about recipients of RISE marketing material ("Recipients"), in connection with:
- The Recipient or their employer or client has or has had a business relationship with RISE, or has had discussions/negotiations with RISE about such a relationship
- The Recipient or their employer or client has registered the Recipient for one of RISE's courses/lectures/seminars or other events (“Events”)
- The Recipient or their employer or client has expressed the Recipient's interest in receiving newsletters, invitations and surveys from RISE
- The Recipient has visited RISE's website www.ri.se (read more about cookies on www.ri.se)
Personal data processed by RISE
The personal data that RISE processes about its Recipients includes name, address, telephone number, e-mail address, social security number, IP address and any media on which the Recipient may appear, such as recordings and reproductions of Events, such as audio, image and film. In addition, in some cases, additional personal data provided to RISE by the Recipient or their employer or client is processed.
From which sources RISE obtains Recipients' personal data
In addition to the information that the Recipient himself or herself provides to RISE, RISE may also collect personal data from the Recipient's employer or client, from public records or from other third parties with whom RISE collaborates in the context of its assignment and the Events.
Purpose and legal basis
On the basis of a contract or legitimate interest as a legal basis, RISE processes personal data for the following purposes:
- To manage and carry out Events for which the Recipient or their employer or client has registered the Recipient, including related communication, administration and dissemination of information.
This processing is required in order for RISE to be able to fulfil its obligations under the agreement entered into with, or discussed or negotiated with, RISE.
When the agreement is entered into with the Recipient's employer or client, the processing is instead carried out on the basis of RISE's legitimate interest as a legal basis, where RISE's interest in fulfilling its obligations and safeguarding its rights under the entered or negotiated agreement is not deemed to be a major intrusion into the Recipient's privacy and that the Recipient can reasonably expect this processing.
On the basis of legitimate interest, RISE also processes personal data for the following purposes:
- Communication regarding invitations to and information about RISE's upcoming Events.
- Marketing of RISE's activities and projects by publishing the documentation on RISE's internal and external communication channels, such as www.ri.se, social media, etc.
If RISE considers that this processing is in RISE's legitimate interest, does not disproportionately infringe on the Recipient's privacy, and if RISE assumes that the Recipient can reasonably expect this processing, the processing will be carried out on the basis of legitimate interest as a legal basis.
To whom personal data is disclosed
Only persons within RISE who, within the framework of their employment, have access to the systems where the personal data is processed have access to these.
RISE may disclose personal data to data processors who process personal data on RISE's behalf, such as suppliers of provision, support and maintenance of IT and cloud services, suppliers of market and customer surveys, etc.
RISE shares Recipients' personal data with other companies within the RISE Group if it is necessary to enable the RISE Group to use the same IT system, e.g. financial systems, customer registers, etc., in order to coordinate its assignments in an efficient manner. RISE may publish the Recipient's personal data (such as photos taken at Events) on the internet, e.g. on www.ri.se, social media, etc., meaning that this personal data may become visible to the visitors to the relevant websites.
RISE may also share Recipients' personal data with third parties who are independent data controllers, such as third parties with whom RISE collaborates within the framework of its assignment, insurance companies in the event of an injury that has occurred, authorities if such disclosure is required by law, etc.
Storage times and disposal
RISE processes Recipients' personal data for as long as it is necessary in relation to the purposes for which they were collected.
The personal data processed for marketing purposes is erased after 18 months from the last time RISE sent a newsletter or other marketing to the Recipient.
The personal data processed for Event purposes is erased 12 months after the Recipient's participation in the Event in question. Information regarding allergies will be erased immediately after the completion of the Event.
Network members
RISE processes personal data about members of RISE's research or collaboration network ("Member"), in connection with the Member or his or her employer having or having had a business relationship with RISE regarding the Member's membership in the RISE network or having or having had discussions/negotiations with RISE regarding such a business relationship.
Personal data processed by RISE
The personal data that RISE processes about its members is name, telephone number, email address and social security number, which RISE has received from you or your employer or client.
From which sources RISE obtains Members' personal data
In addition to the information that the Member himself or herself provides to RISE, RISE may also collect personal data from the Member's employer or client, from public registers or from other third parties with whom RISE collaborates within the scope of its assignment.
Purpose and legal basis
On the basis of a contract or legitimate interest, RISE processes personal data for the following purposes:
- Manage and implement the current contractual relationship regarding the various networks to which the Member or their employer or client has reported the Member's participation, as well as various communication, follow-up and administration in connection with the Member's participation in these networks.
- Invoice processing and payments related to membership in the networks.
This processing is required in order for RISE to be able to fulfil its obligations under the agreement entered into with, or discussed or negotiated with, RISE. If the agreement is entered into with the Member's employer or client, this processing is instead carried out on the basis of RISE's legitimate interest as a legal basis, where RISE's interest in fulfilling its obligations and safeguarding its rights under the entered or negotiated agreement is not deemed to be a major intrusion into the Member's privacy and that the Member can reasonably expect this processing.
On the basis of legitimate interest, RISE also processes personal data for the following purposes:
- Marketing of RISE's operations, projects and events.
- Establishing, exercising and defending legal claims.
- Comply with applicable laws and regulations, e.g. the Accounting Act.
- Implementation, management, administration, follow-up and evaluation of customer surveys.
If RISE considers that this processing is in RISE's legitimate interest, does not disproportionately infringe on the Member's privacy, and if RISE assumes that the Member can reasonably expect this processing, the processing will be carried out on the basis of legitimate interest as a legal basis.
To whom personal data is disclosed
RISE applies appropriate technical and organisational security measures to protect personal data against loss, misuse and unauthorized access, among other things. Only persons within RISE who, within the framework of their employment, have access to the systems where the personal data is processed have access to these.
RISE shares personal data with data processors who handle information on behalf of RISE regarding, for example, suppliers of provision, support and maintenance of IT and cloud services, suppliers of market and customer surveys, etc.
RISE shares Members' personal data with other companies within the RISE Group if it is necessary to enable the RISE Group to use the same IT system, e.g. financial systems, customer registers, etc., in order to coordinate its assignments in an efficient manner.
RISE may also share Members' personal data with third parties who are independent data controllers, e.g. third parties with whom RISE collaborates within the framework of its assignment, other network members, insurance companies in the event of an injury that has occurred, authorities if such disclosure is required by law, etc.
Storage times and disposal
RISE processes Members' personal data for as long as it is necessary in relation to the purposes for which it was collected.
Personal data that is saved for purposes linked to a business relationship is retained for as long as there are rights and obligations to safeguard in such a business relationship and as long as there are legal obligations for RISE to retain the data.
After that, the personal data will be erased. The personal data processed for marketing purposes is erased after 18 months.
Candidates
Here you will find information about the collection, processing, storage and sharing of personal data relating to job applicants and candidates ("Candidates"). RISE, or the company that has been explicitly stated as the data controller regarding the recruitment or future employment ("Data Controller"), processes personal data about the Candidate, on the grounds that he/she:
- Visits our careers page, and/or
- Joins our candidate network, creates a profile in our recruitment tool and receives information about current or future vacancies with us, and/or
- Applies for a position with us, through our Careers Site or a third-party service, and/or
- Is recommended by our employees or partners, as they consider the profile to be of interest to our current or future vacancies.
This Policy also describes what rights you have when we process your personal data, and how you can exercise these rights.
Personal data processed by RISE
The personal data that the Data Controller processes is name, address, telephone number, e-mail address, social security number, photograph, educational background, professional experience and CV, information from any references, other information provided in application documents or otherwise in the recruitment process, any results from recruitment tests such as MAP and Matrigma, and any interview notes.
In the recruitment process, the Candidate is advised not to submit any so-called sensitive personal data (e.g. gender, religious beliefs or otherwise) as this data is not relevant to the recruitment process. If the Candidate has nevertheless chosen to submit such data, the Data Controller will process and, at its sole discretion, erase it, based on the lawful basis relied on at the time of collection and the voluntary consent the Candidate is deemed to have provided when submitting such data.
When Candidates visit our careers site, we collect information about the Candidate's device, such as IP address, browser type and version, session behaviour, traffic source, screen resolution, preferred language, geographic location, operating system, and device settings/usage. We also collect technical and statistical data about the Candidate's use of websites, such as information about which URLs he visits and his activity on the website. Read more in our cookie policy on www.ri.se.
From which sources RISE obtains Candidates' personal data
In addition to the information that the Candidate himself provides to RISE, RISE may also collect personal data from other sources, such as other companies within the RISE Group and the Swedish Tax Agency. Some data is collected at the time of employment and other data is collected on an ongoing basis during the period of employment.
Purpose and legal basis
On the basis of RISE's legitimate interest, RISE processes personal data for the following purposes:
- Review the application documents and assess and evaluate the Candidate as a Candidate based on the information that he/she has provided to the Data Controller in their application documents individually and in relation to other candidates.
- Manage the recruitment administration around communication with the Candidate, booking of interviews and keeping interview notes.
- Carry out personality tests in the recruitment process and analyse and assess the results.
- Storing information about the Candidate's use of the Careers Site, using cookies and other tracking technologies to ensure the security of the Careers Site and for the proper functioning of the Site. Read more in our cookie policy on www.ri.se.
This processing is necessary for the Data Controller to be able to recruit Employees with the right skills for the business, which constitutes the Data Controller's legitimate interest.
On the basis of consent, RISE processes personal data for the following purposes:
- Save the Candidate's personal data in the Data Controller's candidate network in order to be able to inform about any future vacancies.
- Storing information about the Candidate's use of the Careers Site, using cookies and other tracking technologies in order to optimize websites, keep statistics and carry out marketing activities. Read more in our cookie policy on www.ri.se.
If the Data Controller intends to carry out such processing, special consent will be obtained before it begins.
On the basis of a legal obligation, RISE processes personal data for the following purposes:
- Negotiate with the relevant trade unions when appointing managers with personnel responsibility
- To safeguard the Data Controller's rights under the Discrimination Act, and
- Other legal obligations.
To whom Candidates' personal data is disclosed
The Data Controller may disclose personal data to other companies within the Group to enable the processing of personal data for the above purposes.
The Data Controller may disclose personal data to data processors who handle information on behalf of the Data Controller, such as suppliers of provision, support and maintenance of IT and cloud services, suppliers of recruitment tools and recruitment services, etc.
The Data Controller may disclose personal data to other actors who are independent data controllers, if such disclosure is required by applicable law, or because the Data Controller has a legitimate interest in disclosing these, such as trade unions, authorities, third parties in order to safeguard the Data Controller's rights, for example in connection with labour law disputes, etc.
Storage times and disposal
The personal data processed for the purpose of filling an advertised position is retained for as long as the recruitment process is ongoing, and to the extent necessary for the Data Controller to be able to defend any legal claims. After that, the data will be erased, unless the Candidate has given their consent to the storage period being extended, e.g. by applying for a new advertised position with us or joining our Candidate Network.
If the Candidate does not proceed from the initial recruitment process and has given their consent to be contacted for future vacancies, we will retain their personal data for as long as they give their consent. If the Candidate only connects to our Candidate Network, we will retain the Candidate's personal data for as long as the Candidate gives their consent.
If the Candidate is recommended by our employees or partners, the personal data will be retained for as long as the Candidate gives their consent. The storage times for cookies are set out in our cookie policy on www.ri.se.
Employees
Here you will find information about the collection, processing, storage and sharing of personal data relating to employees, regardless of their type of employment ("Employees"). RISE processes Employees' personal data in accordance with what is stated in this information text. Some parts only apply to employees, other parts also apply to consultants, contractors, interns and degree projects.
Personal data processed by RISE
The personal data that RISE processes about its Employees is name, date of birth, social security number (or equivalent), employment number, gender, telephone number, address, e-mail address, position, organisational affiliation, photographs, date of employment, time of termination, reason for resignation, period of employment, managerial role, employment rate, nationality, citizenship, language preference, worker/salaried employee, education/competence, level of education, highest completed education and, where required, other basic personal data.
Personnel Management:
Next of kin and contact details of the same, working hours, cost centre, qualifications, evaluations, work performance, where applicable written warnings, job evaluation, salary information, bank account number, tax information, holiday balance, insurance and pension insurance information, trade union membership, collective agreement affiliation, health information, absence, sick leave, capacity to work, rehabilitation measures, work-related incidents, residence permit, work permits, travel information, corporate card numbers, travel invoices and allowances and, where required, other personal data for human resource management.
Communication & Security:
Personal data required to give Employees access to RISE premises, computer systems and networks, including work e-mail, IP addresses and user IDs for login, computer numbers, device IDs, system access logs in the RISE IT environment, as well as other types of personal data that are logged when using computer systems and networks and when entering RISE premises.
Customer service and support information, such as questions from the Employee or its manager/HR regarding the Employee's employment or IT equipment or support provided to the Employee in relation to these.
From which sources RISE obtains Employees' personal data
In addition to the information the employee provides to RISE, RISE may also collect personal data from other sources, such as the Swedish Tax Agency. Some data is collected at the time of employment while other data is collected on an ongoing basis during the period of employment.
Purpose and legal basis for processing Employees' personal data
On the basis of a contract and legal obligation, RISE processes personal data for the following purposes:
- administration (registration of employees in IT systems, management and payment of salaries, salary review, leave, absence, time reporting, benefits, internal reports, statistics, project follow-up, general administration of employment, contact lists, organizational chart, training, handling of taxes and social security contributions, accounting, etc.)
- pension, insurance, work environment and rehabilitation matters (handle investigation and notification of occupational injury, contact with occupational health care, pension provisions, etc.)
- matters related to labour law and trade union cooperation (negotiating or conducting consultations with trade unions, conducting performance appraisals and salary reviews, giving notice and notice of termination of fixed-term employment, handling dismissal, applying rules on priority and preferential rights, conducting investigations and implementing measures against harassment under the Discrimination Act, etc.)
- Compliance with laws, regulations, and rules
This processing is required in order for RISE to be able to fulfil its obligations under the employment contract and applicable collective agreements and to comply with the regulations of labour law and work environment law, data protection legislation, protective security legislation, as well as other laws, regulations and rules that are mandatory for RISE's operations.
On the basis of RISE's legitimate interest, RISE processes personal data for the following purposes:
- Switchboard and reception solutions
- IT support management (providing and maintaining support and tools necessary for the effective implementation, planning, analysis and follow-up of tasks, e.g., licences, permissions, applications, subscriptions, databases, contact lists and telephone directory, etc.)
- enable business travel, hotels, accommodation and event participation
- third-party relationships (managing relationships, commitments, obligations, instructions, etc. to third parties, e.g. financiers, clients, partners and other business relationships)
- research and development-related activities (project applications, reporting, statistics, publication and archiving of project results, intellectual property protection of inventions, etc.)
- recruitment-related activities (managing, publishing, and administering recruitment advertisements)
- communication and marketing (dissemination of information and knowledge and other marketing of RISE's activities and projects in RISE's internal and external communication channels – e.g. on RISE's intranet, internet, social media, etc.)
- support and communication in connection with the employment and performance of the Employee's duties and performance
- skills development (mapping of tasks, skills and training, analyses of educational attainment, skills development measures, evaluation and assessments, training measures, etc.)
- Benefits management (enabling the offering, offering, administering, and maintaining benefits agreements and benefits management)
- security and confidentiality (controlling and counteracting unauthorized intrusion into the RISE Group's premises and IT environment, logging of login and login attempts as well as activities in the RISE IT environment, use of access cards, contact with relatives in the event of an emergency, etc.)
- establishing, exercising or defending legal claims
- regulatory compliance (control and follow-up of internal compliance with RISE policies and Code of Conduct applicable at any given time, investigate any illegal activities, handle any reports of violations in RISE's whistleblowing system, etc.)
- business development (evaluate and develop RISE's operations, conduct employee surveys, etc.)
- carry out tasks within the framework of RISE's assignment
If RISE considers that the processing is in RISE's legitimate interest, does not disproportionately infringe on the Employee's privacy, and if RISE considers that the processing is within the framework of the employee's employment/assignment at RISE and assesses that the Employee can reasonably expect this processing, the processing will be carried out on the basis of a balancing of interests as a legal basis.
If processing does not meet these conditions, or if consent is required under the Data Protection Legislation, specific consent is obtained before the processing is carried out.
To whom Employees' personal data is disclosed
Only persons within RISE who need to process personal data in accordance with the purposes stated above have access to the data.
RISE shares personal data with other companies within the RISE Group, e.g. if it is necessary to enable the RISE Group to use the same IT system, e.g. financial system, business system, HR system, payroll system, etc., in order to be able to manage Group-wide support functions in an efficient manner.
RISE may disclose personal data to personal data processors who handle information on behalf of RISE, e.g. providers of occupational health care, management and employee surveys, recruitment services, benefits portal, payroll administration, IT and cloud services, etc.
RISE may also share personal data with independent data controllers if such disclosure is required for the purpose for which the data was collected, e.g. the Swedish Social Insurance Agency, the Swedish Migration Agency and other authorities, third parties with whom RISE has or is expected to have a contractual relationship (e.g. customer and partner partners, providers of occupational health care, insurance solutions, travel management, logistics, transport, hotels, conferences, advertising and media agencies, social media, etc.), or other third parties if required for the purpose for which the data was collected.
In the event that RISE shares personal data with third parties, RISE will take all reasonable measures to ensure that appropriate safeguards are in place to ensure an appropriate level of protection for the personal data required by the Data Protection Legislation.
Storage times and disposal
RISE processes Employees' personal data for as long as it is necessary in relation to the purposes for which they were collected.
Certain personal data is erased in connection with the termination of the employment or assignment. Other personal data is retained for a longer period of time because there are legal obligations for RISE to continue to process these, e.g. to draw up an employer's certificate or to prove that correct tax deductions have been made, or because RISE needs to retain the personal data in order to safeguard its rights.
As the possibilities to direct claims against RISE expire (statute of limitations), the personal data will be erased.
Information about length of employment is retained until the employee has reached retirement age, and the basis for contributions to pension insurance is saved for as long as the employee is alive.
Customer and business contacts
Here you will find information about the collection, processing, storage and sharing of personal data relating to contact persons at customers or business partners ("Contact Persons"). RISE processes personal data belonging to Contact Persons, in connection with the fact that the Contact Person or their employer or client has or has had a business relationship with RISE or is in or has had discussions/negotiations with RISE about a future business relationship.
Personal data processed by RISE
The personal data that RISE processes about its Contact Persons includes name, address, telephone number, e-mail address and, in some cases, social security number. In addition, in some cases, additional personal data provided to RISE by the Contact Person or their employer or client is processed.
From which sources RISE obtains Contact Persons' personal data
In addition to the information that the Contact Person provides to RISE, RISE may also collect personal data from the Contact Person's employer or client, from public registers or from other third parties with whom RISE collaborates within the framework of its assignment.
Purpose and legal basis
On the basis of a contract or legitimate interest, RISE processes Contact Persons' personal data for the following purposes:
- Implementation, management, administration, follow-up, etc. of the business relationship in question and its deliveries, associated communication by telephone, e-mail, text message or other communication channels, as well as invoice processing and payment purposes.
This processing is required in order for RISE to be able to fulfil its obligations under the agreement entered into with, or discussed or negotiated with, RISE.
If the agreement is entered into with the Contact Person's employer or client, this processing is instead carried out on the basis of RISE's legitimate interest as a legal basis, where RISE's interest in fulfilling its obligations and safeguarding its rights under the entered or negotiated agreement is not deemed to be a major intrusion into the Contact Person's privacy and that the Contact Person can reasonably expect this processing.
On the basis of legitimate interest, RISE also processes the personal data of Contact Persons for the following purposes:
- Implementation, management, administration, follow-up and evaluation of customer surveys.
- Marketing of RISE's operations, projects and events.
- Establishing, exercising and defending legal claims.
- Comply with applicable laws and regulations, e.g. the Accounting Act.
To whom personal data is disclosed
Only persons within RISE who, within the framework of their employment, have access to the systems where the personal data is processed have access to these.
RISE may disclose personal data to data processors who handle information on behalf of RISE, e.g. suppliers of provision, support and maintenance of IT and cloud services, suppliers of e.g. market and customer surveys, etc.
RISE shares Contact Persons' personal data with other companies within the RISE Group if it is necessary to enable the RISE Group to use the same IT system, e.g. financial systems, customer registers, etc., in order to coordinate its assignments in an efficient manner.
RISE may also share the personal data of the Contact Persons with third parties who are independent data controllers, e.g. third parties with whom RISE collaborates within the framework of its assignment, the National Board of Housing, Building and Planning in the context of certification, insurance companies in the event of an injury that has occurred, authorities if such disclosure is required by law, etc.
Storage times and disposal
RISE processes the personal data of Contact Persons for as long as it is necessary in relation to the purposes for which they were collected.
Personal data that is saved for purposes linked to a business relationship is retained for as long as there are rights and obligations to safeguard in such a business relationship and as long as there are legal obligations for RISE to retain the data. After that, the personal data will be erased.
The personal data processed for marketing purposes is erased after 18 months.
Suppliers
RISE processes personal data belonging to contact persons at RISE Tenderers and Suppliers ("Contact Persons"), in connection with the Contact Person or their employer or client having or having had a business relationship with RISE or having or having held discussions/negotiations with RISE about a future business relationship.
Personal data processed by RISE
The basic personal data that RISE processes about its Contact Persons includes name, address, telephone number, e-mail address, CV and, in some cases, social security number. In addition, in some cases, additional personal data provided to RISE by the Contact Person or their employer or client is processed.
From which sources RISE obtains Contact Persons' personal data
In addition to the information that the Contact Person himself provides to RISE, RISE may also collect personal data from the Contact Person's employer or client.
Purpose and legal basis
On the basis of a contract or legitimate interest, RISE processes Contact Persons' personal data for the following purposes:
- Manage, analyse and administer submitted tenders and communication in relation to the tender, as well as award contracts to the winning bidder.
- Manage, administer and fulfill orders and communication in connection with orders or regarding other matters that may arise in connection with the offer or the awarded agreement.
- Implementation, management, administration, follow-up, etc. of the business relationship in question and its deliveries, associated communication by telephone, e-mail, text message or other communication channels, as well as invoice processing and payment purposes.
This processing is required in order for RISE to be able to fulfil its obligations under the agreement entered into with, or discussed or negotiated with, RISE.
If the agreement is entered into with the Contact Person's employer or client, this processing is instead carried out on the basis of RISE's legitimate interest, namely RISE's interest in fulfilling its obligations and safeguarding its rights under the entered or negotiated agreement. This processing is not deemed to be a major intrusion into the Contact Person's privacy, and the Contact Person can reasonably expect it.
On the basis of legitimate interest, RISE also processes the personal data of Contact Persons for the following purposes:
- Implementation, management, administration, follow-up and evaluation of supplier surveys.
- Marketing of RISE's operations, projects and events.
- Comply with applicable laws and regulations, e.g. the Accounting Act.
- Establishing, exercising and defending legal claims.
The Contact Person should reasonably be able to expect this processing, which is not deemed to be a major intrusion into the Contact Person's privacy.
To whom personal data is disclosed
RISE applies appropriate technical and organisational security measures to protect personal data against loss, misuse and unauthorized access, among other things. Only persons within RISE who, within the context of their employment, have access to the systems where the personal data is processed have access to the data.
RISE discloses personal data to data processors who handle information on behalf of RISE, e.g. suppliers of provision, support and maintenance of IT and cloud services, suppliers of e.g. supplier surveys, etc.
RISE shares personal data with other companies within the RISE Group if it is necessary to enable the RISE Group to use the same IT system (e.g. financial systems, supplier registers, etc.), in order to coordinate its assignments in an efficient manner.
RISE shares personal data with third parties who are independent data controllers, e.g. third parties with whom RISE collaborates within the context of its assignment, insurance companies in the event of an injury that has occurred, authorities if such disclosure is required by law, etc.
Storage times and disposal
RISE processes personal data for as long as it is necessary in relation to the purposes for which it was collected.
Personal data that is saved for purposes linked to a business relationship is retained for as long as there are rights and obligations to safeguard in such a business relationship and as long as there are legal obligations for RISE to retain the data. After that, the personal data will be erased.
Visitor
Here you will find information about the collection, processing, storage and sharing of personal data regarding persons who visit, access or stay on RISE's premises ("Visitors").
Personal data processed by RISE
The personal data that RISE processes about its visitors includes the name and the Visitor's company, employer or client.
From which sources RISE obtains Visitors' personal data
In addition to the information that the Visitor himself provides to RISE, RISE may also collect personal data from other sources, such as the Visitor's employer.
Purpose and legal basis
On the basis of RISE's legitimate interest, RISE processes personal data for the following purposes: security and confidentiality purposes (e.g. to ensure that no visitors are on RISE's premises in the event of a fire or other security incident, or to establish, exercise or defend RISE's rights regarding security and confidentiality). RISE considers that this processing is in RISE's legitimate interest and does not disproportionately infringe on the Visitor's privacy. RISE also considers that this processing is within the framework of the visit to or access to RISE's premises and assumes that the Visitor can reasonably expect this processing.
To whom personal data is disclosed
Only persons within RISE who need to process personal data in accordance with the purposes stated above have access to the data.
RISE discloses personal data to personal data processors who handle information on behalf of RISE regarding, for example, suppliers of IT systems.
RISE discloses personal data to third parties if RISE is obliged to disclose the data according to applicable law, to authorities or other third parties in order to safeguard RISE's interests, for example in the event of burglary in RISE's premises or other security incidents that have occurred, or in connection with emergencies where the health and safety of Visitors or other persons is at risk.
Storage times and disposal
RISE processes Visitors' personal data for as long as it is necessary in relation to the purposes for which it was collected.
Certain personal data is erased in connection with the end of the visit. Other personal data is retained for up to 3 months because RISE needs to keep the personal data in order to safeguard its rights regarding security and confidentiality.
Research participants
Here you will find information about the collection, processing, storage and sharing of personal data regarding participants ("Participants") in research projects, collaborative projects, centres or research studies ("Research Projects"). RISE processes personal data belonging to Participants in Research Projects in connection with the Participant or their employer or client participating or having participated in Research Projects (or in the application thereof).
Personal data processed by RISE
The basic personal data that RISE processes about its Participants is name, address, telephone number, e-mail address, photograph, social security number, financial information (e.g. salary and bank account number), CV and level of education.
From which sources RISE obtains Participants' personal data
In addition to the personal data that RISE collects from the Participant himself, RISE may also collect personal data from the Participant's employer or client, from public registers, from other project parties, or from other third parties with whom RISE collaborates within the framework of its assignment.
Purpose and legal basis
On the basis of an agreement or legitimate interest, RISE processes participants' personal data for the following purposes:
- Apply for Research Projects and compensation for such.
- Plan, carry out and administer Research Projects and associated communication through telephone, e-mail, text message or other communication channels.
This processing is required in order for RISE to be able to fulfil its obligations under the agreement entered into with, or discussed or negotiated with, RISE regarding the Research Project. If the agreement is entered into with the Participant's employer or client, this processing is instead carried out on the basis of RISE's legitimate interest as a legal basis, where RISE's interest is to fulfil its obligations and take advantage of its rights under the entered or negotiated agreement. The processing cannot be considered to significantly infringe on the Participant's privacy and is something that the Participant can reasonably expect through their participation in Research Projects.
On the basis of legitimate interest, RISE also processes Participants' personal data for the following purposes:
- Fulfil commitments to the research funder (e.g. reporting and accounting) and any contractual commitments to other parties participating in the Research Project in question (e.g. payment of remuneration).
- Internal and external communication of the Research Project, e.g. on the RISE intranet, www.ri.se, social media and other relevant communication channels.
- Comply with research ethics principles (e.g. archiving of research material, Good Laboratory Practice, Good Manufacturing Practice, etc.)
- RISE's upcoming Research Project and its associated activities.
- Marketing of RISE's operations, projects and events.
- Conducting and evaluating customer and market research.
- Establishing, exercising and defending legal claims.
- Comply with applicable laws and regulations, e.g. the Accounting Act.
This processing is done with the support of RISE's legitimate interest, where RISE's interest in developing expertise and collaborative networks as a research institute to contribute to strengthening Swedish industry and contributing to sustainable growth constitutes RISE's legitimate interest.
On the basis of consent, RISE processes Participants' personal data for the following purposes:
- Evaluate how study results differ between different categories of data subjects, e.g. differences between the different genders or other so-called sensitive or privacy-sensitive personal data.
If such processing is to be carried out, RISE obtains the Participant's special consent before the processing is carried out.
To whom personal data is disclosed
Only persons within RISE who, within the framework of their employment, have access to the systems where the personal data is processed have access to the data.
RISE shares Participants' personal data with other companies within the RISE Group if it is necessary to enable the RISE Group to use the same IT system, e.g. financial systems, customer registers, etc., in order to coordinate its assignments in an efficient manner.
RISE may disclose personal data to data processors who handle information on behalf of RISE, e.g. suppliers of provision, support and maintenance of IT and cloud services, suppliers of e.g. market and customer surveys, etc.
RISE may also share certain personal data belonging to Participants with third parties who are independent data controllers, e.g. third parties with whom RISE collaborates within the framework of its assignment, research funders, third parties who participate in the Research Project or who for other reasons have an interest in the Research Project, insurance companies in the event of an injury that has occurred, authorities if such disclosure is required by law, etc.
Storage times and disposal
RISE processes Participants' personal data for as long as it is necessary in relation to the purposes for which it was collected. After that, the personal data will be erased.
Personal data retained for purposes linked to Research Projects is retained for as long as there are rights and obligations to safeguard in such a contractual relationship, for as long as the research funder requires, and as long as there are legal obligations or research ethics principles for RISE to retain the data, e.g. as long as RISE needs to be able to repeat experiments and research implementation where there is relevance and interest in the results and impact of the Research Project, etc.
Personal data that is processed for the establishment, exercise and defence of legal claims and to comply with applicable laws and regulations, e.g. the Accounting Act, is retained for as long as such claims are at risk of becoming relevant, and for as long as such laws and regulations are to be complied with.
Central guidelines and processes for data protection at RISE
Education
All employees undergo basic data protection training, to ensure awareness and understanding of the importance of handling personal data correctly.
Employees are also provided with the instructions and procedures they need for each of them to be able to carry out their work in line with the Data Protection Legislation.
Record of processing activities
Detailed information about each type of processing of personal data that occurs in processes, IT systems, etc. within RISE's operations is documented in RISE's record of processing activities. The list is administered by the Data Protection Officer and is kept regularly updated as a comprehensive register in accordance with the requirements of Article 30 GDPR.
The list is presented to the supervisory authority upon request.
Legal basis
Each processing of personal data must have a specified legal basis, e.g. based on a balancing of interests or through the data subject's consent to the processing. No personal data may be processed at RISE without an identified and appropriate legal basis.
Purpose limitation and data minimisation
Personal data may only be processed for specific and clearly defined purposes, and only to the extent necessary, in accordance with Data Protection Legislation. Any further processing of already collected personal data for new purposes must always be preceded by a compatibility assessment and consultation with RISE Legal.
Permission restriction
The personal data processed within the business should only be available on a need-to-know basis. Sensitive personal data is subject to stricter authorisation restrictions than less sensitive data.
Storage minimization
Personal data that is no longer required for the purpose for which it was collected – and which RISE is not obliged to retain for other reasons – must be erased on an ongoing basis in accordance with current deletion procedures.
Right of access
All individuals whose personal data is processed by RISE have the right to information about how their personal data is processed in accordance with the Data Protection Act.
You have the right to receive information about what personal data about you RISE processes. Upon request, you may obtain a free copy of this information in the form of a register extract. The register extract includes information on the purpose of the processing, the categories of personal data processed, the recipients of the data, the storage period of the data, the source of the data collected and the use of automated decision-making.
In addition, information is also provided within the framework of specific processes, such as when registering for events, starting Research Projects, during recruitment processes and when signing employment contracts.
Right to object
If RISE processes your personal data on the basis of a balancing of interests as a legal basis, you have the right to object to this processing at any time. In order for us to continue to process your personal data after such an objection, we must be able to demonstrate a compelling legitimate reason that outweighs your interests, rights or freedoms. If such a reason does not exist, we may only process the data for the establishment, exercise or defence of legal claims.
You also have the right to object to your personal data being used for direct marketing, including profiling, i.e. analysis of personal data that forms the basis for marketing activities. Direct marketing includes all forms of outreach marketing, such as by mail, email, and text message. If you object to the processing of your data for direct marketing purposes, we will immediately cease such processing.
Right to restriction
You have the right to request that we restrict the processing of your personal data if the processing is unlawful and you oppose the erasure of the data, but instead want us to restrict its use. You can also request restriction if we no longer need the personal data for the purposes for which it was collected, but you need it to establish, exercise or defend legal claims.
If you believe that the personal data we process about you is incorrect, you have the right to request restriction of processing for the time we need to verify the accuracy of the data.
If you have objected to processing based on a balancing of interests, you have the right to request limited processing during the time we investigate whether our legitimate interests outweigh your interests in having the data erased.
If we decide to restrict processing, we may only – in addition to storing the personal data – process it for the establishment, exercise or defence of legal claims, to protect the rights of others, or if you have given your consent.
Right to rectification
You have the right to request that we correct inaccurate personal data or complete incomplete data about you.
Right to data portability
You have the right to request that we transfer personal data about you to another data controller (data portability). However, we can only comply with such a request under certain conditions: the processing must be based on consent or be necessary in order to fulfil a contract, the processing must take place automatically, and the transfer must be technically feasible.
Right to erasure (right to be forgotten)
You have the right to request that we erase personal data about you if one of the following applies:
a) The personal data is no longer necessary for the purposes for which it was collected or processed.
b) You withdraw your consent and there is no other legal basis for the processing.
c) You object to a balancing of interests and your reason outweighs our legitimate interest.
d) You object to processing for direct marketing purposes.
e) The personal data is processed unlawfully.
f) The personal data must be erased in order to comply with a legal obligation to which we are subject.
g) Personal data of a child under the age of 13, for whom you have parental responsibility, has been collected in connection with the provision of information society services.
However, we may deny your request for erasure if we need to process the data in order to comply with a legal obligation, for example under the Accounting Act. Furthermore, we may refuse if the processing is necessary for the establishment, exercise or defence of legal claims.
If we are unable to comply with your request for erasure, we will ensure that the personal data is only processed for the purpose that prevents the deletion.
Withdrawal of consent
If you have given consent to a specific processing of your personal data, you can withdraw this consent at any time. The withdrawal is made by contacting us in writing, either by mail to RISE Research Institutes of Sweden AB, Box 857, 501 15 Borås, Sweden, or by e-mail to dpo@ri.se.
Storage and information security
All personal data held at RISE is protected in accordance with Article 32 of the GDPR, through secure servers or other appropriate technical and organisational security measures. RISE applies appropriate technical and organisational security measures to protect personal data against, among other things, loss, misuse and unauthorized access in accordance with Article 32 of the GDPR.
Only persons within the RISE organisation, or within other companies within the RISE Group, who need to process personal data in accordance with the purposes stated above, have access to the data.
Disclosure of personal data to third parties
RISE sometimes discloses personal data to third parties who are independent data controllers, for example when hiring a supplier, in applications for/reporting of research projects, insurance investigations, certification contexts, etc.
There must always be a legal basis for such disclosure and the data subjects must have been informed that their data is disclosed outside RISE.
Data processors and data processing agreements
RISE shall only engage personal data processors who, by taking appropriate technical and organisational measures, can guarantee that the requirements of the GDPR are also met when another party processes personal data on our behalf. There must be written processing agreements with all suppliers and other personal data processors.
Transfer to third countries
RISE strives to always process the data subjects' personal data within the EU/EEA. Since RISE uses services provided by, for example, Microsoft and their cloud solutions for storing data, personal data may sometimes be transferred to and processed by suppliers or subcontractors in third countries.
In order to ensure that the data subjects' personal data are processed in a secure manner, transfers are only made to countries that the European Commission considers to have an adequate level of protection. If a transfer is made to a country without an adequate level of protection, this is based on standard contractual clauses approved by the European Commission.
For more information on these clauses and which countries have an adequate level of protection, please visit the European Commission's website.
To ensure that the processing is carried out with an adequate level of protection, other approved mechanisms may also be used, such as Binding Corporate Rules (BCRs). We also ensure, through processing agreements and clear instructions to our suppliers and subcontractors, that they take all necessary legal, technical and organisational measures to guarantee that personal data is handled in a secure manner.
Incident reporting
Anyone who discovers or suspects an incident that could pose a privacy risk must report this to IT, Service Desk, which can be reached via support.it@ri.se or +46 10 516 5700 for further handling in accordance with RISE's procedure for handling personal data incidents.
Complaint
The responsible supervisory authority for RISE's operations is the Swedish Authority for Privacy Protection (IMY). The data subject has the right to submit a complaint regarding RISE's processing of personal data to the Swedish Authority for Privacy Protection (www.imy.se).
Contact
To exercise your rights, you can contact RISE by post at the following address: RISE Research Institutes of Sweden AB, Box 857, 501 15 Borås, Sweden, or by e-mail to dpo@ri.se. If necessary, RISE will forward your request to the right unit within the organisation.