Processing of personal data - employees
Read about the collecting, processing, storage and transfer of personal data of individually identifiable employees of RISE, including present, former and future employees, regardless of the form of the employment, as well as hired labor.
RISE Research Institutes of Sweden AB (RISE), as data controller, processes personal data regarding employees, consultants and other coworkers (hereinafter referred to as “employees”) in accordance with this information. Some sections only apply to employees employed by RISE, other sections also apply to consultants, contractors, trainees and students.
Personal data processed by RISE
Basic personal data:
The basic personal data of the employee that RISE processes may include name, personal security number (swe: personnummer) or similar, employing ID (swe: anställningsnummer), gender, phone number, address, e-mail address, job title, organizational affiliation, date of employment, date of termination of employment, reason for termination of employment, years employed, managing role, employment, nationality, citizenship, language preference, worker/officer, education/competence, level of education, highest completed education, and other basic personal data if required.
Next of kin and contact details for the same, working hours, cost centre, qualifications, evaluations, work performance, written warnings where applicable, vacation balance, evaluation of working position, salary information, bank account number, taxing information, details of insurance and pension insurance, union membership, affiliation of collective agreement, health, absence, sickness leaves, work ability, rehabilitation measures, work related incidents, residence permit, work permit, travel information, business card numbers, travel invoices and allowances, and other personal data if required for the personnel management.
Communication and security:
Personal data required for the employees to access RISE premises, IT system and network, i.a. work e-mail, IP addresses and user-ID, computer-ID, device-ID, logging of logins in RISE IT environment, and other personal data logged when using IT system and network, and when entering RISE premises. Information about customer service and support, such as questions from the employee or its manager/HR relating to the employee's employment or IT equipment or support given to the employee in relation to these.
From which sources the personal data is collected
In addition to the information transferred to RISE from the employee, RISE may also collect personal data from other sources, e.g. Skatteverket. Some data is collected by the time of employment, and other data is collected throughout the period of employment.
Purpose and lawful basis
Based on contract and legal obligation, RISE processes personal data for the following purposes:
- General personnel management (e.g. registration in salary system, management and payment of salary and salary revision, leave, absence, benefits, education, management of taxes and social fees, etc.)
- Pension matters and insurance matters
This processing is needed for RISE to be able to fulfill its contractual rights and obligations according to the employment contract and applicable collective agreements and compliance with labor law regulations.
Based on legal obligation, RISE processes personal data for the following purposes:
- working environment and rehabilitation matters (e.g. handling of investigations and reports regarding work injuries, communication with company healthcare, etc.)
- labor law regulation matters (e.g. negotiate or deliberate with trade union organizations, conduct personal performance discussions and salary review, give notice of and notice of termination of temporary employment, termination of employment, application of order of priority and precedency, investigation and actions against harassments according to the act of discrimination (swe: Diskrimineringslagen) etc.)
- trade union cooperation
- handle IT incidents (e.g. report personal data incident to the relevant data protection authority, handle activities in IT systems, etc.)
This processing is needed for RISE to be able to comply with applicable labor and work environment regulations and applicable personal data protection regulation.
Based on the legitimate interest of RISE, RISE processes personal data for the following purposes:
- contact lists and digital reception solutions (e.g. making contact information visible in RISE internal telephone directory, on the intranet and RISE external website, in connection with the entrance at the current location of employment, etc.)
- contact with next of kin in case of emergency
- educate employees
- handle system access
- provide and maintain IT support and other working tools
- handle relations, undertakings, obligations, instructions etc. towards third parties in connection with RISE business relations (e.g. assignments, projects, applications, reporting, deliveries, etc.)
- handle relations, undertakings, obligations, instructions etc. towards RISE financiers, partners etc.
- enable and manage business trips
- handle, publish and administrate recruitment ads
- distribution of information and knowledge and internal cooperation via RISE internal communication channels (e.g. e-mail, intranet, medarbetarportalen, Yammer, etc.)
- handle questions and support connected to the employment and the performance thereof
- enable offering, offer, administrate and uphold agreements regarding benefits and benefit management
- determine, assert, and defend legal claims
- monitoring compliance with RISE policies and Code of Conduct, which are applicable at any given time, and investigating suspected unauthorized activities
- handle notifications received regarding any violation in RISE whistleblower system
Based on the legitimate interest of RISE or consent of the employee, RISE processes personal data for the following purposes:
- marketing of RISE business on the internet, intranet, social media, internal and external newsletters, etc.
- analyses regarding level of education, register and maintain information regarding e.g. education and experience in competence databases
If RISE considers such processing falls within the legitimate interest of RISE, and not disproportionality infringes the integrity of the employee, and if RISE considers such processing falls within the framework of the employment and that the employee should reasonably expect such processing, RISE will base the personal data processing on the legal ground legitimate interest. If the processing does not satisfy such conditions, or if consent is needed according to applicable personal data protection regulation, RISE will ask for a special consent for such personal data processing.
To whom the personal data is disclosed
RISE applies appropriate technical and organizational security measures to protect personal data against e.g. loss, misuse and unauthorized access. Only persons within RISE who need to process the personal data in accordance with the above stated purposes will have access to the data.
RISE transfer personal data to third parties within the RISE company group if necessary, e.g. for being able to use the same IT-system, economy system, enterprise resource planning, HR-system, salary system, etc. to manage RISE company group common support functions.
RISE may transfer personal data to third parties acting as data processors, e.g. supplier of company health care, leadership- and employee surveys, recruitment services, benefit portal, payroll administration, IT and cloud services, etc.
RISE may transfer personal data to third parties acting as data controllers of such transfer is necessary for the purpose of why the information was collected, e.g. Försäkringskassan, Migrationsverket and other authorities, third parties with whom RISE have or intend to have a business relationship (e.g. customer and partner, supplier of company health care, insurance solutions, travel management, logistics, transport, hotels, conferences, advertising and media agencies, social media, etc.), or other third parties if required for the purpose for which the information was collected.
If RISE transfer personal data to any third party, RISE will in all cases use all reasonable endeavors to ensure that there are appropriate safeguards in place which provide adequate levels of protection the personal data as required by applicable data protection laws.
Storage and disposal
RISE processes the personal data as long as it is necessary for the purposes for which the personal data was collected.
Certain personal data will be deleted in connection with the termination of the employment. Other personal data will be processed for a longer period of time due to legal obligations for RISE to continue the processing, e.g. to establish employer’s certificate or to prove correct tax deduction, or for RISE to exercise its rights. As the opportunities to make a claim lapses, the data will be deleted.
Information regarding number of years employed will be processed until the employee reaches the age of pension, and information regarding pension insurance payments are processed as long as the employee is alive.
Transfer to third countries
RISE strives to process personal data within the EEA. In cases where RISE is transferring or processing personal data outside the EEA, RISE will ensure an adequate level of protection in accordance with applicable legislation.
Legal rights as an employee
The employee has certain legal rights as regards RISE personal data processing, as described in this section. To exercise these rights, please contact RISE Data Protection Officer, see contact details below.
Right to information
The employee has the right to request information regarding RISE processing of its personal data.
Right to rectification
The employee may request for RISE to rectify inaccurate information.
Right to erasure and limitation
The employee has in some cases right to request for RISE to delete the personal data, e.g. if the data is no longer needed for the purpose for which it was collected, or if the employee rejects to a legitimate interest of RISE.
The employee also has the right to request for RISE to limit the processing of the personal data. It is not always possible to meet such a request, e.g. if the processing is needed in order to fulfil a legal obligation, or to determine, assert, and defend legal claims.
If personal data is processed based on an agreement or consent of the employee, the employee may have the right to receive a copy of the personal data in a structured format and in some cases get these transferred to another data controller.
The employee has the right not to be the subject of a decision that is completely based on some form of automated decision-making, if the decision can have legal consequences for the individual or in a similar way affects the individual to a considerable degree.
Lodge a complaint
The employee has the right to lodge a complaint to the Swedish Data Protection Authority if the employee suspects that RISE is processing personal data relating to the employee in a way that contravenes the General Data Protection Regulation.
The personal data processor for the processing is RISE Research Institutes of Sweden AB (company registration number 556464-6874), with mailing address: Box 857 501 15 Borås Sweden.