Processing of personal data - employees
Read about the collecting, processing, storage and transfer of personal data of individually identifiable employees of RISE, including present, former and future employees, regardless of the form of the employment, as well as hired labor.
RISE Research Institutes of Sweden AB (RISE), as data controller, processes personal data regarding employees, consultants and other coworkers (hereinafter referred to as “employees”) in accordance with this information. Some sections only apply to employees employed by RISE, other sections also apply to consultants, contractors, trainees and students. If you are employed or hired by any affiliated company of RISE, some of your personal data jointly by RISE and the employing or hiring RISE affiliated company.
Personal data processed by RISE
Basic personal data:
The basic personal data of the employee that RISE processes may include personal security number (swe: personnummer) or similar, employing ID (swe: anställningsnummer), gender, phone number, address, e-mail address, job title, organizational affiliation, date of employment, date of termination of employment, reason for termination of employment, years employed, managing role, employment, nationality, citizenship, language preference, worker/officer, education/competence, level of education, highest completed education, and other basic personal data if required.
Next of kin and contact details for the same, working hours, cost centre, qualifications, evaluations, work performance, written warnings where applicable, vacation balance, evaluation of working position, salary information, bank account number, taxing information, details of insurance and pension insurance, union membership, affiliation of collective agreement, health, absence, sickness leaves, work ability, rehabilitation measures, work related incidents, residence permit, work permit, travel information, business card numbers, travel invoices and allowances, and other personal data if required for the personnel management.
Communication and security:
Personal data required for the employees to access RISE Group premises, IT system and network, i.a. work e-mail, IP addresses and user-ID, computer-ID, device-ID, logging of logins in RISE Group IT environment, and other personal data logged when using IT system and network, and when entering RISE Group premises. Information about customer service and support, such as questions from the employee or its manager/HR relating to the employee's employment or IT equipment or support given to the employee in relation to these.
From which sources the personal data is collected
In addition to the information transferred to RISE from the employee, RISE may also collect personal data from other sources, e.g. other companies within the RISE Group and Skatteverket. Some data is collected by the time of employment, and other data is collected throughout the period of employment.
Purpose and lawful basis
RISE processes the above mentioned personal data for the purposes stated below. Please note that this list is exemplifying and not exhaustive.
Based on contract and legal obligation, RISE processes personal data a.i for the following purposes:
- personnel management (registration in IT system, management and payment of salary and salary revision, leave, absence, time reporting, benefits, internal reports, statistics, project follow up, general administration of the employment, contact lists, organization charts, education, management of taxes and social fees, accounting etc.)
- pension-, insurance-, working environment and rehabilitation matters (handling of investigations and reports regarding work injuries, communication with company healthcare, pension provisions, etc.)
- labor law regulation matters and trade union cooperation (e.g. negotiate or deliberate with trade union organizations, conduct personal performance discussions and salary review, give notice of and notice of termination of temporary employment, termination of employment, application of order of priority and precedency, investigation and actions against harassments according to the act of discrimination (swe: Diskrimineringslagen) etc.)
- compliance of laws, regulations and rules
This processing is needed for RISE to be able to fulfill its contractual rights and obligations according to the employment contract and applicable collective agreements and compliance with labor law regulations, applicable personal data protection regulation, security protection laws, and other laws, regulations and rules that are mandatory for RISE business.
Based on the legitimate interest of RISE, RISE processes personal data i.a. for the following purposes:
- telephone exchange and reception solutions contact lists and digital reception solutions (e.g. making contact information visible in RISE internal telephone directory, on the intranet and RISE external website, in connection with the entrance at the current location of employment, etc.)
- managing IT support (providing and maintaining support and tools necessary for effective implementation, planning, analyzing and follow-up of work tasks, e.g. licenses, permissions, applications, subscriptions, databases, contact lists and telephone directory, etc.)
- enable and manage business trips, hotel, and event participation
- third-party relations (handle relations, undertakings, obligations, instructions etc. towards third parties, e.g. financiers, clients, partners and other business relations)
- research and development related activities (project applications, reporting, statistics, publication and archiving of project results, intellectual property protections of inventions, etc.)
- Recruitment related activities (manage, publish and manage recruitment ads)
- communication and marketing (information and knowledge dissemination and other marketing of RISE activities and projects in RISE internal and external communication channels – e.g. on RISE intranet, internet, social media, etc.)
- support and communication in connection with the employment and performance of the employee´s working duties and performance
- competence development (mapping of work task, competence and education, analyzes concerning level of education, competence development measures, evaluation and assessments, education measures, etc.)
- benefit management (enable offering, offering, administering and maintaining benefits and benefits agreements)
- security and confidentiality (controlling and prevent unauthorized access to the RISE Group premises and IT environment, logging of login and logon attempts and activities in RISE IT environment, use of access cards, contact with next of kin in case of emergency, etc.)
- determine, assert, and defend legal claims
- compliance (control and monitoring internal compliance with RISE policies and Code of Conduct, which are applicable at any given time, and investigating suspected unauthorized activities, deal with any incoming reports of violations in RISE whistleblower system, etc.)
- business development (evaluate and develop RISE business, conduct employee surveys, etc.)
If RISE considers that the processing falls within the legitimate interest of RISE, and not disproportionality infringes the integrity of the employee, and if RISE considers such processing falls within the framework of the employment/engagement and that the employee should reasonably expect such processing, RISE will base the personal data processing on the legal ground legitimate interest. If the processing does not satisfy such conditions, or if consent is needed according to applicable personal data protection regulation, RISE will ask for a special consent for such personal data processing.
To whom the personal data is disclosed
RISE applies appropriate technical and organizational security measures to protect personal data against e.g. loss, misuse and unauthorized access. Only persons within the RISE Group who need to process the personal data in accordance with the above stated purposes will have access to the data.
RISE transfer personal data to third parties within the RISE Group if necessary, e.g. for being able to use the same IT-system, economy system, enterprise resource planning, HR-system, salary system, etc. in order to be able to manage RISE Group common support functions effectively and for other RISE Group collaboration.
RISE may transfer personal data to third parties acting as data processors, e.g. supplier of leadership- and employee surveys, recruitment services, benefit portal, payroll administration, IT and cloud services, etc.
RISE may transfer personal data to third parties acting as data controllers of such transfer is necessary for the purpose of why the information was collected, e.g. Försäkringskassan, Migrationsverket and other authorities, third parties with whom RISE have or intend to have a business relationship (e.g. customer and partner, supplier of company health care, insurance solutions, travel management, logistics, transport, hotels, conferences, advertising and media agencies, social media, etc.), or other third parties if required for the purpose for which the information was collected.
If RISE transfer personal data to any third party, RISE will in all cases use all reasonable endeavors to ensure that there are appropriate safeguards in place which provide adequate levels of protection the personal data as required by applicable data protection laws.
Storage and disposal
RISE processes the personal data as long as it is necessary for the purposes for which the personal data was collected.
Certain personal data will be deleted in connection with the termination of the employment. Other personal data will be processed for a longer period of time due to legal obligations for RISE to continue the processing, e.g. to establish employer’s certificate or to prove correct tax deduction, or for RISE to exercise its rights. As the opportunities to make a claim lapses, the data will be deleted.
Information regarding number of years employed will be processed until the employee reaches the age of pension, and information regarding pension insurance payments are processed as long as the employee is alive.
Transfer to third countries
RISE strives to process personal data within the EEA. In cases where RISE is transferring or processing personal data outside the EEA, RISE will ensure an adequate level of protection in accordance with applicable legislation.
Legal rights as an employee
The employee has certain legal rights as regards RISE personal data processing, as described in this section. To exercise these rights, please contact RISE Data Protection Officer, see contact details below.
Right to information
The employee has the right to request information regarding RISE processing of its personal data.
Right to rectification
The employee may request for RISE to rectify inaccurate information.
Right to erasure and limitation
The employee has in some cases right to request for RISE to delete the personal data, e.g. if the data is no longer needed for the purpose for which it was collected, or if the employee rejects to a legitimate interest of RISE.
The employee also has the right to request for RISE to limit the processing of the personal data.
It is not always possible to meet such a request, e.g. if the processing is needed in order to fulfil a legal obligation, or to determine, assert, and defend legal claims.
If personal data is processed based on an agreement or consent of the employee, the employee may have the right to receive a copy of the personal data in a structured format and in some cases get these transferred to another data controller.
The employee has the right not to be the subject of a decision that is completely based on some form of automated decision-making, if the decision can have legal consequences for the individual or in a similar way affects the individual to a considerable degree.
Lodge a complaint
The employee has the right to lodge a complaint to the Swedish Data Protection Authority if the employee suspects that RISE is processing personal data relating to the employee in a way that contravenes the General Data Protection Regulation.
To exercise the legal rights described in this section, please contact RISE Data Protection Officer at firstname.lastname@example.org, or at
RISE Research Institutes of Sweden AB
Att: RISE DPO/Dataskyddsombud
501 15 Borås
The personal data processor for the processing is RISE Research Institutes of Sweden AB (company registration number 556464-6874), with mailing address: Box 857 501 15 Borås Sweden.