Processing of personal data

The National Historical Museums (SHM) protect your personal integrity and want you to feel secure in how we process your personal data. This text describes how we collect and process personal data, what rights you have, and how you can exercise them. You are always welcome to contact us if you have any questions.

SHM is a government authority. This means that, as a general rule, messages sent to us become official documents that are registered and recorded. If a request is made to access an official document, a confidentiality assessment is always carried out in accordance with the Public Access to Information and Secrecy Act before any information is disclosed.

Processing of Personal Data

Data Controller

SHM is the data controller for the processing of personal data for which the authority determines the purposes and means.

The National Historical Museums
Box 5428
SE-114 84 Stockholm

Telephone: +46 (0)8-519 556 00
Email: registrator@shm.se

Contact Regarding Data Protection Matters

If you have questions about how we process your personal data or wish to exercise your rights in relation to our processing of personal data, you may contact our Data Protection Officer by emailing the address below:

Email: dataskyddsombud@shm.se

What Personal Data Do We Process?

When you visit, contact, or otherwise interact with us, you may provide personal data. We process personal data only when we have a clear purpose and a legal basis. Below is an overview of the purposes for which personal data is processed and the corresponding legal bases.

Bookings of Premises and Activities

To manage bookings of premises, educational activities, guided tours, and programme activities, we process personal data such as names and contact details. The legal basis for the processing is that it is necessary for the performance of a contract that has been entered into.

Camera Surveillance for Security

SHM uses camera surveillance to ensure the safety of visitors, staff, and objects. In this context, personal data in the form of image and video recordings is processed. The surveillance is used to prevent, deter, and detect crime and to assist in criminal investigations. The legal basis for this processing is that it is necessary for the performance of a task carried out in the public interest.

Purchases of Goods and Services

To manage orders and purchases of e-tickets, publications, photographs, and goods from our museum shops, we process personal data such as names and contact details. If you purchase an annual pass, we may in certain cases also process your personal identity number and telephone number if this is required to administer the pass. The legal basis for the processing is that it is necessary for the performance of the contract that has been entered.

Visits to the Authority’s Websites

The authority’s websites use the analytics tool Matomo to gain an understanding of how visitors use the websites. The purpose is to improve the content, navigation, and structure of the websites.

How the Authoriy handles cookies

Personal Data in Film, Video, Printed Material, or Social Media

To provide information about our activities, we may process personal data such as names, contact details, job titles, still images, and audio and video recordings. The data may be used in printed materials such as reports, brochures, and newsletters. It may also be published on our websites and on social media. The legal basis for publication is normally that it is necessary for the performance of a task carried out in the public interest. Where this does not apply, consent is obtained.

Personal Data in Newsletters

SHM uses the analytics tool Ungapped to gain an understanding of how subscribers engage with our newsletters. The purpose is to improve the content of our email communications and our website. The legal basis for this processing is that it is necessary for the performance of the contract entered into when you sign up as a subscriber. You may unsubscribe at any time.

Personal Data in Questions, Enquiries, and Feedback

To respond to questions about our activities and to manage enquiries via telephone, email, or other digital channels, we process names and contact details of individuals who contact us. The legal basis for this processing is that it is necessary for the performance of a task carried out in the public interest.

Personal Data in Our Collections and Archives

To catalogue, conduct scholarly work on, and make our collections accessible, we process information relating to objects’ ownership history and provenance, such as the names of former owners and their year of birth. In certain cases, personal images included in the authority’s photographic collections are also processed. Images and information about objects may be published on SHM’s website. The legal basis for this processing is that it is necessary for the performance of a task carried out in the public interest.

Contemporary Documentation

When we document contemporary society (so-called contemporary documentation), we process personal data such as names, contact details, still images, moving images, and audio recordings. The information is used to preserve cultural heritage for the present, the future, and for research. The legal basis for this processing is that it is necessary for the performance of a task carried out in the public interest.

Sensitive Personal Data

Sensitive personal data is processed only when you have clearly made the data public yourself or when there is an important public interest in processing the data. When processing is based on an important public interest, it is always grounded in applicable legislation and carried out only when necessary for the stated purpose.

Gifts, Donations, and Loans to or from Our Collections

We process personal data in order to administer gifts and donations as well as incoming and outgoing loans of objects of cultural-historical value. The processing is necessary in order to enter into agreements in these matters and to administer those agreements.

Visits to the Collections for the Study of Objects

During research visits and other visits to the collections, names and any institutional affiliation are recorded. The data is used to document which individuals have had access to the collections and is stored for ten years. The data is also used as a basis for statistics in the authority’s annual report; for this purpose, the information is anonymised. The legal basis for this processing is that it is necessary for the performance of a task carried out in the public interest.

Archaeological Contract Activities and Sales and Support

Within archaeological contract activities, we may process and retain personal data such as names, contact details, property designations, and photographs. The data is processed as part of the handling and documentation of assignments. The legal basis for this processing is that it is necessary for the performance of a task carried out in the public interest.

Support for the Intrasis System

When administering the Intrasis system, contact details are processed. The processing is necessary for the performance of a contract in which the registered customer is a party.

Applications for Employment

Names and contact details submitted in job applications are registered and retained. Personal data in application documents submitted during a recruitment process is stored for two years. For the individual who is offered the position, the application documents are retained.

Personal data submitted in unsolicited applications is stored for two years. The data is processed to administer applications and to carry out recruitment processes. The legal basis for this processing is that it is necessary for the performance of a task carried out in the public interest.

Procurement

When purchasing goods and services, we comply with public procurement regulations. In connection with a procurement process, we process personal data in order to communicate with suppliers and manage the matter. The legal basis for this processing is that it is necessary to comply with a legal obligation.

Once a contract has been entered into with a supplier, we process personal data in order to administer and follow up on the contract, for example through contract management and invoice handling. The legal basis for this processing is that it is necessary for the performance of the contract that has been entered into.

Automated Decision-Making

SHM does not make any decisions based solely on automated processing.

How Long Your Personal Data Is Stored

Under archival legislation, the general principle is that a government authority must preserve official documents. SHM complies with these rules and disposes of official documents in accordance with established disposal decisions and applicable regulations.

Personal data that is not included in official documents is not stored for longer than necessary to fulfil the purpose of the processing. In certain cases, however, personal data must be retained for a longer period due to other legislation, such as the Accounting Act (1999:1078), which sets specific retention requirements.

Recipients and Data Processors

As a general rule, your personal data is processed only by us. In addition to disclosures required under the principle of public access to information, SHM in some cases uses data processors. Categories of recipients include providers of IT operations, case-management systems, and booking and point-of-sale systems. The data processors engaged process the information on our behalf and in accordance with our instructions.

Transfer of Personal Data to Third Countries

As a general rule, we process your personal data only within the EU/EEA. When we publish information about our activities or when you access our content on social media (for example Meta, Google/YouTube, LinkedIn), data may be transferred to countries outside the EU/EEA. Such transfers take place in accordance with the platforms’ own terms and are normally based on EU decisions on an adequate level of protection (where applicable for the relevant recipient) or on the EU’s Standard Contractual Clauses (SCCs) combined with supplementary protective measures.

Right to Rectification, Erasure, or Restriction

You have the right to request that incorrect or incomplete personal data be corrected. You may also request that the processing of the data be restricted until it has been corrected. In certain cases, you have the right to have your personal data erased. This right does not apply where the data must be retained in order for the authority to fulfil its mandate or where the data forms part of an official document that must be preserved by law.

Right of Access

You have the right to receive information about which personal data we process about you. If you wish to access this information, you may request a register extract, either in writing or by email. To enable us to process your request, you must provide your full name, personal identity number, and contact details. For security reasons, the register extract is always sent to your registered address, so that no unauthorised person gains access to your personal data.

Questions and Complaints

If you have any questions about the processing of your personal data, you are welcome to contact us using the contact details above.

If you are not satisfied with the response you receive from us, you have the right to lodge a complaint with the supervisory authority, the Swedish Authority for Privacy Protection:

Swedish Authority for Privacy Protection
https://www.imy.se/