Management of personal data
On the following pages, you can read about SMHI's personal data management, what personal data is, how and when we process your personal information, what rights you have and what the legislation stipulates.
When does SMHI process personal data?
SMHI processes personal data in a variety of contexts.
- When you visit our website we process your personal data.
- When we arrange conferences we process the participants' names and email addresses.
- When we interact with other companies and/or government agencies we hold contact information for employees there.
- When the public sends questions to our customer service or when someone visits SMHI and registers their name at the reception, we process these personal data.
- When you subscribe to one of our newsletters or when you write to us on one of our social media platforms, we process personal data in relation to these actions.
Personal data is any information or identifier relating to a natural living person.
In other words, personal data may be: name, age, gender, ethnicity, length, eye colour, email address, physical address, phone number, biometric data such as fingerprints, etc.
What is processing of personal data?
Processing of personal data is any operation performed on personal data.
In other words, processing can be: collection, registration, storage, reading, usage, erasure, dissemination or other provision, etc. It is primarily the digital automated processing of personal data that is covered by GDPR, but personal data included in a register or intended to be included in a paper-based register can also be covered by the rules.
What laws govern personal data management?
The EU General Data Protection Regulation ("GDPR") and the Swedish Data Protection Act, together with other regulations such as the Freedom of the Press Act, the Fundamental Law of Freedom of Expression and other national laws, govern the processing of personal data.
The purpose of GDPR is to protect personal integrity when processing personal data. On May 25, 2018, the GDPR replaced the previous law in the area - the Personal Data Act.
All processing of personal data shall be in accordance with the fundamental principles of personal privacy protection set out in the GDPR.
In short, the principles stipulate that personal data shall be handled legally and safely, that personal data may only be collected for legitimate purposes and the purposes should not be described in general terms, that no more personal data is collected than is necessary to achieve the purpose of the collection, and that the data cannot be kept longer than necessary.
In addition, however, as a government agency, SMHI has an obligation to preserve information for the future, so we cannot erase personal data that we are legally obliged to archive. Personal data may not be processed later in a manner that is inconsistent with the purposes set for the initial processing. SMHI is responsible for its personal data management and for demonstrating compliance with the regulation.
How we process your personal information
SMHI is the controller of the processing of personal data here on this website and in our business in general.
As a controller, SMHI is responsible for ensuring that the processing of data carried out either by SMHI or by a processor is in accordance with applicable laws and regulations. Furthermore, as a controller, SMHI has obligations to the person whose personal data is processed.
Legal processing of your personal information
All processing of personal data by SMHI is based on laws and regulations. We do not process personal data unless the processing is lawful. There should also be a defined and specific purpose for the processing in question. On our website, we describe in general terms how SMHI assesses the lawfulness of different types of processing, but we may also provide more specific information in some situations when personal data is collected.
SMHI is responsible for ensuring that the personal data we process are correct and up to date and that the data are relevant to the purpose of the processing.
As a governmental authority, we have a legal obligation to preserve information about our business for the future, which means that in cases when information containing personal data is archived, we save your personal data in our archive as well. All archiving is carried out in accordance with rules and guidelines for archiving and disposal of official documents.
General Interest
As a governmental authority, SMHI has an official duty to carry out specific actions. SMHI’s official duty forms the legal basis for processing the necessary personal data in order to fulfil this duty. Duty of public interest is described in the Data Protection Act. SMHI’s Duty of public interest is described in laws and regulations, but assignments that the authority undertakes on a voluntary basis, if SMHI considers that they constitute a task of general interest, fall within the scope of the general duty to be fulfilled and hence constitute a Duty of public interest. Some examples of where SMHI’s official duty emanates from: the Swedish constitution, government regulations, public administration and confidentiality laws, SMHI's instruction, SMHI's letter of appropriation, which SMHI receives annually, and activities organised by SMHI to disseminate our expertise areas meteorology, climate science, hydrology and oceanography.
In addition, SMHI conducts applied research within the scope of its area of expertise; therefore SMHI also processes the personal data necessary for conducting this research of general interest.
Agreement
SMHI also conducts business activities, as stipulated in SMHI's instruction. This means that what SMHI’s business department does is also to be considered necessary to fulfil a Duty of public interest. Where SMHI has entered into an agreement with a customer, SMHI’s processing of personal data is necessary to fulfil the agreement as well as to fulfil a Duty of public interest.
Data protection legislation and public access to information principle
The GDPR regulates the protection of personal data, but there is also national legislation that complements the regulation in EU’s member states.
In Sweden, the supplementary legislation is called Law (2018:218) with Supplementary Provisions to the EU General Data Protection Regulation (the Data Protection Act). Furthermore, there are national provisions that together constitute the Public access to information principle, namely the Freedom of Expression Act in combination with the Public access to information and Privacy Act (2009:400), which regulates the disclosure of public documents.
The Public access to information principle is not affected by GDPR, except that disclosure of public documents containing personal data may be refused if it could be assumed that a disclosure would result in the personal data being handled in violation of the GDPR (Chapter 21, Section 7, OSL).
Email to SMHI
As SMHI is a governmental authority and as such is governed by the principle of Public access to official documents, generally all information received, by e-mail or otherwise, constitutes official documents. Depending on what the email message contains, including the personal data in it, it will either be entered into the official journal, archived or destroyed in accordance with a disposal decision. All actions are in accordance with laws and regulations in the area, including the rules and guidelines relating to disposal of official documents and archiving.
Personal data on social media
SMHI uses several social media platforms both to reach out with information and to engage in dialogue with the public. Because SMHI is a governmental authority, comments and posts on our pages in social media are official documents, which also include the personal information that accompanies the comment and/or the post. SMHI reserves the right to remove comments or posts that are offensive.
How SMHI protects your personal information
As a governmental authority, SMHI has, for example, the MSB's regulations (MSBFS 2020:06) to comply with regarding information security.
MSBFS 2020:6 regulations on information security for government agencies
At SMHI we work to protect your data and to ensure that the right people have access to the right information at the right time. This may include technical solutions for protection against malicious code, but it may also concern the training of our personnel in handling of personal data.
We have been working systematically with information security in relation to personal data for many years, and we are periodically reviewed by an external actor to confirm that the correct level of security is maintained.
Your rights
If your personal data is processed by SMHI, you are entitled to receive information about how we process your data and to have incorrect information corrected.
Right to request information
You are entitled to receive, free of charge, information about and access to the personal data that SMHI is processing about you. You also have the right to request that incorrect information about you be corrected, and in some cases you may have the right to request that your personal data be erased; however, this is only possible where the legal ground for processing is consent or if processing is necessary in order to fulfil a contract.
Complaint regarding SMHI's handling of personal data
If you believe that SMHI has processed your personal data incorrectly, you have the right to report it to Datainspektionen.
Datainspektionen's complaint handling page (in Swedish)
You can also contact one of our Data Protection Officers if you have any comments regarding the handling of personal data.
Contact Information
If you have questions regarding SMHI’s personal data processing, you can contact SMHI’s Data Protection Officer or SMHI’s Registry.
SMHI’s registry
SMHI
60176 Norrköping
Email: registrator@smhi.se
Phone: +46 11-4958000
Data protection officer
Email: dataskyddsombud@smhi.se