The Policy, adopted by Mistra’s Board on 18 May 2018, complies with the new General Data Protection Regulation (GDPR), https://gdpr-info.eu/ will be reviewed at least once a year and is subject to amendment.
When the term ‘personal data’ is used in this Policy, it refers to all particulars that relate directly or indirectly to a living natural person.
Principle of public access to official documents
All Mistra’s activities are subject to the principle of public access to official documents. A document received, drawn up or stored by Mistra is thus an official document. An official document is a public document unless it is protected by secrecy legislation.
Handling and processing of personal data by Mistra and its purpose
Mistra collects information about a person’s name, title, professional qualifications, organisation, contact details, payments, citizenship and ID documents.
The purpose of processing personal data is to enable Mistra to fulfil its mission to support research; carry out agreements; pay fees; appoint working groups; initiate and quality-assure research; assess applications; answer enquiries; implement programmes; take funding decisions; implement and issue information about asset management; disseminate ideas and knowledge; administer appointments; assess costs and undertake other administrative tasks; and engage in its other activities.
Mistra’s legal basis for processing personal data is, as a rule, a matter of public interest. In cases where obtaining personal data is necessitated by an agreement, this is the legal basis for the data processing. Regarding Mistra’s external information flows, for example, but also in other parts of its activities, Mistra considers itself to have a legitimate interest in administering such flows. Mistra is also obliged to handle certain personal particulars for legal reasons, an example being the obligation to provide information to fund managers under legislation on money laundering. In cases where personal data handled by Mistra cannot be categorised in any of the above ways, Mistra obtains consent from the persons registered (‘data subjects’). Where Mistra’s processing of their personal data is based on consent or legitimate interest, data subjects may notify Mistra if they no longer wish Mistra to process the data.
Mistra does not process personal data for longer than necessary to fulfil the purpose of collecting the data. The period for which the information is retained depends mainly on whether Mistra and the data subject are currently engaged in cooperation, whether retention of the data is required by law and the purpose of the processing.
Transfer of personal data
Mistra’s processing of personal data takes place mainly in Sweden or within the EU/EEA. However, personal data may be transferred to and from third countries (non-members of the EU or EEA) in cases where this is necessary to enable Mistra to fulfil its remit of supporting research and managing its own assets.
Mistra may disclose personal data if this is necessary for compliance with applicable laws or requirements imposed by government agencies; to safeguard Mistra’s legal interests; or because the documents concerned are public and, as such, deemed not to be subject to obligations of secrecy or confidentiality.
For certain services, Mistra engages external enterprises, which may then come to handle personal data on Mistra’s behalf.
Data subjects’ rights
Data subjects have the following rights regarding Mistra’s processing of their personal data: the right of access to registered personal particulars, the right to be informed about how these particulars are handled, the right to rectification or erasure, the right to restriction of processing and the right to object to processing; and the right to data portability (‘the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided’, according to the GDPR). Data subjects are also entitled to submit complaints with the Swedish Data Protection Authority regarding Mistra’s handling of their own personal data.
Mistra has taken the appropriate technical or organisational measures to protect personal data from processing that is not authorised or allowed, and from destruction or modification; and also to ensure that only personal particulars that are necessary for the specific respective purpose for which they have been collected are processed.
Collection of personal data from users of Mistra’s website
If Mistra’s website is used without any information being sent to us, we collect only the personal data that the user’s browser sends to our servers. To enable a user to access our website, Mistra collects the IP address, date and time of the enquiry, UTC (time difference from GMT), content of the enquiry (particular page viewed), access status and/or HTTP status code, amount of data transferred on each occasion, provenance of the enquiry (the website from which it comes), browser type, operating system and interface, and the language and version of the browser program. The above-mentioned data are necessary to display Mistra’s website and to ensure its stability and security.
Cookies are used on Mistra’s website. A cookie is a small text file that is stored on the user’s device and allows tracking of the user’s choices on the website. The user’s browser settings determine whether cookies are stored or not. If cookies are not allowed to be stored, the website may not work properly or at all.
Analysis of website use
Contact details for questions and comments on Mistra’s processing of personal data, or to invoke any of the data subjects’ rights:
The Foundation for Strategic Environmental Research (Mistra)
Sveavägen 25, 8th floor
SE–111 34 Stockholm, Sweden
Phone: +46 (0)8-791 1020
Adopted by Mistra’s Board on 18 May 2018, December 07 2018 and December 11 2019.