Privacy policy

1 Introduction


1.1 Background and purpose

This privacy policy applies to Scandinavian Mountains Airport AB (556699-6418) or another company that is part of the same group as the now mentioned company (hereinafter “SMA”, “we”, “our”, “us”). The privacy policy has been adopted by management and updated as necessary. The policy constitutes general information about how the company processes internal and external personal data. The person responsible for personal data is responsible for ensuring that the policy is updated annually and, if necessary, in accordance with a decision by management. Personal data is handled within the company and its operations. The information is processed, among other things, for the company to be able to fulfill agreements entered into with customers, suppliers and employees and due to obligations under law. As a starting point, SMA’s customers are responsible for personal data for all processing of personal data that is done under agreements between us and our customers. For such processing, the company enters into a personal data assistant agreement with its customers and processes the data under instructions from and on behalf of the customer.

This general privacy policy (the “Privacy Policy”) applies when we process personal data for our own account, ie when SMA is responsible for personal data. The privacy policy applies to all employees and hired staff with us, including company management, salaried employees, employees and other persons who act for or on behalf of the company. The overall purpose of this privacy policy is to establish roles and responsibilities within our organization, and to establish the norms and principles that will ensure that the collection and processing of personal data within the company takes place in accordance with applicable Data Protection legislation (as defined below).


1.2 Definitions and glossary

Processing (of personal data) is any measure or series of measures taken in respect of personal data, whether they take place automatically or not, e.g. collection, registration, organization, storage, processing, modification, limitation, adjustment, deletion or destruction, disclosure by transmission, dissemination or other provision of data, compilation or co-ordination. Processing register refers to the register that every system owner within the company is obliged to transfer personal data processing in accordance with Article 30 of the GDPR. We use the “GDPR Hero” solution to maintain our Treatment Register.

Data protection law refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“GDPR”) and any other national or European law, Regulation or directives that from time to time apply to the company’s processing of personal data.

Personal information is any information that relates to an identified or identifiable natural person who is alive. Identifiable natural person means a person who can be directly or indirectly identified specifically by reference to an identifier such as a name, identification number, location information or online identifiers or one or more factors specific to the natural person’s physical, physiological, genetic, mental, economic, cultural or social identity. The person responsible for personal data is the legal person who alone or together with others determines the purposes and means for the processing of personal data.


A personal data assistant is a legal person who processes personal data on behalf of the person responsible for personal data, e.g. SMA’s IT suppliers. The Privacy Protection Authority (IMY) carries out checks in connection with complaints from individuals, information in the media or on its own initiative. Measures include field inspections and inspections by means of surveys or other checks by e-mail, telephone or letter.


2. Basic principles for SMA’s personal data processing


We must comply with current data protection legislation when processing personal data. We shall only process personal data in a legal, correct and transparent manner in relation to the data subject and the person responsible for personal data. This means i.a. that our personal data processing must follow the following basic principles:

Documented personal data liability: For each processing of personal data, where we determine the purpose and means, the company is deemed to be responsible for personal data. The responsibility for processing personal data within the company must be documented in a Processing Register.

• Legal basis: Any processing of personal data must be carried out on the basis of a documented legal basis.

• Purpose limitation: The data must be collected for specific, explicitly stated purposes and may not later be processed in an incompatible manner.

• Data minimization: Only personal data that is adequate, relevant and not too extensive in relation to the purpose shall be collected.

• Correctness: The information must be correct and up-to-date and it must be possible to track changes.

• Storage minimization: The data may not be stored longer than required in relation to the purpose, see also point 5.

• Confidentiality: Personal data must be protected by appropriate technical and organizational security measures to prevent unauthorized or unauthorized processing and loss, destruction or distortion of the data. See also point 6.


3. When the processing of personal data is legal


3.1 General legal basis

The processing of personal data is only legal if at least one of the following conditions is met:

• The data subject has given his consent to his personal data being processed for one or more specific purposes.

The processing is necessary to fulfill an agreement to which the data subject is a party or to take action at the request of the data subject before such an agreement is entered into.

• The processing is necessary to fulfill a legal obligation incumbent on the person responsible for personal data.

• The processing is necessary to protect interests that are of fundamental importance to the data subject or to another natural person.

• The processing is necessary to perform a task of general interest or as part of the personal data controller’s exercise of authority.

• The processing is necessary for purposes relating to the legitimate interests of the data controller or a third party, unless the data subject’s interests or fundamental rights and freedoms outweigh and require the protection of personal data.

The legal basis for our processing of personal data must be determined and documented in the Personal Data Officer’s Processing Register. In case of uncertainty, consult with our Personal Data Officer.

3.2 Legal basis for personal data processing when recruiting

The processing is necessary to be able to handle the application from you who are looking for work with us and is based on the consent that you give in connection with your application. We have no interest in knowing trade union membership, beliefs, sexual orientation, political opinions, any illnesses or other information that is not relevant to the recruitment, and it is therefore important that you do not provide such sensitive personal information in connection with your application or in a later communication in the recruitment process. Social security number should not be sent with, date of birth is sufficient. For certain specific treatments, you may receive additional, supplementary or deviating, information about individual processing of your data. SMA can save your personal data for the purpose of future recruitments. In the event of an objection to the processing of your personal data for that purpose, please contact SMA as below.


4. Rights of the data subject


A fundamental aspect of the Data Protection Act is that it contains certain statutory and mandatory rights for the data subjects whose personal data are processed. If a person wants to know what information is registered about him or her, the person must submit a written and personally signed request to SMA. The registered person also has the right to revoke any consent given. The revocation of consent shall not affect the legality of treatment based on consent, before it is revoked.

The registered person has the right to:

• You have the right to access your personal data, which means that you have the right to receive confirmation of whether personal data concerning you is processed and, if so, access to the personal data and certain additional information about the processing.

• You have the right to data portability, which means that in certain circumstances you have the right to receive such personal data about you that you have provided to us, in order for you to be able to transfer the personal data to another person responsible for personal data.

• You have the right to correct, delete or restrict the processing of your personal data and the right to object to the processing.

• You have the right to complain to your national data protection authority (in Sweden IMY) if the processing of your personal data does not meet the requirements of EU / EEA data protection legislation.

• You have the right to withdraw your consent if and to the extent that you have given special consent to certain treatment.

• You have the right to object regarding the balancing of interests when treatment takes place on the basis of so-called balancing of interests according to art. 6.1 in GDPR.

• You have the right to object to direct marketing when processing your personal data. Then the personal data will no longer be processed for such purposes.


5. Storage and thinning of personal data


According to the Data Protection Act, personal data may not be stored longer than is permitted by law, or otherwise necessary for the purposes for which the data is processed. Data that can no longer be stored must be permanently deleted and destroyed (thinning). Under special conditions, thinning can be carried out by anonymizing personal data instead of destroying it. Anonymisation means that all information that makes it possible to trace the data to a registered person is irrevocably deleted.


If there are special laws or regulations that require the storage of personal data for a certain period of time, such as in e.g. in the tax, accounting or money laundering legislation, such provisions apply before the Data Protection Act. The Accounting Act states, for example, that accounting information must be stored for seven years from the year in which the financial year ended. The main rule within the company is that personal data that is not covered by special laws or regulations (in addition to the Data Protection Act) must be thinned out when we no longer need the data to fulfill the purpose of the processing.



6. Security when processing personal data


6.1 General

SMA shall take appropriate technical and organizational measures to prevent personal data from being destroyed, altered or distorted. This means that a security assessment needs to be made from case to case and that different treatments / systems require different levels of security measures depending on the information’s sensitivity, intrusion risk (and other risks) and vulnerability.


6.2 Risk analysis


Before we start processing personal data, an initial risk analysis must be carried out to take a position on:

• Which technical and organizational security measures are appropriate for the treatment in question, based on an assessment of information sensitivity, relevant risks and vulnerability.

• If the processing is adapted from the outside and meets our requirements regarding built-in data protection (privacy by design) and information security.

• If the processing is likely to entail a high risk for the data subjects’ rights and freedoms, e.g. through the use of new technology or because the data subjects can not be expected to know that they will be the subject of the processing. If such a high risk is identified, our Personal Data Controller must be informed and decide whether further analysis in the form of an impact assessment (Data Protection Impact Assessment) is necessary.

For detailed risk matrix, see Information Security Instructions SMA


7. Transfer of personal data


Personal data can be transferred to external parties with or without an assistant agreement, depending on whether the recipient processes the data on behalf of SMA or on its own behalf. In all cases, there must be a legal basis for the transfer and only the information that needs to be transferred. The transfer must be documented in an appropriate manner.


7.1 Transfer to personal data assistants

SMA may transfer personal data to an external party, which processes personal data on our behalf and according to instructions from us. Such an external party is a personal data assistant to us and must always sign an assistant agreement with SMA. Our Personal Data Manager is responsible for keeping such templates updated in accordance with applicable Data Protection legislation from time to time.


7.2 Transfer to parties with their own personal data responsibility

SMA may transfer personal data to another external party, which has its own personal data responsibility, provided that we have a legal basis for such transfer. Such a legal basis may, for example, be that the transfer constitutes a legal obligation for us, or a customer agreement that gives us the right to transfer the data.


7.3 Transfer of personal data to a third country

If and to the extent that our personal data processing means that personal data is transferred to, stored or otherwise processed outside the EU / EEA area, further measures are required for the processing to be legal. It is sufficient that the personal data is accessible from a place outside the EU / EEA, or that a certain infrastructure or resource is located outside the EU / EEA, for further measures to be necessary. When transferring personal data outside the EU / EEA area, the data subject must be informed of the purpose and scope of the transfer. The measures we take to ensure that personal data processing outside the EU / EEA is legal must always be documented and approved by our Personal Data Manager.


7.4 Authority’s request for information

SMA and its employees are obliged to provide information about our personal data processing and related circumstances if the Privacy Protection Authority requests it. Other authorities may also have the right to receive information that contains personal data from us, for example the Swedish Enforcement Agency, the Swedish Tax Agency or the Swedish Environmental Crime Agency. There may also be an obligation to disclose information to the police or prosecutor during a preliminary investigation of a crime, whereby information shall only be disclosed at the written request of the preliminary investigation leader or prosecutor.


In addition to regular and mandatory transfers of personal data to authorities that we have a legal obligation to report (eg salary data to the Swedish Tax Agency and information on sick leave to the Swedish Social Insurance Agency), personal data must be disclosed to authorities only after consultation with our Personal Data Officer. Our Personal Data Manager is responsible for contact with the Privacy Protection Authority. All contacts with the Privacy Protection Authority, or other authorities regarding questions about personal data processing, on behalf of SMA must be referred to our Personal Data Officer.


8. Reporting


Our Personal Data Controller shall annually or, if necessary, report to management on our processing of personal data and, in addition, immediately report to management if serious deficiencies, privacy risks or problems arise.

The report shall contain the results of the follow-up and control of personal data carried out in accordance with this Privacy Policy, including:

• If the processing is adapted from the outside and meets our requirements regarding built-in data protection (privacy by design) and information security.

• The number of personal data incidents that occurred

• Our compliance with applicable Data Protection legislation and this Privacy Policy.

• Any contacts with the Privacy Protection Authority; and

• Changes in current Data Protection legislation and supervisory practices regarding the processing of personal data.


9. Contact information


If you have questions about the processing of your personal data or about cookies, or if you want to exercise your rights that have been stated above, you are welcome to contact us as below.

Scandinavian Mountains Airport AB (org. No. 556699-6418),

Airport Road 4

780 67 Sälen

Phone number: 076-1361061