ARN's processing of personal data

Since May 25, 2018, the EU General Data Protection Regulation (GDPR) applies for the processing of personal data. The following is a description of how ARN processes personal data.

About the EU's General Data Protection Regulation – the GDPR

The acronym GDPR stands for General Data Protection Regulation. The regulation applies as law in Sweden, and replaces the Personal Data Act (PuL). One of the purposes of the General Data Protection Regulation is to protect the personal information of individuals. The General Data Protection Regulation also aims to create a consistent and equivalent level for the protection of personal data within the EU. The General Data Protection Regulation has been developed in order to modernize and adapt the rules on the protection of personal data in our digital society.

ARN is the data controller

The National Board for Consumer Disputes (ARN) is the data controller; it is responsible for the processing of personal data.

Contact information

The National Board for Consumer Disputes
PO Box 174
101 23 Stockholm

Email address: arn@arn.se

Telephone: 08-508 860 00

What are personal data?

Personal data are all information that can be directly or indirectly linked to a living person. Examples of personal data include your name, address, email address, IP address and a person's state of health. Images (photos, video) are also considered to be personal data, if a person in the image is clearly identifiable.

What does the processing of personal data entail?

The processing of personal data, may entail, e.g., the collection, storage, transmission, pooling, and deletion of personal data.

Examples of the processing of personal data in civil cases

ARN collects personal data from consumers who submit a complaint. It then stores the data in ARN’s case management system. During the exchange of correspondence in a case, the complaint and other documents, are transmitted. These documents may also contain personal data about the company that is the defendant in the case. The documents that the company submits are transmitted to the complainant. Because ARN is an e-authority, transmission often occurs via email, but sometimes it is executed via post. When the decision is written, personal data may be collected in a single document. The documents in the case expire (are expunged) two years after the case has been closed. The decision is archived indefinitely.

The principle of public access to official records – the right to request public documents

ARN is a government authority. Documents sent to ARN or created by the authority become so-called “public documents.” According to the principle of public access to official records, the requester usually has the right to access the documents. In certain isolated cases, ARN may protect information in documents so that certain personal data are not disclosed. The Public Access to Information and Secrecy Act determines which information ARN may protect.

Which personal data does ARN process in civil cases?

When a complaint is made, ARN collects the name, address, email address, phone number, age and gender of the complainant. ARN also processes other personal data supplied to the authority.

Sensitive personal data

Sometimes ARN becomes privy to sensitive personal data. These data may include information about a person’s ethnic background, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetic information, and biometric data that unambiguously identifies a person.

You should avoid submitting unnecessary sensitive personal data about yourself or anyone else.

The purpose and legal basis for ARN’s processing of personal data in civil cases

Pursuant to the mission ARN has received from the Swedish government, ARN requires personal information in order to be able to deal with disputes. ARN has also been commissioned to report statistics on the sex, age and place of residence of complainants.
The processing of personal data which ARN performs in the course of its handling of disputes is supported by the legal basis that the authority is conducting a task of public interest. When we process sensitive personal data, we do so in order to be able to handle the case or comply with our obligations under the law. The legal basis for the processing of sensitive personal data is important public interest.

Who becomes privy to personal data in civil cases?

ARN employees have access to the data in order to perform their job functions. These persons include case preparation lawyers, administrative staff or board members. In the course of the handling of the case, the complainant and the reported company become privy to the documents in the case.

As a rule, the processing of personal data is carried out within the EU/EEA, but if one party is outside this area then tasks may be transmitted there (third country).

Pursuant to the principle of public access to official records, documents held by ARN and containing personal data may be disclosed to the person who requests this; for more information see the heading The principle of public access to official records – the right to request public documents.

How long does ARN store personal data in civil cases?

Pursuant to archiving regulations, ARN is required to store documents in civil cases for two years after the case is closed. The documents are then culled (expunged). The decisions will be stored indefinitely.

The processing of personal data in incoming emails and post

ARN is required to take care of the information that is submitted to the authority. This is partly because ARN provides a public service.

Documents related to a case are transferred to ARN’s case management system. All emails in ARN’s inbox, arn@arn.se, are expunged after three months. Content in other email inboxes is expunged after one year.

Emails and letters that are not related to a civil case are printed out and stored at ARN’s offices for two years. The documents are then culled (expunged). Temporary documents and documents of minor importance are not saved.

The processing of personal data during recruitment

During the recruitment process, we process the personal data you provide, such as your name, address information, age, previous employers and education. References and interview notes may also be processed during the recruitment process.

ARN uses this data to handle your application. This processing is necessary to ARN’s ability to fulfil a task of public interest, or to fulfil a contract.

The data are available to the people at the ARN who work with recruitment, such as the HR Manager, recruitment managers, and union representatives.

If you are hired, your application documents are stored in your personal file until further notice. Otherwise, the application documents are stored for two years after the conclusion of the recruitment process. The documents are then culled (expunged). If an employment decision is appealed, the data are transmitted to the Swedish Appeals Board.

Application documents in connection with unsolicited applications or internship applications are culled (expunged) as soon as this information is no longer needed.

Subscribers

Personal data you provide when you wish to subscribe to our decisions are processed by us in order for us to be able to manage your subscription. The legal basis for this processing is that ARN is performing a task of public interest. Email addresses will be stored for as long as the subscription remains ongoing. Personal data supplied to us so that we can receive payment are stored in accordance with the archiving policies for financial documents.

The processing of personal data about third parties

Sometimes people submit information about people other than themselves. If this information is necessary to our ability to perform our mission or meet our obligations under other laws, we process this personal data. In such case, we assess whether the person in question should be informed of the processing.

Your rights

You have the opportunity to contact ARN and:

• Request access to the personal data (about you) which ARN processes (extract from the records). In your request, you should clearly specify which information you wish to receive. We will normally respond to your request within one month.
• Request a rectification, expungement, or limitation of the processing of your personal data.
• Object to the processing of your personal data.

Because there are special rules regarding the handling of public documents, some of these rights are limited.

Data protection officer

If you have questions or comments about ARN’s personal data processing, you may contact the authority's data protection officer by sending an email to dso@arn.se

Complaints

If you are dissatisfied with ARN’s processing of your personal data, you may file a complaint with the Swedish Authority for Privacy Protection (IMY). Contact information can be found at www.imy.se. The website also features further information about the General Data Protection Regulation.