Privacy policy

Stockholm Business Region protects registered rights, and below is a description of how SBR processes your personal data in accordance with applicable data protection legislation.

This data protection information is intended for anyone who comes into contact with SBR’s operations and describes how we process your personal data, your data protection rights under the General Data Protection Regulation (GDPR) and how you can exercise those rights.

Stockholm Business Region is responsible for the processing of personal data

Stockholm Business Region AB, corporate IT number 556491–6798 and address Fleminggatan 4, SE-102 26 Stockholm, is a wholly owned company of the City of Stockholm and part of Stockholms Stadshus AB.

The Privacy Policy describes the processing of personal data carried out by Stockholm Business Region and its subsidiaries as companies that are data controllers within Stockholm Business Region AB (hereinafter referred to as “SBR”). The subsidiaries Visit Stockholm AB and Invest Stockholm AB are currently dormant companies.

Contact details for SBR’s Data Protection Officer

SBR’s Data Protection Officer works to provide advice and ensure that the operation complies with data protection legislation. You can contact SBR’s Data Protection Officer if you have any questions regarding the processing of your personal data or if you wish to exercise your rights. These rights are described in more detail below.Data Protection Officer: funktionsbrevlada.dso@stockholm.se

Swedish Freedom of information

SBR is subject to the Freedom of the Press Act, and laws as public access to information and secrecy and the archives act. The handling of public records and the personal data contained therein may therefore be handled according to legal obligations. This means, among other things, that messages sent to SBR normally become public records. SBR is obliged, upon request, to disclose information in public records after a confidentiality review. The rules on the publicity of public documents and archiving regulations may limit certain rights that you have as a data subject.

What are personal data and processing?

Personal data is information that can be directly or indirectly linked to a living person. Examples of personal data include name, address, phone number and email address. Under certain circumstances, information such as IP numbers or other information combined together may also constitute personal data.

Processing of personal data includes all handling of personal data, such as collection, registration, purging and storage.

Which personal data do we process?

Information you provide to us. For example, when you participate in our events, sign up for our mailing lists for events and newsletters or interact with us on social media, we may collect:

• Personal and contact information – name, address, email address, phone number, role/title, photo and image/video, which organisation or company you belong to, occupation and online ID. If you participate in one of our focus groups, we may also collect information such as gender, place of residence, education and nationality.
• Guides – name, address, email address, phone number, role/title, photo, image/video, personal ID number, occupation, which organisation or company you belong to, language skills.

Information we collect about you. If, for example, you are a public figure, journalist, or work as a contact person at a company, visit one of our websites, participate at an event or have chosen to receive newsletters, we may actively collect the following information about you:

• Personal and contact information – name, email address, mobile phone number, role/title, organisation or company you belong to, occupation, photo, online ID
• Information about how you interact with our websites – how you use our websites.
• Device information – for example, IP address, language settings, browser settings, time zone, operating system, platform and screen resolution. Read more in cookie settings.
• Which events you have participated in and future event requests
• When you have consented to processing and which newsletters you have received

Information from third parties. We may also collect personal data from someone other than you (a so-called third party). The information we collect from third parties is as follows:

Address details from public registers to ensure that we have the correct address details for you.

If you belong to a specific target group that we want to reach, we may also collect personal data about you from other marketing organisations.

The purpose (aim) of our processing of personal data

SBR processes personal data as part of its municipal mandate to market and develop Stockholm as a place to establish business and a tourist destination under the brand Stockholm – The Capital of Scandinavia, in close collaboration with the business community, academia and other institutions, organisations, municipalities and government agencies.Below is a more detailed description.

Purpose and legal basis for each type of processing

• Manage and develop digital communication; for example, communicating on social media, writing press releases for journalists and conducting international and national marketing. Legal basis for processing: Performance of contracts and legitimate interests.
• Provide business services; for example by organising and holding training courses and conferences, as well as providing industry support, startup services and other advisory services, as well as dealing with investment inquiries. Legal basis for processing: Performance of contracts and legitimate interests.
• Conduct surveys, follow up and analyse; ongoing statistics, market intelligence and customer satisfaction surveys. Legal basis for processing: Legitimate interests.
• Manage external dialogue; responding to comments, complaints and legal claims. Legal basis for processing: Legal obligation and legitimate interests.
• Manage projects; manage and implement various projects, such as Stockholm Archipelago. Legal basis for processing: Performance of contracts and legitimate interests.
• Collaborate with the business community; for example, by arranging international business meetings, business seminars, collaborating with the City’s departments and actors in the destination, investing in the startup sector or marketing Stockholm. Legal basis for processing: Performance of contracts and legitimate interests.
• Provide events and tourist services; for example, by answering questions via email or managing exhibitors and issuing invitations to events, providing information about authorised tourist guides and archipelago guides, and issuing licences for guides. Legal basis for processing: Performance of contracts, legitimate interests and legal obligations.
• Cultivate and manage the brand; for example, by marketing Stockholm to talented workers from abroad, producing promotional films for Stockholm or inviting foreign press and travel agencies to get to know the city. Legal basis for processing: Performance of contracts and legitimate interests.
• Direct mail; We may also contact you with mailings about events and what is happening in the city if you have at any time expressed an interest in such information, consented to it, or if we have deemed there to be a legitimate interest in sending you information in your professional capacity, for example if you are a journalist, blogger or contact person in a relevant organisation. You can always contact us and tell us that you do not want to receive information from us via info.sbr@stockholm.se. Legal basis for processing: consent or legitimate interest, depending on whether you are in contact with us as a private individual or in your professional capacity.

If SBR, as a municipal company, performs an administrative task on behalf of a municipal agency that is the responsibility of the City of Stockholm, the legal basis of public interest may be applied instead of the legal basis of legitimate interest as described above.

Right to withdraw consent

If SBR processes your personal data based on your consent, you have the right to withdraw your consent at any time. This means that SBR must cease the current processing of personal data. Withdrawing your consent does not, however, affect the legality of the processing of personal data before the consent was withdrawn. If you wish to withdraw your consent, please contact us at info.sbr@stockholm.se.

With whom might we share personal data?

When we share personal data, we ensure that the recipient processes it in accordance with applicable data protection legislation. If a supplier is engaged to process personal data on behalf of SBR, a personal data processing agreement is signed with our instructions on how the personal data may be processed. We have processors who assist us with IT services for operation, technical support and maintenance. Media agencies and advertising agencies may also process personal data on our behalf in connection with the printing and distribution of marketing materials.

We also share personal data with organisations that are independent controllers, such as partners, other committees, councils and companies within the City of Stockholm, other municipalities, government agencies and social media when we respond and interact with you.

Personal data is shared within the City of Stockholm in order to fulfil its municipal mandate, for example to provide startup services to companies.

Personal data is shared with partners, such as industry organisations or other actors in the business community, for example hotels and restaurants, in order to promote collaboration and the establishment of business activities.

We may also share personal data with government agencies, such as the police and the Swedish Tax Agency, when we are required to share data by law or if there is a suspicion of crime.

Where we process your personal data and transfer to third countries

We always strive to process personal data within the EU/EEA. In certain situations, however, personal data may be transferred to and processed in countries outside the EU/EEA by a processor (supplier) or sub-processor (subcontractor) to SBR. All such transfers will take place in accordance with applicable data protection legislation.

The grounds for transfer under the General Data Protection Regulation that are mainly used for transfers to third countries are the EU Commission’s adequacy decisions and, in their absence, the EU Commission’s standard contractual clauses with additional safeguards.If you would like further information about or a copy of the safeguards taken in connection with a transfer to a third country to protect your personal data, you can contact us at info.sbr@stockholm.se.

For how long do we save your personal data?

We never store your personal data for longer than is necessary for the respective purpose. However, as a municipal company, SBR must comply with applicable archiving legislation governing how long information containing personal data may be stored and whether it may be erased or must be preserved for the future.Personal data of minor or temporary significance is erased when it is no longer relevant according to the applicable decision to purge for the City of Stockholm.

Your rights as a data subject

The General Data Protection Regulation (GDPR) strengthens your rights regarding how we may handle your personal data. You may exercise the following rights, and more information about your rights is provided below.

Right to information

You have the right to receive information based on the GDPR when your personal data is processed. We do this by providing this data protection information and answering questions if you contact us.

Right of access

You have the right to be informed, upon request and without undue delay, about whether or not SBR is processing personal data concerning you and, if so, to receive a copy of the personal data that is being processed. Information is provided in the form of a register extract in accordance with Article 15 of the GDPR.To ensure that you are the person entitled to request personal data under the GDPR, we may ask you for additional information.

Right to rectification

You have the right to have incorrect or incomplete information about yourself corrected. You can also supplement your information.

Right to erasure

You have the right to contact the City of Stockholm and request that your personal data be erased. Erasure can and may only take place under certain specific conditions.

• If the personal data is no longer necessary for the purposes for which it was collected or processed.
• If you withdraw your consent on which the processing of personal data is based in accordance with Article 6(1)(a) (legal basis) or Article 9(2)(a) (sensitive personal data)
• You object to a balancing of interests we have performed based on the legal basis of legitimate interest, and your reason for objection outweighs our legitimate interest.
• You object to processing for direct marketing purposes.
• Personal data has been processed unlawfully.
• Personal data must be erased in order to comply with a legal obligation to which SBR is subject.

The right to erasure is also limited by public access and confidentiality legislation, as well as the Swedish Archives Act.

Right to restriction

Under certain circumstances, you have the right to request that our processing of your personal data be restricted. For example, if you question whether the personal data is accurate or if we no longer need it for our purposes, but you need it to be able establish, exercise or defend legal claims. This means that you can request that we do not erase your personal data.

If you object to processing we carry out on the basis of a balancing of legitimate interests, you may request that we restrict the processing for the period we need in order to verify whether our legitimate interests outweigh your interests in having the data erased.

If the processing is restricted as described above, we may not do anything else with your personal data, other than storing it, to establish, exercise or defend legal claims or to protect the rights of others, unless we request your specific consent.

Right to data portability

If we process your personal data based on your consent or as part of an agreement with you in an automated manner, you may in certain cases have the right to request that this information be provided to you in a machine-readable format—for example, to transfer it to another data controller.

Right to object to certain types of processing

You have the right to object to SBR’s processing of your personal data. This right applies to personal data processed for the performance of a task carried out in the public interest or for purposes related to a legitimate interest.

You always have the right to opt out of direct marketing (for example, when an organisation contacts a customer directly via email, text message or newsletter. Marketing activities where a customer has actively chosen to use a service or otherwise contacted an organisation to find out more about its services are not considered direct marketing).

In order to continue processing your data when you have objected to a balancing of interests, we must be able to demonstrate a compelling legitimate reason for the processing that outweighs your interests. If this is not possible, we may only process the data to establish, exercise or defend legal claims.

The rules on the public availability of public documents in the Swedish Freedom of the Press Act may impose restrictions on some of your rights described above.

Contact with the data controller

Contact the data controller if, for example, you:

• want to exercise your rights, e.g. request a data extract
• have questions about how we process your personal data

info.sbr@stockholm.se and +46 8 508 28 000 (switchboard)

Contact with the Data Protection Officer (DPO)

SBR’s Data Protection Officer provides advice and ensures that the organisation complies with data protection legislation. You can contact the DPO directly if, for example, you:

• have comments or complaints about how your personal data is handled
• wish to contact the DPO without going through the organisation

The Data Protection Officer is independent in their role and can be contacted directly.Email: funktionsbrevlada.dso@stockholm.se

Submit complaints to the Swedish Authority for Privacy Protection

The Swedish Authority for Privacy Protection (IMY) is a supervisory authority responsible for monitoring the application of data protection legislation. If you believe that a business that is a controller is handling personal data incorrectly, you can submit a complaint to them.For more information about your rights and how complaints are handled, see Data protection for private individuals | IMY.