Personal Data Policy
Malmö Opera
1. About Malmö Opera
2. Personal Data Policy
3. How does MO process personal data?
4. Lawfulness and storage period
4.1 Employees
4.2 Recruitment
4.3 Production contracts, Business partners, etc
4.4 Customers
4.5 Suppliers
5. Sensitive data/ Classification of data
6. Period for erasure or retention of data
7. The rights of the data subject
7.1 Access, rectification and erasure
7.2 Right to data portability
7.3 Right to revoke consent
7.4 Rights in relation to profiling
7.5 Right to complain to the Swedish Data Protection Authority
8. Changes to this Policy
9. Contact Information
1. About Malmö Opera
Malmö Opera is the heart and voice of musical drama in Skåne. It was inaugurated in 1944, at the centre of the Öresund region. The stage is one of the largest in Europé and the amphitheatre-shaped auditorium seats 1500 visitors. We perform classic, modern and contemporary musical drama. Malmö Opera employs a full time staff of some 270 and an additional 500-700 part time employees per year. We produce in excess of 300 performances for our main stage, our youth- and child-division and our tours.
Region Skåne owns 90 percent of Malmö Opera through Region Skåne Holding AB. The remaining 10 percent is owned by the City of Malmö.
2. Personal Data Policy
For the purpose of performing our cultural-political assignment and carrying out our activities as cultural producer, event organiser and employer (among other roles), Malmö Opera (hereinafter referred to as MO) processes personal data.
The information in this document, including “MO Register List” (appendix 1) and the register of personal data processors, “MO Personal Data Processors” (appendix 2), represents MO’s Personal Data Policy.
In this policy we account for the registers and documents in the business which contain personal data, the data that is processed and the purpose of the processing. We account for the lawfulness of the processing and the period of time after which the data is erased or retained. We also describe the rights of the data subject (the person whose data we process).
In a number of cases when we process personal data, we do so for the purpose of complying with statutory or contractual requirements or requirements that are necessary in order to enter into an agreement or contract with, for example, an employee, business partner or supplier. If the data subject does not provide us with the data we request, this could mean that we are unable to enter into an agreement or fulfil our obligations under an existing agreement with the data subject.
This personal data policy consists of:
- Malmö Opera’s processing of personal data (this document)
- MO Register List (appendix 1)
- MO Personal Data Processors (appendix 2)
3. How does MO process personal data?
When MO processes and stores personal data, this shall always be done in a lawful, correct, transparent and appropriate manner, and only to the extent MO deems necessary.
MO shall always process personal data in a manner that avoids violating the data subject’s personal integrity. In all cases of personal data processing MO is careful to ensure that the personal data is protected by appropriate security measures.
If the data subject feels any doubt or concern about providing a certain piece of data, the data subject is welcome to contact MO (please see the details at the end of this document under Contact Information) so that we can provide him or her with further information.
From time to time, MO may need to provide information to a relevant third party (including, but not limited to, situations where we have a legal obligation to do so). In order to ensure that your personal data is processed in a safe and secure manner in each such case, MO has a procedure whereby an agreement (personal data processor agreement or equivalent) is entered into with every external party that processes personal data on behalf of MO.
Our personal data processors’ servers are most often located within the EU. In certain cases our subcontractors (or their respective subcontractors) have business operations outside the EEA. We work with different methods to ensure adequate security, for example by applying the EU Commission’s standard contractual clauses for data transfer, or by choosing suppliers who are affiliated with Privacy Shield (for the transfer of data to the USA).
Information about the personal data processors we use is available in appendix 2, MO Personal Data Processors.
4. Lawfulness and storage period
Depending on the purpose for which personal data is received by MO (employment, business partner, customer, etc.), the legal grounds for the processing and the periods for erasure/retention of personal data vary. MO does not process data for a longer period than is necessary in relation to the purposes of the processing, and we carry out regular reviews of the personal data we possess and erase the data that is no longer required. For more information on lawfulness and storage period, please see appendix 1, MO Register List.
Personal data may also need to be stored more generally in order to ensure compliance with legal obligations, for example when it comes to bookkeeping. If such an obligation exists, the personal data may be saved pursuant to some other applicable piece of legislation.
4.1 Employees
Employees’ personal data is processed in order to comply with obligations pursuant to law, collective agreements and/or for the entering into and performance of individual contracts.
The personal data that is processed consists primarily of name, personal ID number, telephone number, bank details, documentation for the payment of salaries and benefits, address, information about next of kin, qualifications, experience and development, absence, sickness and any rehabilitation. The recipients of the data are managers, co-workers within the HR and accounting departments, IT and (if applicable) internal or external parties who administer salaries and other benefits etc. as well as authorities and other contractual partners as required.
An employee’s personal data is required, among other things, for the following purposes: salary payments, salary review and other remuneration and benefits, general personnel administration, time reporting, maintenance of emergency preparedness and disaster planning, contacting relatives in connection with incidents/accidents involving the employee, providing occupational health services, annual leave, administering employment benefits (including pensions, healthcare and sickness insurance), maintaining sickness and absence documentation for calculation of sick pay and participation in rehabilitation investigations pursuant to the work environment act, making decisions about an employee’s suitability for certain work duties, facilitating an evaluation and review of an employee’s performance (including information about work capacity and other assessment information and appraisal meetings with the employee) as well as more generally in order to be able to ensure compliance with legal obligations (including, but not limited to, income tax and social insurance legislation and all relevant labour laws, such as compliance with regulations on the order of precedence that applies in conjunction with redundancies, or in order to be able to issue a reference or certificate of employment).
As a general rule, when an employee leaves MO’s employment there is no longer any reason to save the (former) employee’s personal data. This includes the employee’s email account and details about the employee on MO’s website. In such case the personal data shall be erased as soon as possible after the cessation of employment, although certain important exceptions do apply. In order to fulfil its obligations under labour law, tax law and social insurance law, MO needs to save certain information about the employee even after cessation of employment. For example, data must be saved in order to comply with legal obligations regarding taxation or bookkeeping, obligations concerning the employee’s preferential right of re-employment under the Swedish Employment Protection Act (1982:80), and in order to be able to deal with any legal claims that could be made against MO. It is sometimes also necessary to retain information in order, for example, to be able to pay pensions or severance pay. For more information about storage period, please see appendix 1, MO Register List.
We may also process data in connection with employee satisfaction surveys. Such surveys are conducted to enable MO to identify any shortcomings and thereafter work with improvement measures to ensure a good work environment.
Certain personal data that MO processes as a result of a person’s employment may represent sensitive data, for example data about a person’s health or membership of a trade union. More information about MO’s management of sensitive personal data is provided below.
4.2 Recruitment
MO must process certain personal data in order to be able to deal with job applications, carry out job interviews and make decisions during a recruitment process. The legal grounds for this processing are consent, legitimate interest or a contract.
The personal data that is processed in such contexts includes, among other things, name, date of birth, address, information about education and training, work experience and skills, possibly a photograph, etc. The recipients of the data are primarily HR employees, managers and (if applicable) the recruitment agency whose services we have engaged. If a recruitment agency is managing the recruitment process, a personal data processor agreement is always entered into with this external party.
For more information about storage period, please see appendix 1, MO Register List.
4.3 Production contracts, Business partners, etc.
MO may need to process an individual party’s personal data in order to fulfil legal obligations or be able to enter into and perform agreements regarding production and event contracts or other such collaborations.
The personal data that may be processed by MO in these contexts includes, among other things, name, personal ID number, address, email address, telephone number, bank account number, Bankgiro and Postgiro number. Please see appendix 1, MO Register List.
The individuals who process the data are primarily the managers and employees from the relevant departments as well as HR and accountancy employees.
Processing of this information may be required, among other things, for payment of fees and other remuneration, general administration, production planning, maintenance of emergency preparedness and disaster planning, and also more generally to ensure fulfilment of legal obligations.
For more information about storage period, please see appendix 1, MO Register List.
4.4 Customers
MO processes personal data in order to be able to enter into and manage agreements and contracts with our customers. Our General terms & conditions for ticket purchases, including personal data policy, apply to individual customers who buy tickets via our box office or via our website. Please see our website for more information.
If the customer is an agent or an organiser (for example a school), we process data for persons who are representatives for our customers. Certain personal data may also be processed by MO due to a legal obligation, for example the need to state personal data on invoices in order to comply with bookkeeping legislation.
The personal data that may be processed in these contexts includes name, address, telephone number and email. The recipients of the data are primarily relevant persons at the sales department as well as the accountancy department. Producers, production managers and technicians may also process the data.
The data is processed in order to be able to conduct dialogue with the customer and to generally be able to administer the customer agreement. Representatives’ personal data may also be processed for the purpose of sending offers and information to the customer company. If MO processes personal data regarding representatives for potential customers, this is done for the purpose of contacting the customer in order to be able to provide the customer with offers and information via telephone, SMS or email.
The customer accounts are set up in our CRM system, and every fifth year we perform an internal review of customers’ user accounts in order to identify the accounts that are inactive, after which we erase or anonymise the user accounts where there has been no logins or other activity during the past 5 years.
Please also see our General terms & conditions for ticket purchases, including personal data policy.
4.5 Suppliers
In order to be able to enter into and manage agreements and contracts with suppliers, MO processes personal data belonging to persons who are representatives for the suppliers. Certain personal data may also be processed by MO due to a legal obligation, for example the need to state personal data on invoices in order to comply with bookkeeping legislation.
MO processes personal data regarding representatives for supplier companies with whom we have or intend to enter into an agreement or contract. The personal data that may be processed in these contexts includes, among other things, name, address, telephone number, email and job title. The recipients of the data are primarily employees or managers at the relevant section/department as well as the accountancy department.
MO processes the personal data in order to generally be able to administer purchasing contracts, manage invoices and to be able to pose questions to the supplier regarding the goods or services we are purchasing.
However, MO may need to store the personal data even after the contractual relationship has ended, among other things in order to administer any warranty periods and manage any statutory requirements. Personal data may also need to be stored more generally in order to ensure fulfilment of legal obligations, for example in relation to bookkeeping.
For more information about storage period, please see appendix 1, MO Register List.
5. Sensitive data/ Classification of data
The term sensitive data refers to personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
MO does not normally process sensitive personal data in its business activities, and if sensitive date is processed in some instance, the processing never takes place without consent from the data subject or without the existence of the type of support that is specified in article 9 of the General Data Protection Regulation, for example:
- when the processing is necessary for the purposes of carrying out obligations or exercising specific rights within the field of labour law, social security and social protection,
- when the processing is necessary to protect the vital interests of the data subject or some other natural person,
- when the data subject is physically or legally incapable of giving consent,
- in certain cases within the framework for trade union activities,
- if the data has already been made public by the data subject,
Or when the processing is necessary for:
- reasons of substantial public interest,
- the purposes of, among other things, the assessment of the working capacity of the employee or the provision of health or social care,
- for statistical purposes.
In connection with every processing of sensitive data, MO always undertakes appropriate security measures to protect the data. Personal data is never made available to more recipients than necessary.
It is the responsibility of every employee to classify the information and data that is received by MO on the basis of the data’s degree of sensitivity. The section/department managers are responsible for ensuring that the employees at each department are aware of and carry out this classification.
If sensitive data (class 1-2) is received by MO and MO has no reason to process such data, the data shall be erased immediately.
Personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation Class 2) Personal data such as personal ID number and bank account/card number Class 3) Personal data such as name, address, telephone, email address] Personal data (class 3) received as contact details or for fulfilment of an agreement or other undertaking is processed during the period there are valid legal grounds for the processing.
6. Period for erasure or retention of data
The purpose of the collection of personal data (for example to perform an employment contract or to obtain contact details to a business party in order to be able to carry out collaborative activities) determines how long MO processes the data. When MO no longer has cause to process the data, and if the data is not subject to the law on archiving or some other legislation, the data is erased or anonymised.
The period of time after which a register/document shall be archived or retained is based on MO’s Archiving Rules as well as that which is set out in MO Register List (appendix 1).
If the legal grounds are not based on an agreement or contract, legal obligation or legitimate interest, consent is sought from the data subject to save the data subject’s contact details if there is cause to do so.
Given the nature of MO’s business activities, with the work based on seasons, and where programme scheduling and the work with future productions and events is prepared during a period of at least three to four years in advance and requires at least a further year’s work after the event, MO processes personal data during five years. Thereafter new consent is sought from the data subject, or else the data is erased.
The MO Register List (appendix 1) contains information about the personal data that is contained in each register, along with the purposes for which the data is processed, the legal grounds for the processing, the period of time during which various data is processed, the data flow (i.e. which digital systems the data has been entered into), any legal obligations or issues of legitimate or public interest, etc.
7. The rights of the data subject
7.1 Access, rectification and erasure
The data subject has the right to contact MO in its capacity as personal data controller and request access to the personal data that MO processes. The data subject is also entitled to request information about, among other things, the purposes of the processing and the recipients to whom the personal data has been disclosed.
In its capacity as personal data controller, MO shall provide the data subject with a free-of-charge copy of the personal data that is processed. MO may charge an administration fee for the provision of extra copies.
The data subject has the right, without undue delay, to have his or her personal data rectified or, under certain conditions, restricted or erased. If a data subject feels that MO is processing personal data about the data subject that is incorrect or incomplete, the data subject may demand rectification or completion of such data.
The data subject also has the right to have his or her data erased if, among other things, the processing of such data is no longer necessary or the processing is based on consent and the consent has been revoked.
If the data subject requests to have his or her data rectified or erased or to have the processing of the data restricted, MO, in its capacity as personal data controller, has a procedure to notify, using a reasonable amount of effort, each recipient of the personal data about the data subject’s request.
A request for an excerpt, rectification or erasure shall be made via the email address that is stated at the end of this document under Contact Information.
The data subject has the right, at any time, to object to the processing of his or her personal data if the legal grounds for the processing are based on public interest or legitimate interest pursuant to article 6.1 (e) and (f) of the General Data Protection Regulation. The data subject also has the right, at any time, to object to the processing of his or her personal data if the data is being processed for direct marketing purposes.
7.2 Right to data portability
The data subject has the right to receive the personal data that he or she has provided to the personal data controller and has the right to request that the data be transferred to another personal data controller. However, this applies under the condition that (a) it is technically possible, and (b) the legal grounds for the processing are based on consent or the fact that the processing has been necessary for the performance of an agreement or contract.
7.3 Right to revoke consent
If the personal data processing is based on the data subject’s consent, the data subject has the right, at any time, to revoke his or her consent. Such revocation does not affect the lawfulness of the personal data processing before the consent was revoked.
7.4 Rights in relation to profiling
The data subject has the right to not be subject to a decision that is based solely on automated processing, including profiling, and which could produce legal effects for the data subject or could have a similarly significant effect on him or her. However, this does not apply if (a) the processing is necessary for the entering into or performance of a contract with the data subject, (b) the processing is authorised under applicable law, or (c) the legal grounds are based on the data subject’s consent.
7.5 Right to complain to the Swedish Data Protection Authority
The data subject has the right to lodge a complaint with the Swedish Data Protection Authority.
Contact details:
Telephone: +46 (0)8 657 61 00
Email: datainspektionen@datainspektionen.se
8. Changes to this Policy
MO reserves the right to change and update this Policy. In the event of material changes to the Policy, or if existing data is to be processed in a manner that is different to the manner described in this Policy, MO will provide information about this in an appropriate manner.
9. Contact Information
Personal Data Controller:
Malmö Opera och Musikteater AB
Box 17520
200 10 Malmö
Tel: 040-20 84 00
E-mail: info@malmoopera.se
Org.no. 556256-2065
Personal Data Coordinator:
E-mail: Personuppgiftssamordnare@malmoopera.se