Publish date: 25 April 2023
Stockholm Business Region AB is a wholly-owned company owned by the City of Stockholm and is part of Stockholms Stadshus AB. Stockholm Business Region conducts its operations with the help of its two subsidiaries: Visit Stockholm and Invest Stockholm.
To explain how we collect and use your personal information.
To describe your rights and how you can implement them.
The policy is aimed at those who come in contact with the Group in the course of its core business operations, either of their own initiative or because we sought them out.
You are always welcome to contact us with any questions about privacy and data protection!
Personal data are information that is directly or indirectly linked to a natural living person. Examples of personal data include your name, address, telephone number, and email address. In some circumstances, even data such as IP addresses or other combined information may constitute personal data.
The processing of personal data includes all handling of personal data, such as collection, registration, and storage.
The data controller is the person who determines the purposes and means of the processing of personal data, either independently or in consultation with others.
The purpose of the processing of personal data
The Group is responsible for promoting and developing Stockholm as a business and tourist destination under the brand “Stockholm – The Capital of Scandinavia.” The Group collaborates closely with the business community, academic, and other institutions as well as with various organizations, municipalities, and federal agencies.
This means that personal data are collected and processed in order to achieve the objective for the Group.
What personal data do we collect, and when do we do so?
Information that you provide to us. For example, when you participate in our events, sign up to our notification lists for events and newsletters, interact with us on social media, contact our business establishment service or apply for event support, or register with Starta Eget Stockholm ('Start your own company in Stockholm') to receive free advice on setting up a company, we may collect:
- Personal and contact information — name, e-mail address, phone number, professional role, and online ID. If you participate in one of our focus groups, or in Starta Eget Stockholm, we may also collect information including gender, place of residence, and nationality. In the case of Starta Eget Stockholm, we also collect personal identification numbers since the service is only available to residents of Stockholm Municipality.
Information we collect about you. For example, if you are a public person, a journalist, or work as a contact person for a company or visit any of our websites, we may actively collect the following information about you:
- Personal and contact information — name, e-mail address, mobile phone number, photo, and online ID.
- Information about how you interact with our websites – how you use our websites.
- Device information – such as IP address, language settings, browser settings, time zone, operating system, platform, and screen resolution.
Information from third parties. We may also collect personal data from someone other than you (a third party). The information we collect from third parties are as follows:
Address information from public records, in order to be sure that we have your correct address information.
If you belong to a certain target group to which we wish to reach out, we may also collect personal information about you from other marketing organizations.
What do we do with your personal data?
We may also contact you via mailing to inform you of events and current affairs in the city. We may do so if you ever have registered your interest in receiving such information or if we judge there to be a legitimate interest in sending you this information; for example, if you are a journalist, blogger, or contact person in a relevant organization. You always have the option of contacting us and saying that you do not wish to receive information from us. Write to us at email@example.com.
Who may we share information with?
Data processors. Sometimes it is necessary for us to share your personal data with other organizations in order to provide our services. A data processor is a company that deals with the information on our behalf in accordance with our instructions. We have data processors that help us with:
- IT services (companies that handle the necessary operation, technical support, and maintenance of our IT solutions).
- Marketing (print and distribution, social media, media agencies, or ad agencies).
Organizations that are independent data controllers
- State authorities (the police, the National Tax Board, or other authorities), if we are required by law to share the information or in cases of suspected crimes.
- Other administrations and municipal companies (in the City of Stockholm) in order to fulfill our establishment service obligations to a business, we may need to share your personal data with other administrations and companies concerned, for example with the City Development Department if your case regards matters related to construction or land.
- Business partners (professional organizations or other industry actors, such as hotels and restaurants). The Group's activities aim to promote interaction with the City of Stockholm both nationally and internationally, and we may therefore pass on some of your data in order to promote and facilitate such collaboration.
Where do we process your personal data?
We always strive to process your data within the EU/EEA. However, data may in some situations be transferred to and/or processed by suppliers or subcontractors in countries outside the EU/EEA.
How long do we store your personal data?
We never save your personal data for longer than is necessary for their respective purposes, is required to meet the existing statutory storage periods, or is necessary for the purposes of other legitimate interests. Aside from legal grounds, the continued relevance/necessity of data is determined by the relationship we have with you, such as an ongoing relationship through a trade organization or event coordination.
What are your rights as a registered person?
Right of access (so-called “extracts from the register”). You have the right to obtain access to the data we process that pertains to you and may request a copy of these. (Information is provided in the form of an extract from the register indicating the purpose, categories of personal data, categories of recipients, storage periods, information about where the information was collected and the presence of automated decision-making).
Pursuant to the General Data Protection Regulation, we may ask you for additional information in order to ensure that you are the one who has the right to request the data.
The right to rectification. You have the right to correct incorrect or incomplete personal information (about yourself), within the context of the purpose for which this data is being processed.
The right to deletion (“the right to be forgotten”). You have the right to request that we delete the personal data we process about you if:
- The data are no longer necessary for the purposes for which they were collected or processed.
- You object to a balancing of interests we have made based on the legal grounds of legitimate interests and your reasons for objection outweigh our legitimate interests.
- You object to the processing of your personal data for direct marketing purposes.
- Personal data has been processed in an unlawful manner.
- Personal data must be deleted in order to fulfill a legal obligation to which the Group is subject.
- The personal data collected is about a child (under 13 years) for whom you have parental responsibility, and the collection took place in connection with the provision of information society services (e.g. social media).
Please be aware that there may be legal obligations that prevent us from immediately deleting parts of your data. These obligations are imposed by the Public Access to Information and Secrecy Act, the Archives Act, the Administrative Procedure Act, and accounting and tax legislation, among others.
The right to the limitation. Under certain circumstances, you have the right to request that our processing of your personal data be limited. For example, if you should call into question whether or not the data are accurate or if we no longer need them for our purposes, but you require them in order to establish, exercise or defend legal claims. This means that you can request that we refrain from deleting your data.
If you object to the processing we conduct with reference to the balancing of interests, you may request that we limit the processing during the time necessary to determine whether our legitimate interests outweigh your interests in having the data deleted.
If the processing is limited as described above, we cannot do anything else with your personal data (beyond actually storing it) other than to use it in the establishment, exercise or defense of legal claims, or to protect the rights of another person, unless we request your specific consent.
The right to object to certain types of processing. You always have the right to avoid direct marketing (for example, when an organization directly contacts a customer via email, SMS or newsletter. Marketing measures in which the customer him/herself actively chose to use a service or otherwise sought out an organization in order to learn more about its services do not count as direct marketing.) and to object to any processing of personal data based on a balancing of interests.
In the instance that you have objected to a balancing of interests, to continue to process your data we are required to demonstrate compelling legitimate grounds for the processing which outweigh your interests. In other cases, we only process the data in order to establish, exercise, or defend legal claims.
The right to data portability. If your personal data are processed automatically on the legal grounds of consent or the fulfillment of a contractual obligation, you also have the right to request these so long as doing so does not affect the rights or freedoms of any other person.
Submitting a complaint to the Data Protection Authority. The Data Protection Authority is a regulatory government authority that is responsible for monitoring the application of privacy legislation. If you believe that an organization is processing personal data incorrectly, you may file a complaint with them.
Cookies – What are they and how do we use them?
Cookies are small text files consisting of letters and numbers that are sent from our web server and stored in your internet browser or on your device. These may consist of:
- Session cookies (a temporary cookie that expires when you close your browser or device).
- Persistent cookies (cookies that remain on your computer until you delete them or they expire).
- First-party cookies (cookies set by the site you are visiting).
- Third-party cookies (cookies set by a third party. These are used for analyses).
In order to improve your experience of interacting with us, we use all the above-mentioned types of cookies on our website www.visitstockholm.com. Some are directly necessary to the functioning of our websites, while others are used to save your selected preferences as a visitor, to obtain visitor statistics, and for marketing.
You can control the use and scope of the cookies you allow by changing your browser settings. For example, you can block all cookies, only accept first-party cookies, or delete cookies when you close your browser. However, be aware that such settings may interfere with the functionality of certain websites.
Stockholm Business Region AB, reg. # 556491-6798, located at Fleminggatan 4, SE-102 26 Stockholm, and its subsidiaries Visit Stockholm, reg. # 556027-5736 and Invest Stockholm, reg. # 556083-1306, are the data controllers for the processing of your personal data as described above.
If you have any questions related to how we treat your personal data, please contact us at firstname.lastname@example.org.