The Swedish Pharmaceutical Society’s aim is to promote high professional standards in the pharmaceutical field and to endeavour to achieve development and use of pharmaceutical products in a manner that is beneficial for the individual and for society. Toward this end, the Swedish Pharmaceutical Society promotes professional development and skills development within the field of pharmacy. A natural person may be accepted as a member if that person can be expected to uphold the aims of the Society. According to the statutes, a member must also belong to a division and/or one or more sections. This purpose is the overall purpose of the process described here. Other purposes also apply at certain times, as described below. In addition to pharmaceuticals, the Swedish Pharmaceutical Society also focuses on the field of medical technology.

The legal basis for the processing in the following points consists of a contract (the statutes must be considered as a contract).

1. Application. If you wish to become a member, you can apply via our website. Sometimes you may already have been in contact with Läkemedelsakademin i Stockholm AB (for example, if you have done an educational course) which means that we may already have personal data saved on you. If we have personal data saved on you,you must choose the option “jag har konto” [I have an account] at this point. Otherwise you choose the option “jag vill skapa konto” [I want to create an account]. You log in to your account using your e-mail address and a password that you choose yourself (these are then saved so that you will be able to log back in to your account). The selected log-in details are saved with us to enable you to see your membership information on Mina sidor. The purpose of this step is to obtain new members and to make it easy to apply for membership and manage your membership in future.
2. Data is registered. In this step, you register information about yourself that we need in order to be able to process your membership. If you do not have an account, you fill in all the details. If you have an existing account, you check and supplement the details as necessary. Because we have different membership fees for different categories of member, information is also registered on the status of “Member”, “Pensioner” or “Student”. At this stage, we also ask you to register you personal identity number, which we need in order to be able to securely identify our members and to avoid duplicated registration, which can occur if you used different e-mail addresses when you created an account. In addition to this, we also obtain your name, mobile number, first degree, the field in which you are active (an optional field that you fill in if you want to receive targeted offers from us) and details of the address to which we must send the advice for payment of membership fees. We store your personal data in our business system, which then updates “Mina sidor” on the website. The purpose of this step is the same as for step 1.
3. Select a division and section. In accordance with our statutes, you must select a division and/or section of which you wish to be a member. You make that choice in this step. We store your information in our business system, which then updates  “Mina sidor” on the website. The purpose of this step is the same as for step 1. For the Section for Hospital Pharmacy, the membership also include membership in the European Association of Hospital Pharmacists (EAHP) which sends direct mail to the members. We will therefore send them names, addresses and e-mails once a year.
4. Payment information. The purpose of this step is to enable us to take payment and keep our accounts. We ask you to register the personal data required for this purpose. The legal basis for the processing is a contract (the statutes) and a legal obligation (the Book-Keeping Act).
5. Membership is confirmed. When you have notified us of your wish to become a member, you will receive confirmation from us. Your membership is finally approved at the time of payment of the membership fee in cases where it is payable, i.e., if you have not received a free membership, which sometimes occurs in conjunction with campaigns.

All steps in this process are for the purposes of membership administration and to ensure that proper payment of membership fees is made.

1. Preparation. Since the Swedish Pharmaceutical Society has different membership fees for different categories of members, the work of issuing payment advice for membership fees begins with an update in our business system. We identify those who will reach the age of 65 in the next calendar year and change your membership status to “Pensioner” in the system. We also go through the membership category of “Student” to see whether it is time for a possible move to the status of “Member”. In this step, we use the details you registered on your age and/or first degree and/or your workplace to enable us to carry out the assessments.
2. A selection is made. In this step, a further selection is made in our business system to enable us to identify members that are not obliged to pay a membership fee (this refers to members such as new members who were registered on 1 August or later in the year in question and honorary members).
3. Payment advice is sent. In this step, our business system issues payment advice to the members who must pay a membership fee. The advice must clearly indicate your type of membership and for that reason we process personal data relating to your name, address (home or place of work), e-mail, membership number, membership status (see step 1) and the divisions and sections of which you are a member. When the selection has been made, supporting data for the advice is sent in PDF format to the printer for printing of invoices which are then sent out to the members. The legal basis for this step consists of a contract (the statutes) but also a legal obligation (production of supporting data for accounts).
4. Payment reminder. Those who fail to pay receive reminders on two occasions. If payment is not made after two reminders, we terminate the membership (for how this is done, see the next process). If you fail to pay the fees, the Swedish Pharmaceutical Society presumes that you are longer interested in being a member. In that case, your personal data is processed for the purpose (besides what is indicated above) of carrying out membership administration in a reasonable way (including keeping down the cost of payment reminders). The legal basis consists of a contract (the statutes).

1. The notices “terminate membership”/”not paid despite reminders”. If you no longer wish to be a  member, you inform us by telephone or by sending an e-mail to our society support services. The data processed in this step consists of contact details (name, personal identity number, e-mail address, telephone number). The purpose of the processing is to provide you with a service whereby you can terminate your membership and the legal basis consists of a contract (the statutes). This step is also initiated if you have failed to pay your fees despite the fact that you received two reminders, as is clearly set out in the statutes. In this case, data is also processed for the purpose of managing membership administration in a reasonable way (including keeping down the cost of payment reminders).
2. Deregistration. In this step, you are deregistered as a member by making a note of your new status (former member) in the business system. The membership data registered on you in the business system is saved for a further period. The purpose of this storage is to enable us to manage the remaining administration of payments, etc. and to retain the data for the purpose of rejoining the Society because we know that many people change their minds after a while (see also point 4). However, data concerning membership mailings is immediately cleansed from our bulk-mail system because there is no longer any reason to send membership information to you. The legal basis for the processing in this step consists of a contract (the statutes) but also a legal obligation (to keep data to enable us to invoice, keep accounts and comply with legislation on foundations).Sometimes you have relationships with us other than membership. You may, for example, have received scholarships or have participated in our educational courses/activities. This means that, even if you terminate your membership, there may be remaining relationships in which personal data is processed. We have also described such processing on a fact sheet like this. Please consult that fact sheet if you want to find out more
3. Message.  In this step, you will be notified by e-mail that your membership has ceased. Names and e-mail addresses are processed.
4. Rejoining within one year. If you told us that you do not wish to have the opportunity of rejoining, we cleanse the personal data connected to your membership in the business system when you have paid any remaining debts to the Society (if there is no other legal basis for storing the data such as a legal obligation). Otherwise, we send out mailings by e-mail for one year to try to persuade you to rejoin (after which we delete the personal data relating to your membership).As stated in step 2, you may have had relationships with us other than your membership, which means that personal data on you relating to the other relationships may remain. If you wish to find out more about how we deal with personal data in such cases, please go to the process in question

The purpose of processing personal data in this step (besides what is stated above) is to manage interesting proposals received so that they can be developed into concrete activities in sections and divisions.

1. An idea comes up. Activities are organised in order to promote the aims of the Society. In this step, personal data that can be linked to the person putting forward the proposal (e.g., e-mail address, workplace and name) is processed. Furthermore, personal data on possible speakers (e.g. names and contact details) is also processed. The legal basis for processing in this step consists of a contract (the statutes) and, in relation to possible speakers, a legitimate interest. We have a list of those who have previously collaborated as speakers and we have received recommendations on who to ask. We know that many people appreciate being asked to speak, for their own development and for the development of others. When we receive a recommendation on a new potential collaboration, we always ask whether the person wishes to be on our list. This is to ensure that everyone who is interested and who has the right expertise will have the opportunity to be asked to collaborate in our activities. If a person in our collaborator bank has not collaborated with us in five years, we delete this data.
2. Checking with possible speakers. In this step, we contact a possible speaker by e-mail or telephone to find out whether they are interested and we then process personal data relating to the speaker and the employee (names, e-mail addresses, contact details). In this step, the legal basis consists of contracts (the statutes, employment contracts and negotiations on a contract with the speaker).
3. Practical checks. If the speaker accepts the invitation to speak, in this step we deal with travel bookings and similar practical issues. We also carry out checks with the speaker concerning his or her presentation. We process personal data required for these purposes such as names, telephone numbers and e-mail addresses. The legal basis consists of contracts (with the speaker and employment contracts).

The overall purpose of this process (besides what is initially stated) is to manage and market activities so they can be implemented. When you have signed up for an activity,  the legal basis consists of a contract. Prior to that, there are other legal bases that are described in the steps.

1. The activity is offered. In this step, we register the activity and then publish it on the website (the personal data processed consists of the information contained in the invitation, for example relating to the collaborating speaker). In this way, interested members can access the offer regarding the activity. In this step, the purpose is administration of the activity to enable it to be publicised. The legal basis consists of contracts (with collaborating speakers).
2. The activity is marketed. Besides on the website, we also market the activity in the following ways:We e-mail people we think will be interested. To enable us to do this, we sometimes process personal data from those who have given their express consent to profiling (we do this in the manner described in the introduction to our Privacy Policy). The mailings contain the same personal data as in step 1.The invitation (the same personal data as in step 1) is also published on our Facebook and LinkedIn pages. This means that anyone can post comments. We regularly delete comments on our social media because they can contain personal data, though no later than when the activity has been carried out or at least once a year.

   In the marketing activities, we use the legal basis of consent (profiling) as well as the basis of legitimate interest (direct marketing). If you withdraw your consent or object to your personal data being used for marketing purposes, we delete the personal data to which the withdrawal/objection relates. Note that there can be several reasons why we hold your personal data so there may still be reasons for processing personal data on you (see other processes to find out other ways in which we process personal data on you).

3. Applications are registered. In this step, applications from those who wish to take part in the activity are registered. Personal information obtained from you (name, personal identity number to be able to subsequently issue certificates, other contact details, food allergies, the field in which you are active and what basic education you have ) is registered. Some of the fields are optional and only need to be filled in, for example if you want us to be able to offer customised activities in future (you then also need to consent to profiling, see our Privacy Policy).If, as a participant, you also wish to receive a certificate of the activity, your personal identity number also needs to be registered (this also means that the data will be saved for a longer period to enable us to issue a certificate).After you have registered, you will receive confirmation of this by e-mail.

   You are also asked to pay the cost of the activity. After this has been done, your participation is given the green light.

   Because registration of your food allergies entails processing sensitive personal data (health is considered to be sensitive data in the GDPR) we ask you for express consent when you submit your application. If you do not want to give such consent, we cannot provide you with the right food.

   The purpose of the processing in this step is necessary administration, e.g. to ensure that we can receive payment and that the right food can be offered.

4. Information is sent out. This step is necessary to enable you as a participant to access all the information you need concerning the activity. Information is sent by e-mail (personal data such as e-mail addresses and information linked to the collaborating speakers is processed).

In this process, the activity is carried out. In addition to the overall purposes referred to initially, additional purposes for this step consist of necessary administration of participation and dietary requirements. The legal basis for this step consists of a contract (the contract that you as a participant entered into when you registered for the activity on Mina sidor).

1. Lists of participants are drawn up. In this step, we draw up lists of participants (we use personal data registered for the activity on Mina sidor, see the previous process) and the persons responsible for the activity locally can access them. With regard to food allergies, information is e-mailed to those responsible for the activity to ensure that the right food can be provided (no personal data is e-mailed, but only the number of people who need various types of special food).
2. Attendance is noted. We have now come to the point where the activity will be carried out. Initially, an attendance check is carried out against the lists of participants. The purpose of this (besides what is indicated above) is to be able to subsequently issue a certificate for the activity completed and to be able to charge anyone who fails to attend a “no-show fee”. Sometimes participants who have not pre-registered also turn up (see previous processes) and there is a possibility that they may be able to participate, despite the fact that they have not pre-registered. The notes made in this step will be registered in the master system in  follow-up work (see point 1 in the next process).
3. The activity is carried out. In this step, the activity is carried out. The personal data processed is the data contained in the presentation by the person putting forward the proposal and lists of participants. The personal data collected earlier regarding food allergies means that the right food can be serve. When an activity is carried out, there is usually a list of participants accessible on Mina Sidor [My Pages]. Many participants ask for a list of participants in connection with our activities. Naturally, we consider networking an important part of the development of competence. Because of this, we believe that you as a participant have the interest, and the legal basis is thus justified interest. The lists include the participants’ first and last names as well as their organization. If you do not want your name and organization to be included in the list of participants, please e-mail the project administrator responsible when you are registering or otherwise as soon as possible. Should you have other questions regarding the list of participants, you can contact the project administrator responsible at any time. Sometimes, the activity is recorded or streamed, which means that personal data relating to those present (images) is processed. The purpose of this is to subsequently provide participants with better documentation. We always indicate in the invitation if we intend to record or stream, so that participants can put forward any comments or ask questions. If you are not comfortable with the fact that we stream, we will be happy to discuss with you how we can stop you being visible in images. The legal basis consists of legitimate interest because we know from experience that recordings/streaming are usually appreciated by the participants and add value.

1. Attendance is registered. After the course has been carried out, the attendance notes are transferred (see step 2 of the previous process) to our business system (registration is carried out by the person responsible via Mina Sidor). The purpose of the processing in this step, besides what is indicated above, is to be able to subsequently issue a certificate for the activity completed and to be able to charge anyone who fails to attend a “no-show fee”.
2. Information is sent out. In this step, information is sent to you as a participant on where documentation, recordings or similar can be obtained. In this step, personal data such as names and e-mail addresses is processed. The purpose of the processing (besides what was indicated previously) is to add value for the participants. The legal basis consists of contracts (contracts with collaborators and participants).
3. Financial management. In this step, personal data required to attend to invoicing and payments for food and accommodation and fees is processed. The legal basis for processing in this step consists of a contract and a legal obligation (Book-keeping Act).
4. The activity is completed. When the follow-up work has been completed, the activity is flagged in the master system as having been completed. This flagging is required, among other things, to enable proper weeding to be carried out. No personal information is processed in this step.We delete sensitive information such as dietary restrictions or allergies no later than 48 hours after the activity has been carried out. We delete other practical information such as the time, place and date after the activity has been carried out and at the moment when the activity has been paid for. If you chose to give your personal identity number when registering, your certificate for the activity and material for participants are saved for five years on Mina sidor, whereafter that information is also deleted.

1. Decision on a call for applications. In this step, we decide that a call for applications for funds must be issued and the work involves some internal exchanges of e-mails. The personal data processed is linked to this.
2. Marketing. When the decision has been made in step 2, it is time to market the call for applications so that anyone interested can obtain information that funds can be applied for.
   It is not enough to simply publish the offer on the website to be able to fulfil the overall purposes. The call for applications is also disseminated in the following ways:
   We e-mail people we think will be interested. To enable us to do this, we sometimes process personal data from those who have given their express consent to profiling (we do this in the manner described in the introduction to our Privacy Policy). The mailings contain the same personal data as in step 1.
   The invitation (the same personal data as in step 1) is also published on our Facebook and LinkedIn pages. This means that anyone can post comments. We regularly delete comments on our social media because they can contain personal data, no later than when the activity has been carried out or at least once a year.
   In the marketing activities, we use the legal basis of consent (profiling) as well as the basis of legitimate interest (direct marketing). If you withdraw your consent or object to your personal data being used for marketing purposes, we delete the personal data to which the withdrawal/objection relates. Note that there can be several reasons why we hold your personal data so there may still be reasons for processing personal data on you (see other processes to find out other ways in which we process personal data on you).
3. The application is registered. In this step, applications from those seeking subsidies are registered. Personal data (name, home address, person identity number to enable us to pay and manage other matters correctly, other contact details, bank account details, the field in which you are active, what basic education you have, the year you graduated, who your tutor is and the purpose for which you are applying for funds, is registered. Some of the fields are optional and only need to be filled in, for example, if you want us to be able to offer customised educational courses in future (you then also need to consent to profiling, see our Privacy Policy).
   When you have registered you will receive confirmation by email.

   The purpose of the processing in this step is necessary administration to enable us to prepare incoming applications in advance of a decision and to possibly pay out the amounts awarded as quickly as possible to the right person. After all the steps have been completed, we proceed to the next process in which applications are assessed

1. Supporting data for a decision. In the first step, supporting data is compiled for the scholarship committees that will make a decision (see step 2). Supporting data for a decision, containing personal data consisting of your name, the company you work for, the purpose for which you have applied for funds and the amount applied for, is compiled. To this we attach a draft decision and reasons. The supporting data is shared with the Board members via Mina sidor.The purpose of this step is to prepare the decision and provide the Board members with a comprehensive view of the supporting data for the decision.
2. Decision meeting. In this step, the scholarship committee holds a decision meeting. During the meeting, the supporting data in the previous step is supplemented with any incoming attachments and notes on whose applications are approved and whose are rejected. Minutes are taken of the meeting, with corresponding personal data attached.The amount awarded is included in the list and, after the meeting, is transferred to our master system, whereafter the supporting data for the decision is weeded. A list of approved applications is drawn up from the master system. The list of approved applications contains information consisting of the names of the persons who have been awarded funds and the purpose and amount awarded. This and the minutes (after they have been countersigned) are stored for the periods specified initially (2 or 7 years).
3. The decision is communicated. In this step, the decision is sent out to all applicants by e-mail. A list containing the names of those awarded funds, which foundation the funds come from, the purpose to which they relate and the relevant period of time and the amount awarded is sent out. Names and e-mail addresses for all applicants are also processed in this step

The purpose of the processing in this step is to provide all applicants with information.

Some follow-up work takes place in these processes.

1. Payment. To enable us to pay out funds according to the decision in the previous process, we need to process personal data consisting of names, foundations, total amount granted, amount actually paid out and the number of the minutes. We also check that a bank account number exists for those to whom funds are to be paid out and we supplement the information otherwise. The payment will then be made and we note the status of “Paid out” on your personal card in our master system.The purpose of the processing in this step is to execute the decision by paying out funds.
2. Accounting. In this step, we fulfil our accounting obligation by entering supporting documents linked to the decision for each foundation in the accounts. This means that personal data relating to name, purpose, time of the activity, amount and foundation name is processed because such information is available in the supporting documents.
3. Analysis. In order to ensure that scholarships are of high quality, an analysis is carried out of the number of incoming and approved applications per foundation. No personal data on you as an applicant is processed.
4. Weeding. Weeding of incoming scholarship applications is carried out after 2 years (received but not approved) and 7 years (approved), see also in the introduction to this chapter. Bank account numbers are deleted after the final payment for approved scholarships and immediately after the decision meeting for applications that were not approved.

In this process, we describe various measures that may occur after the scholarship has been paid out. We have described it as a process, but not all steps are obligatory or will even come in this order. The overall purpose of these steps is to control whether the funds are used in a manner that is compatible with the charter of foundation and, if not, to ensure that they are repaid.

1. Feedback. Persons who have been granted a scholarship must provide feedback in the form of testimonials or other agreed materials. In this step, the personal data processed consists of names, e-mail addresses and the data contained in the reporting of the purpose. When we have received your feedback, we change the status in our master system from “paid out” to “feedback received”.
2. Follow-up. We follow up how funds awarded are used by going through the minutes containing the decision and verifying whether we received feedback (see step 1 above). If we have not received it, we take […] which can lead to us having to deal with matters relating to changes or repayment (see steps 3 and 4). In this step, we process personal data such as names, the purpose for which the funds were granted, the amount granted and from which foundation.
3. Change. A person who has received a scholarship for a particular purpose asks if it is possible to change to another purpose. If you are in that situation, personal data such as e-mail addresses, names and your and our thoughts on the existing and the desired purpose is processed. If you are not granted approval, you will need to pay the money back.The purpose of the processing of personal data in this step, besides what was initially stated, is linked to answering your question concerning a change.
4. Repayment. Sometimes a person granted a scholarship wants to pay funds back. At other times, we initiate a repayment because we see that the funds have not been used for their intended purpose (e.g. if no feedback takes place). If you are in that situation, personal data such as e-mail addresses, names and various assessments concerning repayment is initially processed. When you have repaid the amount, we will change the status in our master system so the system reflects the current situation (the status “partially repaid” or “not used” is registered) which will then be registered on your personal card.
5. Weeding. Weeding of incoming scholarship applications is carried out after 2 years (received but not approved) and 7 years (approved), see also in the introduction to this chapter. Bank account numbers are deleted after the final payment for approved scholarships and immediately after the decision meeting for applications that were not approved.

1. 1. Calls. In this step, a notice is sent to those who must be called to the meeting in accordance with the statutes. In the case of the Council, the elected delegates are called. The personal data processed in this step consists of the names and e-mail addresses of the persons concerned, which we have stored in our master system for that reason, among others.
   2. Applications are registered. In this step, applications from the persons called in step 1 and who wish to take part in the meeting are registered. Personal data processed on you consists of your name, contact details, the field in which you are active, what basic education you have and any food allergies. After you have registered, you will receive confirmation of this by e-mail. Because registration of your food allergies entails processing sensitive personal data (health is considered to be sensitive data in the GDPR) we ask you for express consent when you submit your application. If you do not want to give such consent, we cannot provide you with the right food.
   3. Information is sent out. This step is necessary to enable you as a participant to access all the information you need. You will have some information sent to you by e-mail (in that case primarily names and e-mail addresses are processed), but documents may also be sent by post (names and home addresses).
   4. Bookings. To hold the meeting, we need to book food and hotel rooms. This means that we process personal data on food allergies and hotel reservations at this stage. We send names to the hotel of the persons who will have rooms, though we send no personal data in the case of food allergies.
   5. Wedding. We delete sensitive information such as dietary restrictions or allergies no later than 48 hours after the activity has been carried out. We delete other practical information such as the time, place and date as well as the list of participants after the activity has been carried out and at the moment when the activity has been paid for. If you chose to give your personal identity number when registering, your certificate for the activity and material for participants are saved for five years on Mina sidor, whereafter that information is also deleted.

The overall purpose of this process (besides what is initially stated) is to manage and market educational courses so they can be implemented. When you sign up for an educational course,  the legal basis consists of a contract. Prior to that, there are other legal bases that are described in the steps.

1. Make a decision on a new course. In this step, the idea for a new educational course comes up either internally or is requested by a customer. The personal data processed consists of names, telephone numbers, e-mail addresses, etc. (employees’ and the customer’s). The legal basis for processing is a contract.In this step, personal data linked to the project manager and other employees as well as personal data on possible collaborators (names, e-mail addresses, postal addresses, which company the collaborator works for) is processed. A personal identity number is also obtained to allow fees to be paid to the collaborator. In this step, the collaborator also specifies any allergies or other dietary requirements. The purpose of the processing is to manage the educational course and also to obtain supporting data for outgoing payments and accounting. The legal basis consists of contracts (both employment contracts and contracts with collaborators) and a legal obligation (the Book-Keeping Act)
2. An educational course is offered. In this step, the educational course is registered and is then published on the website. In this step, the purpose is administration of the educational course to enable it to be published and the legal basis is a contract (with the persons who will hold the educational course). The personal data processed consists of contact details and names and company details for collaborators.
3. The educational course is marketed. In addition to publishing information on our website, we also market the educational course in the following ways:
   We e-mail people we think will be interested. To enable us to do this, we sometimes process personal data from those who have given their express consent to profiling (we do this in the manner described in the introduction to our Privacy Policy). The mailings contain the same personal data as in step 2.

   The invitation (the same personal data as in step 2) is also published on our Facebook and LinkedIn pages. This means that anyone can post comments. We regularly delete comments on our social media because they can contain personal data, though no later than when the educational course has been carried out or at least once a year.

   In the marketing activities, we use the legal basis of consent (profiling) as well as the basis of legitimate interest (direct marketing). If you withdraw your consent or object to your personal data being used for marketing purposes, we delete the personal data to which the withdrawal/objection relates. Note that there can be several reasons why we hold your personal data so there may still be reasons for processing personal data on you (see other processes to find out other ways in which we process personal data on you).

4. Applications are registered. . In this step, applications from those who want to take part in the educational course are registered. Depending on the educational course, different personal data is registered for those who wish to take part (e.g. names, personal identity numbers to allow certificates to be issued later, other contact details, food allergies, the field in which you are active, what basic education you have, the number of years for which you have worked and the number of courses in the field and any membership of the Swedish Pharmaceutical Society). Some of the fields are optional and only need to be filled in, for example, if you want us to be able to offer customised educational courses in future (you then also need to consent to profiling, see our Privacy Policy).If you, as a participant, also wish to receive a certificate from the educational course, your personal identity number must also be registered. If you chose to give your personal identity number when registering, your certificate for the activity completed and material for participants are saved for five years on Mina sidor, whereafter that information is also deleted.
   When you have registered you will receive confirmation by email.

   You are also asked to pay the cost of the educational course at this point (see the description of the financial process to see how personal data is used there). After this has been done, your participation is given the green light.

   Finally, in this step, you can also register the fact that you wish to become a member of the Society.

   The purpose of the processing in this step is necessary administration, e.g. to ensure that we can receive payment and that the right food can be offered.

5. Information is sent out. This step is necessary to enable participants to access all the information they need on the educational course. The participants receive information by e-mail (personal data such as e-mail addresses and information linked to collaborators is processed). The legal basis consists of contracts (with participants, collaborators and employment contracts).

In this process, the educational course is implemented. In addition to the overall purposes referred to initially, additional purposes for this step consist of necessary administration of participation and dietary requirements. The legal basis for this step consists of a contract (the contract that you as a participant entered into when you registered for the activity on Mina sidor).

1. Lists of participants are drawn up. . In this step, we produce lists of participants and name badges (we use personal data that was registered for the activity on Mina sidor, see the previous process) and persons responsible locally can access it there. With regard to food allergies, information is e-mailed to those responsible for the activity to ensure that the right food can be provided (no personal data is e-mailed – only the number of people that need various types of special diet).
2. Attendance is checked. We have now come to the moment when the educational course is to be held. Initially, an attendance check is carried out against the lists of participants and participants are given a name badge. Other preparations are also carried out so the educational course can be held. The purpose of this (besides what has previously been indicated) is to be able subsequently to issue a certificate for the educational course completed.
3. The educational course is held. In this step, the educational course is held. The personal data processed is the data contained in the presentation by the person putting forward the proposal and lists of participants. The personal data collected earlier regarding food allergies means that the right food can be served. At the beginning of the educational course, we usually distribute a list of participants. Many participants ask for a list of participants in connection with courses. Naturally, we consider networking an important part of the development of competence. Because of this, we believe that you as a participant have the interest, and the legal basis is thus justified interest. The lists include the participants’ first and last names as well as their organization. If you do not want your name and organization to be included in the list of participants, please e-mail the project administrator responsible when you are registering or otherwise as soon as possible. Should you have other questions regarding the list of participants, you can contact the project administrator responsible at any time.Sometimes, the educational course is recorded or streamed, which means that personal data relating to those present (images) is processed. The purpose of this is to subsequently provide participants with better documentation. We always indicate in the invitation if we intend to record or stream, so that participants can put forward any comments or ask questions. If you are not comfortable with the fact that we stream, we will be happy to discuss with you how we can stop you being visible in images. The legal basis is a contract because, for some of our educational courses, we offer recordings/streaming as an alternative to participation in the course.

1. Follow-up work. After the course has been completed, personal data related to attendance is registered so that correct certificates can be issued (for example, the status of “Present” is registered for those who were present at least 80 per cent of the time). In this step, those who were on the waiting list for the course are deregistered (the status of “Cancelled” is registered).  Furthermore, an e-mail is sent to participants to enable them to download a certificate and course material from Mina sidor (names and e-mail addresses are processed). If, at the time of the application, you placed a cross to indicate that you wished to become a member, the information is forwarded to the Swedish Pharmaceutical Society support services in this step (see also the “Membership” process on the website).The purpose of the processing in this step, besides what was indicated previously, is necessary administration and service, e.g. to send out supporting data and to be able subsequently to issue certificates for the educational course completed.
2. Evaluation. Evaluations are carried out in order to ensure that the educational courses are of high quality. These evaluations can be carried out after the course has been held, but measurements are also taken both before and after the course. In cases where the survey is also issued before the course, the survey contains questions intended to create a base measurement against which the effect of the educational course can later be measured. Participants are asked to answer questions using a link in an e-mail we send out. The answers are compiled in a report and stored in the same internal folder as the other information on the educational course. The report is analysed and those who collaborated as educators may access the assessment carried out on their own and other collaborators’ performance. No personal data on you as a participant is processed since participation in the survey is subject to anonymity. If there are fewer than seven participants in an educational course, the survey is carried out in paper format.
   We delete the questionnaire responses themselves no later than five years after completion of the educational course. Since only the collaborators’ personal data is saved, the legal basis is a contract.
3. Financial management.In this step, personal data required to manage payments in respect of food and accommodation and fees is processed. The legal basis for processing in this step consists of a contract and a legal obligation (Book-keeping Act).
4. The educational course is completed. When all the follow-up work has been completed, the educational course is flagged in the business system as having been completed. This flagging is required, among other things, to enable proper weeding to be carried out. No personal information is processed in this step.We delete sensitive information such as dietary restrictions or allergies no later than 48 hours after the educational course has been held. We delete other practical information such as the time, place and date after the educational course has been held and at the moment when the course has been paid for. If you chose to give your personal identity number when registering, your certificate for the completed course and materials for participants are saved for five years on Mina sidor, whereafter that information is also deleted.

1. Idea for a new educational course. In this step, the idea for a new educational course comes up either internally or through a direct request from a customer. The personal data processed relates to commercial matters and consists of names, e-mail addresses, telephone numbers, etc. at our premises and at the customer’s. The purpose of the processing in this step is to provide customer service that is consistent with the overall purpose and to develop the company’s business activities. The legal basis for the processing is a contract (negotiations on a commercial contract with the customer).
2. The quote. The idea has now become sufficiently concrete to enable us to provide a preliminary quote. Sometimes further contacts will also take place in order to reach a final quote. In this step, the personal data processed is the same type as in point 1. The legal basis and purpose are also the same, but there is the added purpose here of storing important supporting data relating to the parties’ intentions and being able to comply with the rules contained in the Book-Keeping Act (the legal basis in the latter case is a legal obligation).If the customer accepts the quote, personal data equivalent to the above is processed and the purpose and legal basis are also the same as above. In this situation, the quote and the acceptance are important accounting documents and must be saved for seven years in accordance with accounting and tax legislation.

   If the customer does not accept the quote, we save the conversation concerning the quote and the printout of the quote for one year because we are aware that customers sometimes change their minds. We then save the supporting documents that are relevant for other transactions but we then weed (delete) any unnecessary personal data.

3. Contract. In this step, the quote is signed, which means that a contract has been entered into between the parties. Furthermore, contracts are signed with consultants who will assist in the production of the educational course. The personal data processed, the purpose and the legal basis are the same as in step 2 concerning an accepted quote.
4. Working group. After the contract has been concluded, it is time to set up a working group to produce an educational course and allocate roles. Appropriate collaborators are identified (in this process personal data such as names of collaborators along with assessed suitability and area of expertise is processed). When identifying collaborators, the basis is legitimate interest. We have a list of persons who have previously collaborated as speakers and/or consultants and we have received recommendations of people to ask. We know that many people appreciate being asked to act as a consultant/speaker, for their own development and for the development of others. When we receive a recommendation on a new potential collaboration, we always ask whether the person wishes to be on our list. This is to ensure that everyone who is interested and who has the right expertise will have the opportunity to be asked to collaborate in our activities. If a person in our collaborator bank has not collaborated with us in five years, we delete this data.The data on the various collaborating consultants is also shared with the customer and persons responsible within our organisation. This is done after a contract has been entered into with the consultant in question.
5. The educational course is produced. In this step, personal data on those who prepare and take part in the activities of the working group is processed. The legal basis and purpose are consistent with the previous step.

1. A digital educational course is offered. In this step, an offer of an educational course can be published on websites in our organisation and at the customer. The offer can contain personal data relating to collaborators who are linked to the educational course or to the registration procedure, see steps 3–4. The legal basis is a contract (the conclusion of a contract on a digital educational course).
2. The educational course is marketed. It is not enough to simply publish the offer on the website to be able to fulfil the overall purposes.In addition to the website, we also market the educational course in the following ways:

   We e-mail people we think will be interested. To enable us to do this, we sometimes process personal data from those who have given their express consent to profiling (we do this in the manner described in the introduction to our Privacy Policy). The mailings contain the same personal data as in step 2.

   The invitation (the same personal data as in step 2) is also published on our Facebook and LinkedIn pages. This means that anyone can post comments. We regularly delete comments on our social media because they can contain personal data, though no later than when the course is no longer available or at least once a year.

   In the marketing activities, we use the legal basis of consent (profiling) as well as the basis of legitimate interest (direct marketing). If you withdraw your consent or object to your personal data being used for marketing purposes, we delete the personal data to which the withdrawal/objection relates. Note that there can be several reasons why we hold your personal data so there may still be reasons for processing personal data on you (see other processes to find out other ways in which we process personal data on you).

3. Applications are registered. In this step, applications from those who want to take part in the educational course are registered. Personal data from the participants (name, personal identity number to allow certificates to be issued later, other contact details, the field in which the person concerned is active, what basic education he or she has, the number of years for which he or she has worked and the number of courses in the field and any membership of the Swedish Pharmaceutical Society) is registered. Some of the fields are optional and only need to be filled in, for example, if you want us to be able to offer customised educational courses in future (you then also need to consent to profiling, see our Privacy Policy).The purpose of the processing in this step is necessary administration. Another legal basis is the conclusion of a contract on participation in an educational course. Another purpose is to enable us to carry out profiling to be able to offer relevant courses in future. If a participant also wishes to receive a certificate for the course, his or her personal identity number also needs to be registered (this also means that the data will be saved for a longer period to allow us to issue a certificate)
   .
4. When registration is complete, participants will have access to all the course material, i.e. more than is marketed on the website. They are supplied with log-in details and can begin the course. The personal data processed in this step consists of names and log-in details. The purpose of the step is to enable the participants to do the course and the legal basis consists of a contract.
5. Survey and evaluation. Evaluations are carried out in order to ensure that the educational courses are of high quality. These evaluations can be carried out after the course has been held, but measurements are also taken both before and after the course. In cases where the survey is also issued before the course, the survey contains questions intended to create a base measurement against which the effect of the educational course can later be measured. Participants are asked to answer questions using a link in an e-mail we send out. The answers are compiled in a report and stored in the same internal folder as the other information on the educational course. The report is analysed and those who collaborated as educators may access the assessment carried out on their own and other collaborators’ performance. No personal data on you as a participant is processed since participation in the survey is subject to anonymity. If there are fewer than seven participants in an educational course, the survey is carried out in paper format.We delete the questionnaire responses themselves no later than five years after completion of the educational course. Since only the collaborators’ personal data is saved, the legal basis is a contract.