Privacy Policy

The Swedish Pharmaceutical Society and Läkemedelsakademin i Stockholm AB bring together professionals from the entire pharmaceutical chain and from all over Sweden. Through the Privacy Policy, we issue information about how we process personal data in our activities in accordance with the rules of the EU Data Protection Regulation, GDPR (see the box below).

Fact box on our responsibility for processing personal data

The Swedish Pharmaceutical Society is a non-profit association with a subsidiary, Läkemedelsakademin i Stockholm AB, whose purpose is to support the Society’s work in various ways. The Board of the Society and the company have overall responsibility for processing personal data.

The Swedish Pharmaceutical Society is a non-profit organisation whose purpose is to promote high professional standards in the area of pharmaceuticals and to endeavour to promote development and use of pharmaceutical products that is beneficial for the individual and for society. Toward this end, the Swedish Pharmaceutical Society promotes professional development and skills development within the field of pharmacy.

In order to fulfil its purpose, the Swedish Pharmaceutical Society is assisted by a wholly-owned subsidiary, Läkemedelsakademin i Stockholm AB. The company is responsible for educational activities and the journal “Läkemedelsvärlden”. There are also common support functions (finance, HR and other administration).

The Society and the company are joint personal data controllers since they both influence how personal data is processed in our activities.

In our Privacy Policy, we provide information on how the Swedish Pharmaceutical Society and Läkemedelsakademin i Stockholm AB process personal data on members, customers and others that come into contact with us. The contents of the information are briefly described in the fact box. If you would like to know more about the concepts in the box, please read the brochure Enkla grunder i dataskydd [Simple fundamentals of data protection, accessible in Swedish only] and other information, accessible in English, from the Swedish Data Protection Authority.

We care about your privacy and about protecting your personal data and we therefore have a joint unit that deals with data protection issues. Details of how to get in touch with that unit are provided in Contact us to right.

Facts: What the information must contain under the GDPR

Purpose: Why we process personal data. This can be about the overall objectives of the activities such as the contents of the statutes/articles of association, but also more precise purposes such as accounting or administration.

Legal basis: We also provide information on the legal basis for our processing. This consists of contracts (e.g. employment contracts and our statutes), consent, legitimate interests (we must also describe what these interests consist of and the balancing of interests we have carried out), general interests and legal obligations.

  • Recipients and who we provide data to.
  • How long we keep data.
  • The existence of profiling
  • Where we obtain personal data
  • Whether we obtain it from the data subject: whether this is a legal or contractual requirement (how the requirement is formulated)

How we process personal data

We describe how the Swedish Pharmaceutical Society and Läkemedelsakademin i Stockholm AB process their personal data mainly from the point of view of processes in separate sections. If you would like more information on the organisations, visit our websites www.apotekarsocieteten.se or www.lakemedelsakademin.se. To aid understanding, we have drawn up charts for our most common processes. We use these charts to describe how we process personal data in our activities. The “Upon recruitment” process and “Our employees’ personal data” and “Our e-mail and document management policy” sections apply jointly.

The Swedish Pharmaceutical Society’s processes

Membership

We implement the following processes in the various parts of your membership of the Swedish Pharmaceutical Society:

Become a member

The Swedish Pharmaceutical Society’s aim is to promote high professional standards in the pharmaceutical field and to endeavour to achieve development and use of pharmaceutical products in a manner that is beneficial for the individual and for society. Toward this end, the Swedish Pharmaceutical Society promotes professional development and skills development within the field of pharmacy. A natural person may be accepted as a member if that person can be expected to uphold the aims of the Society. According to the statutes, a member must also belong to a division and/or one or more sections. This purpose is the overall purpose of the process described here. Other purposes also apply at certain times, as described below. In addition to pharmaceuticals, the Swedish Pharmaceutical Society also focuses on the field of medical technology.

The legal basis for the processing in the following points consists of a contract (the statutes must be considered as a contract).

Become a member

  1. Application. If you wish to become a member, you can apply via our website. Sometimes you may already have been in contact with Läkemedelsakademin i Stockholm AB (for example, if you have done an educational course) which means that we may already have personal data saved on you. If we have personal data saved on you,you must choose the option “jag har konto” [I have an account] at this point. Otherwise you choose the option “jag vill skapa konto” [I want to create an account]. You log in to your account using your e-mail address and a password that you choose yourself (these are then saved so that you will be able to log back in to your account). The selected log-in details are saved with us to enable you to see your membership information on Mina sidor. The purpose of this step is to obtain new members and to make it easy to apply for membership and manage your membership in future.
  2. Data is registered. In this step, you register information about yourself that we need in order to be able to process your membership. If you do not have an account, you fill in all the details. If you have an existing account, you check and supplement the details as necessary. Because we have different membership fees for different categories of member, information is also registered on the status of “Member”, “Pensioner” or “Student”. At this stage, we also ask you to register you personal identity number, which we need in order to be able to securely identify our members and to avoid duplicated registration, which can occur if you used different e-mail addresses when you created an account. In addition to this, we also obtain your name, mobile number, first degree, the field in which you are active (an optional field that you fill in if you want to receive targeted offers from us) and details of the address to which we must send the advice for payment of membership fees. We store your personal data in our business system, which then updates “Mina sidor” on the website. The purpose of this step is the same as for step 1.
  3. Select a division and section. In accordance with our statutes, you must select a division and/or section of which you wish to be a member. You make that choice in this step. We store your information in our business system, which then updates  “Mina sidor” on the website. The purpose of this step is the same as for step 1. For the Section for Hospital Pharmacy, the membership also include membership in the European Association of Hospital Pharmacists (EAHP) which sends direct mail to the members. We will therefore send them names, addresses and e-mails once a year.
  4. Payment information. The purpose of this step is to enable us to take payment and keep our accounts. We ask you to register the personal data required for this purpose. The legal basis for the processing is a contract (the statutes) and a legal obligation (the Book-Keeping Act).
  5. Membership is confirmed. When you have notified us of your wish to become a member, you will receive confirmation from us. Your membership is finally approved at the time of payment of the membership fee in cases where it is payable, i.e., if you have not received a free membership, which sometimes occurs in conjunction with campaigns.

Annual notices during membership

All steps in this process are for the purposes of membership administration and to ensure that proper payment of membership fees is made.

Annual notices during membership

  1. Preparation. Since the Swedish Pharmaceutical Society has different membership fees for different categories of members, the work of issuing payment advice for membership fees begins with an update in our business system. We identify those who will reach the age of 65 in the next calendar year and change your membership status to “Pensioner” in the system. We also go through the membership category of “Student” to see whether it is time for a possible move to the status of “Member”. In this step, we use the details you registered on your age and/or first degree and/or your workplace to enable us to carry out the assessments.
  2. A selection is made. In this step, a further selection is made in our business system to enable us to identify members that are not obliged to pay a membership fee (this refers to members such as new members who were registered on 1 August or later in the year in question and honorary members).
  3. Payment advice is sent. In this step, our business system issues payment advice to the members who must pay a membership fee. The advice must clearly indicate your type of membership and for that reason we process personal data relating to your name, address (home or place of work), e-mail, membership number, membership status (see step 1) and the divisions and sections of which you are a member. When the selection has been made, supporting data for the advice is sent in PDF format to the printer for printing of invoices which are then sent out to the members. The legal basis for this step consists of a contract (the statutes) but also a legal obligation (production of supporting data for accounts).
  4. Payment reminder. Those who fail to pay receive reminders on two occasions. If payment is not made after two reminders, we terminate the membership (for how this is done, see the next process). If you fail to pay the fees, the Swedish Pharmaceutical Society presumes that you are longer interested in being a member. In that case, your personal data is processed for the purpose (besides what is indicated above) of carrying out membership administration in a reasonable way (including keeping down the cost of payment reminders). The legal basis consists of a contract (the statutes).

Terminate membership

  1. The notices “terminate membership”/”not paid despite reminders”. If you no longer wish to be a  member, you inform us by telephone or by sending an e-mail to our society support services. The data processed in this step consists of contact details (name, personal identity number, e-mail address, telephone number). The purpose of the processing is to provide you with a service whereby you can terminate your membership and the legal basis consists of a contract (the statutes). This step is also initiated if you have failed to pay your fees despite the fact that you received two reminders, as is clearly set out in the statutes. In this case, data is also processed for the purpose of managing membership administration in a reasonable way (including keeping down the cost of payment reminders).
  2. Deregistration. In this step, you are deregistered as a member by making a note of your new status (former member) in the business system. The membership data registered on you in the business system is saved for a further period. The purpose of this storage is to enable us to manage the remaining administration of payments, etc. and to retain the data for the purpose of rejoining the Society because we know that many people change their minds after a while (see also point 4). However, data concerning membership mailings is immediately cleansed from our bulk-mail system because there is no longer any reason to send membership information to you. The legal basis for the processing in this step consists of a contract (the statutes) but also a legal obligation (to keep data to enable us to invoice, keep accounts and comply with legislation on foundations).Sometimes you have relationships with us other than membership. You may, for example, have received scholarships or have participated in our educational courses/activities. This means that, even if you terminate your membership, there may be remaining relationships in which personal data is processed. We have also described such processing on a fact sheet like this. Please consult that fact sheet if you want to find out more
  3. Message.  In this step, you will be notified by e-mail that your membership has ceased. Names and e-mail addresses are processed.
  4. Rejoining within one year. If you told us that you do not wish to have the opportunity of rejoining, we cleanse the personal data connected to your membership in the business system when you have paid any remaining debts to the Society (if there is no other legal basis for storing the data such as a legal obligation). Otherwise, we send out mailings by e-mail for one year to try to persuade you to rejoin (after which we delete the personal data relating to your membership).As stated in step 2, you may have had relationships with us other than your membership, which means that personal data on you relating to the other relationships may remain. If you wish to find out more about how we deal with personal data in such cases, please go to the process in question

Activities

The Swedish Pharmaceutical Society provides various activities to promote a high professional standard in the field of pharmaceuticals including through development of knowledge and expertise in the field of pharmaceuticals and through professional networking. The purpose is also to create membership benefits for members. These purposes are the overall purposes for all the processes described below. In some cases, data is processed for additional purposes, which we then describe in each process. There is also a description of how we use personal data in our work on activities.

In its work to provide activities, the Swedish Pharmaceutical Society implements the following processes:

Develop the activity

Develop the activity

The purpose of processing personal data in this step (besides what is stated above) is to manage interesting proposals received so that they can be developed into concrete activities in sections and divisions.

  1. An idea comes up. Activities are organised in order to promote the aims of the Society. In this step, personal data that can be linked to the person putting forward the proposal (e.g., e-mail address, workplace and name) is processed. Furthermore, personal data on possible speakers (e.g. names and contact details) is also processed. The legal basis for processing in this step consists of a contract (the statutes) and, in relation to possible speakers, a legitimate interest. We have a list of those who have previously collaborated as speakers and we have received recommendations on who to ask. We know that many people appreciate being asked to speak, for their own development and for the development of others. When we receive a recommendation on a new potential collaboration, we always ask whether the person wishes to be on our list. This is to ensure that everyone who is interested and who has the right expertise will have the opportunity to be asked to collaborate in our activities. If a person in our collaborator bank has not collaborated with us in five years, we delete this data.
  2. Checking with possible speakers. In this step, we contact a possible speaker by e-mail or telephone to find out whether they are interested and we then process personal data relating to the speaker and the employee (names, e-mail addresses, contact details). In this step, the legal basis consists of contracts (the statutes, employment contracts and negotiations on a contract with the speaker).
  3. Practical checks. If the speaker accepts the invitation to speak, in this step we deal with travel bookings and similar practical issues. We also carry out checks with the speaker concerning his or her presentation. We process personal data required for these purposes such as names, telephone numbers and e-mail addresses. The legal basis consists of contracts (with the speaker and employment contracts).

Marketing and applications

The overall purpose of this process (besides what is initially stated) is to manage and market activities so they can be implemented. When you have signed up for an activity,  the legal basis consists of a contract. Prior to that, there are other legal bases that are described in the steps.

Marketing and applications

  1. The activity is offered. In this step, we register the activity and then publish it on the website (the personal data processed consists of the information contained in the invitation, for example relating to the collaborating speaker). In this way, interested members can access the offer regarding the activity. In this step, the purpose is administration of the activity to enable it to be publicised. The legal basis consists of contracts (with collaborating speakers).
  2. The activity is marketed. Besides on the website, we also market the activity in the following ways:We e-mail people we think will be interested. To enable us to do this, we sometimes process personal data from those who have given their express consent to profiling (we do this in the manner described in the introduction to our Privacy Policy). The mailings contain the same personal data as in step 1.The invitation (the same personal data as in step 1) is also published on our Facebook and LinkedIn pages. This means that anyone can post comments. We regularly delete comments on our social media because they can contain personal data, though no later than when the activity has been carried out or at least once a year.

    In the marketing activities, we use the legal basis of consent (profiling) as well as the basis of legitimate interest (direct marketing). If you withdraw your consent or object to your personal data being used for marketing purposes, we delete the personal data to which the withdrawal/objection relates. Note that there can be several reasons why we hold your personal data so there may still be reasons for processing personal data on you (see other processes to find out other ways in which we process personal data on you).

  3. Applications are registered. In this step, applications from those who wish to take part in the activity are registered. Personal information obtained from you (name, personal identity number to be able to subsequently issue certificates, other contact details, food allergies, the field in which you are active and what basic education you have ) is registered. Some of the fields are optional and only need to be filled in, for example if you want us to be able to offer customised activities in future (you then also need to consent to profiling, see our Privacy Policy).If, as a participant, you also wish to receive a certificate of the activity, your personal identity number also needs to be registered (this also means that the data will be saved for a longer period to enable us to issue a certificate).After you have registered, you will receive confirmation of this by e-mail.

    You are also asked to pay the cost of the activity. After this has been done, your participation is given the green light.

    Because registration of your food allergies entails processing sensitive personal data (health is considered to be sensitive data in the GDPR) we ask you for express consent when you submit your application. If you do not want to give such consent, we cannot provide you with the right food.

    The purpose of the processing in this step is necessary administration, e.g. to ensure that we can receive payment and that the right food can be offered.

  4. Information is sent out. This step is necessary to enable you as a participant to access all the information you need concerning the activity. Information is sent by e-mail (personal data such as e-mail addresses and information linked to the collaborating speakers is processed).

Implementation of the activity

In this process, the activity is carried out. In addition to the overall purposes referred to initially, additional purposes for this step consist of necessary administration of participation and dietary requirements. The legal basis for this step consists of a contract (the contract that you as a participant entered into when you registered for the activity on Mina sidor).

  1. Lists of participants are drawn up. In this step, we draw up lists of participants (we use personal data registered for the activity on Mina sidor, see the previous process) and the persons responsible for the activity locally can access them. With regard to food allergies, information is e-mailed to those responsible for the activity to ensure that the right food can be provided (no personal data is e-mailed, but only the number of people who need various types of special food).
  2. Attendance is noted. We have now come to the point where the activity will be carried out. Initially, an attendance check is carried out against the lists of participants. The purpose of this (besides what is indicated above) is to be able to subsequently issue a certificate for the activity completed and to be able to charge anyone who fails to attend a “no-show fee”. Sometimes participants who have not pre-registered also turn up (see previous processes) and there is a possibility that they may be able to participate, despite the fact that they have not pre-registered. The notes made in this step will be registered in the master system in  follow-up work (see point 1 in the next process).
  3. The activity is carried out. In this step, the activity is carried out. The personal data processed is the data contained in the presentation by the person putting forward the proposal and lists of participants. The personal data collected earlier regarding food allergies means that the right food can be serve. When an activity is carried out, there is usually a list of participants accessible on Mina Sidor [My Pages]. Many participants ask for a list of participants in connection with our activities. Naturally, we consider networking an important part of the development of competence. Because of this, we believe that you as a participant have the interest, and the legal basis is thus justified interest. The lists include the participants’ first and last names as well as their organization. If you do not want your name and organization to be included in the list of participants, please e-mail the project administrator responsible when you are registering or otherwise as soon as possible. Should you have other questions regarding the list of participants, you can contact the project administrator responsible at any time. Sometimes, the activity is recorded or streamed, which means that personal data relating to those present (images) is processed. The purpose of this is to subsequently provide participants with better documentation. We always indicate in the invitation if we intend to record or stream, so that participants can put forward any comments or ask questions. If you are not comfortable with the fact that we stream, we will be happy to discuss with you how we can stop you being visible in images. The legal basis consists of legitimate interest because we know from experience that recordings/streaming are usually appreciated by the participants and add value.

Follow-up work

Follow-up work

  1. Attendance is registered. After the course has been carried out, the attendance notes are transferred (see step 2 of the previous process) to our business system (registration is carried out by the person responsible via Mina Sidor). The purpose of the processing in this step, besides what is indicated above, is to be able to subsequently issue a certificate for the activity completed and to be able to charge anyone who fails to attend a “no-show fee”.
  2. Information is sent out. In this step, information is sent to you as a participant on where documentation, recordings or similar can be obtained. In this step, personal data such as names and e-mail addresses is processed. The purpose of the processing (besides what was indicated previously) is to add value for the participants. The legal basis consists of contracts (contracts with collaborators and participants).
  3. Financial management. In this step, personal data required to attend to invoicing and payments for food and accommodation and fees is processed. The legal basis for processing in this step consists of a contract and a legal obligation (Book-keeping Act).
  4. The activity is completed. When the follow-up work has been completed, the activity is flagged in the master system as having been completed. This flagging is required, among other things, to enable proper weeding to be carried out. No personal information is processed in this step.We delete sensitive information such as dietary restrictions or allergies no later than 48 hours after the activity has been carried out. We delete other practical information such as the time, place and date after the activity has been carried out and at the moment when the activity has been paid for. If you chose to give your personal identity number when registering, your certificate for the activity and material for participants are saved for five years on Mina sidor, whereafter that information is also deleted.

Scholarships

One of the Swedish Pharmaceutical Society’s tasks is awarding scholarships and other subsidies from various foundations that we manage in accordance with instructions issued by each donor, which means that one legal basis is a contract – our statutes). We manage two types of foundations, which can be divided into two main purposes: education and subsidies.

The Act on Foundations states that it is necessary to comply with the regulations contained in the charter of foundation when managing a foundation’s affairs, unless the regulations are in breach of any provision of the Act on Foundations. We therefore also have a legal obligation to comply with the provisions of the charter of foundation of each foundation. We also have a legal obligation to save documentation for seven years in order to fulfil the accounting obligation (applications approved) and two years in accordance with the Discrimination Act (applies if the charter of foundation relates to education).

These overall purposes and legal bases are relevant for all the processes described below. In some, there are also additional purposes or legal bases which are then specifically described.

The following processes relating to management of scholarships exist

Marketing and applications

Marketing and applications

  1. Decision on a call for applications. In this step, we decide that a call for applications for funds must be issued and the work involves some internal exchanges of e-mails. The personal data processed is linked to this.
  2. Marketing. When the decision has been made in step 2, it is time to market the call for applications so that anyone interested can obtain information that funds can be applied for.
    It is not enough to simply publish the offer on the website to be able to fulfil the overall purposes. The call for applications is also disseminated in the following ways:
    We e-mail people we think will be interested. To enable us to do this, we sometimes process personal data from those who have given their express consent to profiling (we do this in the manner described in the introduction to our Privacy Policy). The mailings contain the same personal data as in step 1.
    The invitation (the same personal data as in step 1) is also published on our Facebook and LinkedIn pages. This means that anyone can post comments. We regularly delete comments on our social media because they can contain personal data, no later than when the activity has been carried out or at least once a year.
    In the marketing activities, we use the legal basis of consent (profiling) as well as the basis of legitimate interest (direct marketing). If you withdraw your consent or object to your personal data being used for marketing purposes, we delete the personal data to which the withdrawal/objection relates. Note that there can be several reasons why we hold your personal data so there may still be reasons for processing personal data on you (see other processes to find out other ways in which we process personal data on you).
  3. The application is registered. In this step, applications from those seeking subsidies are registered. Personal data (name, home address, person identity number to enable us to pay and manage other matters correctly, other contact details, bank account details, the field in which you are active, what basic education you have, the year you graduated, who your tutor is and the purpose for which you are applying for funds, is registered. Some of the fields are optional and only need to be filled in, for example, if you want us to be able to offer customised educational courses in future (you then also need to consent to profiling, see our Privacy Policy).
    When you have registered you will receive confirmation by email.

    The purpose of the processing in this step is necessary administration to enable us to prepare incoming applications in advance of a decision and to possibly pay out the amounts awarded as quickly as possible to the right person. After all the steps have been completed, we proceed to the next process in which applications are assessed

Decision and award

Decision and award

  1. Supporting data for a decision. In the first step, supporting data is compiled for the scholarship committees that will make a decision (see step 2). Supporting data for a decision, containing personal data consisting of your name, the company you work for, the purpose for which you have applied for funds and the amount applied for, is compiled. To this we attach a draft decision and reasons. The supporting data is shared with the Board members via Mina sidor.The purpose of this step is to prepare the decision and provide the Board members with a comprehensive view of the supporting data for the decision.
  2. Decision meeting. In this step, the scholarship committee holds a decision meeting. During the meeting, the supporting data in the previous step is supplemented with any incoming attachments and notes on whose applications are approved and whose are rejected. Minutes are taken of the meeting, with corresponding personal data attached.The amount awarded is included in the list and, after the meeting, is transferred to our master system, whereafter the supporting data for the decision is weeded. A list of approved applications is drawn up from the master system. The list of approved applications contains information consisting of the names of the persons who have been awarded funds and the purpose and amount awarded. This and the minutes (after they have been countersigned) are stored for the periods specified initially (2 or 7 years).
  3. The decision is communicated. In this step, the decision is sent out to all applicants by e-mail. A list containing the names of those awarded funds, which foundation the funds come from, the purpose to which they relate and the relevant period of time and the amount awarded is sent out. Names and e-mail addresses for all applicants are also processed in this step

The purpose of the processing in this step is to provide all applicants with information.

Follow-up work

Some follow-up work takes place in these processes.

Follow-up work

  1. Payment. To enable us to pay out funds according to the decision in the previous process, we need to process personal data consisting of names, foundations, total amount granted, amount actually paid out and the number of the minutes. We also check that a bank account number exists for those to whom funds are to be paid out and we supplement the information otherwise. The payment will then be made and we note the status of “Paid out” on your personal card in our master system.The purpose of the processing in this step is to execute the decision by paying out funds.
  2. Accounting. In this step, we fulfil our accounting obligation by entering supporting documents linked to the decision for each foundation in the accounts. This means that personal data relating to name, purpose, time of the activity, amount and foundation name is processed because such information is available in the supporting documents.
  3. Analysis. In order to ensure that scholarships are of high quality, an analysis is carried out of the number of incoming and approved applications per foundation. No personal data on you as an applicant is processed.
  4. Weeding. Weeding of incoming scholarship applications is carried out after 2 years (received but not approved) and 7 years (approved), see also in the introduction to this chapter. Bank account numbers are deleted after the final payment for approved scholarships and immediately after the decision meeting for applications that were not approved.

After the money has been paid out

In this process, we describe various measures that may occur after the scholarship has been paid out. We have described it as a process, but not all steps are obligatory or will even come in this order. The overall purpose of these steps is to control whether the funds are used in a manner that is compatible with the charter of foundation and, if not, to ensure that they are repaid.

After the money has been paid out

  1. Feedback. Persons who have been granted a scholarship must provide feedback in the form of testimonials or other agreed materials. In this step, the personal data processed consists of names, e-mail addresses and the data contained in the reporting of the purpose. When we have received your feedback, we change the status in our master system from “paid out” to “feedback received”.
  2. Follow-up. We follow up how funds awarded are used by going through the minutes containing the decision and verifying whether we received feedback (see step 1 above). If we have not received it, we take […] which can lead to us having to deal with matters relating to changes or repayment (see steps 3 and 4). In this step, we process personal data such as names, the purpose for which the funds were granted, the amount granted and from which foundation.
  3. Change. A person who has received a scholarship for a particular purpose asks if it is possible to change to another purpose. If you are in that situation, personal data such as e-mail addresses, names and your and our thoughts on the existing and the desired purpose is processed. If you are not granted approval, you will need to pay the money back.The purpose of the processing of personal data in this step, besides what was initially stated, is linked to answering your question concerning a change.
  4. Repayment. Sometimes a person granted a scholarship wants to pay funds back. At other times, we initiate a repayment because we see that the funds have not been used for their intended purpose (e.g. if no feedback takes place). If you are in that situation, personal data such as e-mail addresses, names and various assessments concerning repayment is initially processed. When you have repaid the amount, we will change the status in our master system so the system reflects the current situation (the status “partially repaid” or “not used” is registered) which will then be registered on your personal card.
  5. Weeding. Weeding of incoming scholarship applications is carried out after 2 years (received but not approved) and 7 years (approved), see also in the introduction to this chapter. Bank account numbers are deleted after the final payment for approved scholarships and immediately after the decision meeting for applications that were not approved.

Internal conferences, delegates, etc.

The process whereby the Swedish Pharmaceutical Society organises conferences for elected representatives such as chairperson conferences, delegate meetings, etc. is described below.

Meetings of this kind are necessary to fulfil the Swedish Pharmaceutical Society’s statutes, which is the overall purpose of the processing. Another overall purpose is to deal with necessary administration in an efficient manner. The legal basis for the processing is a contract (the Swedish Pharmaceutical Society’s statutes). In some steps, a further purpose or legal basis may be added.

Processen

Processen

    1. Calls. In this step, a notice is sent to those who must be called to the meeting in accordance with the statutes. In the case of the Council, the elected delegates are called. The personal data processed in this step consists of the names and e-mail addresses of the persons concerned, which we have stored in our master system for that reason, among others.
    2. Applications are registered. In this step, applications from the persons called in step 1 and who wish to take part in the meeting are registered. Personal data processed on you consists of your name, contact details, the field in which you are active, what basic education you have and any food allergies. After you have registered, you will receive confirmation of this by e-mail. Because registration of your food allergies entails processing sensitive personal data (health is considered to be sensitive data in the GDPR) we ask you for express consent when you submit your application. If you do not want to give such consent, we cannot provide you with the right food.
    3. Information is sent out. This step is necessary to enable you as a participant to access all the information you need. You will have some information sent to you by e-mail (in that case primarily names and e-mail addresses are processed), but documents may also be sent by post (names and home addresses).
    4. Bookings. To hold the meeting, we need to book food and hotel rooms. This means that we process personal data on food allergies and hotel reservations at this stage. We send names to the hotel of the persons who will have rooms, though we send no personal data in the case of food allergies.
    5. Wedding. We delete sensitive information such as dietary restrictions or allergies no later than 48 hours after the activity has been carried out. We delete other practical information such as the time, place and date as well as the list of participants after the activity has been carried out and at the moment when the activity has been paid for. If you chose to give your personal identity number when registering, your certificate for the activity and material for participants are saved for five years on Mina sidor, whereafter that information is also deleted.

Läkemedelsakademin i Stockholm ABs processes

Educational courses

Läkemedelsakademin i Stockholm AB provides various educational courses to enable us to promote a high professional standard in the field of pharmaceuticals. The intention is to fulfil the Society’s purposes and create benefit for the Swedish Pharmaceutical Society’s members, though other customers are also welcome. These purposes are the overall purposes for all the processes described below. Further purposes are added in some processes, which we describe below. There is also a description of how we use personal data in our work on educational courses.

In the work of providing educational courses, we apply the following processes:

Marketing and applications

The overall purpose of this process (besides what is initially stated) is to manage and market educational courses so they can be implemented. When you sign up for an educational course,  the legal basis consists of a contract. Prior to that, there are other legal bases that are described in the steps.

Marketing and applications

  1. Make a decision on a new course. In this step, the idea for a new educational course comes up either internally or is requested by a customer. The personal data processed consists of names, telephone numbers, e-mail addresses, etc. (employees’ and the customer’s). The legal basis for processing is a contract.In this step, personal data linked to the project manager and other employees as well as personal data on possible collaborators (names, e-mail addresses, postal addresses, which company the collaborator works for) is processed. A personal identity number is also obtained to allow fees to be paid to the collaborator. In this step, the collaborator also specifies any allergies or other dietary requirements. The purpose of the processing is to manage the educational course and also to obtain supporting data for outgoing payments and accounting. The legal basis consists of contracts (both employment contracts and contracts with collaborators) and a legal obligation (the Book-Keeping Act)
  2. An educational course is offered. In this step, the educational course is registered and is then published on the website. In this step, the purpose is administration of the educational course to enable it to be published and the legal basis is a contract (with the persons who will hold the educational course). The personal data processed consists of contact details and names and company details for collaborators.
  3. The educational course is marketed. In addition to publishing information on our website, we also market the educational course in the following ways:
    We e-mail people we think will be interested. To enable us to do this, we sometimes process personal data from those who have given their express consent to profiling (we do this in the manner described in the introduction to our Privacy Policy). The mailings contain the same personal data as in step 2.

    The invitation (the same personal data as in step 2) is also published on our Facebook and LinkedIn pages. This means that anyone can post comments. We regularly delete comments on our social media because they can contain personal data, though no later than when the educational course has been carried out or at least once a year.

    In the marketing activities, we use the legal basis of consent (profiling) as well as the basis of legitimate interest (direct marketing). If you withdraw your consent or object to your personal data being used for marketing purposes, we delete the personal data to which the withdrawal/objection relates. Note that there can be several reasons why we hold your personal data so there may still be reasons for processing personal data on you (see other processes to find out other ways in which we process personal data on you).

  4. Applications are registered. . In this step, applications from those who want to take part in the educational course are registered. Depending on the educational course, different personal data is registered for those who wish to take part (e.g. names, personal identity numbers to allow certificates to be issued later, other contact details, food allergies, the field in which you are active, what basic education you have, the number of years for which you have worked and the number of courses in the field and any membership of the Swedish Pharmaceutical Society). Some of the fields are optional and only need to be filled in, for example, if you want us to be able to offer customised educational courses in future (you then also need to consent to profiling, see our Privacy Policy).If you, as a participant, also wish to receive a certificate from the educational course, your personal identity number must also be registered. If you chose to give your personal identity number when registering, your certificate for the activity completed and material for participants are saved for five years on Mina sidor, whereafter that information is also deleted.
    When you have registered you will receive confirmation by email.

    You are also asked to pay the cost of the educational course at this point (see the description of the financial process to see how personal data is used there). After this has been done, your participation is given the green light.

    Finally, in this step, you can also register the fact that you wish to become a member of the Society.

    The purpose of the processing in this step is necessary administration, e.g. to ensure that we can receive payment and that the right food can be offered.

  5. Information is sent out. This step is necessary to enable participants to access all the information they need on the educational course. The participants receive information by e-mail (personal data such as e-mail addresses and information linked to collaborators is processed). The legal basis consists of contracts (with participants, collaborators and employment contracts).

Implementation of the educational course

In this process, the educational course is implemented. In addition to the overall purposes referred to initially, additional purposes for this step consist of necessary administration of participation and dietary requirements. The legal basis for this step consists of a contract (the contract that you as a participant entered into when you registered for the activity on Mina sidor).

Implementation of the educational course

  1. Lists of participants are drawn up. . In this step, we produce lists of participants and name badges (we use personal data that was registered for the activity on Mina sidor, see the previous process) and persons responsible locally can access it there. With regard to food allergies, information is e-mailed to those responsible for the activity to ensure that the right food can be provided (no personal data is e-mailed – only the number of people that need various types of special diet).
  2. Attendance is checked. We have now come to the moment when the educational course is to be held. Initially, an attendance check is carried out against the lists of participants and participants are given a name badge. Other preparations are also carried out so the educational course can be held. The purpose of this (besides what has previously been indicated) is to be able subsequently to issue a certificate for the educational course completed.
  3. The educational course is held. In this step, the educational course is held. The personal data processed is the data contained in the presentation by the person putting forward the proposal and lists of participants. The personal data collected earlier regarding food allergies means that the right food can be served. At the beginning of the educational course, we usually distribute a list of participants. Many participants ask for a list of participants in connection with courses. Naturally, we consider networking an important part of the development of competence. Because of this, we believe that you as a participant have the interest, and the legal basis is thus justified interest. The lists include the participants’ first and last names as well as their organization. If you do not want your name and organization to be included in the list of participants, please e-mail the project administrator responsible when you are registering or otherwise as soon as possible. Should you have other questions regarding the list of participants, you can contact the project administrator responsible at any time.Sometimes, the educational course is recorded or streamed, which means that personal data relating to those present (images) is processed. The purpose of this is to subsequently provide participants with better documentation. We always indicate in the invitation if we intend to record or stream, so that participants can put forward any comments or ask questions. If you are not comfortable with the fact that we stream, we will be happy to discuss with you how we can stop you being visible in images. The legal basis is a contract because, for some of our educational courses, we offer recordings/streaming as an alternative to participation in the course.

Follow-up work

Follow-up work

  1. Follow-up work. After the course has been completed, personal data related to attendance is registered so that correct certificates can be issued (for example, the status of “Present” is registered for those who were present at least 80 per cent of the time). In this step, those who were on the waiting list for the course are deregistered (the status of “Cancelled” is registered).  Furthermore, an e-mail is sent to participants to enable them to download a certificate and course material from Mina sidor (names and e-mail addresses are processed). If, at the time of the application, you placed a cross to indicate that you wished to become a member, the information is forwarded to the Swedish Pharmaceutical Society support services in this step (see also the “Membership” process on the website).The purpose of the processing in this step, besides what was indicated previously, is necessary administration and service, e.g. to send out supporting data and to be able subsequently to issue certificates for the educational course completed.
  2. Evaluation. Evaluations are carried out in order to ensure that the educational courses are of high quality. These evaluations can be carried out after the course has been held, but measurements are also taken both before and after the course. In cases where the survey is also issued before the course, the survey contains questions intended to create a base measurement against which the effect of the educational course can later be measured. Participants are asked to answer questions using a link in an e-mail we send out. The answers are compiled in a report and stored in the same internal folder as the other information on the educational course. The report is analysed and those who collaborated as educators may access the assessment carried out on their own and other collaborators’ performance. No personal data on you as a participant is processed since participation in the survey is subject to anonymity. If there are fewer than seven participants in an educational course, the survey is carried out in paper format.
    We delete the questionnaire responses themselves no later than five years after completion of the educational course. Since only the collaborators’ personal data is saved, the legal basis is a contract.
  3. Financial management.In this step, personal data required to manage payments in respect of food and accommodation and fees is processed. The legal basis for processing in this step consists of a contract and a legal obligation (Book-keeping Act).
  4. The educational course is completed. When all the follow-up work has been completed, the educational course is flagged in the business system as having been completed. This flagging is required, among other things, to enable proper weeding to be carried out. No personal information is processed in this step.We delete sensitive information such as dietary restrictions or allergies no later than 48 hours after the educational course has been held. We delete other practical information such as the time, place and date after the educational course has been held and at the moment when the course has been paid for. If you chose to give your personal identity number when registering, your certificate for the completed course and materials for participants are saved for five years on Mina sidor, whereafter that information is also deleted.

Digital educational courses

Läkemedelsakademin i Stockholm AB provides various digital educational courses to enable us to promote a high professional standard in the field of pharmaceuticals. The intention is to fulfil the Society’s purposes and create benefit for the Swedish Pharmaceutical Society’s members, though other customers are also welcome. These purposes are the overall purposes for all the processes described below. Further purposes are added in some processes, which we describe below. There is also a description of how we use personal data in our work on digital educational courses.

We apply the following processes in the work of providing activities:

Production of new educational courses

Production of new educational courses

  1. Idea for a new educational course. In this step, the idea for a new educational course comes up either internally or through a direct request from a customer. The personal data processed relates to commercial matters and consists of names, e-mail addresses, telephone numbers, etc. at our premises and at the customer’s. The purpose of the processing in this step is to provide customer service that is consistent with the overall purpose and to develop the company’s business activities. The legal basis for the processing is a contract (negotiations on a commercial contract with the customer).
  2. The quote. The idea has now become sufficiently concrete to enable us to provide a preliminary quote. Sometimes further contacts will also take place in order to reach a final quote. In this step, the personal data processed is the same type as in point 1. The legal basis and purpose are also the same, but there is the added purpose here of storing important supporting data relating to the parties’ intentions and being able to comply with the rules contained in the Book-Keeping Act (the legal basis in the latter case is a legal obligation).If the customer accepts the quote, personal data equivalent to the above is processed and the purpose and legal basis are also the same as above. In this situation, the quote and the acceptance are important accounting documents and must be saved for seven years in accordance with accounting and tax legislation.

    If the customer does not accept the quote, we save the conversation concerning the quote and the printout of the quote for one year because we are aware that customers sometimes change their minds. We then save the supporting documents that are relevant for other transactions but we then weed (delete) any unnecessary personal data.

  3. Contract. In this step, the quote is signed, which means that a contract has been entered into between the parties. Furthermore, contracts are signed with consultants who will assist in the production of the educational course. The personal data processed, the purpose and the legal basis are the same as in step 2 concerning an accepted quote.
  4. Working group. After the contract has been concluded, it is time to set up a working group to produce an educational course and allocate roles. Appropriate collaborators are identified (in this process personal data such as names of collaborators along with assessed suitability and area of expertise is processed). When identifying collaborators, the basis is legitimate interest. We have a list of persons who have previously collaborated as speakers and/or consultants and we have received recommendations of people to ask. We know that many people appreciate being asked to act as a consultant/speaker, for their own development and for the development of others. When we receive a recommendation on a new potential collaboration, we always ask whether the person wishes to be on our list. This is to ensure that everyone who is interested and who has the right expertise will have the opportunity to be asked to collaborate in our activities. If a person in our collaborator bank has not collaborated with us in five years, we delete this data.The data on the various collaborating consultants is also shared with the customer and persons responsible within our organisation. This is done after a contract has been entered into with the consultant in question.
  5. The educational course is produced. In this step, personal data on those who prepare and take part in the activities of the working group is processed. The legal basis and purpose are consistent with the previous step.

Offer a digital educational course and distribute it to customers

Offer a digital educational course and distribute it to customers

  1. A digital educational course is offered. In this step, an offer of an educational course can be published on websites in our organisation and at the customer. The offer can contain personal data relating to collaborators who are linked to the educational course or to the registration procedure, see steps 3–4. The legal basis is a contract (the conclusion of a contract on a digital educational course).
  2. The educational course is marketed. It is not enough to simply publish the offer on the website to be able to fulfil the overall purposes.In addition to the website, we also market the educational course in the following ways:

    We e-mail people we think will be interested. To enable us to do this, we sometimes process personal data from those who have given their express consent to profiling (we do this in the manner described in the introduction to our Privacy Policy). The mailings contain the same personal data as in step 2.

    The invitation (the same personal data as in step 2) is also published on our Facebook and LinkedIn pages. This means that anyone can post comments. We regularly delete comments on our social media because they can contain personal data, though no later than when the course is no longer available or at least once a year.

    In the marketing activities, we use the legal basis of consent (profiling) as well as the basis of legitimate interest (direct marketing). If you withdraw your consent or object to your personal data being used for marketing purposes, we delete the personal data to which the withdrawal/objection relates. Note that there can be several reasons why we hold your personal data so there may still be reasons for processing personal data on you (see other processes to find out other ways in which we process personal data on you).

  3. Applications are registered. In this step, applications from those who want to take part in the educational course are registered. Personal data from the participants (name, personal identity number to allow certificates to be issued later, other contact details, the field in which the person concerned is active, what basic education he or she has, the number of years for which he or she has worked and the number of courses in the field and any membership of the Swedish Pharmaceutical Society) is registered. Some of the fields are optional and only need to be filled in, for example, if you want us to be able to offer customised educational courses in future (you then also need to consent to profiling, see our Privacy Policy).The purpose of the processing in this step is necessary administration. Another legal basis is the conclusion of a contract on participation in an educational course. Another purpose is to enable us to carry out profiling to be able to offer relevant courses in future. If a participant also wishes to receive a certificate for the course, his or her personal identity number also needs to be registered (this also means that the data will be saved for a longer period to allow us to issue a certificate)
    .
  4. When registration is complete, participants will have access to all the course material, i.e. more than is marketed on the website. They are supplied with log-in details and can begin the course. The personal data processed in this step consists of names and log-in details. The purpose of the step is to enable the participants to do the course and the legal basis consists of a contract.
  5. Survey and evaluation. Evaluations are carried out in order to ensure that the educational courses are of high quality. These evaluations can be carried out after the course has been held, but measurements are also taken both before and after the course. In cases where the survey is also issued before the course, the survey contains questions intended to create a base measurement against which the effect of the educational course can later be measured. Participants are asked to answer questions using a link in an e-mail we send out. The answers are compiled in a report and stored in the same internal folder as the other information on the educational course. The report is analysed and those who collaborated as educators may access the assessment carried out on their own and other collaborators’ performance. No personal data on you as a participant is processed since participation in the survey is subject to anonymity. If there are fewer than seven participants in an educational course, the survey is carried out in paper format.We delete the questionnaire responses themselves no later than five years after completion of the educational course. Since only the collaborators’ personal data is saved, the legal basis is a contract.

Gemensam Process

Recruitment

When we recruit for the Swedish Pharmaceutical Society or Läkemedelsakademin i Stockholm AB, we apply the following processes:

Preparatory work

Preparatory work

  1. A recruitment firm is given the assignment. Before a recruitment is carried out, a needs analysis is carried out first and we then engage a recruitment firm. The first stage in this is to agree on a collaboration. At that stage, a quote is sent by email. Personal data that can be connected to the discussions on the quote and the contract itself is processed in this step. The legal basis is a contract (an employment contract with us and our counterparty).
  2. Advertisement. The next step is to produce an advertisement. Before the advertisement itself is designed, the manager concerned and the recruiter go through the needs analysis from step 1 by e-mail. Based on this, the recruiter puts forward proposals on the advertisement and which channels it should be sent out in. The advertisement produced contains personal data in the form of contact details for the manager concerned and the recruiter.The advertisement also contains a link to the recruitment firm and recruitment tools that will then be used in the next process.

    The legal basis for processing in this step is consistent with the previous step. The advertisement specifies whether we will use tests (profiling) in the procedure.

Applications, selection and interviews

Applications, selection and interviews

  1. Applications are received. In this step, applications are received via the recruitment firm’s tool. If you are applying for a job with us, you register your application, your personal statement and your CV in the tool. The personal data processed is the data that you yourself choose to supply to us. Remember not to provide unnecessary personal data on yourself or others (e.g. family members). For that reason, you should read the advertisement carefully before you register your details so you know what you need to include.The purpose of the processing in this step is to make it easy for those who are interested to apply for the job, but also to save data required in the next steps.
  2. Selection. In this step, we select who we want to interview. The selection begins with assessment and scoring of applications in relation to their relevance for the job applied for. The scoring takes place using the recruiter’s tool. The personal data processed consists of the data you provided and the data you add when you answer various questions in the tool and the scoring that takes place in the tool. The step ends with a telephone meeting with the recruitment firm in which we check who will be called to an interview (see the next step). In this step, the persons called are flagged electronically in the tool.The purpose of the processing in this step is to assess the applications in a structured way to ensure that the right candidates in relation to the needs analysis and the business’ need for expertise progress.
  3. Interviews. Interviews are carried out in this step. If you have progressed from step 2, you must first take part in a telephone interview. A new check is then carried out between the manager concerned and the recruiter and if you also progress in this step, you will be called to an interview at our premises. The personal information you provided in step 1 is used as support in the interviews. The recruitment firm also documents the call and gives us feedback on it.The purpose of the processing in this step is to assess the impression gained during the telephone interview in a structured way in order to carry out further screening to verify which candidates’ skills best match the needs of the business. Those candidates will be called to one or sometimes multiple interviews at our premises. Another purpose is to check the supporting data you supplied and give you an opportunity to complete the picture. All this is done in order to ensure that the right candidate in relation to the needs analysis and the needs of the business progresses in the process.
  4. Testing. Those who progress from step 3 may, in individual cases, participate in personality tests (often only one final candidate then remains). The purpose of this is to verify that the candidates possess the qualities required for the job, which involves the performance of personal behaviour tests (so-called profiling, see the fact box alongside this section). If you have progressed to this step, the recruitment firm sends you a link to the test. The test results are passed on to us and to the person who took the test. After the test, we and the recruitment consultant hold a discussion with the person who took the test to give that person the opportunity to comment on the test results and to enable a modified assessment to be carried out.The legal basis for the test is the conclusion of an employment contract: we only use tests in individual cases when it is deemed necessary to identify appropriate personal qualities which we have also listed in the needs analysis. After the recruitment process is over, we store the data only for the length of time necessary to allow us to demonstrate that we have made a proper selection (e.g. the Discrimination Act requires supporting data to be saved for two years). The contract with the recruitment firm states that it must not store any of its own copies of the test results.
  5. References. In this step, references are obtained from the referees named by the applicant. The recruitment firm or someone from our organisation (usually the recruiting manager) calls the referees named by the applicant. During the discussion, we note what the referees say and we summarise what has been noted at the end of the conversation. Those notes are also sent to both the referee and the candidate. The personal data processed consists of the name of the candidate and of the referee and also the referee’s subjective assessments of the employee’s previous work performance. The information is stored electronically. If you are a referee, it may be useful to know that we may need to provide the applicant with information on the information provided or an extract from the register.

How we use profiling in recruitment

Profiling means that an organisation carries out automatic processing of personal data to analyse or predict aspects such as work performance, personal preferences and interests. The purpose of our profiling during recruitment is to find the right person for the right position. Sometimes it is necessary to possess certain personal qualities for a job such as good ability to lead others when you are a manager. In this way, profiling is a necessary part of our recruitment work aimed at arriving at an employment contract. We use profiling in individual cases when there are specific qualities we need to find (as stated in our needs analysis). This takes the form of one of our subcontractors conduct a range of tests which aim to verify whether your qualities correspond to the needs analysis). The tests are not in themselves decisive for the decision on employment and other aspects are also considered (e.g. your conversation with us and the recruitment firm when you had taken the test), the impression we gained of you from our interviews and references.

Decision and notification

Decision and notification

  1. Assessment. In this step, an assessment is carried out of all the supporting data compiled during the previous process, which means that the personal data that existed in that process is also processed here. Those involved in the assessment are recruiting managers and employees who have supported the manager in the work as well as a senior manager. The assessment of the final candidate is documented in an electronic document.The purpose of the processing in this step is to select the candidate and check the candidate against the requirements set out in the advertisement and the needs analysis. The assessment is clarified by writing reasons in the recruitment tool, which may be useful, for example, if any dispute in accordance with the Discrimination Act should arise (we have a legal obligation to save the supporting data so we can show that our assessments comply with the legislation). As an applicant, you may access the reasons in the tool.
  2. Notification. When a decision has been made in step 1, the final candidate is offered employment. If you are our final candidate, it means that you receive a call from us in which we offer you the salary and agree on the salary and the start date. No new personal data is added in this step, but we may have used notes from previous steps when preparing the call and during the call when we gave the reasons.The purpose of the processing in this step is to enter into an employment contract and also to provide feedback on why we chose you for the job.
  3. Contract. If we and the final candidate reach agreement in step 2, we draw up an employment contract which is signed at a meeting with us. The purpose of this is to ensure that we have a clear employment contract.After we have signed the contract, we also inform the other applicants. If you have been to an interview at our premises, we will contact you by telephone and give you the news. Other applicants are contacted by the recruitment firm both through an automatic message from the recruitment tool and by telephone. The purpose of the processing is to provide feedback on why we did not choose the applicants who did not get the job.
    After the contract has been signed, we evaluate the process with the recruitment firm in a telephone call. This is primarily concerned with feedback on how the work was carried out, which means that personal data on us and the recruiter may also be processed. The purpose of the evaluation is to learn lessons and improve for the next recruitment.
  4. Weeding. When we have employed a person, the employment contract becomes part of the personal file, which means that it will be stored for as long as the person is employed and for a particular period afterwards (see the process “Termination of employment”). The other supporting data in this process and the two previous processes will be saved for two years since we have a legal obligation to do so under the Discrimination Act. We then delete the data unless there is a special reason to keep it, e.g. a legal dispute.

The legal basis for all the processes is a contract (the conclusion of an employment contract). The overall purpose of the processes is to find the right person with the right skills matched to the needs of the business.

Our employees’ personal data

In all processes described, our employees’ personal data (e.g. names, contact details, e-mail addresses, telephone numbers, titles, positions) are processed when they perform their duties, e.g. when they answer a question or contact someone. Different purposes for processing are described in each process above and also apply to employees’ personal data. The legal basis for processing is a contract (the employment contract) and sometimes there may also be a legal obligation (described in each process, as appropriate).

Our e-mail and document management policy

The way in which we manage e-mail and different documents is described in the various processes above. In order to fully complete the picture, we also describe principles we have adopted for personal data existing in our e-mail and document management:

  • The following applies to documents that have not been completed: We must have a clear document management structure, which means that we avoid having multiple versions of a document (documents must be saved in one way in one folder). When a document has been completed, it must be saved in accordance with the guidelines for weeding that we have established (see above in each process for how we carry out weeding)
  • If an e-mail needs to be saved, it must be saved in the right folder for the purpose.
  • When a document or a saved e-mail message is no longer needed for the purpose for which it was saved, it must be weeded (i.e. deleted). If there is a need to save a particular document as a template, the document must be cleansed of all personal data before the template is saved.
  • There is an authorisation control in the document management system so personal data can only be accessed by persons who require access.
  • We must be restrictive when it comes to sharing personal data by e-mail. If it is a question of sensitive personal data, we must if possible use encrypted e-mail or find other ways to share the information.
  • We must carry out regular weeding of our e-mail and document management system, i.e. continue the work of making our systems GDPR-secure.

Management of accounts and taxes

We process personal data to fulfil our obligation to keep accounts of taxes and pay them and comply with the provisions of tax legislation, the Book-Keeping Act and the Annual Accounts Act (the legal basis for this is a legal obligation).

How we use profiling

We gather together professional persons from the entire pharmaceutical chain and from all over Sweden. To enable us to provide satisfactory service and customised offers, we carry out automatic processing of members’ and customers’ personal data. It may be a question of offering a person who is professionally active in the field of pharmaceuticals relevant education, activities and scholarships on the basis of his or her interests and professional background or of providing tips on vacancies in our network. This is referred to as “profiling” in the GDPR.

To allow us to provide the service, we (i.e. both the Society and the company) need your express consent for processing of personal data, or profiling, as stated in the Data Protection Regulation. You give your consent through Mina Sidor [My Pages] and you can also withdraw your consent at any time. In the fact box below, we describe what we do when we carry out profiling.

If you wish to find out more about how we carry out profiling and to understand how this can benefit you as a member or a customer, please consult our process descriptions (activities, scholarships, educational courses and digital educational courses, etc.). At the various stages of the processes, we describe when we use profiling and the purpose for which we use it.

We also use profiling in connection with recruitment because we use personality tests as part of the selection process. How we use profiling in this context is described in the “Recruitment” process above.

Facts about what information we use to carry out profiling for marketing purposes

In order to ensure that our mailings and offers are relevant, we use the information you provided on Mina sidor. From the fields that are sometimes mandatory, we obtain information about:

  • your type of membership
  • what division/section you are a member of
  • the postal code you registered
  • what your first degree is

From the optional fields, we obtain information about:

  • where you work or study
  • what field you are active in

Where appropriate, we use information on the areas of interest you have specified when ordering a newsletter from Läkemedelsakademin i Stockholm AB.

Finally, we also use information about what campaigns you have responded to, whether you were awarded a diploma or were certified, previous participation in educational courses and activities and whether you have applied for/been granted scholarships from us.

As always, our aim is to never use more data than is required to keep our communication with you relevant. We will continuously evaluate our use of data and if we increase the amount of profiling data, we will let you know.  You can withdraw your consent at any time via Mina sidor. There you can also influence what data will form the basis for profiling by changing the information you enter in some of the fields.

Your rights

In our Privacy Policy, we issue information on our processing of personal data, which is one way for us to ensure that you are able to exercise your right to receive information from us if you have registered with us.

If you think we have processed your personal data incorrectly or that it needs to be supplemented, you have the right to ask us to rectify it and if you do not want us to continue processing personal data on you, you have the right to ask us to erase it. We will rectify and erase the personal data, if possible, in relation to the purpose of the processing, the legal rules with which we are obliged to comply and the contracts we have entered into with you as a registered person (e.g. our statutes are considered to be a contract between us and the members of the Swedish Pharmaceutical Society).

If you have given your consent for processing, you have a right to withdraw your consent at any time and we will then terminate the processing to which the consent relates (which may include deleting data if we have no other legal basis for the processing). You can also object to the processing we carry out with regard to marketing or profiling or if you have your own personal reasons for not wanting to have the data processed. If you object, we will check whether we must erase it. Of course, we will always erase personal data if you no longer wish to receive marketing from us or to be profiled. We are also obliged to erase it of our own accord in several cases.

If you are in a legal dispute and need your personal data as evidence, you can also ask us not to erase your data (known as restriction). You also have the right to request restriction when you ask us to rectify/erase data, which means that we may not use the data for the period during which we are investigating whether we can rectify/erase it.

Finally, you are entitled to access information on the processing we do on you (sometimes called an extract from the register). The contents of such an extract must include a description of the purpose and legal basis for the processing and the categories of personal data to which it relates. We have already compiled this type of information at an overall level – see above under How we process personal data, which is an easy way for you to obtain information on how we work with your personal data. An extract from the register means that you gain an overview of the processing so you understand where your personal data may be processed (however, you do not have an unconditional right to access documents where your personal data is located).

If you would like to know more about your rights, you can read Allmänna frågor om EU:s dataskyddsreform [General questions on EU data protection reform ] at the Data Protection Authority.

Last updated September 11, 2019

Contact us

It is important to us that you should have confidence in the way we process your personal data. If you have any questions or comments, you can contact our GDPR organisation throughinfo@apotekarsocieteten.se or 08-723 5000. The same applies if you wish to exercise your rights (see above).

Contact the Data Protection Authority

You have a right to contact Datainspektionen [the Data Protection Authority] at any time if you have any comments on our processing of your personal data. Naturally, you may do this without contacting us first, but of course we will also appreciate it if you tell us what you think so we are aware of it in our continuous work to improve.