Privacy Notice – SEI Project Tracker
1 Introduction
Stockholm Environment Institute, 802014-0763 ("SEI" or "we" in any form) collects and otherwise processes personal data about you in your capacity as a staff. This privacy notice ("Privacy Notice") sets out information about the processing of personal data carried out by us in our role as controller, including what personal data we collect about you, for which purposes the personal data is processed and with whom we may share your personal data.
1.1 Definitions
"Applicable Data Protection Laws" means all legislation and regulations, including regulations issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data that from time to time applies to this Privacy Notice, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR") as well as laws and regulations supplementing the GDPR.
Unless otherwise stated, terms defined in the GDPR, such as "personal data" and "processing", shall have the same meaning in this Privacy Notice.
Accordingly, "personal data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The term "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2 From where do we collect your personal data?
We collect your personal data from:
- Yourself, e.g. your name
- SEI Human Resources, e.g. your title
- SEI IT systems, e.g. your work email address
3 When and why do we process your personal data?
3.1 Project Tracker users
We use technologies on our Project Tracker website that are intended to facilitate secure access via a single sign-on using SEI work emails.
3.1.1 Managing and administering our websites
We process your personal data in order to manage the Project Tracker website, to ensure that the content is presented in the most effective manner for you and your device, and that the data is kept secure.
(a) Categories of personal data
- User-generated data
(b) Legal basis
We base the processing on our legitimate interest to manage and administer our Project Tracker website (Art. 6 (1) (f) GDPR).
(c) Retention period
Your personal data will be retained indefinitely.
(d) Recipients of personal data
We may share your personal data with our service providers, such as IT- and hosting suppliers.
3.2 Fulfilment of legal obligations
We process your personal data for the purpose of complying with legal requirements placed upon us such as corporate financial responsibilities including audit requirements and employment-related requirements such as e.g. income tax, social security deductions and immigration requirements.
(a) Categories of personal data
- Name, title and email.
(b) Legal basis
We base the processing of your personal data in the legal basis compliance with a legal obligation to which we are subject (Article 6 (1) (c) GDPR).
(c) Retention period
Your personal data will be retained for as long as required under the relevant legal obligation.
For Sweden, the Bookkeeping Act requires that bookkeeping information is stored for seven (7) years following the end of the calendar year during which the financial year ended.
(d) Recipients of personal data
We may share your personal data with advisors and authorities, such as tax authorities, in order for us to fulfil the legal obligation laid upon us.
3.3 Business changes, including mergers and acquisitions
3.3.1 Where we change our organization
In the event of a contemplated or actual reorganization, merger, acquisition, sale, joint venture, assignment or other disposition of all or any portion of our business, assets and stock we may need to share personal data for the purposes of executing the change at hand.
(a) Categories of personal data
Potentially all categories of personal data, subject to assessment in each individual case.
(b) Legal basis
We base the processing of your personal data on the legal basis legitimate interest to facilitate and/or enable the contemplated or actual reorganization, merger, acquisition, sale, joint venture, assignment or other disposition of all or any portion of our business, assets and stocks (Article 6 (1) (f) GDPR).
(c) Retention period
We will process the personal data until the change at hand has been executed.
(d) Recipients of personal data
Buyers and external advisors/other involved parties and group companies.
4 Recipients with whom we share personal data
For the purposes set out in this Privacy Notice, we may transfer your personal data to our service providers and business partners, e.g. service providers in IT. Such suppliers might process your personal data in Thailand, Kenya, Colombia, the USA or the UK. These parties will generally act as processors relating to the processing of personal data, which means that they are contractually obliged to process your personal data only on behalf of and in accordance with the our instructions.
We may also share personal data to other recipients, acting as data controllers.
| Purpose | Recipient | Legal Basis |
| To transfer personal data within the organization e.g. for internal administrative purposes, including the processing of employees' personal data. | SEI's affiliates | Legitimate interest (Art. 6.1 (f) GDPR). SEI as a part of a group of undertakings has a legitimate interest in transferring personal data within the group for internal administrative purposes, including the processing of employees' personal data. |
| To enable business changes, e.g. sale or merger of the business or investments in general. | Buyers, sellers and external advisors/other parties involved | Legitimate interest (Art. 6.1 (f) GDPR). The processing is necessary to fulfil our legitimate interest in conducting and executing business changes. |
Transfers of personal data outside of the EU/EEA
In case we transfer your personal data to a recipient in a country outside of the EU/EEA ("third country"), such transfer will only take place where an adequate level of protection is ensured in accordance with a decision by the EU Commission. Alternatively, we will ensure that appropriate safeguards have been implemented (such as those provided for in the EU Commission's standard contract clauses). Where deemed necessary, such appropriate safeguards will be complemented by supplementary measures for ensuring an essentially equivalent level of data protection to that found under the GDPR.
You have the right, upon request, to receive a copy of the documentation demonstrating that the necessary safeguards have been put in place to protect your personal data when transferred to a third country. Such request may be made by contacting us on the contact details set out below.
5 Security
We will ensure that access to your information is adequately protected by having appropriate security measures implemented and, depending on the circumstances, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks. To uphold this warranty, we have also implemented appropriate technical, physical and organisational measures to protect your personal data from unlawful or accidental destruction, alteration or disclosure, misuse, damage, theft or loss by accident or unauthorised access.
6 Your Rights
Rights in relation to your personal data
In connection with our processing of your personal data, you may, under the conditions set out below, exercise the following rights:
Access
You can request confirmation of whether or not your personal data is being processed and, if it is being processed, request access to your Personal data and additional information such as the purpose of the processing. You also have the right to receive a copy of the personal data that is processed. If the request is submitted electronically, the information will also be obtained in a commonly used electronic form unless you request otherwise.
Rectification
If you notice that personal data about you is inaccurate or incomplete, you have the right to have your personal data rectified or completed.
Object to specific processing
You can object to processing of your personal data if it is based on a legitimate interest, on grounds relating to your particular situation or if the processing takes place for direct marketing purposes. Upon such an objection, we are obliged to cease the processing, unless we can demonstrate compelling legitimate grounds to continue processing and those grounds override your interests. We may also continue processing that is necessary to establish, exercise and defend legal claims. Processing for the purpose of direct marketing will, however, always be ceased upon your objection.
If you object to processing of your personal data, you have the right to request restriction of the processing pending our verification of whether we may continue to process it, in accordance with the below (see Restrict processing).
If, upon your objection, we no longer have a right to process your personal data, you have a right to have the personal data erased in accordance with the below (see Erasure). |
|---|
Erasure
You can have your personal data erased under the following circumstances;
- If the personal data is no longer necessary in relation to the purposes for which it were collected or otherwise is processed;
- If our processing of the personal data can only be carried out based on your consent; if you withdraw such consent;
- If our processing is based on legitimate interest, you object to the processing are no overriding legitimate grounds for the processing, and if you object to the processing for direct marketing purposes;
- If your personal data has been unlawfully processed; and
- If your personal data has to be erased for compliance with a legal obligation in Union or Member State law to which we are subject.
The right to erasure does not apply when our processing of your personal data is necessary for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires the processing; or for the establishment, exercise or defence of legal claims.
Restrict processing
Under the following circumstances, you can request that we restrict the processing of your personal data to only involve the storage of your personal data;
- If you contest the accuracy of the personal data, we will restrict processing for the time required to verify its' accuracy.
- If the processing is unlawful, you may oppose the erasure of the personal data and request that its' use is instead restricted.
- If we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, you have the right for the processing to be restricted.
- If you have objected to processing, you have a right to restriction pending the verification of whether our legitimate grounds override your interests.
We may, however, still use your personal data for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
Withdraw consent
To the extent that the processing of personal data is based on your consent, you always have the right to withdraw your consent. If there is no other legal ground for the processing, you have the right to have the relevant personal data erased in accordance with the above (see above Erasure).
Data portability
Unless it adversely would affect the rights and freedoms of others, you have the right to request a machine-readable copy of the personal data processed based on your consent or when the processing is necessary to fulfil an agreement with you as well as when personal data has been obtained from you (data portability), and to request that the information be transferred to another data controller (if possible).
Complaints to the supervisory authority
You are welcome to contact us with questions or complaints regarding the processing of your personal data on the contact details set out below. However, you also have the right to lodge a complaint regarding the processing of your personal data to the Swedish Authority for Privacy Protection.
7 Contact Us
If you have any questions regarding the processing of your personal data or if you wish to exercise any of your rights pursuant to applicable data protection legislation, please contact by using the contact details below. If needed, we have the right to change and supplement the Privacy Notice.
The controller is:
Stockholm Environment Institute
Org. no. 802014-0763
Virkesvägen 1A
120 30 STOCKHOLM
ian.caldwell@sei.org
8 Description of categories of personal data
Please see the table below for detailed information regarding which personal data that we process.
| Categories of personal data | Examples of personal data |
|---|
Identification information
| Name |
Contact information
| Email address |
| Correspondence data | Personal data that is included in your communication with us
|
| User-generated data | Technical data regarding used devices and their settings (e.g. language setting, IP address, browser settings, time zone, operating system, screen resolution and platform), information about how you interacted with us, login method, which pages and how long different pages have been visited, response times, download errors, how to access and leave the service, etc. |
| Work related information | Title |