In this privacy notice, we explain how the The Council on Ethics for the Swedish National Pension Funds collects, uses, discloses and stores your personal data and how we otherwise ensure that your personal data is processed in accordance with applicable regulations. The privacy policy applies to you as a contact person, external manager, counterparty, supplier, job applicant, trainee, consultant or other stakeholder in relation to us.
Data Controller
The Council on Ethics for the Swedish National Pension Funds is legally part of AP3, which is therefore responsible for the processing of your personal data. If you have questions about AP3’s data processing or wish to contact AP3’s Data Protection Officer, you can reach out to the fund’s Head of Compliance.
If you have specific questions about AP3’s processing of personal data or wish to contact the Fund’s Data Protection Officer, please contact the Fund’s Head of Compliance, see phone number and email address below.
Name: Tredje AP-fonden, org.nr 802014–4120
Contact person: Head of Compliance
Adress: Vasagatan 16, 111 20 Stockholm
Postal address: Box 1176, 111 91 Stockholm
Phone number: 08-555 17 100
E-mail address: gdpr@ap3.se
Data Protection Officer
Name: Caroline Mitteregger, Apriori Advokatbyrå
Adress: Nybrogatan 7, 114 34 Stockholm
Phone number: 08-403 777 10
E-mail address: info@apriorilaw.se
Collection and processing of personal data
Most of the personal data that AP3 processes about you have been provided to AP3 by you, either as a private individual or as a representative of an organisation. Some data may also have been obtained from a third party, for example from your employer when AP3 has a business relationship with it. We use personal data to fulfil our mandate as an authority, to inform you about our business and to communicate and interact with you.
We use personal data for the following purposes:
| Fulfilling our mandate to manage pension fund | |
|---|---|
| Purpose | Categories of personal data |
| In order to fulfil our mission to manage the Swedish people’s pension capital.To be able to invest capital that generates a high return over time.To contribute to the stable development of the state income pension system.To establish and manage contracts on behalf of AP3.To prepare and manage ongoing documentation such as project plans, analyses and presentations together with external managers.To communicate with you. | Name, professional title, address, e-mail, telephone number, signature |
| Legal basis: The processing is necessary for AP3 to perform a task in the public interest, i.e. to fulfil our mission as a public authority. | |
| Retention time: As a government agency, the starting point under archive legislation is that the agency must preserve public documents. AP3 must comply with these preservation rules and delete public documents in accordance with applicable deletion rules and decisions. Information of minor or temporary importance is deleted on an ongoing basis. | |
| Recipients: Data processors and subcontractors for the management of our systems. Authorities to which AP3 has an obligation, either on an ongoing basis or upon request, to disclose personal data, such as the Swedish Tax Agency, the Swedish National Audit Office and the government. |
| Contact persons of suppliers and other co-operation partners | |
|---|---|
| Purpose | Categories of personal data |
| To establish and manage contracts on behalf of AP3. To be able to communicate and manage the necessary contacts in contractual or supplier relationships. | Name, professional title, address, e-mail, telephone number, signature |
| Legal basis: The processing is necessary for AP3 to perform a task in the public interest, i.e. to fulfil our mission as a public authority. | |
| Retention time: As a government agency, the starting point under archive legislation is that the agency must preserve public documents. AP3 must comply with these preservation rules and delete public documents in accordance with applicable deletion rules and decisions. Information of minor or temporary importance is deleted on an ongoing basis. | |
| Recipients: Data processors and subcontractors for the management of our systems. Authorities to which AP3 has an obligation, either on an ongoing basis or upon request, to disclose personal data, such as the Swedish Tax Agency, the Swedish National Audit Office and the government. |
| Conducting public procurement | |
|---|---|
| Purpose | Categories of personal data |
| To administer the tenders received and communicate with tenderers. | Name, job title, email, phone number, signature, CV details |
| Retention time: Accepted tenders are kept in accordance with archive legislation. Unsuccessful tenders are kept for four years. | |
| Recipients: Data processors and subcontractors for the management of our systems. Authorities to which AP3 has an obligation, either on an ongoing basis or upon request, to disclose personal data, such as the Swedish Tax Agency, the Swedish National Audit Office and the government. | |
| Legal basis: The processing is necessary for AP3 to perform a task in the public interest, i.e. to fulfil our mission as a public authority. |
| Recording of calls in telephone trading | |
|---|---|
| Purpose | Categories of personal data |
| To verify that trades that are exceptionally carried out by telephone are recorded to ensure the legality of the trade. For verification for accounting/reconciliation of business conditions. | Audio recording, telephone number |
| Legal basis: The processing is necessary for AP3 to fulfil a legal obligation to which we are bound as a public authority. | |
| Retention time: For the purposes of the Market Abuse Regulation, data is stored for five years and for accounting purposes for seven years. | |
| Recipients: Data processors and subcontractors for the management of our systems. Authorities to which AP3 has an obligation, either on an ongoing basis or upon request, to disclose personal data, such as the Swedish Tax Agency, the Swedish National Audit Office and the government. |
| Job vacancies and expressions of interest | |
|---|---|
| Purpose | Categories of personal data |
| To manage candidates presented to us by our recruitment partners. To receive, assess and store applications and contact applicants. To be able to handle spontaneous applications. | Name, social security number, email, phone number, and anything you submit to us such as a cover letter, CV, grades, and references. |
| Legal basis: The processing is necessary to enable AP3 to fulfil the future employment contract or to take measures at the applicant’s request before such a contract is concluded. Spontaneous applications are processed on the basis of a legitimate interests. If you want to know more about how we have carried out this balancing of interests, please contact us. After recruitment, personal data may continue to be processed within the framework of the employment contract. Due to anti-discrimination legislation, we have to keep application documents for two years for those who did not get the position. The legal basis for that is a legal obligation. | |
| Retention time: Documents leading to employment are retained. Other application documents are kept for two years. | |
| Recipients: Data processors and subcontractors for the management of our systems.Authorities to which AP3 has an obligation, either on an ongoing basis or upon request, to disclose personal data, such as the Swedish Tax Agency, the Swedish National Audit Office and the government. |
Processing of personal data in shared channels and collaboration spaces
Collaboration spaces, shared channels and Microsoft 365
AP3 uses Microsoft 365, which includes Teams, SharePoint and OneDrive. AP3 uses the service to, for example, collect information, communicate, plan, work with documents and save files. Additional functions within Microsoft 365 may over time be used by AP3.
Processing of personal data
In cases where login is required to use Microsoft 365, we need to process your personal data to give you access to the service. The personal data required may include name, telephone number, title and e-mail address. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in AP3.
If you enter, change, delete or share information or documents containing personal data in collaboration spaces, shared channels or other services provided by AP3, this data is also processed. You should therefore consider limiting your use, sharing and other processing of personal data so that personal data is only processed to the extent necessary for the specific purposes for which the services are intended to be used.
Your personal data will be deleted when there is no longer a need for you to participate in a collaboration space or use another service within Microsoft 365, unless AP3 is obliged to retain the personal data for a longer period in accordance with the general rules on archiving for public authorities.
Sensitive personal data
Avoid sharing sensitive personal data. Examples of sensitive personal data include health status, trade union membership, ethnic origin and political opinions. The processing of sensitive personal data requires that the processing is subject to an exception to the prohibition in Article 9 of the GDPR and that it may exceptionally be transferred outside the EU/EEA.
The principle of public access to official documents
Note that AP3 is a public authority and that information shared and/or made available in AP3’s shared channels may constitute public documents under the principle of public access to official documents. A third party may therefore request access to them.
Security
AP3 has taken a number of security measures in accordance with the General Data Protection Regulation to protect your personal data against unauthorised access, alteration and deletion. Should there be a security incident that could adversely affect you and your personal data, AP3 will
contact you with information about what we are doing, and what you can do, to minimise the risk of negative consequences.
Automated decision-making, profiling and direct marketing
AP3 does not use your personal data for automated decision-making, profiling or direct marketing. Nor will AP3 sell your personal data to anyone else.
Transfer of data to third parties
Transfer within the EU/EEA
AP3 only transfers data to third parties if it is necessary for backup, due to a legal obligation or when it is necessary for the conduct of AP3’s business. Before data is transferred to a data processor, a Data Processor Agreement is signed between AP3 and the processor to protect your data. To find out about the data processors used by AP3, please contact the Head of Compliance.
Transfers to third countries
If personal data needs to be transferred to a recipient in a country outside the EU/EEA, AP3 will ensure that the personal data remains protected and that the transfer takes place in a lawful manner. This is done by, among other things, comparing it to the European Commission’s list of countries with an “adequate level of protection” or by signing the Commission’s Standard Contractual Clauses with the counterparty. If necessary, due diligence is also carried out on the counterparty’s handling of personal data. AP3 does not transfer your personal data to third countries if this would be contrary to the provisions of Chapter V of the GDPR.
Your rights
As a data controller, we are responsible for ensuring that your personal data is processed in accordance with the law and that you can exercise your rights. You can contact us at any time if you wish to exercise your rights. If you wish to exercise any of your rights, please contact the Head of Compliance by email, see contact details under the heading Data Controller.
We have an obligation to respond to your request to exercise your rights within one month of receipt of your request. If your request is complex or if we have received many requests, we have the right to extend this deadline by a further two months. If we cannot take the action you request within one month, we will inform you of the reason for the delay and of your right to lodge a complaint with a supervisory authority and to seek judicial redress.
You will not be charged for any information, communication or action we take. However, if your request is manifestly unfounded or unreasonable, we may charge an administrative fee for providing the information or taking the requested action or refuse to fulfil your request altogether.
You have the right to request:
- Access to your personal data. This means that you have the right to request access to the personal data we hold about you. You also have the right to receive, free of charge, information about the personal data we process about you. We are entitled to charge a reasonable administrative fee if you request additional copies. If you make a request by electronic means, such as by email, we will provide you with the information in a commonly used electronic format.
- Rectification of your personal data. At your request or on our own initiative, we will rectify, anonymise, erase or complete data that we know to be inaccurate, incomplete or misleading. You also have the right to complete incomplete personal data if something relevant is missing.
- Erasure of your personal data. In some cases, you can have your personal data erased. When your personal data is necessary for us to fulfil our mission or is contained in a public document, we are not able to delete the data. Personal data can be erased if:
- we process your data based on your consent and you withdraw your consent,
- you object to us processing your data following a legitimate interest assessment and we have no compelling interest that overrides your interests and rights.
- we have processed the personal data unlawfully; or
- we have a legal obligation to erase the personal data.
- Right to restrict processing. This means that we temporarily restrict the processing of your data. You have the right to request restriction when:
- you consider your data to be inaccurate and you have requested rectification as described above, while we determine the accuracy of the data,
- the processing is unlawful and you do not want the data to be erased,
- we as controller no longer need the personal data for our processing purposes, but you need it for the establishment, exercise or defence of legal claims; or
- you have objected to processing as above, while waiting for us to consider whether our legitimate interests override yours.
We will take all reasonable steps to notify anyone who has received personal data as described above if we have rectified, erased or restricted access to your personal data after you have requested us to do so. If you request information about recipients of your personal data, we will inform you of the recipients.
- Your right to object to the processing. You have the right to object to the processing of your personal data if our processing is based on legitimate interests or a public task. If you object to such processing, we will only continue to process your data if we have compelling reasons for doing so that override your interests.
- Your right to data portability. This means that you have the right to receive your personal data in a structured, commonly used and machine-readable format and to request the transfer of this data to another controller. The right to data portability only applies when processing is carried out by automated means and our legal basis for processing your data is your consent or to fulfil a contract between you and us.
- Right to lodge a complaint. If you have concerns about the processing of your personal data, you have the right to lodge a complaint with the Data Protection Authority. We hope that you will contact us first, so that we have a chance to try to rectify any problems.
Read more about your rights on Integritetsskyddsmyndighetens (Swedish Data Protection Authority) website www.imy.se.
Other questions
If you have any questions about the privacy notice or about AP3’s processing of personal data in general, you are welcome to contact the Head of Compliance at AP3. See contact details under the heading Data Controller.