The policy regulates how Skellefteå Airport (the company) handles personal data in accordance with the EU’s General Data Protection Regulation (GDPR). The policy covers the handling of all personal data and includes both structured and unstructured data. Policy is rooted in all our employees.
Application and revision
The company’s board is responsible for ensuring that the processing of personal data follows this policy.
Organization and responsibility
The CEO is ultimately responsible for the content of the company’s personal data policy and that it is implemented and complied with by all the company’s executives, employees and contractors. The CEO may delegate the content responsibility and implementation to a suitable person at the company.
All of the company’s executives, employees and contractors are responsible for ensuring that they act in accordance with the company’s personal data policy.
Personal data processing
Each personal data processing takes place according to the following principles:
Data collection criteria
The principles for data processing mean that we only continuously handle personal data that is of directly relevant and justified commercial interest, contractually regulated or statutory. Only in exceptional cases and if necessary are other personal data handled, which are then regulated by consent agreements.
Only personal data that is absolutely necessary to conduct business operations, fulfill current agreements, handle personnel administration and meet legal requirements shall be processed and stored. When the personal data no longer meet these criteria, they must be deleted without delay.
Our data processing is documented on an ongoing basis in our handling register, which is handled by the person responsible for personal data. A person who is registered always has the right to receive an extract of registered information, as well as the right to correct incorrect information. Follow-up and evaluation of our handling of personal data must take place at least annually.
Illegal data handling
Any incidents concerning personal data that we process must be reported to the person responsible for personal data without delay. The person responsible for personal data shall, without undue delay and within 72 hours at the latest, report the incident to the Data Inspectorate and otherwise take the necessary measures in connection with the incident.
For external management, collaboration and purchase of services
Our requirements for personal data to be handled in accordance with the GDPR must always be ensured when procuring external suppliers and the development of IT solutions and services, and must be part of the requirements specification and any agreements. Outsourcing of personal data management is regulated by personal assistant agreements.