Privacy Policy

The policy regulates how Skellefteå Airport (the company) handles personal data in accordance with the EU’s General Data Protection Regulation (GDPR). The policy covers the handling of all personal data and includes both structured and unstructured data. Policy is rooted in all our employees.

Application and revision

The company’s board is responsible for ensuring that the processing of personal data follows this policy.

  • The policy shall be determined, and if necessary updated, annually by the company’s board.
  • The company’s personal data manager has the task of keeping himself informed of changes in the Data Protection Ordinance and is responsible for updating the policy as a result of new and changed regulations.
  • This policy shall be applied by all the company’s executives and employees as well as sub-consultants and contractors who in one way or another are part of our business operations.

Organization and responsibility

The CEO is ultimately responsible for the content of the company’s personal data policy and that it is implemented and complied with by all the company’s executives, employees and contractors. The CEO may delegate the content responsibility and implementation to a suitable person at the company.

All of the company’s executives, employees and contractors are responsible for ensuring that they act in accordance with the company’s personal data policy.

Personal data processing

Each personal data processing takes place according to the following principles:

  • Legality
  • Purpose limitation
  • Task minimization
  • Correctness
  • Storage minimization
  • Integrity and confidentiality

Data collection criteria

The principles for data processing mean that we only continuously handle personal data that is of directly relevant and justified commercial interest, contractually regulated or statutory. Only in exceptional cases and if necessary are other personal data handled, which are then regulated by consent agreements.

Only personal data that is absolutely necessary to conduct business operations, fulfill current agreements, handle personnel administration and meet legal requirements shall be processed and stored. When the personal data no longer meet these criteria, they must be deleted without delay.

Handling routines

Our data processing is documented on an ongoing basis in our handling register, which is handled by the person responsible for personal data. A person who is registered always has the right to receive an extract of registered information, as well as the right to correct incorrect information. Follow-up and evaluation of our handling of personal data must take place at least annually.

Illegal data handling

Any incidents concerning personal data that we process must be reported to the person responsible for personal data without delay. The person responsible for personal data shall, without undue delay and within 72 hours at the latest, report the incident to the Data Inspectorate and otherwise take the necessary measures in connection with the incident.

For external management, collaboration and purchase of services

Our requirements for personal data to be handled in accordance with the GDPR must always be ensured when procuring external suppliers and the development of IT solutions and services, and must be part of the requirements specification and any agreements. Outsourcing of personal data management is regulated by personal assistant agreements.