Policy on Personal Data Processing
Purpose and Introduction
The purpose of this policy is to establish the procedures for personal data processing in the Utrikespolitiska Föreningen in Uppsala to guide the association in handling personal data of its members and participants in events organized by the association, and to ensure that the association’s activities comply with the General Data Protection Regulation (GDPR). The information regarding the GDPR in this policy is based on data collected from the Swedish Data Protection Authority’s website in November 2021. This policy consists of three parts: the first part covers definitions and clarifications regarding personal data, the second part discusses the routines that UF Uppsala should follow to comply with the GDPR, and the third part addresses how UF Uppsala should handle a situation in which the association breaches the GDPR.
Personal Data
What is personal data?
Personal data refers to any information relating to an identified or identifiable natural person. This means that personal data is any information that, either on its own or combined with other data, can be linked to a living individual. Examples of personal data include:
- Name
- Address
- Personal identification number
- ID card number
- Telephone number
- Photographs of individuals
- Audio recordings
- Email addresses like firstname.lastname@gmail.com
When do we process personal data?
Personal data is processed whenever an action or series of actions is taken in relation to personal data, whether automated or not. Examples of when the Utrikespolitiska Föreningen in Uppsala processes personal data include membership registration, maintaining a membership register, applications for positions and roles within the association, event registration forms, photography, photo archives, etc.
Established on December 3rd
Utrikespolitiska Föreningen in Uppsala
BOX 513
Kyrkogårdsgatan 10
751 20 Uppsala
Org. No. 817603-5221
ufuppsala.se
info@ufuppsala.se
When can we process personal data?
According to the GDPR, personal data can be processed and collected by associations for specific purposes and not for any other purposes. Only data relevant to the purpose should be collected, and it is important that the data is accurate and updated if necessary. The data should also not be stored for longer than necessary. Furthermore, members have the right to access the data that UF Uppsala holds about them, if they request it.
Procedures
Membership Register
In the association, the secretary is responsible for the membership register and is the only one who administers and maintains it. If the secretary position is vacant or the secretary is unable to perform their duties, the chairperson or vice-chairperson can access the membership register. In the membership register, we only process the necessary data about members, which includes their first name, last name, email address, and date of birth. Members can also provide their mailing address, postal code, and city to receive the association’s newsletter – Uttryck – by mail. The purpose of collecting the information in the membership register should be specified.
Since only the association’s secretary has access to the membership register, they are responsible for tasks associated with it, such as sending emails to all members, maintaining membership statistics, and ensuring that the data in the membership register is accurate. Other board members may gain access to the membership register upon the secretary’s request, but only when there is a clear need, and the board member must be asked to delete the information once it is no longer required. When the membership register is shared, only the necessary information should be provided, and the board member must be informed that this is GDPR-protected material.
Forms
Forms are sent to members and other participants, for example when they register for events, banquets, trips, evaluations, study visits, etc. The purpose of collecting personal data should be made clear in the form. All forms containing personal data should have a consent box, where the person filling out the form agrees to the association processing their information in accordance with the GDPR. Forms containing personal data should be deleted as soon as the information is no longer relevant or required.
Health Data
According to the GDPR, health data is subject to stronger protection as it is considered sensitive data. For example, when asking about allergies or dietary preferences in event registration forms, the question should be phrased as “Do you have any dietary preferences?” rather than “What allergies do you have?”. When passing this information on to a vendor or similar, it should be described as “a vegan request”, “one without peanuts”, or “one without pork” rather than “a vegan”, “a peanut allergic person”, or “a person avoiding pork for religious reasons”.
Minutes
At board meetings, participants’ first and last names are always recorded and saved. The minutes are also made available on the association’s website. The purpose of recording the names is for documentation of what took place at the board meetings, and sharing them is important for transparency with members. An adjunct participant at a board meeting should be made aware that their name will be recorded in the minutes.
If someone attends an annual meeting, their first and last names may also be recorded in the minutes. Annual meeting minutes are publicly available on the association’s website and stored on Google Drive.
Email
When sending a mass email within the association, it must not be done in a way that allows all recipients to see each other’s email addresses. To achieve this, the sender’s own email address or another association email address should be entered in the recipient field, and the recipient group should be placed in the “BCC” field.
Internal Communication about Personal Data
Communication about sensitive or detailed personal data should primarily be done via email and not through other communication channels. The information should also be deleted once it has fulfilled its purpose.
Uttryck
When publishing the names of editors, chief editors, illustrators, writers, and responsible publishers, the GDPR does not apply, since this is protected by the Swedish Freedom of the Press Act.
Procedures for Incidents Breaching the GDPR
Step 1: Detection and Initial Reporting
If an incident involving personal data is discovered or suspected, it should be reported to the chairperson without delay. If the chairperson is unavailable, unreachable, or unsuitable to handle the incident, the incident should be reported to the vice-chairperson. It is crucial that the incident is reported as soon as it is detected.
Step 2: Information to UFS
The reporter is responsible for contacting the administrative officer of Utrikespolitiska Förbundet Sverige (admin@ufsverige.org, 070 868 54 76) immediately after discovering or suspecting an incident. If the administrative officer is not suitable to handle the incident or cannot be reached, the president (president@ufsverige.org) should be contacted. The reporter must follow the instructions and information provided by the federation’s administrative officer.