top of page

Privacy Policy

Privacy Policy for Progressive Judaism in Stockholm

Privacy is important to us at Progressive Judaism in Stockholm (PJS) and we are responsible for the personal information that various individuals provide to us. To ensure that members/participants/visitors/employees feel secure, this personal data policy describes how PJS processes, stores, and handles personal data.

English translation

Please note that this English translation is provided as a service for our visitors. The original Swedish version of this policy is the legally binding document. In the event of any discrepancies between the Swedish text and this English translation, the Swedish version shall prevail.

Personal Data

Personal data refers to all information that can directly or indirectly be attributed to a now-living natural person. Examples of personal data are name, address, personal identity number, telephone number, e-mail, images, and health information. When data can be linked to a specific person, it is personal data. Encrypted data and various kinds of electronic identities (e.g., IP numbers) are also personal data if they can be linked to natural persons.

 

Processing of Personal Data

PJS collects, uses, and processes personal data about, for example, members, participants in groups in our activities, employees, and business contacts. Processing of personal data is everything that happens to the personal data. Every action taken with personal data constitutes processing, regardless of whether it is automated or not. Examples of common processing activities are collection, registration, organization, structuring, storage, processing, transfer, and deletion.

 

Data Controller

Progressive Judaism in Stockholm, organization number 802428-1720, is the data controller for PJS's processing of personal data. PJS is responsible for all data provided in contact with us, which may be on the website, via telephone, letter, e-mail, directly to an employee, or in other ways. As data controller, PJS is responsible for ensuring that personal data is processed securely and that the GDPR, the General Data Protection Regulation, is followed. Our main purpose for processing personal data is to fulfill our commitments to our members/users/customers, but we also collect data about those who are not, but who wish to be contacted by us for various reasons.

Applicability and Scope

This privacy policy is aimed at all employees within PJS. Customers, suppliers, agents, representatives, and other business partners of the congregation are expected to follow this, or an equivalent policy, insofar as they process personal data on PJS's behalf. The policy shall be available to the congregation's employees and, upon request in accordance with applicable law, from the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, formerly the Data Inspection Board). To the extent applicable law imposes additional requirements, it shall be applied alongside the policy. If applicable law conflicts with this policy, PJS's board must be informed to decide how the situation should be handled.

Purpose of this policy

The purpose of the policy is to ensure that PJS complies with legal requirements and avoids unacceptable legal risks. The policy explains how PJS processes personal data.

Policy

PJS shall follow applicable laws, rules, and regulations governing privacy and data protection and conduct operations in a manner that respects privacy in relation to PJS's processing of personal data.

The following principles set out in the Data Protection Regulation apply to PJS's processing of personal data:

Lawfulness, fairness and transparency

Collection, use, and other processing of personal data shall be lawful, fair, and transparent towards the data subject. PJS shall facilitate the data subject's exercise of their rights in accordance with current law. The data subject shall receive clear and distinct information on how their personal data will be used by PJS.

Purpose limitation

Personal data shall be collected for specified, explicit, and legitimate purposes and not later be processed in a manner that is incompatible with these purposes or for undefined future needs. PJS shall ensure that there are procedures for culling or anonymizing personal data whose processing is no longer necessary for the original purpose.

 

Only processing on a lawful basis

Personal data shall only be processed if a lawful basis for the processing exists.

 

Storage minimization

Personal data may only be stored for as long as is necessary for the purpose of the processing. When PJS no longer needs the data, it shall be erased, restricted, or anonymized so that it can no longer be linked to the data subject.

 

Sensitive personal data

Some personal data is considered extra sensitive and therefore has stronger protection in the Data Protection Regulation. This includes, among other things, trade union membership, health, ethnic origin, religious or philosophical beliefs, political opinions, sex life or sexual orientation, and data about criminal offenses. The main rule is that it is forbidden to process sensitive data, but there are exceptions to the prohibition, e.g., if a person has explicitly consented to the processing. Higher requirements than just consent are set here. The Data Protection Regulation states how the exceptions are to be interpreted. One exception is the processing by religious communities for their core activities. Personal identity numbers and coordination numbers may only be processed if it is justified with regard to the purpose of the processing. Employees at PJS shall exercise special care with sensitive personal data.

 

Information on processing of personal data

PJS shall, in accordance with applicable law, provide information to data subjects about the processing of personal data.

 

Access to personal data

PJS shall provide access to personal data in accordance with applicable law.

 

Objections to processing

PJS shall ensure that the data subject can object to processing carried out on the basis of a public or legitimate interest or for direct marketing purposes, and shall accept such a request when applicable.

 

Data portability

The data subject has the right to request their personal data to transfer it to another data controller. The data subject only has this right when the processing is based on consent or contract and the processing is automated.

 

Data minimization and accuracy

Personal data shall be adequate, relevant, and not excessive for the purpose of the processing, and shall be updated as necessary. Inaccurate data shall be corrected or supplemented, either on PJS's own initiative or at the data subject's request.

 

Engaging data processors

PJS may engage a data processor who processes personal data on PJS's behalf. The processor must be able to guarantee that the personal data processing meets the requirements of this policy and the requirements of applicable law. A special processor agreement (DPA) shall be established between the parties with detailed requirements on how the personal data may be processed to thereby ensure that the data subject's rights are protected. Personal data outside the EU/EEA: There are restrictions on transferring personal data to recipients outside the EU/EEA; Israel is an exception and personal data can be transferred to Israel. PJS shall follow the restrictions set by applicable law.

Integrity and confidentiality Personal data shall be processed in a manner that ensures appropriate security of the data. There must be a sufficient level of protection against the data being subjected to unauthorized or unlawful processing, or being accidentally erased or damaged. PJS shall take appropriate technical organizational measures in relation to the risk of the processing.

 

Privacy by Design and Privacy by Default

PJS shall ensure that systems purchased and developed are privacy-secured. For a system to be considered to have sufficiently good privacy protection in relation to the data being processed, the basic principles of the Data Protection Regulation must be built directly into the system in such a way that the use of the system lives up to these principles by default.

 

Responsibility and Violation

All employees and elected representatives must be aware of the policy and follow it - everyone is obliged to report suspected violations of this policy to PJS's data protection officer.

 

Sharing of personal data

Sometimes personal data needs to be shared with other companies and organizations. Some of these are independent data controllers. The fact that a company/organization is an independent data controller means that PJS does not control how the information provided to the company is processed. When personal data is shared with a company/organization that is an independent data controller, that company's privacy policy and personal data handling apply. Independent data controllers with whom we share personal data may be, e.g.:

  • The Jewish Central Council in Sweden

  • The Jewish Community in Stockholm

  • Government authorities (the police, the tax agency, or other authorities) if we are obliged to do so by law or on suspicion of a crime.

  • Companies that provide general passenger and freight transport (transport and logistics companies).

  • Companies that offer travel arrangements, hotels, conference centers, restaurants, etc.

  • Companies that offer payment solutions (card-acquiring companies, banks, and other payment service providers).

  • Partners and suppliers with whom a data processor agreement has been signed.

Security

We have taken special security measures to protect personal data against unlawful or unauthorized processing (such as unlawful access, loss, destruction, or damage). Only those persons who actually need to process personal data for us to fulfill our stated purposes have access to them.

 

Security Check

We conduct security checks on non-members who wish to visit our events and services to protect our institutions and members against terror and other crimes. In this work, personal data relevant to security is processed. The data is culled after the event is completed.

 

Storage of personal data

We never save personal data longer than is necessary for each purpose. We will only process your personal identity number when it is clearly justified with regard to the purpose, necessary for secure identification, or if there is some other considerable reason. We always minimize the use of personal identity numbers as much as possible by, where sufficient, using birth numbers instead.

 

Cookies

We use cookies to see how many people use the websites progjud.se and sukkatshalom.se, which pages are visited, and how our users move between the pages. Everyone who uses the website remains anonymous to us. In some cases, we use cookies to remember settings made when a person visits our website, so they do not have to redo them on their next visit. The purpose is solely to improve and simplify for the users.

 

Rights as a data subject

Right to access (so-called register extract). We are always open and transparent about how we process personal data, and if you want to gain deeper insight into which personal data we process about you, you can request access to the data (information is provided in the form of a register extract specifying purposes, categories of personal data, categories of recipients, storage periods, information on where the information was collected, and the existence of automated decision-making).

 

If we receive a request for access, we may ask for additional information to ensure efficient handling of the request and that the information is provided to the right person. Right to rectification. Data subjects can request to have their personal data corrected if the data is incorrect. Within the scope of the stated purpose, they also have the right to supplement any incomplete personal data.

Keep in mind that we may have the right to deny a request if there are legal obligations that prevent us from immediately deleting certain personal data. These obligations come from accounting and tax legislation, banking and money laundering legislation, but also from consumer rights legislation. It may also happen that the processing is necessary for us to establish, assert, or defend legal claims. Should we be prevented from complying with a request for deletion, we will instead block the personal data from being used for purposes other than the purpose that prevents the requested deletion.

 

Incidents

A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, or alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. If it is judged likely that such an incident entails a risk to the rights and freedoms of natural persons, the incident shall be reported to the Swedish Authority for Privacy Protection (Integritetsmyndigheten) within 72 hours. If the incident is likely to entail a high risk to the rights and freedoms of natural persons, the affected individuals shall be informed of the incident without undue delay.

 

The Swedish Authority for Privacy Protection is the supervisory authority

The Swedish Authority for Privacy Protection is responsible for monitoring the application of the legislation. Anyone who believes that a company/organization is handling personal data incorrectly can file a complaint with the Swedish Authority for Privacy Protection.

Contact in data protection matters

Progressive Judaism in Stockholm takes data protection very seriously. For questions, contact info@sukkatshalom.se

bottom of page