Yeshin Norbu needs to comply with the General Data Protection Regulation (GDPR), effective since the 25th of May 2018, with regard to the processing of personal data.
Yeshin Norbu is committed to processing data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it’s processed. Data shall be collected for specified, explicit and legitimate purposes. All processing of data by Yeshin Norbu must rest on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests. Yeshin Norbu does not store personal data longer than necessary for the purpose for which the personal data is stored. Below are Yeshin Norbu’s written routines for the processing of personal data: the Register of Systems.
For further guidance regarding GDPR and the processing of personal data, please refer to the website of Integritetsskyddsmyndigheten.
The responsible person (Personuppgiftsansvarig)
The organisation Yeshin Norbu is responsible for compliance with the GDPR. Contact information:
Styrelsen Yeshin Norbu, Birger Jarlsgatan 131B, 113 56 Stockholm
THE PERSONAL DATA THAT WE PROCESS
Directory of members
If you become a member of the non-profit organisation Yeshin Norbu your personal data will be stored in a directory of members. The information that we process is your name and email address and in some instances your phone number and street address. The directory is saved on our drive and through our website. The data is saved so that we can fulfill our obligations of the membership contract. The directory is revised once a year, or more often if relevant, and data regarding people who are no longer members is erased.
Information about membership is sensitive personal data. We process this data on the grounds that we are a non-profit organisation with a religious purpose in which you are a member. We will not pass on information about your membership to anyone outside Yeshin Norbu, except in certain cases (see below regarding passing on information).
Participants in education
If you participate in any of our courses or events we register data about you in order to implement our activities. Data that we register upon signing up are generally your name and your email address. The basis of this is contract. In order to sign up you need to create a personal account on our website. You can, at any time, erase your account.
If you order food from our café through our website you may have to state information about allergies. This is sensitive personal data and will only be available to the staff that needs to know. The information is not stored. The basis of processing the data is contract and/or legitimate interest.
Photographs
As a visitor at the center or participant in our activities you may, in certain circumstances, be photographed. We ask for your consent before publishing any photos of you on our homepage or our social media. The data is saved until further notice. You can withdraw your consent and have your picture removed.
Information about staff
Yeshin Norbu saves contact information for staff members including name, phone number, date of birth, address and email address. The information is stored both on our drive and on a physical copy in the office. The information is stored on the basis of contractual obligation and is stored until further notice.
Payment through Swish and booking of our venues
If you pay with Swish we will process your phone number and any message you include when paying. The basis is to fulfill a legal obligation in bokföringslagen (SFS 1999:1078) to save accounting information and to fulfill the contractual obligations of payment. The information about payment is stored for 7 years after the fiscal year.
If you book our venue we will process your personal data in order to administer the booking and to contact you if needed. The data processed includes name, email address, phone number, organisation number and address for invoice purposes. The basis for processing is contract. The data is stored for 7 years after the fiscal year in accordance with bokföringslagen.
Communication through email and social media
We can use your information in order to send you our newsletter or information about our activities. To administer this we use the service provider Mailchimp, a company that also needs to comply with GDPR. You can, at any time, change or remove your information from the mailing list. At the end of every email there is a link through which you can administer your information.
If you send us an email we will process your data by reading it, storing it, handling it and if needed forwarding it to the correct recipient in Yeshin Norbu. The information that reaches us this way is often: names, email addresses and occupation. The basis for processing this information is your and our legitimate interest in communication. The information is stored for as long as the matter is ongoing.
When you communicate with us through social media you consent to us processing any information that you publish. We process this data to inform and communicate with people who reach out to us. You can, at any time, erase any data published on our social media.
Grievance procedure
If Yeshin Norbu’s grievance procedure is launched this could mean that a complaint is directed towards someone connected to Yeshin Norbu. In these cases the personal data that is necessary to address the complaint is processed. This could include names, phone numbers, email addresses and occupations. The basis for processing is the legitimate interest of addressing the complaint. The data is stored until further notice.
PASSING ON INFORMATION
Yeshin Norbu generally does not pass on any personal data to outside parties. There are, however, some instances where this is necessary.
As stated above Yeshin Norbu uses the outside service provider Mailchimp to administer our mailing list.
Yeshin Norbu is about to become a member of Sveriges buddhistiska gemenskap (SBG). When this happens SBG will have a right to review the directory of members. Becoming a member of SBG could also affect the kind of information we need to process about our members. The third party also needs to comply with GDPR. The basis for the processing is that Yeshin Norbu has a legitimate interest in running our organisation.
Yeshin Norbu does not transfer personal data to any third countries.
YOUR RIGHTS AS A MEMBER
According to the GDPR you have a right to receive a statement of the personal data we process regarding you and information about how we process the data, free of charge. You also have the right to request that we correct or complete the personal data we process regarding you. While we verify that the information is correct, you can request that the processing of your personal data be limited, so that it can only be stored by us until further notice.
You can also request that we erase your personal data. However, if there is still a legitimate reason for us to store the information, for example on the basis of contractual or legal obligation, your request could be denied. You also have the right to know for how long we will store your personal data.
If you think that our processing of your personal data is incorrectly handled or illegal you have the right to file a complaint with Integritetsskyddsmyndigheten.
PROTECTION OF PERSONAL DATA
Yeshin Norbu shall ensure that personal data is stored securely using appropriate technical and organizational measures.
BREACH
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Yeshin Norbu shall promptly report this to Integritetsskyddsmyndigheten within 72 hours. A breach could result in risks to people’s rights and freedoms.