Personal data policy for Musik i Syd
Musik i Syd is a music institution in Skåne and Kronoberg with the aim of giving people access to creative and live music experiences. It is a cultural policy mission with the goal of making live music available even outside the major cities. Music in the South participates in a number of festivals in different genres around Skåne and Kronoberg. In addition to public concerts and projects, Musik i Syd also performs a large number of concerts in preschool, school, care and nursing. Every year, often in collaboration with various local organizers, more than 3,000 concerts are presented to more than 300,000 people.
The principals of the business are Region Skåne and Region Kronoberg. Musik i Syd has offices in Kristianstad (head office), Växjö and Malmö.
Musik i Syd processes personal data in order to fulfill the assignment agreements with our principals that form the basis for the business and to be able to act as a producer, organizer, partner, client and employer.
Relevant documents – processing of personal data
In various different documents, we describe which registers and parts of the organisation hold and process personal data, which data are processed and the purpose of the processing. The legal basis and the applicable period of time for deletion/retention of the information are explained. It is also explained how the data subjects who have their data processed by us can assert their rights.
In the various cases in which Musik i Syd processes personal data, this is done for the purpose of fulfilling statutory or contractual requirements, or requirements that are necessary for entering into an agreement with, for example, an employee, partner, customer or supplier. If the data subject does not provide the information we request, this may mean that Musik i Syd cannot enter into an agreement or fulfil its obligations in an agreement with the data subject.
The documents that describe Musik i Syd’s processing of personal data are defined in the list below. This overarching Privacy Policy is available on our website, together with specific information about the processing of data in connection with ticket purchases. A number of other documents govern our internal work.
Internal documents:
• Register of Musik i Syd’s processing of personal data
• List of personal data processor agreements
• Guidelines and procedures for employees
• Technical safety documentation
Musik i Syd’s processing of personal data
Personal data are any kind of information that can be directly or indirectly attributed to a natural person who is alive. This includes, for example, their name, personal identity number, picture, address, email address and telephone number. It also includes, for example, booking numbers and electronic identities, such as IP numbers, if they can be linked to natural persons.
Musik i Syd’s processing of personal data shall be carried out in a legal, correct, transparent and appropriate manner, to the extent this is deemed to be necessary, and in a manner that avoids violating the data subject’s personal integrity.
Musik i Syd is responsible for ensuring that personal data are protected using appropriate security measures.
In certain cases, Musik i Syd may need to share information with relevant third parties, e.g. a service provider, in addition to the cases where the performance of a contract or the fulfilment of a legal obligation is the legal basis. To ensure that personal data are processed in a safe and secure manner, Musik i Syd concludes an agreement (data processor agreement or similar) with external parties that process personal data on its behalf.
Legal basis and retention minimisation
Depending on the purpose for which personal data are collected by Musik i Syd (whether the person is an employee, a partner, customer or similar), the legal basis and the deletion/retention time for the personal data may differ. The “Register of Musik i Syd’s processing of personal data” states the legal basis on which the data are collected/stored, as well as the deletion policy that applies to the various types of processing. The purpose of the processing governs what data are collected and saved – this is never more or for longer than is deemed necessary. Deletion of unused data is carried out regularly.
However, more generally personal data may need to be retained to ensure compliance with legal obligations, for example regarding accounting. If this is the case, the personal data may be stored in accordance with applicable other legislation.
Employees
The personal data of employees are processed to fulfil obligations defined in laws or collective agreements, and/or in order to be able to conclude and carry out individual agreements.
The personal data that are processed are mainly names, personal identity numbers, telephone numbers, the basis for remuneration and benefits, addresses, contact information of close relatives, absence details, illnesses and possible rehabilitation. The people who see the information are senior managers, administrative staff and possible parties that administer salaries and other benefits, etc., as well as authorities and other contracting parties when required.
The personal data of employees are required for, among other things, salary payments, salary reviews and other remuneration and benefits (including pensions), general personnel administration, time reporting, possible crisis management measures, occupational healthcare and holidays. The personal data of employees are also processed to ensure fulfilment of legal obligations (income tax, social security payments, length of service priority rules, employer certificates, etc.).
When an employment relationship is terminated, Musik i Syd saves certain information about the employee in order to fulfil obligations under employment law, tax law and social insurance law. For example, data must be stored to meet legal obligations regarding taxation and accounting.
Some of the personal data processed as a result of the employment relationship may be considered to be sensitive data, e.g. about illnesses or union affiliation. More information about Musik i Syd’s processing of sensitive information is provided below.
Recruitment
Personal data that are processed during recruitment procedures include the applicant’s name, date of birth, address, information about education, work experience and skills, possibly a photograph, etc. The employees who process personal data relating to applications, conduct interviews and make decisions about the recruitment data are the CEO, the relevant operations manager, administrative staff and, if applicable, a recruitment consultant that has been hired for the recruitment process. In cases where a recruitment consultant is hired, a data processor agreement is concluded.
The basis for personal data processing in connection with recruitment is consent, balancing of legitimate interests, or agreement. The retention period is stated in the Register of Musik i Syd’s processing of personal data.
Agreements for productions, collaboration etc.
In order to fulfil legal obligations or to be able to enter into and fulfil agreements regarding productions, events and/or collaborations, Musik i Syd may need to process the personal data of individual parties. This can include their name, personal identity number, address, email address, telephone number, bank account number, bankgiro and postal giro account numbers.
The employees who process the information are primarily the relevant operations manager, producers and administrative staff.
Processing of this data may be required for, among other things, the payment of fees and other remuneration, general administration purposes, production planning and to ensure fulfilment of legal obligations.
The Register of Musik i Syd’s processing of personal data also contains information about systems and the retention period for the data.
Customers
Musik i Syd processes personal data in order to be able to enter into and execute agreements with its customers.
Customers can include organisers, other ordering parties and ticket buyers.
For ticket purchases made via the AXS, Kulturcentralen and Biljettcentrum ticketing systems used by Musik i Syd’s various venues – Kulturkvarteret Kristianstad, Palladium Malmö och Växjö Konserthus – the general terms and conditions for ticket purchases and the associated privacy policy are available on our website.
If the customer is an organiser or another orderer of productions (for example a school), we process the data of people who are representatives of our customers. Some personal data may also be processed due to Musik i Syd having a legal obligation to do this, for example personal data on invoices may be processed as a result of accounting obligations.
Personal data that may be processed include names, addresses, telephone numbers and email addresses. The employees who receive the information are primarily the operations manager, producer and administrative staff. Technicians and employees at our venues may, if the agreement relates to events at one of these venues, also process the data.
The data are processed in order to be able to have a dialogue with the customer and be able to administer the customer agreement in general. Representatives’ personal data may also be processed for the purpose of sending offers regarding services and information to the customer company. In cases in which Musik i Syd processes personal data relating to representatives of potential customers, this is done in order to contact the customer and provide the customer with offers and information by telephone or email.
The personal data of customers/representatives are handled in different systems and retained for different lengths of time, depending on the type of customer with which an agreement is signed. For organisers, other ordering parties or ticket buyers, the processing systems and deletion intervals are listed in the Register of Musik i Syd’s processing of personal data.
Suppliers
In order to be able to enter into and administer agreements with suppliers, Musik i Syd processes personal data belonging to persons who are representatives of suppliers. Some personal data may also be processed due to legal obligations, for example personal data on invoices that are regulated by an accounting obligation.
Musik i Syd processes personal data regarding representatives of supplier companies with which it has or intends to enter into agreements. The personal data that are processed can include names, telephone numbers, email addresses, addresses and professional titles. The employees who receive and process the information are mainly the operations manager and employees at the relevant unit as well as administrative staff, with the intention of being able to administer procurement agreements, handle invoices, and ask suppliers questions about the goods or services provided to Musik i Syd.
Some data may have to be retained after the contractual relationship has ended, for example to administer possible warranties and fault claims and to handle possible legal requirements. Personal data may also more generally have to be retained to ensure the fulfilment of legal obligations, for example regarding accounting.
Retention times are listed in the Register of Musik i Syd’s processing of personal data.
Data that is collected in connection with usage of our digital services
Musik i Syd is also a data controller regarding processing of the personal data that are collected via the websites run by the organisation (such as Musikisyd.se, Kulturkvarteret.com, Palladium.nu, MusicaVitae.com and others)
When someone visits our websites or uses other digital services provided by us, we collect data about their use of the sites. Some of this information may be personal data, such as an IP number. We also collect anonymous and aggregated information about how users navigate around the sites, what searches are made, which content pages are frequently visited and what the flow looks like.
We also use external suppliers for web analysis of user behaviour. This is primarily data that are collected via cookies, which are handled at a general level. The information, which is anonymised, is stored for a maximum of 14 months from the last visit to the relevant website. The data are used for website development and user feedback.
Some of our websites also have embedded content (e.g. videos, pictures, articles, etc.) from other websites. These behave in the same way as if the visitor had visited the other website – so they may collect data about you, use cookies, embed additional tracking from third parties and monitor your interaction with the embedded content.
Sensitive data
The term sensitive data refers to personal data that reveal racial or ethnic origin, personal opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, use of biometric data to uniquely identify a natural person, and data about health or data about a natural person’s sexual life or sexual orientation.
Musik i Syd does not normally process sensitive personal data as part of its work. If sensitive data does arise in certain cases, they are never processed without the prior consent of the data subject or without the justification defined in Article 9 of the Data Protection Regulation, for example to fulfil obligations or exercise special rights relating to employment law, social security and social protection.
Examples of when we need to process sensitive personal data are for payment of sick pay, exercising our rehabilitation responsibilities, granting leave for visits to the doctor, etc.
In exceptional cases, the processing of personal data may also be necessary in order to protect the fundamental interests of the data subject or other parties, if the data subject is physically or legally prevented from giving consent, in some cases within the framework of trade union activities, if the data have already been published by the data subject, if it is necessary when taking an important public interest into account, if it is necessary for reasons related to, for example, the assessment of an employee’s capacity to work or for the provision of healthcare, or if it is necessary for statistical purposes.
For every case in which sensitive data are processed, Musik i Syd takes appropriate security measures. Personal data are never made available to more people than is necessary, and are never passed on to other parties without the express consent of the employee, unless this has to be done as a result of an employment law obligation.
Each employee is responsible for assessing the information and data received by the business organisation with regard to the degree of sensitivity. The heads of operations are responsible for ensuring that employees at each unit are aware of the type of personal data that is considered to be sensitive.
The systems in which and for how long sensitive personal data are stored are stated in the Register of Musik i Syd’s processing of personal data.
Deletion and retention
The purpose of collecting the personal data determines for how long Musik i Syd processes the data. When there is no longer a reason to process the data, and if the data do not fall under the law on archiving or other legislation, the data are deleted.
The Register of Musik i Syd’s processing of personal data states which personal data are stored in which register, for what purpose the data are processed, the legal basis, for how long various different data are processed, the data flow (which digital systems the data are in), legal obligations and public interest etc.
In cases where the legal basis is not based on an agreement, legal obligation or public interest, the person whose contact information there is reason to retain is asked for consent to do this.
Security
Musik i Syd works continuously to meet the principles of “inbuilt data protection and data protection as standard”. We care about the integrity and security of the personal data we handle and continuously assess risks and take measures to mitigate them.
We use a number of IT services and IT systems in the organisation, some of which are installed locally, and others which are cloud solutions. In cases where a supplier is our personal data processor and handles data on our behalf and in accordance with our instructions, we conclude a personal data processor agreement to regulate the responsibilities.
Rights of data subjects
Access, correction and deletion
The data subject has the right to contact Musik i Syd, in the latter’s role as the data controller, and request access to their personal data that are being processed and also to ask for information about the purpose of the processing and who has received the personal data. In its capacity as a data controller, Musik i Syd shall provide the data subject with a free copy of the personal data that are being processed.
The data subject has the right to have their personal data corrected or, under certain conditions, limited in terms of their processing or deleted without undue delay. If the data subject considers that Musik i Syd is processing personal data about them that is incorrect or incomplete, the data subject may demand that these be corrected or supplemented.
The data subject also has the right to have their data deleted, for example in cases where the data processing is no longer necessary or if the processing is based on consent and this has been revoked.
If the data subject requests that the data are corrected, deleted or limited in terms of the processing, Musik i Syd, in its capacity as the data controller, strives with reasonable effort to notify every recipient of the personal data about the data subject’s request.
Requests for extracts, corrections or deletion can be made using the email address provided at the end of this document under Contact Musik i Syd.
The data subject has the right to object at any time to the processing of their personal data if the legal basis for the processing consists of a public interest or balancing of interests in accordance with Article 6 (1) (e) and (f) of the Data Protection Regulation. The data subject also has the right to object to the processing of their personal data at any time if these are processed for direct marketing purposes.
Right to data portability
The data subject has the right to obtain the personal data that they have provided to the data controller and has the right to transfer these data to another data controller. However, this only applies if (a) it is technically possible and (b) the legal basis for the processing consists of consent or that the processing has been necessary for the performance of a contract.
Right to revoke consent
If the processing of personal data is based on the data subject’s consent, the data subject has the right to revoke this consent at any time. Such revocation does not affect the legality of the processing of the personal data that has been carried out before the consent is revoked.
Right to complain to the Swedish Authority for Privacy Protection (IMY)
Data subjects have the right to submit complaints to the Swedish Authority for Privacy Protection (IMY).
Telephone number: +46 (0)8-657 61 00
Email address: imy@imy.se
Contact Musik i Syd
Postal address
Musik i Syd, Kanalgatan 30, 291 34 Kristianstad, Sweden
Telephone, reception
+46 (0)44-20 58 80
Email
info@musikisyd.se
Organisation ID number
556634-2795
Person responsible for the processing of personal data at Musik i Syd
Head of Administration, Lena Ulvskog
