IVA's privacy policy

The term "personal data" encompasses anything that can be directly, indirectly, or in combination with other data, attributed to a living individual. Examples of personal data include names, personal email addresses, and images.

"Processing of personal data" includes, among other things, collection, storage, deletion, and dissemination.

"We" in this privacy policy refers to the Royal Swedish Academy of Engineering Sciences (IVA), including departments and sub-operations owned and/or controlled directly or indirectly by the Royal Swedish Academy of Engineering Sciences (IVA) AB at any given time.

"You" in this privacy policy refers to you as a fellow, proposed fellow, representative of a member company, participant in events, activities, projects and programmes, supplier, employee, intern, job applicant, or other stakeholder. "You" may also refer to other relevant parties, such as beneficial owners, authorised representatives and managers, beneficiaries, shareholders, and associated parties

What personal data do we process?

We process your personal data to provide services and products that you have registered to receive (such as a newsletter or participation in an event), to maintain and manage our relationship with you, when necessary to fulfil a contract with you, or when we have another legitimate and justified interest in processing your personal data.

Personal data are usually collected directly from you or generated as part of the use of our services and channels. Sometimes additional information is required to keep the information up to date or to verify the information we collect.

Examples of personal data we may process include names, titles, phone numbers, postal addresses, email addresses, personal identification numbers, free-text information about your role and our relationship, sales-related records such as quotes, orders, bookings, and invoices, and IP addresses.

Photography and filming
We photograph and film in connection with many of our meetings and events. Photos and filmed material are used for communication and marketing purposes.

Camera surveillance
We collect personal data via camera surveillance. The processing is necessary for our legitimate interests in increasing security in IVA's premises, including preventing, deterring, and investigating potential crimes. We do not use digital tracking technology. Recorded material is retained for three days. Recorded material may be shared with authorities. Information about camera surveillance is provided through signage on site.

How do we use your personal data and what is the legal basis?

Fulfilment of contract with you

We process personal data to fulfil our commitments when we enter into or have a contract with you. Examples of personal data processing necessary to fulfil a contract with you include:

• Collecting your contact information to provide service during the contract period, including details related to scholarships, mentoring, or internship programmes.
• Managing administrative tasks related to educational services, including registration, attendance, and compliance with regulatory requirements.

Legal obligation 

We may have an obligation to retain personal data under law, other regulations or government decissions. This may be related to:

• Accounting rules
• Reporting to tax authorities, police authorities and supervisory authorities

Balancing of interests

We process personal data to improve our operations and to promote our legitimate interests, as long as these legitimate interests are not outweighed by your interests or fundamental rights and freedoms. Examples of our processing based on balancing of interests include:

• Marketing, product, and customer analysis, process, operational, and system development, including testing.
• Processing of system data to monitor network traffic and detect potential cybersecurity threats, to ensure the security and integrity of IT systems.
• Cookies, which provide us with statistics on how visitors use our website.
• Providing contact details among fellows for improved communication and transparency within the Academy.

Consent

We may use consent as a legal basis for processing personal data, in cases where such consent exists and is registered. 

Examples of our processing based on consent include:

• Implementation of cookie banners and obtaining consent from website visitors before cookies are stored on their devices for tracking or analysis purposes.
• Requesting consent from job applicants to process personal data during the recruitment process.

To whom do we disclose personal data?

Our principle is to refrain from disclosing personal data to third parties unless you have given your consent or it is necessary to fulfil our obligations under a contract or legal requirement.

In situations where we need to engage other parties to perform our work, such as when we use IT suppliers, they are considered data processors for us. We enter into agreements with all data processors and provide instructions on how they may process the personal data. Data processors are engaged only for purposes that are compatible with the purposes for which we ourselves have the processing.

We may share your personal data with entities that are independently responsible for personal data, such as authorities like the Swedish Tax Agency. When personal data are shared with an entity that is independently responsible for personal data, that organisation's privacy policy and personal data management apply.

How do we protect your personal data?

We apply appropriate technical, organisational, and administrative security measures to protect all information we hold from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.

How long do we retain your personal data?

We retain your personal data for as long as necessary for the purposes for which they were collected and processed, or as long as any laws and regulations require.

What are your rights?

Right to request access (subject access request)

If you want to know what personal data we process about you, you can request access to the data. Your right to access may be limited by, among other things, legislation and the protection of other individuals' privacy.

Right to request rectification

If the data we have about you is incorrect or incomplete, you have the right to have the data corrected, subject to the limitations of the legislation.

Right to request erasure

You have the right to request that we erase the personal data we process about you if:

• You withdraw your consent to the processing and there is no other legitimate reason for the processing,
• You object to the processing and there is no legitimate reason for continued processing,
• The personal data is processed unlawfully,
• The personal data has been collected about a child (under 13 years) for whom you have parental responsibility.

Right to request restriction of processing

If you dispute the accuracy of the personal data we process, or if you have objected to the processing of the personal data according to your right to object, you can request a restricted processing during the time we need to verify whether the personal data and the processing are correct.

Right to object to processing based on our legitimate interest

You always have the right to object to any processing of personal data based on a balancing of interests. You also always have the right to opt out of direct marketing.

Right to withdraw consent

When the legal basis for a specific processing activity is your consent, you have the right to withdraw your consent at any time.

Right to data portability

As a data subject, you have the right to data portability if our right to process your personal data is based either on your consent or the fulfilment of a contract with you. A prerequisite for data portability is that the transfer is technically feasible and can be carried out automatically.

Exercising your rights

If you wish to exercise any of your rights as mentioned above, please contact us in writing via the email address gdpr@iva.se. We will respond to your requests without undue delay. Your request will be assessed considering the circumstances of each individual case.

Supervisory authority

The Swedish Authority for Privacy Protection (IMY) is the responsible supervisory authority tasked with overseeing the application of data protection legislation. If you believe we are acting incorrectly, you can contact the Swedish Authority for Privacy Protection, see imy.se.

Updates

We may make changes to our privacy policy. The latest version of the privacy policy is always available here on the website.

This policy was last updated on April 24, 2025.