Personal data policy
1. About Malmö Live Konserthus AB
2. Personal Data Policy
3. How does MLK process personal data?
4. Lawfulness and storage period
4.1 Employees
4.2 Recruitment
4.3 Production contracts, Business partners, etc
4.4 Customers
4.5 Suppliers
5. Sensitive data/ classification of data
6. Period for erasure or retention of data
7. The rights of the data subject
7.1 Access, rectification and erasure
7.2 Right to data portability
7.3 Right to revoke consent
7.4 Rights in relation to profiling
7.5 Right to complain to the Swedish Data Protection Authority
8. Changes to this Policy
9. Contact Information
1. About Malmö Live Konserthus AB
Malmö Live Konserthus AB is a fully owned company within Malmö kommun. Parent company is Malmö Stadshus AB. The company reconsituted from Malmö Symfoniorkester AB in 2014.
The companies mission is to produce and present concerts in every musical genre towards a wide audience. In the specific owner-directivs is stated business areas MSO, concerts, other cultural areas and the meeting place.. Malmö SymfoniOrkester shall create exciting meetings with different musical genres and present the heritage regarding symfonic music to the entire region of Skane. In addition to all above is business area subletting scenes to other businesses within music.
The company is funded mainly by contribution from the parentcompany Malmö Stadshus AB, contributions from Region Skåne and the state, and subletting scenes and ticketsales.
2. Personal Data Policy
For the purpose of performing our cultural-political assignment and carrying out our activities as cultural producer, event organiser and employer (among other roles), Malmö Live Konserthus AB (hereinafter referred to as MLK) processes personal data.
The information in this document, including “MLK_Registerförteckning” (appendix 1) and the register of personal data processors, “MLK_Personuppgiftsbiträden” (appendix 2), represents MLK’s Personal Data Policy.
In this policy MLK account for the registers and documents in the business which contain personal data, the data that is processed and the purpose of the processing. MLK account for the lawfulness of the processing and the period of time after which the data is erased or retained. MLK also describe the rights of the data subject (the person whose data we process).
In a number of cases when MLK process personal data, MLK do so for the purpose of complying with statutory or contractual requirements or requirements that are necessary in order to enter into an agreement or contract with, for example, an employee, business partner or supplier. If the data subject does not provide MLK with the data MLK request, this could mean that MLK are unable to enter into an agreement or fulfil our obligations under an existing agreement with the data subject.
This personal data policy consists of:
- Malmö Live Konserthus AB’s processing of personal data (this document)
- MLK_Registerförteckning (appendix 1)
- MLK_Personuppgiftsbiträden (appendix 2)
3. How does MLK process personal data?
When MLK processes and stores personal data, this shall always be done in a lawful, correct, transparent and appropriate manner, and only to the extent MLK deems necessary. MLK shall always process personal data in a manner that avoids violating the data subject’s personal integrity. In all cases of personal data processing MLK is careful to ensure that the personal data is protected by appropriate security measures.
If the data subject feels any doubt or concern about providing a certain piece of data, the data subject is welcome to contact MLK (please see the details at the end of this document under Contact Information) so that MLK can provide him or her with further information.
From time to time, MLK may need to provide information to a relevant third party (including, but not limited to, situations where MLK have a legal obligation to do so). In order to ensure that your personal data is processed in a safe and secure manner in each such case, MLK has a procedure whereby an agreement (personal data processor agreement or equivalent) is entered into with every external party that processes personal data on behalf of MLK.
MLK’s personal data processors’ servers are most often located within the EU. In certain cases MLK’s subcontractors (or their respective subcontractors) have business operations outside the EEA. MLK work with different methods to ensure adequate security, for example by applying the EU Commission’s standard contractual clauses for data transfer, or by choosing suppliers who are affiliated with Privacy Shield (for the transfer of data to the USA).
Information about the personal data processors MLK use is available in appendix 2, MLK_Personuppgiftsbiträden.
4. Lawfulness and storage period
Depending on the purpose for which personal data is received by MLK (employment, business partner, customer, etc.), the legal grounds for the processing and the periods for erasure/retention of personal data vary. MLK does not process data for a longer period than is necessary in relation to the purposes of the processing, and MLK carry out regular reviews of the personal data MLK possess and erase the data that is no longer required. For more information on lawfulness and storage period, please see appendix 1, MLK_Registerförteckning.
Personal data may also need to be stored more generally in order to ensure compliance with legal obligations, for example when it comes to bookkeeping. If such an obligation exists, the personal data may be saved pursuant to some other applicable piece of legislation.
4.1 Employees
Employees’ personal data is processed in order to comply with obligations pursuant to law, collective agreements and/or for the entering into and performance of individual contracts.
The personal data that is processed consists primarily of name, personal ID number, telephone number, bank details, documentation for the payment of salaries and benefits, address, information about next of kin, qualifications, experience and development, absence, sickness and any rehabilitation. The recipients of the data are managers, co-workers within the HR and accounting departments, IT and (if applicable) internal or external parties who administer salaries and other benefits etc. as well as authorities and other contractual partners as required.
An employee’s personal data is required, among other things, for the following purposes: salary payments, salary review and other remuneration and benefits, general personnel administration, time reporting, maintenance of emergency preparedness and disaster planning, contacting relatives in connection with incidents/accidents involving the employee, providing occupational health services, annual leave, administering employment benefits (including pensions, healthcare and sickness insurance), maintaining sickness and absence documentation for calculation of sick pay and participation in rehabilitation investigations pursuant to the work environment act, making decisions about an employee’s suitability for certain work duties, facilitating an evaluation and review of an employee’s performance (including information about work capacity and other assessment information and appraisal meetings with the employee) as well as more generally in order to be able to ensure compliance with legal obligations (including, but not limited to, income tax and social insurance legislation and all relevant labour laws, such as compliance with regulations on the order of precedence that applies in conjunction with redundancies, or in order to be able to issue a reference or certificate of employment).
As a general rule, when an employee leaves MLK’s employment there is no longer any reason to save the (former) employee’s personal data. This includes the employee’s email account and details about the employee on MLK’s website. In such case the personal data shall be erased as soon as possible after the cessation of employment, although certain important exceptions do apply. In order to fulfil its obligations under labour law, tax law and social insurance law, MLK needs to save certain information about the employee even after cessation of employment. For example, data must be saved in order to comply with legal obligations regarding taxation or bookkeeping, obligations concerning the employee’s preferential right of re-employment under the Swedish Employment Protection Act (1982:80), and in order to be able to deal with any legal claims that could be made against MLK. It is sometimes also necessary to retain information in order, for example, to be able to pay pensions or severance pay.
For more information about storage period, please see appendix 1, MLK_Registerförteckning
MLK may also process data in connection with employee satisfaction surveys. Such surveys are conducted to enable MLK to identify any shortcomings and thereafter work with improvement measures to ensure a good work environment.
Certain personal data that MLK processes as a result of a person’s employment may represent sensitive data, for example data about a person’s health or membership of a trade union. More information about MLk’s management of sensitive personal data is provided below.
4.2 Recruitment
MLK must process certain personal data in order to be able to deal with job applications, carry out job interviews and make decisions during a recruitment process. The legal grounds for this processing are consent, legitimate interest or a contract.
The personal data that is processed in such contexts includes, among other things, name, date of birth, address, information about education and training, work experience and skills, possibly a photograph, etc. The recipients of the data are primarily HR employees, managers and (if applicable) the recruitment agency whose services MLk have engaged. If a recruitment agency is managing the recruitment process, a personal data processor agreement is always entered into with this external party.
For more information about storage period, please see appendix 1, MLK_Registerförteckning
4.3 Production contracts, Business partners, etc.
MLK may need to process an individual party’s personal data in order to fulfil legal obligations or be able to enter into and perform agreements regarding production and event contracts or other such collaborations.
The personal data that may be processed by MLK in these contexts includes, among other things, name, personal ID number, address, email address, telephone number, bank account number, Bankgiro and Postgiro number. Please see appendix 1, MLK_Registerförteckning
The individuals who process the data are primarily the managers and employees from the relevant departments as well as HR and accountancy employees.
Processing of this information may be required, among other things, for payment of fees and other remuneration, general administration, production planning, maintenance of emergency preparedness and disaster planning, and also more generally to ensure fulfilment of legal obligations.
For more information about storage period, please see appendix 1, MLK_Registerförteckning.
4.4 Customers
MLK processes personal data in order to be able to enter into and manage agreements and contracts with our customers. General terms & conditions for ticket purchases, including personal data policy, apply to individual customers who buy tickets via the box office or via the website. Please see the website for more information.
If the customer is an agent or an organiser (for example a school), MLK process data for persons who are representatives for the customers. Certain personal data may also be processed by MLK due to a legal obligation, for example the need to state personal data on invoices in order to comply with bookkeeping legislation.
The personal data that may be processed in these contexts includes name, address, telephone number and email. The recipients of the data are primarily relevant persons at the sales department as well as the accountancy department. Producers, production managers and technicians may also process the data.
The data is processed in order to be able to conduct dialogue with the customer and to generally be able to administer the customer agreement. Representatives’ personal data may also be processed for the purpose of sending offers and information to the customer company. If MLK processes personal data regarding representatives for potential customers, this is done for the purpose of contacting the customer in order to be able to provide the customer with offers and information via telephone, texting or email.
The customer accounts are set up in the CRM system, and every fifth year MLK perform an internal review of customers’ user accounts in order to identify the accounts that are inactive, after which MLK erase or anonymize the user accounts where there has been no logins or other activity during the past 5 years.
Please also see General terms & conditions for ticket purchases, including personal data policy.
4.5 Suppliers
In order to be able to enter into and manage agreements and contracts with suppliers, MLK processes personal data belonging to persons who are representatives for the suppliers. Certain personal data may also be processed by MLK due to a legal obligation, for example the need to state personal data on invoices in order to comply with bookkeeping legislation.
MLK processes personal data regarding representatives for supplier companies with whom MLK have or intend to enter into an agreement or contract. The personal data that may be processed in these contexts includes, among other things, name, address, telephone number, email and job title. The recipients of the data are primarily employees or managers at the relevant section/department as well as the accountancy department.
MLK processes the personal data in order to generally be able to administer purchasing contracts, manage invoices and to be able to pose questions to the supplier regarding the goods or services we are purchasing.
However, MLK may need to store the personal data even after the contractual relationship has ended, among other things in order to administer any warranty periods and manage any statutory requirements. Personal data may also need to be stored more generally in order to ensure fulfilment of legal obligations, for example in relation to bookkeeping.
For more information about storage period, please see appendix 1, MLK_Registerförteckning.
5. Sensitive data/ classification of data
The term sensitive data refers to personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
MLK does not normally process sensitive personal data in its business activities, and if sensitive date is processed in some instance, the processing never takes place without consent from the data subject or without the existence of the type of support that is specified in article 9 of the General Data Protection Regulation, for example:
- when the processing is necessary for the purposes of carrying out obligations or exercising specific rights within the field of labour law, social security and social protection,
- when the processing is necessary to protect the vital interests of the data subject or some other natural person,
- when the data subject is physically or legally incapable of giving consent,
- in certain cases within the framework for trade union activities,
- if the data has already been made public by the data subject,
- when the processing is necessary for reasons of substantial public interest,
- when the processing is necessary for the purposes of, among other things, the assessment of the working capacity of the employee or the provision of health or social care,
- when the processing is necessary for statistical purposes.
In connection with every processing of sensitive data, MLK always undertakes appropriate security measures to protect the data. Personal data is never made available to more recipients than necessary.
It is the responsibility of every employee to classify the information and data that is received by MLK on the basis of the data’s degree of sensitivity. The section/department managers are responsible for ensuring that the employees at each department are aware of and carry out this classification.
If sensitive data (class 1-2) is received by MLK and MLK has no reason to process such data, the data shall be erased immediately.
Personal data (class 3) received as contact details or for fulfilment of an agreement or other undertaking is processed during the period there are valid legal grounds for the processing.
6. Period for erasure or retention of data
The purpose of the collection of personal data (for example to perform an employment contract or to obtain contact details to a business party in order to be able to carry out collaborative activities) determines how long MLK processes the data. When MLK no longer has cause to process the data, and if the data is not subject to the law on archiving or some other legislation, the data is erased or anonymised.
The period of time after which a register/document shall be archived or retained is based on MLK’s Archiving Rules as well as that which is set out in MLK_Registerförteckning (appendix 1).
If the legal grounds are not based on an agreement or contract, legal obligation or legitimate interest, consent is sought from the data subject to save the data subject’s contact details if there is cause to do so.
Given the nature of MLK’s business activities, with the work based on seasons, and where programme scheduling and the work with future productions and events is prepared during a period of at least three to four years in advance and requires at least a further year’s work after the event, MLK processes personal data during five years. Thereafter new consent is sought from the data subject, or else the data is erased or anonymised.
The MLK_Registerförteckning (appendix 1) contains information about the personal data that is contained in each register, along with the purposes for which the data is processed, the legal grounds for the processing, the period of time during which various data is processed, the data flow (i.e. which digital systems the data has been entered into), any legal obligations or issues of legitimate or public interest, etc.
7. The rights of the data subject
7.1 Access, rectification and erasure
The data subject has the right to contact MLK in its capacity as personal data controller and request access to the personal data that MLK processes. The data subject is also entitled to request information about, among other things, the purposes of the processing and the recipients to whom the personal data has been disclosed.
In its capacity as personal data controller, MLK shall provide the data subject with a free-of-charge copy of the personal data that is processed. MLK may charge an administration fee for the provision of extra copies.
The data subject has the right, without undue delay, to have his or her personal data rectified or, under certain conditions, restricted or erased. If a data subject feels that MLK is processing personal data about the data subject that is incorrect or incomplete, the data subject may demand rectification or completion of such data.
The data subject also has the right to have his or her data erased if, among other things, the processing of such data is no longer necessary or the processing is based on consent and the consent has been revoked.
If the data subject requests to have his or her data rectified or erased or anonymised or to have the processing of the data restricted, MLK, in its capacity as personal data controller, has a procedure to notify, using a reasonable amount of effort, each recipient of the personal data about the data subject’s request.
A request for an excerpt, rectification, anonymisation or erasure shall be made via the email address that is stated at the end of this document under Contact Information.
The data subject has the right, at any time, to object to the processing of his or her personal data if the legal grounds for the processing are based on public interest or legitimate interest pursuant to article 6.1 (e) and (f) of the General Data Protection Regulation. The data subject also has the right, at any time, to object to the processing of his or her personal data if the data is being processed for direct marketing purposes.
7.2 Right to data portability
The data subject has the right to receive the personal data that he or she has provided to the personal data controller and has the right to request that the data be transferred to another personal data controller. However, this applies under the condition that (a) it is technically possible, and (b) the legal grounds for the processing are based on consent or the fact that the processing has been necessary for the performance of an agreement or contract.
7.3 Right to revoke consent
If the personal data processing is based on the data subject’s consent, the data subject has the right, at any time, to revoke his or her consent. Such revocation does not affect the lawfulness of the personal data processing before the consent was revoked.
7.4 Rights in relation to profiling
The data subject has the right to not be subject to a decision that is based solely on automated processing, including profiling, and which could produce legal effects for the data subject or could have a similarly significant effect on him or her. However, this does not apply if (a) the processing is necessary for the entering into or performance of a contract with the data subject, (b) the processing is authorised under applicable law, or (c) the legal grounds are based on the data subject’s consent.
7.5 Right to complain to the Swedish Data Protection Authority
The data subject has the right to lodge a complaint with the Swedish Data Protection Authority.
Contact details:
Telephone: +46 (0)8 657 61 00
Email: @email
8. Changes to this Policy
MLK reserves the right to change and update this Policy. In the event of material changes to the Policy, or if existing data is to be processed in a manner that is different to the manner described in this Policy, MLK will provide information about this in an appropriate manner.
9. Contact Information
Personal Data Controller
Malmö Live Konserthus AB, Org.no: 556003-7482
Dag Hammarskjölds torg 4, 205 80 Malmö
Phone: 040-34 35 00
E-mail:
Data Protection Officer
Malmö stad, Stadskontoret Förvaltningsavdelningen
August Palms plats 1
205 80 MALMÖ
Tel: 040-34 10 57
E-mail: @email