# Processing of personal data for IRISS International SSbD Community members IVL Swedish Environmental Research Institute (IVL), as data controller, processes personal data of members of the IRISS International SSbD Community (hereinafter referred to as the “Member”). This processing takes place when the Member, or the Member’s employer or principal, has or has had a business relationship with IVL relating to the membership in the IRISS International SSbD Community, or has engaged in discussions or negotiations regarding such a relationship. This document describes the collection, processing, storage, transfer, and deletion of personal data of identifiable current, past, and prospective Members. ## Data Controller and Contact Information Data Controller: IVL Swedish Environmental Research Institute (IVL) (company registration number 556116-2446), with mailing address: Box 21060, 100 31 Stockholm, Sweden. Contact Person and responsible for GDPR: Sofia Mc Conell, Project manager, [sofia.mcconell@ivl.se](mailto:sofia.mcconell@ivl.se), +46-76 113 1978 Data Protection Officer: Susanna Edrud, [susanna.edrud@ivl.se](mailto:susanna.edrud@ivl.se) Community platform: The IRISS International SSbD Community uses the HumHub platform ([https://www.humhub.com/en/](https://www.humhub.com/en/)) ## Categories of Data Subjects The following categories of data subjects may have their personal data processed:  - Members of the IRISS International SSbD Community  - Moderators and administrators of the platform  - Founding Members (as stated in the [Terms and Conditions](https://iriss-ssbd.eu/iriss/become-a-member/terms-and-conditions---iriss-international-ssbd-community))  - Service providers’ contact persons involved in the community operations ## Personal data processed IVL processes the following categories of personal data, depending on the individual’s interactions with the Community: 1. Identification and Contact Information:  - Name  - Email address  - Username  - Phone number (if provided) 2. Profile Information:  - Type of organisation  - Organisation name  - Title/role  - Country and city  - Optional data provided by the Member (e.g., bio, profile picture, gender, interests, address, birthday) 3. User-Generated Content (UGC):  - Posts, comments, messages  - Uploaded files or other content shared in the Community 4. Technical and Log Data:  - IP address  - Login timestamps  - Browser/device information  - Time zone and language settings 5. Communication and Support Data:  - Support messages  - Reports or inquiries submitted to IVL or administrators 6. Invoicing and Financial Data:  - Billing address  - Organisation payment details  - Payment records where applicable ## Purpose of processing Based on _Contract_, IVL processes personal data for the following purposes: - Implementation, management, administration, and follow-up of the membership and related business relationships - Member account registration and profile administration - Invoicing and payment of service fees This processing is needed for IVL to be able to fulfill its contractual rights and obligations according to the contract entered or negotiated with IVL. If the contract is entered into or negotiated between IVL and the employer or principal of the Member, and the Member could reasonably expect the processing which is not deemed to cause unjustified harm, the personal data is processed based on the legitimate interest of IVL, which is to fulfill its contractual rights and obligations towards the contracting employer or principal. Based on _legitimate interest_, IVL processes personal data for the following purposes: - Operation and maintenance of the IRISS SSbD Community platform (e.g., posting, messaging, content sharing) - Security, fraud prevention, and misuse detection - Management of customer satisfaction surveys and evaluations - Safeguarding and exercising IVL’s legal rights - Complying with legal obligations where legitimate interest applies in combination (e.g., cooperation with founding partners, verification of entitlements) If the Member could reasonably expect the processing, which is not deemed to cause unjustified harm, the personal data is processed based on the legitimate interest of IVL. Based on _consent_, IVL processes personal data for the following purposes: - Distribution of newsletters and marketing communications via e-mail marketing service (Apsis). Members may withdraw consent at any time via the unsubscribe link. Based on _legal obligation_, IVL processes personal data for the following purposes: - Compliance with applicable laws such as the Swedish Bookkeeping Act (Bokföringslagen 1999:1078) - Security and fraud monitoring where required by law ## To whom the personal data is disclosed As data controller, IVL applies appropriate technical and organisational security measures to protect personal data against loss, misuse, and unauthorised access. Personal data may be disclosed to: 1. Individuals within IVL: - IVL staff who need to process personal data for membership administration, platform management, invoicing, communication, or other activities connected to the IRISS International SSbD Community. - Other companies within the IVL Group when shared IT systems (such as financial systems or customer registers) are used to coordinate IVL’s operations efficiently. 2. Founding Members of the IRISS International SSbD Community: - Certain personal data may be accessible to Founding Members for the purpose of supporting and governing the Community. 3. Personal Data Processors (acting on IVL’s behalf): IVL may transfer personal data to third-party suppliers engaged as processors to support the operation of the Community. These include: - Providers of IT, hosting, cloud, and platform services (including the HumHub platform) - Providers of support, maintenance, and development services for IVL’s systems - Providers of market surveys or customer satisfaction surveys - Email and newsletter services (e.g., Apsis) These processors may only process personal data according to IVL’s instructions and under strict confidentiality. 4. Independent data controllers: Personal data may be transferred to third parties acting as independent data controllers where required by law or where IVL has a legitimate interest in such transfer. Examples include: - Authorities and regulators, where disclosure is legally required - Collaboration partners and other network members involved in the IRISS International SSbD Community’s overall mission - Insurance companies, in the event of insurance-related matters - Service providers whose relationship with IVL entails independent legal responsibility for certain processing activities All such disclosures are made in accordance with applicable data protection legislation and only when necessary for the stated purposes. ## Storage and disposal IVL processes the personal data as long as it is necessary for the purposes for which the personal data was collected. Personal data processed for contractual and business relation purposes will be processed as long as IVL may have any contractual rights and obligations towards the Member or its employer or principal, and as long as necessary in order to comply with any legal obligations. Retention periods include: | **Data Category** | **Retention Period** | | ------------- | ---------------- | | Account and profile data | As long as the account is active + 6 months after termination | | User-generated content | Until deleted by the Member or administrators | | Log/technical data | 7 months | | Marketing data | Until consent is withdrawn | | Invoicing and financial data | In accordance with Swedish Bookkeeping Act (Bokföringslagen 1999:1078) | | Communications/support data | As long as necessary to manage the request | ## Transfer to third countries IVL strives to process personal data within the EEA. However, personal data may be transferred to: United Kingdom and Switzerland. In cases where IVL is transferring or processing personal data outside the EEA, IVL will ensure an adequate level of protection in accordance with applicable legislation. ## Legal rights The Member has the right to receive information regarding its personal data processed by IVL, and to request for rectification, limitation or deletion of this, by contacting the Data Protection Officer at IVL. The Member also has the right to file a complaint to the Swedish Data Protection Authority.