Processing of personal data (GDPR)
Boverket's processing of personal data – general information
Reviewed:
Here you can find out how Boverket processes personal data in accordance with the GDPR.
Boverket is the personal data controller
Boverket is responsible for the personal data processing within the authority's operations.
What is the purpose?
Boverket processes personal data in order to fulfil the authority's purpose and objectives. For example, to manage projects and matters, communicate with people who submit an enquiry or carry out the exercise of authority.
The principle of public access to official records
Boverket, as a government agency, is subject to the principle of public access. This means that the public has the right to access the agency's public documents. A public document can, for example, be e-mails, letters or documents received by or prepared by Boverket.
Many of the documents received by or prepared by Boverket become public documents and must be preserved according to the rules of the Archives Act. In some cases, there are decisions that mean that documents are only saved for a certain period of time.
When a document is requested, Boverket will assess whether the information can be given out, or whether it is subject to confidentiality under the Public Access and Secrecy Act. It is a fundamental right under the principle of public access to request public documents. Boverket has no right to investigate to whom or for what purpose the data is disclosed.
Public documents may contain personal data. Personal data may be disclosed under the principle of public access to official records. As long as it is not of crucial importance for the assessment of confidentiality.
What data is processed?
The personal data that are processed may include contact details, picture of the person, register number, email address, property name, date of birth, place of residence, mobile phone number, name or personal identification number, and other information that is necessary for the specific assignment or matter. The personal data that Boverket processes often come directly from the registered person from other actors.
What is the lawful basis?
Boverket processes personal data on the basis of at least one lawful basis according to Article 6 GDPR. The most common basis is that the processing is necessary to perform a task of public interest or in the exercise of official authority. Sometimes the processing is carried out due to a legal obligation. In some cases, the processing is based on an agreement or consent with the data subject.
How long will the personal data be stored?
Personal data is only stored for as long as it is needed for the purpose for which it is processed, in accordance with the GDPR. At the same time, Boverket, as a government agency, must comply with relevant Swedish legislation such as archiving legislation. This means that certain personal data must be archived, even after the purpose of the processing has been fulfilled. The data may then only be deleted when it is no longer necessary, if there is a special decision to this effect. Personal data not included in an official document is retained only for as long as it is needed for the purpose for which it is processed.
Is the processing of personal data secure?
Boverket protects personal data through appropriate organizational and technical security measures.
At Boverket, only persons with authorization – in order to be able to perform their duties – have access to personal data. The data is processed in Boverket's internal IT system. Furthermore, personal data is sometimes also processed by our external suppliers, which also include any subcontractors, who ensure that there is an adequate level of protection.
Is there a transfer to a third country outside the EU/EEA?
Boverket only processes personal data within the EU/EEA. In cases where a transfer to a third country outside the EU/EEA take place, the necessary protective measures are taken for this.
Who else can access the data?
In accordance with the principle of public access, Boverket may share personal data with anyone who requests a public document.
In certain processing operations, Boverket also shares personal data with, for example, other authorities, municipalities and organizations.
What rights does the data subjects have?
These are the data subject's rights (for their own personal data) according to the GDPR:
- Right to information – in different contexts and in different ways – about how personal data is handled.
- Right to access – the data subject can request whether Boverket processes personal data relating to him or her and if so receive a copy of such data (called a register extract).
- Right to rectification – request that inaccurate or incomplete personal data be rectified or completed.
- Right to erasure – request to have personal data erased.
- Right to limitation of processing – in certain cases the data subject have the possibility to demand that the processing of personal data be limited.
- Right to objection – object to the processing of personal data.
- Right to data portability – in certain cases have the possibility to use their personal data somewhere else.
- Right to complain – anyone who suspects that someone is processing data relating to him or her in a way that contravenes the GDPR can lodge a complaint with Swedish Authority for Privacy Protection.
Swedish Authority for Privacy Protection's (IMY) website
Boverket (2025).
Boverket's processing of personal data – general information.
https://www.boverket.se/en/start/about-boverket/processing-of-personal-data-gdpr/boverkets-processing-of-personal-data/
Fetched 2025-10-14
Thank you for helping us to improve!
Was the information helpful?
We’re glad the information helped you! Tell us what you thought was good so we can get even better. Please note that you will not get a reply.
You can help us even more by filling out why you did not think the information was helpful. Please note that you will not get a reply.