PRIVACY POLICY

PERSONAL DATA POLICY (CUSTOMERS)

At Operan we prioritise your personal integrity, and always seek to achieve a high level of data protection (for example, we would never sell your personal data to another company). This integrity policy explains how we collect and use your personal details. It also describes your rights and how you can assert them.

It is important that you study and understand the personal-data policy and feel secure about the way we process your personal data. Please always feel free to contact us if you have any questions.

By referring to the table of contents below, you can easily navigate to the sections that particularly interest you.

TABLE OF CONTENTS

What is personal data, and what does the processing of personal data entail? 2
Who is responsible for the personal data processed by Operan? 2
What personal data about you as a customer does Operan process, and for which purposes? 2
From which sources do we collect your personal data? 6
With whom might we share your personal data? 6
Where do we process your personal data? 7
For how long do we save your personal data? 7
What are your rights as a data subject? 7
How do we deal with personal ID numbers? 9
What are cookies and how do we use them? 9
Can you control the use of cookies yourself? 9
How is your personal data protected? 10
What does the role of the Swedish Authority for Privacy Protection (IMY) as a regulatory body entail? 10
What is the easiest way for you to contact us if you have questions about data protection? 10

WHAT IS PERSONAL DATA AND WHAT DOES THE PROCESSING OF PERSONAL DATA ENTAIL?

Personal data is all kinds of information that can be directly or indirectly traced to a living physical person. For example, images and sound recordings processed using computers may be personal data, even if no names are mentioned. Encrypted data and various kinds of electronic identity (e.g. IP numbers) are personal data if they can be linked to physical persons.

Processing of personal data is everything that is done with the personal data. Every measure that is undertaken involving personal data constitutes processing, regardless of whether the measure is automated. Examples of normal processing are collection, recording, organisation, structuring, storage, transfer and deletion.

WHO IS RESPONSIBLE FOR THE PERSONAL DATA PROCESSED BY OPERAN?

Kungliga Operan AB, Corp. Reg. No. 556190–3294, Box 160 94, SE‑103 22 Stockholm, is the personal data controller for the company’s processing of personal data.

WHAT PERSONAL DATA ABOUT YOU AS A CUSTOMER DOES OPERAN PROCESS, AND FOR WHICH PURPOSES?

 

Purpose	Processing carried out	Categories of personal data
In order to be able to process orders/purchases (incl. gifts)	¤ Delivery of tickets ¤ Identification ¤ Process payments ¤ Handle complaints ¤ Communication concerning your purchase/gift (e.g. information on cancelled performances)	¤ Name ¤ Contact details (e.g. address, email address and phone number) ¤ Payment history ¤ Payment information
Legal basis: Performance of purchase contracts	Explanation: Collection of personal data is necessary so we can honour our commitments in accordance with the purchase contract. If the data is not provided our commitments cannot be honoured and we will thus have to deny you the purchase.
Storage period:	Until the purchase has been completed (including delivery and payment) and for a period of 48 months thereafter, for the purpose of dealing with any complaints

 

Purpose	Processing carried out	Categories of personal data
In order to be able to meet the company’s legal obligations	¤ Necessary handling in order to meet the company’s legal obligations in accordance with legal requirements, judgments and official decisions (e.g. the Swedish Bookkeeping Act)	¤ Name ¤ Contact details (e.g. address, email address and phone number) ¤ Payment history ¤ Payment information ¤ Your correspondence ¤ Information on date of purchase, place of purchase, any faults/complaints
Legal basis: Legal obligation	Explanation: This collection of your personal data is required by law. If the data is not provided, our legal obligation cannot be met and we will thus have to deny you the purchase.
Storage period:	Until completion of the purchase (including delivery and payment) and for a period of 48 months thereafter

 

Purpose	Processing carried out	Categories of personal data
To facilitate processing of customer-service matters	¤ Communication and answering any questions, e.g. those asked of customer service/the box office (by phone or using digital channels, including social media) ¤ Identification ¤ Investigation of any complaints and support matters (including technical support)	¤ Name ¤ Contact details (e.g. address, email address and phone number) ¤ Your correspondence ¤ Technical data on your equipment ¤ Health conditions (where appropriate), e.g. availability requests, state of health and allergies when booking)
Legal basis: Legitimate interest	Explanation: The processing is necessary so we can pursue our mutual legitimate interest in dealing with customer-service matters.
Storage period:	Until the customer-service matter has been concluded.

 

Purpose	Processing carried out	Categories of personal data
In order to evaluate, develop and improve our services, products and systems for customers	¤ Sending out questionnaires by TriggerMail in conjunction with attendance at performances/activities at Operan ¤ Adaptation of services so as to become more user-friendly ¤ Creating documentation in order to develop and improve our range ¤ Giving customers the opportunity to influence our offering/range ¤ Creating documentation in order to improve IT systems, with the aim of generally increasing security for the company and our visitors/customers ¤ Giving customers the opportunity to interact with Operan, e.g. through events (incl. any publication on Operan’s websites/social media)	¤ Date of birth/age ¤ Sex ¤ Name ¤ Contact details (e.g. postal address, email address and phone number) ¤ Place of residence ¤ Education/training ¤ Employment ¤ Income range ¤ Form of accommodation ¤ Country of origin (voluntary information) ¤ Correspondence and feedback regarding our services and products ¤ Purchase- and user-generated data (e.g. click history and visit history) ¤ Technical data concerning devices used and their settings
Legal basis: Legitimate interest	Explanation: The processing is necessary in order to meet our need and that of our customers to evaluate, develop and improve our services, products and systems
Storage period:	As from collection, and for a period of 48 months thereafter

 

Purpose	Processing carried out	Categories of personal data
In order to be able to prevent misuse of a service or avoid, prevent and investigate crimes against the company	¤ Prevention and investigation of any theft, fraud or other violation of the law (e.g. in the event of incidents in Operan’s public spaces) ¤ Prevention of spamming (e.g. phishing, harassment and attempted unauthorised login to user accounts etc.) ¤ Improving our IT environment and protecting it against attack and hacking	¤ Video recordings from camera surveillance ¤ Purchase- and user-generated data (e.g. click history and visit history) ¤ Technical data concerning devices used and their settings
Legal basis: Compliance with a legal obligation or catering to a legitimate interest	Explanation: In the absence of any legal obligation, the processing is necessary in order to cater to our legitimate interest in preventing misuse of a service or avoiding, preventing and investigating crimes against the company.
Storage period:	As from collection and for a period of 48 months thereafter   Video recordings from camera surveillance are deleted after 7 days.

 

Purpose	Processing carried out	Categories of personal data
In order to be able to send relevant communications and manage benefits and offers (direct marketing)	¤ Sending out newsletters and other information by email, text and post, e.g. containing information on performances and current offers ¤ Analyses of the data we collect for this purpose. Based on the data we collect (e.g. purchase history, date of birth, stated preferences) we perform an analysis at individual level that may result in your being sorted into a customer group or being given a unique profile. The results of the analyses form the basis of adapted communication, personal offers, adapted benefits etc. Different customers can thus receive different communications, benefits and offers.	¤ Name ¤ Contact details (e.g. postal address, email address and phone number) ¤ Sex ¤ Date of birth ¤ Purchase history ¤ User-generated data (e.g. click history and visit history) ¤ Stated customer choices regarding services and products
Legal basis: Consent given	Explanation: Processing takes place after the customer has consented to this personal data policy in conjunction with setting up an account or purchase, or with having registered as a recipient of Operan’s newsletters.
Storage period:	As from the time of giving consent up to and including the time when this consent is revoked

 

Purpose	Processing carried out	Categories of personal data
So as to be able to comply with directives on the part of Operan’s owners as well as current archiving regulations.	¤ Recording and archiving of video material from performances ¤ Provision of video recordings of performances through digital distribution (e.g. operan.se, the folk movement FHP {Folkets Hus och Parker} and OperaVision) ¤ Production and provision of trailer material for current performances through Operan’s marketing channels	¤ Photos ¤ Videos
Legal basis: Compliance with a legal obligation and catering to a legitimate interest	Explanation: The processing is necessary so as to allow fulfilment of the assignment imposed on the company by Operan’s owners, and in order to cater to the general interest concerning storage of material in Operan’s archive.
Storage period:	As from collection and thereafter in accordance with the Swedish Archives Act (1990:782).

 

FROM WHICH SOURCES DO WE COLLECT YOUR PERSONAL DATA?

As well as the data that you give us or that we collect from you on the basis of your purchases and your use of our services, we may also collect personal data from someone else (a so-called third party). The data we collect from third parties is as follows:

1) Address details from public registers, to ensure we have the correct address details for you.

2) Personal data from schools in conjunction with implementation of projects involving collaboration between schools and Operan.

WITH WHOM MIGHT WE SHARE YOUR PERSONAL DATA?

Personal data assistants. Where necessary so we can offer our services, we share your personal data with companies who act as so-called personal data assistants for us. A personal data assistant is a company that processes information on our behalf and in accordance with our instructions. We have personal data assistants that help us with:

1) Ticket sales (ticketing systems, customer analyses, customer mailouts).

2) Marketing (print and distribution, social media, media agencies and advertising agencies).

3) IT services (companies that manage the requisite operations and technical support, as well as maintenance of our IT solutions).

When your personal data is shared with personal data assistants, this only takes place for purposes compatible with the purpose for which we have collected the information (e.g. in order to be able to honour our commitments in accordance with purchase agreements). We check all personal data assistants to ensure they can provide adequate guarantees concerning security and confidentiality with regard to personal data. All personal data assistants have written agreements with us, through which they guarantee security regarding the personal data being processed and undertake to adhere to our security requirements as well as our restrictions and requirements concerning international transfer of personal data.

Companies that are independent data controllers. Some of the companies with whom we also share your personal data are independent data controllers, and in these instances we do not control the processing of the information passed on to them. Independent data controllers with whom we share your personal data are:

1) Government authorities (the police, the tax agency and other authorities), if we are obliged to do so by law or in the event of a suspected crime.

2) Companies that ensure delivery of services and/or products on Operan’s premises and with whom Operan has a valid service agreement (e.g. catering companies).

3) Companies that offer payment solutions (card-issuing companies, banks and other payment-service providers).

When your personal data is shared with a company that is an independent data controller, then that company’s integrity policy and personal-data management apply.

WHERE DO WE PROCESS YOUR PERSONAL DATA?

Our goal is always for your personal data to be processed within the EU/EEA, and all our own IT systems are within the EU/EEA. When it comes to systems support and maintenance, however, we may have no option but to transfer the information to a country outside the EU/EEA, e.g. if we share your personal data with a personal data assistant that is established or that stores information in a country outside the EU/EEA – either itself or through a subcontractor. In these instances the assistant may only be given access to the information relevant to the purpose (e.g. log files). Regardless of the country where your personal data is processed, we undertake all reasonable legal, technical and organisational measures to ensure that the level of protection is the same as within the EU/EEA. When personal data is processed outside the EU/EEA, the level of protection is guaranteed either through a decision by the European Commission, stating that the country in question guarantees an adequate level of protection, or through use of so-called appropriate protective measures. Examples of appropriate protective measures are an approved code of conduct in the recipient country, standard agreement clauses and binding internal corporate regulations. If you would like a copy of the protective measures that have been undertaken or information on where they have been made available, please feel free to contact us.

FOR HOW LONG DO WE SAVE YOUR PERSONAL DATA?

We never save your personal data for longer than is necessary for the purpose in question. See more about the specific storage periods under the relevant purpose.

WHAT ARE YOUR RIGHTS AS A DATA SUBJECT?

Right of access (so-called register extracts). We are always open and transparent about the way we process your personal data, and if you want more details of the specific personal data about you that we are processing, you can request access to this data (the information will be provided in the form of a register extract stating the purpose, the categories of personal data, the categories of recipient, the storage periods, information on the provenance of the information, and the incidence of automated decision-making).

Please bear in mind that if we receive a request for access we may ask for further information, in order to ensure efficient management of your request and so as to establish that the information is being passed on to the right person.

Right to rectification. You can request rectification of your personal data if it is incorrect. Within the parameters of the stated purpose you also have the right to supplement any incomplete personal data.

Right to erasure. You can request erasure of personal data about you that we are processing, if:

*The data is no longer necessary for the purposes for which it has been collected or processed.

*You object to our balancing of interests based on legitimate interest, and your reason for objecting weighs more heavily than our legitimate interest.

*You object to processing for direct-marketing purposes. The personal data is being processed unlawfully.

*The personal data must be erased in order to meet a legal obligation we are subject to.

*Personal data has been collected concerning a child (under the age of 13) for whom you have parental responsibility, and the collection was in conjunction with offering information society services (e.g. social media).

Please bear in mind that we may have the right to deny you your request in the event of legal obligations that prevent us from immediately erasing certain personal data. These obligations derive from legislation regarding accounting, tax, banking, money-laundering and consumer matters. The processing may also be necessary so we can ascertain, assert or defend legal claims. Should we be prevented from complying with a request for erasure, we will instead block use of the personal data for purposes other than the purpose preventing the requested erasure.

Right to restriction. You have the right to request that our processing of your personal data be restricted. If you contest the correctness of the personal data we are processing, you can ask for restricted processing during the time we need for a review of whether the personal data is correct. If we no longer need the personal data for the purposes established, but you on the other hand need it to allow you to ascertain, assert or defend legal claims, you can ask for restricted processing of the data on our part. This means you can ask us not to erase your data.
If you have objected to our balancing of legitimate interests as a legal basis for a purpose, you can ask for restricted processing during the time we need for a review of whether our legitimate interests weigh more heavily than your interest in getting the data erased.
If the processing has been restricted in accordance with one of the above situations, then apart from the actual storage we will only be allowed to process the data so as to ascertain, assert or defend legal claims, in order to protect someone else’s rights or if you have given your consent.

Right to object to some types of processing. You always have the right to stop use in newsletters and direct marketing, and to object to all processing of personal data based on a balancing of interests.

Legitimate interest: If we use a balancing of interests as a legal basis for a purpose, you will have the option of objecting to the processing. In order to be able to continue processing your personal data after such an objection we would have to be able to demonstrate a compelling legitimate reason for the current processing that weighs more heavily than your interests, rights or freedoms. We may otherwise only process the data in order to ascertain, exercise or defend legal claims.

Newsletters and direct marketing: 
You have the option of objecting to the processing of your personal data for despatch of newsletters and direct marketing. This means all types of outreach marketing measures (e.g. by post, email and text message). Marketing measures for which you as a customer have actively chosen to use one of our services – or have otherwise sought us out in order to obtain more detail about our services – do not count as direct marketing (for example representational recommendations or other functions and offers, e.g. at operan.se).

If you object to use in newsletters or direct marketing we will stop processing your personal data for those purposes and will discontinue all types of direct-marketing measures.

Please remember that you can always revoke your consent regarding use in newsletters and direct marketing by stating this on your account at operan.se, or can deregister via one of the emails we have sent you.

You can also influence the channels we will use for mailings and personal offers. For example, you can choose to only receive offers from us by email, and not by text message, in which case you should not object to direct marketing as such but should instead restrict our communication channels.

Right to data portability: If our right to process your personal data is based either on your consent or on adherence to an agreement with you, then you have the right to request that the data that concerns you and that you have passed on to us be transferred to another personal data controller (so-called data portability). A prerequisite for data portability is for the transfer and automation thereof to be technically viable.

HOW DO WE DEAL WITH PERSONAL ID NUMBERS?

We will only process your personal ID number when the purpose clearly justifies this processing, if the processing is necessary for secure identification or if there is some other noteworthy reason. We will always minimise use of your personal ID number as far as possible.

WHAT ARE COOKIES AND HOW DO WE USE THEM?

Cookies are small text files comprising letters and digits that are sent from our web server and are stored on your browser or device. The cookies we use normally improve the services we offer. Some of our services need cookies in order to function correctly, whilst others improve the services for you. We use cookies for overall analytical information on your use of our services and in order to store functional settings such as languages and other data.

CAN YOU CONTROL THE USE OF COOKIES YOURSELF?

Yes! Your browser or device allows you to change the settings regarding the use and scope of cookies. Go to the settings for your browser or device to find out more about how to adjust the cookie settings. Please bear in mind that some of our services will perhaps not work if you block or delete cookies. You can read more about cookies in general on the website of the Swedish Post and Telecommunications Regulator pts.se. If you wish to read more about Operan’s use of cookies you can do so here.

HOW IS YOUR PERSONAL DATA PROTECTED?

We use IT systems to protect confidentiality, integrity and access to personal data. We have undertaken special security measures to protect your personal data against unlawful or unauthorised processing (e.g. unlawful access, loss, destruction or damage). The only people allowed to access your personal data are those who actually need to process this data so we can achieve our stated purpose.

WHAT DOES THE ROLE OF THE SWEDISH AUTHORITY FOR PRIVACY PROTECTION (IMY) AS A REGULATORY BODY ENTAIL?
IMY is responsible for monitoring application of the legislation (the Data Protection Regulation), and anyone deeming that a company is managing personal data incorrectly can submit a complaint to IMY.

WHAT IS THE EASIEST WAY FOR YOU TO CONTACT US IF YOU HAVE QUESTIONS ABOUT DATA PROTECTION?

As we take data protection very seriously we have special customer‑service employees who manage matters in this particular regard, and you can always reach them at [email protected].
We may make changes to our personal data policy. The most recent version of the personal-data policy is always to be found at operan.se. In the event of updates of crucial importance to our processing of personal data (e.g. a change in the stated purpose or categories of personal data) or updates that are not of crucial importance to the processing but that may be crucially important to you, you will receive information at operan.se and by email (if you have stated your email address) well before the updates come into force. When we make information on updates available we will also explain what they entail and how they may affect you.