Go to content
You are here:
About Swedavia
/
Integrity policy

Integrity policy

It is important for us at Swedavia that your personal data is handled in a secure and appropriate way.

We care about your privacy. When you use our services – for example, booking parking, flying from our airports, connecting to WiFi, using our apps or staying in the airport area – we process personal data to be able to deliver services, create security, meet legal requirements and develop our business.

You always have the right to:

  • find out what data we process about you and why
  • request correction or deletion of data
  • object to certain processing or withdraw consent
  • submit a complaint to the supervisory authority

We never sell personal data to third parties. When we use suppliers or transfer data outside the EU/EEA, we do so with strong safeguards.

Data Controller

Swedavia AB, 556797-0818
190 45 Stockholm-Arlanda
Phone: 010-109 00 00

The Data Protection Officer can be contacted via: personuppgifter@swedavia.se

What personal data we process and why

1. Security check

Purpose of processing: We process personal data to ensure that the traveler is authorized to enter the authorized area. In the event of a suspected crime or an ongoing police investigation, we need to be able to establish the identity of the traveler for crime prevention and investigation purposes. We also conduct customer surveys to evaluate security checks.

Personal data: Booking number, check-in number, FQTV number (loyalty program), flight number. For customer surveys: Email address, destination or place of departure

Legal basis for the processing: '

Security controls: Article 6(1)(c) – compliance with a legal obligation incumbent on the controller

Customer surveys: Article 6(1)(f) – legitimate interest. Our legitimate interest is to collect customer feedback in order to improve our services and deliver a better customer experience. Participation in customer surveys is voluntary for travelers.

Storage time:

Personal data from security checks is deleted after 90 days unless there are special needs that justify a longer storage period, for example in connection with criminal investigations.

Personal data from customer surveys is deleted 3 months after the end of the survey.

2. Cookies and website use

Purpose of processing: We use web statistics and analytics to improve our digital services and marketing. This means that we analyze how the website is used, report visitor volumes, measure important events on the website and evaluate the impact of marketing efforts. The information is also used to make our offers more relevant, for example for parking, and to produce web statistics for companies that receive marketing support from Swedavia. This is done on all of Swedavia's web and sub-web platforms, such as resor.swedavia.se and bokabiljett.swedavia.se.

Personal data:

  • Technical information
    • IP address (for collection)
    • Location data derived from IP (country, region, city)
    • Device type, operating system, screen size, language setting, and more.
  • Identifiers used in analytics
    • Client ID (_ga-cookie)
    • Google Signals data (e.g., location, search history, YouTube history—if enabled)
    • Firebase app data (features, device, usage time)
  • User Behavior
    • Page views, scroll, clicks, session time
    • Conversion events (e.g., booking, form, video engagement)
  • Target group information
    • Aggregated behavioral data used for analytics and advertising

Legal basis for the processing: Consent

Storage period: IP addresses are anonymized immediately, and other data is stored for 14 months.

3. If you park your car with us

Purpose of processing: Swedavia collects and processes personal data for the purpose of providing, administering and charging for its services and ensuring that agreements are fulfilled.

The personal data is also used to investigate, prevent and prosecute crimes, as well as for statistical and analysis purposes.

Personal data: The personal data that Swedavia processes is primarily the personal data that you provide yourself when registering and paying for the services (for example, first and last name, company details, e-mail address, telephone number, personal identity number, masked payment card number and vehicle registration number).

Information can also be obtained from, for example, vehicle registers to identify vehicle owners.

Swedavia also collects data in connection with entry and exit, in the form of logs and pictures of the vehicle's registration number.

Legal basis for the processing:

The processing is based on the following provisions of the General Data Protection Regulation (GDPR):

  • Article 6(1)(b) – Performance of contracts
  • Article 6(1)(c) – Performance of a legal obligation incumbent on the controller
  • Article 6(1)(f) – legitimate interest

Swedavia's legitimate interest is to ensure safe, efficient and correct management of its services, to prevent and investigate misuse or crime, to protect the company's and customers' assets, and to enable the development and improvement of operations through statistics and analysis.

Storage period:
Personal data processed due to legal obligations, such as the Accounting Act, is stored for 7 years.

Personal data that is not required to be stored by law is retained for a maximum of 430 days to enable annual invoicing based on transaction data.

Logs and images of the vehicle registration number are stored for 92 days, which corresponds to the maximum parking time.

4. If you use our VIP services

Purpose: We process your personal data to be able to deliver the ordered VIP service.

Personal data we may collect from you

Name, customer number, account number, invoice number, passport number, destination or place of departure, residential address, e-mail address, telephone number, mobile number, date of birth, vehicle registration number.

We may receive your personal information from someone else

In some cases, we will receive your personal data from someone else, e.g. booking company, booking agent, document agent, secretary, government agency, event company, travel agent or other person on your behalf.

Legal basis for the processing: Contract (Art. 6(1a)), consent (Art. 6(1b))

Storage period: Thinning takes place annually

5. Camera surveillance of the airport area

The purpose of camera surveillance for the prevention, detection or investigation of crime.

Personal data: Images, film sequences and, in some cases, sound.

Legal basis for the processing: To perform a task in the public interest based on the requirement of security measures resulting from laws and regulations.

Storage period: Information from the surveillance of the airport area is deleted within one month. In special circumstances and related to specific cases, such data may be stored for a longer period.

6. Assistance Management (PRM)

Purpose: We process personal data to be able to perform the tasks and responsibilities that comply with the PRM Regulation ((EC) No. 1107/2006).

Personal data we may collect from you

Name, need for PRM assistance, identity information (e.g. booking number).

We may receive your personal data from airport operators, flight operators and individuals if there is a need for PRM assistance.

Legal basis for the processing

As a basis for the processing, reference is made to Article 6(1)(c) of the General Data Protection Regulation (fulfilment of a legal obligation incumbent on the controller). The processing of personal data is necessary for us to be able to comply with the legal obligations that follow under the EU PRM Regulation and for the processing to be necessary for the establishment, exercise or defense of legal claims (Article 9(2)(f)).

Storage period: Personal data is stored for 18 months.

7. Our open WiFi

Purpose: The purpose of collecting data in connection with the use of our open WiFi is to improve the websites and functions of the offered WiFi service and, if necessary, to be able to target marketing offers to you.

Personal data: Information about the connected device and email address.

Legal basis for the processing

Personal data processed in connection with your use of our open WiFi is processed based on Article 6(1)(f) of the General Data Protection Regulation, with reference to the fact that the processing is necessary for the following legitimate interests pursued by Swedavia, such as:

  • Improvement of the service and necessary functionality
  • be able to target marketing of our products and services if necessary
  • to some extent check that our open WIFI is not used to download illegal material or otherwise be used in violation of Swedish law

Storage period: Information saved about WIFI usage within the airport area is deleted within one month. In special circumstances and related to specific cases, such data may be stored for a longer period.

8. Handling of taxi and ride-hailing agreement with Swedavia

Purpose. The purpose of the processing of personal data is to be able to ensure the fulfilment of contracts and the establishment of a company register for administrative management. Taxi drivers' personal data will be processed to:

  • Ensuring contract fulfillment
  • Establish business records for invoicing
  • Establish business registers
  • Communication
  • Statistics
  • Investigating, preventing and prosecuting breaches of contract
  • Legal basis for the processing

Personal data:

The personal data we process are: first and last name, contact details, corporate identity number (sole proprietorship), vehicle registration number, logs from transponder.

We process the personal data provided by taxi companies in connection with the signing of contracts and we collect data in connection with entry and exit and parking, in the form of logs and pictures of vehicles.

Legal basis for the processing

As a basis for the processing, reference is made to Article 6(1)(c) of the General Data Protection Regulation (fulfilment of a legal obligation incumbent on the controller) and Article 6(1)(f) of the General Data Protection Regulation: the processing is necessary for purposes relating to the legitimate interests of the controller or a third party. The legitimate interest of the controller is to carry out checks to ensure compliance with the terms of the contract and to prevent fraud.

Storage time

Personal data that is processed for the purpose of managing contract fulfilment, such as the establishment of a business register, financial management, is stored in accordance with the provisions of the Accounting Act. Personal data for the purpose of investigating, preventing and prosecuting breaches of contract is stored for 92 days.

Sharing and Recipients of Personal Data

We never sell personal data.

Data can be shared with:

  • Suppliers who perform services for us (IT operations, payment, CRM, parking systems, camera surveillance)
  • Authorities when required by law
  • Airlines and their suppliers if required for customer service or handling a case where you have requested support
  • All suppliers process data in accordance with data processing agreements and are not allowed to use data for their own purposes.

Information about current recipients can be provided upon request.

Transfer to countries outside the EU/EEA

Our starting point is to process personal data within the EU/EEA. In some cases, information may still be transferred to countries outside the EU/EEA, for example when a supplier has operations or support functions in another country.

When this happens, the transfer is based on one of the following grounds:

  • The European Commission has decided that the country ensures an adequate level of protection.
  • We have put in place appropriate safeguards, such as Binding Corporate Rules (BCRs) or EU Standard Contractual Clauses (SCCs).
  • The transfer is needed in a specific situation, for example to perform a contract with you or to deal with a legal claim.

You can contact us if you want to know what safeguards apply to a specific transfer.

Your rights

You have the right to:

  • Access your data
  • request correction of incorrect information
  • request deletion in certain cases.
  • request restriction of processing
  • object to processing based on legitimate interest
  • receive your data in a structured format (data portability)
  • withdraw consent at any time

Requests are made via: personuppgifter@swedavia.se

You also have the right to file a complaint with the Integritetsskyddsmyndigheten (IMY)

Cookies and Tracking

When you visit our websites, we use cookies and similar technologies for functionality, security and statistics.

You can always:

  • Choose which categories of cookies you accept
  • change or withdraw your consent
  • Read more in "Information about cookies"

Information security

We use technical and organizational security measures, including:

  • Encryption and access control
  • Logging and security monitoring
  • Continuity and incident processes
  • Regular tests and audits

In the event of a personal data breach, affected individuals are notified when required by law.