Last updated: 2026-06-12. Version 1.3. Next review: 2027-06-12.
This is a public summary of Skolkoll's Records of Processing Activities (ROPA) under GDPR article 30. The full internal ROPA is in version control and can be requested as an extract by Municipal Licence customers. The summary is structured so a municipal lawyer or procurement officer can get a complete picture without needing infrastructure-level detail.
1. Roles — municipality vs Skolkoll
- For Municipal Licence data (user accounts within the organisation, billing data, watchers, and support cases concerning the customer's users or organisation): the municipality is the data controller; Skolkoll is the data processor.
- For our own data (visitors to skolkoll.se without an account, anonymous analytics, public support/sales enquiries not concerning Municipal Licence data): Skolkoll is the data controller.
- No joint controllers: we do not share data with third parties under joint control.
2. Data category overview
| Category | Contents | Legal basis | Retention |
|---|---|---|---|
| User accounts | Email, name, organisation membership, role, login timestamps | Contract (art. 6.1.b) | Until account deletion; 36 mo of inactivity → automatic deletion |
| Organisation data | Organisation name, organisation number, billing address, customer number (SK-NNNNN) | Contract (art. 6.1.b) | Active for the lifetime of the subscription |
| Billing history | Invoices, payment metadata (card details never pass through Skolkoll's servers) | Legal obligation (art. 6.1.c) — Swedish bookkeeping act | 7 years |
| Watchers | Selected school/municipality, event type, email for digest | Contract (art. 6.1.b) | Until the user deletes the watcher |
| Mail contacts (newsletter) | Email, name, list memberships, opt-in token | Consent (art. 6.1.a) for newsletters; contract (6.1.b) for transactional | Until unsubscribed; anonymised hash for 24 mo |
| Analytics events (raw) | Random sessionId, page path, event name — no personal data, no IP, no UA | Legitimate interest (art. 6.1.f) — product development | 90 days; aggregated summaries retained indefinitely (no PII) |
| Zoho PageSense (consent-based web analytics) | Page views, clicks/scrolling, heatmaps, session recording, experiment variant, device and browser info on public pages. PageSense does not run on noindex/account/admin pages. | Consent (art. 6.1.a) | According to the selected PageSense plan, max 12 months for Skolkoll's use |
| Zoho Desk (customer support) | Support cases from paying customers: name, email address, organisation membership, ticket content, ticket history, and voluntarily attached technical material. | Contract (art. 6.1.b) and legitimate interest (art. 6.1.f) — support, troubleshooting, and contract follow-up | Maximum 36 months after case closure, or shorter on customer request when no legal obligation requires retention |
| Audit log | Admin actions with timestamp, target and before/after | Legitimate interest (art. 6.1.f) — security/traceability | 2 years via expiresAt and Firestore TTL once the policy is active |
| Account deletion audit | uid, email hash (SHA-256), deletion status and timestamps — no raw email address | Legitimate interest (art. 6.1.f) — accountability (art. 5.2) that an erasure request was carried out | 12 months via expiresAt and Firestore TTL once the policy is active |
| API quota | Number of calls per organisation per month | Legal obligation (art. 6.1.c) — billing reconciliation | 13 months |
| AI chat conversation | Browser sessionStorage only — never on our server | Consent (art. 6.1.a) | Deleted when the browser tab is closed |
For each Firestore collection, the full internal ROPA contains the exact field list, the exact subprocessor link and the exact retention mechanism. Municipal Licence customers can request the extract as an annex via support@skolkoll.se; it is delivered within 5 working days.
3. Subprocessors
The current list is published in Data protection and subprocessors, section 2, and includes Google Cloud, Stripe, Resend, Sentry, Zoho PageSense, Zoho Desk and, subject to consent, Anthropic/OpenAI. Municipal Licence administrators receive 30 days' prior notice of subprocessor changes.
4. International transfers
Primarily within the EU/EEA, including Firestore in Google Cloud europe-west1 (Belgium). For transfers to a third country (USA): Standard Contractual Clauses (SCCs) per EU Commission decision 2021/914 and, where applicable, the EU-US Data Privacy Framework. Transfer Impact Assessment (TIA) performed per provider — summary available on request to Municipal Licence customers.
5. Data subject rights — operational owner
| Right | Contact | Timeline |
|---|---|---|
| Access (art. 15) | info@skolkoll.se | 14 days (GDPR limit 30) |
| Rectification (art. 16) | info@skolkoll.se | 14 days |
| Erasure (art. 17) | Self-service in the portal, or support@skolkoll.se | Self-service: immediate. Mediated: 14 days. |
| Portability (art. 20) | info@skolkoll.se | 14 days |
| Object (art. 21) | info@skolkoll.se | 14 days |
| Restriction (art. 18) | info@skolkoll.se | 14 days |
6. DPIA assessment
A simplified DPIA (DPIA-light) is published at Data protection and subprocessors section 5. A full DPIA is not required because the processing does not meet high-risk criteria (no large-scale monitoring, no special categories, no automated decision-making with legal effect on individuals).
7. Incident response
The Incident Response runbook (internal process) is followed for any personal data breach:
- 72-hour notification to the Swedish Data Protection Authority (IMY) per GDPR art. 33.
- Customer notification directly via email; for Municipal Licence customers, also to organisation administrators.
- Roles: Incident Commander, Communications Lead, Legal/Compliance Lead (all coordinated by Skolkoll).
- Post-mortem published within 14 days of the incident.
The full IR runbook is delivered as an annex to the Municipal Licence agreement and can be requested before signing via info@skolkoll.se.
8. Review and update
This ROPA summary is reviewed and updated:
- Quarterly — review of the subprocessor list against actual system calls.
- Pre-release — every feature that adds a new collection or subprocessor updates the ROPA in the same PR.
- After every incident — updated with lessons learned.
- Annually — full re-read with date stamp.
Related documents
- Data protection and subprocessors — operational GDPR detail.
- DPA template — data processing agreement.
- SLA — uptime, support, escalation.
- Privacy policy — for end users and anonymous visitors.