Last updated: 2026-04-28. Version 1.0. Next review: 2027-04-28.
This is a public summary of Skolkoll's Records of Processing Activities (ROPA) under GDPR article 30. The full internal ROPA is in version control and can be requested as an extract by Municipal Licence customers. The summary is structured so a municipal lawyer or procurement officer can get a complete picture without needing infrastructure-level detail.
1. Roles — municipality vs Skolkoll
- For Municipal Licence data (user accounts within the organisation, billing data, watchers): the municipality is the data controller; Skolkoll is the data processor.
- For our own data (visitors to skolkoll.se without an account, anonymous analytics, support enquiries): Skolkoll is the data controller.
- No joint controllers: we do not share data with third parties under joint control.
2. Data category overview
| Category | Contents | Legal basis | Retention |
|---|---|---|---|
| User accounts | Email, name, organisation membership, role, login timestamps | Contract (art. 6.1.b) | Until account deletion; 36 mo of inactivity → automatic deletion |
| Organisation data | Organisation name, organisation number, billing address, customer number (SK-NNNNN) | Contract (art. 6.1.b) | Active for the lifetime of the subscription |
| Billing history | Invoices, payment metadata (card details never pass through Skolkoll's servers) | Legal obligation (art. 6.1.c) — Swedish bookkeeping act | 7 years |
| Watchers | Selected school/municipality, event type, email for digest | Contract (art. 6.1.b) | Until the user deletes the watcher |
| Mail contacts (newsletter) | Email, name, list memberships, opt-in token | Consent (art. 6.1.a) for newsletters; contract (6.1.b) for transactional | Until unsubscribed; anonymised hash for 24 mo |
| Analytics events (raw) | Random sessionId, page path, event name — no personal data, no IP, no UA | Legitimate interest (art. 6.1.f) — product development | 90 days; aggregated summaries retained indefinitely (no PII) |
| Audit log | Admin actions with timestamp, target and before/after | Legitimate interest (art. 6.1.f) — security/traceability | 90 days |
| API quota | Number of calls per organisation per month | Legal obligation (art. 6.1.c) — billing reconciliation | 13 months |
| AI chat conversation | Browser sessionStorage only — never on our server | Consent (art. 6.1.a) | Deleted when the browser tab is closed |
The full internal ROPA contains per Firestore collection: exact field list, exact subprocessor link, exact retention mechanism. Municipal Licence customers can request the extract as an annex via info@skolkoll.se; delivered within 5 working days.
3. Subprocessors
Current list published at Data protection and subprocessors section 2 — four primary subprocessors (Google Cloud, Stripe, Resend, Anthropic/OpenAI on consent). 30-day prior notice for subprocessor changes to Municipal Licence administrators.
4. International transfers
Primarily within the EU/EEA. For transfers to a third country (USA): Standard Contractual Clauses (SCCs) per EU Commission decision 2021/914 and, where applicable, the EU-US Data Privacy Framework. Transfer Impact Assessment (TIA) performed per provider — summary available on request to Municipal Licence customers.
5. Data subject rights — operational owner
| Right | Contact | Timeline |
|---|---|---|
| Access (art. 15) | info@skolkoll.se | 14 days (GDPR limit 30) |
| Rectification (art. 16) | info@skolkoll.se | 14 days |
| Erasure (art. 17) | Self-service in the portal, or info@skolkoll.se | Self-service: immediate. Mediated: 14 days. |
| Portability (art. 20) | info@skolkoll.se | 14 days |
| Object (art. 21) | info@skolkoll.se | 14 days |
| Restriction (art. 18) | info@skolkoll.se | 14 days |
6. DPIA assessment
A simplified DPIA (DPIA-light) is published at Data protection and subprocessors section 5. A full DPIA is not required because the processing does not meet high-risk criteria (no large-scale monitoring, no special categories, no automated decision-making with legal effect on individuals).
7. Incident response
The Incident Response runbook (internal process) is followed for any personal data breach:
- 72-hour notification to the Swedish Data Protection Authority (IMY) per GDPR art. 33.
- Customer notification direct via email — for Municipal Licence customers also to organisation administrators.
- Roles: Incident Commander, Communications Lead, Legal/Compliance Lead (all coordinated by Skolkoll).
- Post-mortem published within 14 days of the incident.
The full IR runbook is delivered as an annex to the Municipal Licence agreement and can be requested before signing via info@skolkoll.se.
8. Review and update
This ROPA summary is reviewed and updated:
- Quarterly — review of the subprocessor list against actual system calls.
- Pre-release — every feature that adds a new collection or subprocessor updates the ROPA in the same PR.
- After every incident — updated with lessons learned.
- Annually — full re-read with date stamp.
Related documents
- Data protection and subprocessors — operational GDPR detail.
- DPA template — data processing agreement.
- SLA — uptime, support, escalation.
- Privacy policy — for end users and anonymous visitors.