GDPR Hero: the simple solution to the General Data Protection Regulation

On May 25, 2018 the General Data Protection Regulation ("GDPR") became applicable, with tougher rules for the processing of personal data than the previous legislation in the area. GDPR applies to all businesses established within the Union, as well as to businesses outside the EU/EEA that process personal data of data subjects who are in the Union. A company that does not comply with the rules can be subject to administrative fines of up to 4 % of worldwide annual turnover of the preceding financial year or up to EUR 20 million, whichever is higher.

New for all businesses: GDPR Hero helps you to comply with the obligation to keep records of processing activities (Article 30 GDPR) and to demonstrate compliance and accountability (Article 5(2) GDPR). GDPR Hero is an easy-to-use cloud service for businesses established in the Union, or processing personal data relating to data subjects within the Union, for complying with GDPR by keeping records of processing activities.

GDPR Hero makes it easier, with an e-record, support for compliance and accountability, and checklists. Among many things, GDPR Hero enables thorough documentation, which serves as an important basis for data management. Because of the regulation you will need to review all documentation and map every part of your processing of personal data to fulfil the requirements.

GDPR Hero helps both the private and the public sector adapt to the data protection regulation. The tool is fully scalable, user-friendly and tailored for both small and large enterprises and organisations, whether your organisation focuses on B2B or B2C. Together with the law firm Sällberg & Co, we also offer help with everything from education and project management to quality assurance and support, so that you can continue with your core activities without interruption while complying with, and taking advantage of, the EU legislation.

GDPR Hero is a cloud-based tool that helps you map out, structure and document all the personal data you process. Among other things, you receive help with legal bases, purposes, access and the organisation of all the personal data. The service is continuously updated to reflect the latest legal developments. All organisations benefit from maintaining their documentation electronically, so that it can easily be added to, removed and amended as necessary.

Mapping out all of your company's personal data might feel like an impossible task: you need to go through all documentation, all IT systems and all your processing activities. GDPR Hero is a cloud service that gives you an overview of all of your personal data, together with checklists and the education you need to comply with the regulation. And the best part: you get all of this for the same price as an hour of consultation per quarter.

GDPR contains complex rules regarding, for example, providing information to data subjects, keeping records of processing activities and cooperating with the supervisory authority. GDPR Hero helps you to quickly create reports and to show that you live up to the requirements. GDPR also requires systematic work with data protection.

GDPR Hero is a user-friendly tool to facilitate and streamline the work of, among many things, keeping records of processing activities and demonstrating accountability. We help you methodically, and in the right order, solve all the small details needed to fulfil the regulation. Get help from our checklists, user guides and workflows both during implementation and during your continuous work with GDPR compliance. Throughout GDPR Hero you will find information boxes that help you fill in the right information, as well as references to the related provision in GDPR.

GDPR Hero is a long-term solution that creates a detailed map of your personal data processing. The service makes your GDPR work more effective, which in turn saves time, gives you more control and helps you comply with the rules.

Factual compliance, our latest service: first on the market, a product that not only helps with structuring, mapping and documenting the personal data in a register, it also finds all the personal data in your systems for you (by AI technology). This is the most reliable way to keep records that are up to date and include all personal data.
What is GDPR Hero?
A cloud-based tool for managing and facilitating compliance with the General Data Protection Regulation, GDPR. GDPR Hero is designed to be scalable and to fit customers of different sizes: companies, associations, organisations and public authorities. GDPR Hero lets you structure the company's personal data in a clear way. It is possible to enter an unlimited number of categories of personal data processing into an account. Recipients of personal data, such as data processors or other data controllers, as well as your own assignments as data processor, can be documented. The tool gives you a good overview of your personal data management, and you also get help with organising your data processing agreements and preparing data breach reports to individuals and to the supervisory authority. Further, you can compile a report that can be used as partial documentation to fulfil the right of access of your data subjects. In addition, GDPR Hero has a full menu of features regarding technical security measures and how you work with them. The subscriptions also include news coverage and online support.

How does GDPR Hero function?
In short, it functions as a bookkeeping program for personal data. You structure the personal data that you process and associate it with the category of data subject it refers to. All data you enter into GDPR Hero is categorised data, not the actual personal data (which may remain in your existing systems). The categorisation then becomes the record of personal data processing required under Article 30 GDPR. You can also document transfers of personal data to, for example, authorities and other controllers. It is possible to create documentation and reports when a personal data breach has occurred, both to the data subject concerned and to the supervisory authority. In addition, you can create reports to communicate to data subjects who exercise their right of access. In the tool you show organisational security measures through system descriptions and access to the data, where you also get an overview of how access to the various personal data is arranged within your organisation. You can get an overview of your relationships with personal data processors, and also of the situations where you act as data processor yourself.

Can we get a demonstration of GDPR Hero?
Of course! We arrange free demonstrations through Teams (no software is needed), and you can request a demo via our booking form.

Can we try GDPR Hero?
Yes, we know from experience that it is nice to try something new first, so we offer a 30-day trial. This means that you are able to end the service (for free) within 30 days of registration; if you cancel the service during the first 30 days, we credit your invoice.

Is there a subscription period?
Yes, a GDPR Hero subscription runs for 12 months. The subscription fee is invoiced for the whole period at once, and we have very competitive prices (from EUR 39/month). You always have a 30-day trial from the date of registration (see the section above).

What payment method do you offer?
To make the payment process as smooth as possible, we offer invoicing to all our customers (terms of payment: 30 days). This is an easy way to try out the service, which you have for 30 days after signing up for an account. The invoice can be sent by e-mail (PDF file) or by letter; you choose in the registration form when signing up.

Where is the data we enter into GDPR Hero stored?
GDPR Hero does not use integrations or connections (APIs etc.) to other systems. It is developed and designed so that you do not have to enter any large amount of personal data, to avoid unnecessary processing of personal data, because we value your data protection. Your data is stored on servers in IBM's data center in Frankfurt; you can find all information about security and how we handle security measures on our security page.

We will gladly answer your questions: fill in and submit the contact form and we will reply to you.
Is GDPR Hero a tool for us?
Yes! We have built GDPR Hero to be scalable and adjustable for different sizes and types of organisations. We offer three different sizes of subscription: SMALL, MEDIUM and PREMIUM. A SMALL subscription means that you have access to one account and one set of login credentials. This subscription is adapted for the small organisation where one person is active in GDPR Hero. A MEDIUM subscription includes the feature of creating an unlimited number of user accounts, which makes it possible to involve several employees in this important work. This is our most popular subscription, tailored for companies that have several people handling GDPR-related work, who thus get individual user accounts. The largest subscription we offer is PREMIUM, which consists of an account hierarchy. The highest level is the master account, from which you can create so-called GDPR Hero accounts. One GDPR Hero account can be used by an affiliated company or a certain division of the company; you can create the account hierarchy that suits your business. The lowest level in the hierarchy is the user accounts, which can be handed out to the relevant staff. This subscription is aimed at larger organisations, such as a group of companies, a business with operations in several countries, or a business with large departments that each wish to keep their own records.

Can we get help to get started?
We know that it can be difficult to get started with a new system! If you have not already attended a demo of GDPR Hero, we recommend you do so now; you will get an introduction to the different sections and functions within GDPR Hero. If you want more customised help to get started, we offer additional services to get you and your company on track. Find out more by contacting us.

Did you not find an answer to your question? Contact us and we will reply to you.

Our team
A wonderful mix of lawyers, IT technicians, business developers, entrepreneurs and passionate support and film team members are behind GDPR Hero. We have developed a product that we ourselves want, and the development never stops. Read a little about some of us below, and do not hesitate to contact us if you have any questions!

Daniel Sällberg, CEO
Daniel is passionate about making law more easily accessible and helping companies see value, and not just a cost, in each assignment. With new legal work models and tools, he sees an opportunity to make law a competitive advantage for both large and small companies.

Ola Andersson, Business controller
Ola is responsible for marketing and partnerships and has great experience in entrepreneurship and business development.

Jörgen Lönnborn, CTO
Jörgen is our IT star and lead programmer, responsible for the development of GDPR Hero. He ensures that all customers get the best functionality through his technical programming experience and his smart solutions.

Karolina Jivebäck, GDPR Hero Support
Karolina is one of our dedicated student workers, who works with support for GDPR Hero alongside her master's studies in European Business Law at Lund University. She has a great interest in international law and, of course, the GDPR!

Josefin Karlström, Lawyer
Josefin is one of our talented lawyers, specialising in the field of GDPR. Josefin assists our clients with support, input and evaluation in our data mapping program GDPR Hero. She has the ability to see the whole picture and at the same time the details, to ensure the quality of her work. Josefin is also one of our competent educators, who has helped many companies get started with their GDPR work and is phenomenal at explaining law in accessible language.

Julianne Ahlesten, Lawyer and development manager
Julianne is our star in planning, structuring and development of GDPR Hero, with a sense for detail and strong quality thinking. With a background in equestrian sports, she knows how to take on tough challenges, and with great enthusiasm she helps our clients get started with new ways of thinking and working to comply with the Data Protection Regulation.

Do you want to join our team?
Our team is a great mix of law students, programmers, lawyers, developers and more. Our common vision is to create a user-friendly legal tech product! Want to join our exciting journey? We are always interested in new colleagues and talents. If you are a student, you can work with us alongside your studies, for example helping with marketing, programming or legal development, and develop your skills and talents. Please send us a spontaneous application.

Want to sign up for a GDPR Hero subscription?
Fill in the form to place your order and at the same time create your account. After you have submitted the form we will provide you with the login details. In the form you can state whether the invoice should be sent to an e-mail address other than the contact person's, and whether you purchase through one of our partners. Do you want to know more about our different subscription plans? See our prices.

Press material
Here you will find the GDPR Hero logo to download, in PNG and EPS format.

Our prices
GDPR Hero: the register to simplify your GDPR work!

SMALL: EUR 48 / month
Our smallest subscription, adapted for start-ups and smaller organisations and businesses, and suited for organisations with one appointed person to work with GDPR Hero. A SMALL subscription consists of one Entity Account with one set of login credentials; you can save everything in one place and have one account for your GDPR work.

MEDIUM: EUR 120 / month (our most popular subscription!)
Suited for small and medium enterprises that want to save all their work in one place. A MEDIUM subscription consists of one Entity Account with the function to create an unlimited number of users, which lets you engage the persons responsible for the work in GDPR Hero. The administrator of the Entity Account can create users with two different access levels: either edit/delete or read-only.
This gives you an account where more people can be involved, taking part in and contributing to the valuable register and documentation you create in GDPR Hero.

PREMIUM: from EUR 180 / month (contact us)
Designed for medium to large businesses and corporate groups that want to both macro- and micro-manage under the same documentation structure. The Master Account is at the top of the hierarchy and lets you create Entity Accounts. An Entity Account can, for example, be assigned to one company in a group, or to a part of the organisation in a particular area or department; there is no limit to the scalability. The Entity Accounts can create users with access to enter/delete information or only read the information already entered. Users can see all the information entered into the Entity Account they are connected to, including information entered by other users in the same Entity Account. The Master Account can see everything that is entered into the Entity Accounts, but it cannot edit or delete the information. The Master Account can therefore be suitable for a DPO to administer.

What the subscriptions include:
- SMALL (EUR 48 / month): all documentation in the cloud, record of processing activities, reports, standard documents, news coverage, online support.
- MEDIUM (EUR 120 / month): everything in SMALL, plus the possibility to create an unlimited number of users.
- PREMIUM (contact us): everything in MEDIUM, plus the master-account function, fully scalable and adapted for larger organisations and public authorities.
- Organisations with a 90-account (EUR 0 / month): we know that the GDPR can be a challenge for smaller aid organisations, so organisations with a registered 90-account (a Swedish approved charity fundraising account) can create a SMALL subscription free of charge.

All prices presented on this website are excl. VAT.

Our background
The little tool that turned out to be fantastically scalable and efficient.

This page is as much for our own sake as for you as a visitor. It is easy to forget how it all started when you just look ahead and everything goes very, very fast. Although everything from idea to development, launch and expansion has taken less than three years, it is difficult to include everything without it becoming too long, but here comes a, hopefully, manageable version:

Everything really started when Daniel Sällberg and Ola Andersson sat down at IDEON in Lund and noticed that they were trying to solve the same problem from different directions, sometime in the early autumn of 2016. In short, Ola had an IT company and Daniel a law firm (albeit in a student apartment of 11 square metres), and both wanted to find a solution for all the small business owners who they felt would not have a chance to meet the new demands from large companies, the EU and the supervisory authorities from May 25, 2018, just under two years ahead.
They wanted to find a solution to the "problem", or let us say the challenge (and later the "opportunity"), of the new Data Protection Regulation, or GDPR as the English abbreviation reads. The mission they gave themselves was to help all companies and organisations that do not want to, or cannot, spend thousands of euros on a solution that requires both IT and legal expertise. Our focus has always been to help the 900,000 Swedish companies, and 25-50 million Europeans, who will find it difficult to meet all the requirements of the regulation without a constantly updated and very educational e-register tool.

Daniel set out to build on a legal requirement specification for a cloud service where the target was that the user, regardless of size or industry, could go from section 1 to 7 and, when the entry was complete, all requirements of the regulation would be met, but no more. Lean and correct were the key words, and I remember that we were more annoyed than pleased at all the attention we received from companies with 500+ employees, and how difficult it was at the same time to convince small businesses.

One advantage of having to start developing what became a fully launched and in itself complete (but unpolished) product within six months is that we received both the benefits of our minimalist approach (where no additional work is created in an already tough challenge) and the equally great benefits that come from companies with ten times more lawyers and IT technicians constantly demanding more and more functions.

In the summer of 2017, both our English, Danish and Norwegian versions of the tool came, and between April and August ten new lawyers were hired: five students and five seniors. Jönköping Municipality started a public procurement, which we won, and GDPR Hero GOV was born.

At the beginning of 2018 we were 15 employees, and many more were connected to us through collaborations and agreements. We are still very lean and still have the ambition to help everyone with a cheap and legally and technically strong product, but along the way it has become clear how many different skills and backgrounds are needed to help everything from an ornithological association to an international group or public authority. We have senior business developers, a large group of lawyers with expertise niches within niches of GDPR and data protection, our own IT stars and a large network of competencies through all our partners. What we "miss" is sales. We do not have a single salesperson and never have, which surprises many, but it simply is not needed.

Now, a little more than a year after GDPR became applicable on 25 May 2018, we focus on establishing good relationships with our customers and continuing the development of GDPR Hero.

// Daniel Sällberg, CEO

Safety first. Always.
GDPR Hero is a cloud service created by leading IT lawyers and professionals who know the importance of secure systems and reliable tools. A large part of our work therefore goes to ensuring that the service provides exactly the security required. Your data is safe with us.

Our systems
The functionality of GDPR Hero and the service's server environment and network are proactively protected by monitoring and analysing its firewalls and system logs. The service has comprehensive backup routines that ensure continuity of service: backups are made daily and retained for four weeks, and customer data remains encrypted in the backups. In addition, all servers are continuously scanned for viruses, Trojan horses and worms. Of course, all our staff have a duty of confidentiality regulated in strict agreements.
The information shared with us is handled in a secure manner and is not shared without the consent of interested parties To ensure your safety with the service, our support is available all working days – by phone, mail and chat. Our service desk will assist you with both technical and legal issues regarding GDPR Hero. Did you not find what you were looking for? Please do not hesitate to contact us at ! di| Share This Facebook Twitter LinkedIn li|ISO 27001-certified data center Intrusion Detection System 24/7 24/7 CCTV camera monitoring Extra security is ensured by protected storage spaces with electronic ID-scanners System for early fire detection (VESDA) Fireproof spaces according to cell design F120 Harmless argon fire extinguishing system UPS and emergency operation systems for uninterrupted power supply Fuel storage in case of longer interruptions at the power supplier 24/7 operative monitoring of the data center’s infrastructure with several message techniques N + 1 Temperature 24 ° C (± 5 ° C) 24/7- h1|Safety first. Always. h2|GDPR Hero is a cloud service created by leading IT lawyers and professionals who know the importance of secure systems and reliable tools. A large part of our work therefore goes to ensure that the service can provide exactly the security required. Your data is safe with us Technical specifications h3|Our systems Privacy Support Technical protection Fire protection Power supply Climate system sp|Log in SV Select Page We offer the storage of your data on servers located in IBM’s data center in Frankfurt, which is the most modern and secure of its kind. In an environment adapted to the needs of the technology, your information is protected with the fire safety technology VESDA, fireproof spaces and harmless extinguishing methods such as argon. Fully air-conditioned rooms, uninterruptible power supply and multi-level access control provide ideal conditions for stable operation of our infrastructure. 
- monitoring of security services
- logged access to the system with a card reader
- ring connection to the 10 kV grid
- redundant storage cabinets and cooling towers
- monitoring of HVAC and pipelines

Address information
GDPR Hero AB, Bankgatan 1a, 223 54 Lund, Sweden. Telephone: +46 (0)46 – 273 17 17

Curious to see how GDPR Hero works? Watch our introduction videos, which give you a closer view of the different parts of GDPR Hero and how the tool functions. Hover over the images to browse more videos using the arrows. There are a total of seven different introductory videos, each showing a specific section in the tool. Contact our support if you have any further questions, using the chat box in the bottom right corner.

* Please note that we continuously update GDPR Hero, and that some features and terms shown in the videos may have been changed or further developed.

GDPR Hero helps you to comply with the new regulation
With the web-based tool, you minimise your consulting costs and avoid the costly mistakes that can occur when you are overwhelmed by incomplete and sometimes contradictory information. With GDPR Hero you get an overview of which personal data you process and the basis for deciding which data you want to keep. You receive help through clear step-by-step functions with checklists, information boxes and data protection news coverage. But above all, we gather all your processing in the same place. This way you process personal data for the right purpose, under the responsibility of the right people within the organisation.

Our partners

Sällberg & Co
Sällberg & Co is a law firm with 100% focus on GDPR! They can assist with all types of legal matters and questions related to GDPR and data protection, e.g. creating or reviewing Data Processing Agreements (DPA), Data Protection Impact Assessments (DPIA), and consultation prior to new personal data processing.

Teleservice Skåne AB
Teleservice is an expansive IT company that has been developing solutions to meet the needs of its customers since 1973. Then as now, they have always focused on constant development and exemplary service; they are passionate about making it as easy as possible for their customers.

HiQ
HiQ’s passion is to create simple solutions to complex challenges.

Silenta
Silenta Information Security offers services that help companies easily and educationally with data protection matters.

Saldab IT
Saldab IT has more than 20 years of experience in delivering IT services and system operation. Experts in protecting sensitive personal data with IT operations that are secure and accessible.

24Solutions

Gibon
Gibon creates innovative solutions for digital environments. They are located in ten different places in Sweden and have more than 130 employees.

Crossnet
Crossnet is a Swedish IT company headquartered in Stockholm. They believe in close relationships with their customers in order to offer the best solutions in Cloud Hosting and Consulting.

Axiell
Axiell offers innovative products and IT solutions adapted for libraries all over the world. “Our solutions help institutions organize and share culture and knowledge with the world.”

Are you interested in becoming our partner? Please let us know!

Book a demo of GDPR Hero
We are happy to invite you to a free online demonstration of GDPR Hero. Get answers to your questions about keeping records in accordance with GDPR, a good overview of our tool and information about our customer services. Please fill in your details below and we will contact you to book a time that suits you!

About cookies

What are cookies?
Cookies are small text files containing information that are stored on your computer when you visit a website (tablets with an internet connection and phones are also covered). Cookies are used to make web pages work more efficiently, but also to provide certain information to the owner of a website. Cookies make it possible to distinguish different users from one another, which in itself can give each user a more positive experience of the website.

Refuse cookies
Most browsers have a default setting that accepts the use of cookies. You can change these settings so that you as a user are warned as soon as a cookie is sent to your computer, or create a general rule that blocks cookies. You can also choose to delete all cookies stored on the computer. If you do not want to accept cookies, your browser can be set to automatically refuse the storage of cookies or to inform you each time a website asks to store a cookie. Previously stored cookies can also be deleted through the browser. See your browser’s help pages for more information. This may mean that some services on the website do not work.

Welcome to our GDPR Hero blog
We write and publish blog posts about the latest GDPR news, as well as informative posts about provisions in the GDPR.

An important part of the GDPR is to know whether your organisation is controller or processor for a certain processing. In some cases, your organisation might even be joint controller with another organisation. We have written about this before but it can not...

We receive many questions regarding relatives’ data. Data concerning relatives can be collected in different contexts. First and foremost, many think that data concerning relatives is collected regarding relatives of employees, but it might be of interest to...

In the GDPR, some of the articles only apply to certain categories of personal data. These specialised articles are important to understand in order to process personal data legally. The categories of personal data that are often called sensitive are one of the...
As we are in the middle of a global pandemic, we of course have to behave differently than we are used to. But what does it actually mean in relation to the GDPR? New situations create new questions regarding the collecting of personal data, e.g. what actually...

On the 16th of July we finally got a long-awaited judgment of the Court of Justice in the interesting case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd (Facebook Ireland) and Maximillian Schrems. There were many questions referred, and we will in...

Now that the GDPR has been in force for two years, many companies have started to deepen their knowledge in specific parts of the regulation. It can therefore be easy to forget some of the more basic but fundamental parts such as: is the GDPR applicable to this...

Personal data breach has been a common term since the GDPR came into effect almost two years ago. It is important to have basic knowledge regarding personal data breaches and routines in place to be able to handle a potential data breach. Unfortunately, much of the information...

Personal integrity is considered worth protecting. It is difficult to define exactly what personal integrity is, but it involves personal information about a person and the person’s private life. This information should be protected from attacks by...

If your business operates in Sweden, you have probably noticed that Datainspektionen is the Swedish Supervisory Authority. This means that Datainspektionen is responsible for monitoring compliance with GDPR (and other data protection laws) by Swedish companies,...

In this interesting case, previously covered in this blog post, Advocate General (AG) Henrik Saugmandsgaard Øe gave his opinion on 19 December 2019. In this blog post we will cover the most important aspects of the opinion, which might give some guidance in...

When is our organisation a data controller or a data processor, respectively? These terms can be hard to understand and get a grasp of, but it is important if you want to fulfil your obligations under the GDPR. We at GDPR Hero receive many questions regarding the assessment...

A personal identity number is considered to be personal data; thus it shall be dealt with in accordance with GDPR and other complementary national legislation. You might deal with personal identity numbers in various situations; for example in e-mail, salary slips,...

According to the GDPR, it is either the data controller or the data processor that can be held liable if the regulation is not followed. This is in most cases a legal person. In this blog post we will examine whether only these actors can be held liable or if, in...

The ongoing case C-311/18 Facebook Ireland and Schrems is a very interesting one in regard to data privacy and mass surveillance when data is being transferred from the EU to the US. In this blog post we will look more into it and explain the most important...

We still get many questions regarding when it is legal to process personal data and whether companies always have to collect consent to be able to process the data. We will therefore describe in this article the six legal grounds you can base your personal data...

Many companies (e.g. social media platforms and e-mail providers) have as a large component of their business model to collect your personal data and share it with third parties. They are using the personal data they get from your public profile on their online...

Many of us are on holiday during the summer, but developments in the field of law never cease. GDPR Hero has put together three of the most important aspects of the Swedish Data Protection Authority’s work and developments in the field of GDPR. 1. The Swedish...

In Chapter V of the GDPR you will find a special regulatory framework which regulates transfers of data to third countries. A third country is a country outside the EU/EEA. To transfer personal data to a third country you will need a legal ground for it in conformity...

Many companies want to retain information in order to keep statistics, which often requires information to be stored for a long time. By pseudonymising or anonymising the personal data, you create a safer processing, which may even fall outside the scope and applicability of the GDPR. However, there are high requirements for personal data to be considered anonymous. In this blog post we go deeper into what anonymisation and pseudonymisation mean.

In today’s society it is common for one’s work e-mail to contain numerous personal data and different types of processing. We receive many questions about how e-mail messages should be handled under the GDPR. In this blog post we therefore describe how you can handle your e-mail in a GDPR-smart way!

Even if you have not entered into a contract with an individual or collected the individual’s consent, there is sometimes an opportunity to process his/her personal data anyway. The legal ground this form of processing is based on is called “legitimate interest”,...

In this blog post we will describe another GDPR agreement, a so-called data sharing agreement. We will sort out when it is needed and how it should be drawn up. Unlike a data processing agreement, all parties to a data sharing agreement are controllers and jointly determine the purposes and means of the processing of personal data.

Many organisations have a list of contact information for at least one family member of each of their employees. The purpose of this list is to be able to contact the family member if something happens, e.g. an accident or similar at the workplace. What does GDPR state...

GDPR entails a right for the person whose data is being processed by an organisation to request access to their data. This is the so-called “right of access”. You might also have heard about “extraction from the”. However, the right...

Under Article 9(1) GDPR it is prohibited to process data concerning a person’s health. Now you may be thinking: “Oh, are we not allowed to note that an employee has called in sick!?” That is not quite the case. The prohibition on processing data concerning a person’s health is a starting point; there are several useful exceptions to it.

The General Data Protection Regulation contributes a lot of new, and sometimes difficult, concepts that of course do not explain themselves. In this article we will go through and clarify some of the most important concepts in the regulation, which are good...

When did the regulation enter into force?
The regulation became applicable on 25 May 2018. A regulation (unlike the earlier directive) is directly applicable law in all EU member states, and there are very few possibilities for local adaptation or special solutions in the individual countries (the exceptions mainly concern the activities of public authorities and cultural differences, such as when a data subject is to be regarded as an adult).

How does the GDPR relate to other legislation?
Through its EU membership, the Swedish Riksdag has transferred part of its decision-making power to the EU institutions. This has happened to varying degrees. In some areas, for example trade and competition policy, Sweden may not legislate at all; there the EU has so-called exclusive competence. Personal data falls under Justice and Home Affairs (more precisely, fundamental rights). Here so-called shared competence applies (see Article 4 of the TFEU). Under shared competence the member states may legislate, but only if the EU chooses not to. From 25 May 2018, Swedish legislation can therefore only cover areas where the GDPR does not apply. There are areas that the GDPR has left to the member states to decide, where we await a number of government inquiries and legislative proposals, but these mainly concern personal data in public administration. In some cases we will also see intersections with other human rights by which the EU is also bound (for example freedom of the press). Someone who writes a blog can, for instance, apply for a publishing certificate (utgivningsbevis) and obtain completely different possibilities for processing personal data in their published material.

Privacy policy
Last updated: 2019-03-11. Version 2019:4

Introduction
All processing of personal data carried out by GDPR Hero AB (corporate identity no. 559088-5116) (hereinafter “GDPR Hero”) takes place in accordance with applicable data protection legislation. At GDPR Hero we care about your personal privacy and strive for a high level of data protection. In this privacy policy we describe how we collect and process your personal data, and describe your rights and how you can exercise them. With the table of contents below you can easily navigate to the sections of particular interest to you.

Contact details
If you have questions about GDPR Hero’s processing of personal data, please contact us at:
GDPR Hero AB, Bankgatan 1a, 223 52 Lund
E-mail:
Telephone: 046-27 317 17

1 Interested parties and potential customers
This includes everyone who contacts us to receive our newsletter but who is not a customer of ours.

1.1 Newsletter subscription
Purpose: To send newsletters with GDPR-related information and news.
Categories of personal data: E-mail address.
Legal basis: The processing is based on consent.
Storage period: The personal data is collected when the data subject fills in the newsletter subscription form on our website or otherwise informs us that they wish to receive our newsletter.
Other information: You can unsubscribe from our newsletter at any time via the link at the bottom of each newsletter.
1.2 E-mail from potential customers
Purpose: To handle support matters, answer questions, send quotes and provide information about the tool to potential customers.
Categories of personal data: Name, e-mail address, telephone number, company name and address.
Legal basis: The processing is based on legitimate interest. We have an interest in processing personal data in order to meet the customer’s requests.
Storage period: The personal data is collected when the e-mail is received and is deleted at the latest one (1) year after the communication has ended.

1.3 Chat with website visitors
Purpose: To handle support matters and incoming inquiries and to communicate with potential customers.
Categories of personal data: Name, e-mail address, company name, location information, browser version and operating system version.
Legal basis: The processing is based on legitimate interest. The function is voluntary and the chat can be anonymous, but it is often in the interest of the user and their client/employer to identify themselves so that matters can be handled faster. We only process the personal data the visitor provides to us, and it is entirely possible to remain anonymous.
Storage period: The personal data is collected when a potential customer sends us a message via our support chat, and is deleted or anonymised one (1) year after the communication has ended.

2 Current customers

2.1 Newsletter subscription
Purpose: To send newsletters with GDPR-related information and the latest news about GDPR Hero.
Categories of personal data: Name, e-mail address and company name.
Legal basis: The processing is based on legitimate interest for the first mailing; consent is then obtained for continued mailings.
Storage period: The personal data is collected when a customer registers with us and a contact person provides their contact details.
Other information: You can unsubscribe from our newsletter at any time via the link at the bottom of each newsletter.

2.2 Administration of the service and customer care
Purpose: To fulfil our contractual obligations, invoice, and contact the customer’s contact person about important events. This may involve administering your account, creating login credentials, handling customer service matters, etc.
Categories of personal data: Name, e-mail address, telephone number, company name, corporate identity number and company address.
Legal basis: The processing is based on legitimate interest. GDPR Hero’s interest lies in providing you with our services and fulfilling our contractual obligations to you.
Storage period: The personal data is collected when the “Create account” form on our website is filled in. The personal data will be deleted ten (10) years after the end of the contract, in accordance with the Limitations Act.

2.3 E-mail from customers for support matters
Purpose: To handle customer support matters and communicate with current customers.
Categories of personal data: Name, e-mail address, login credentials, telephone number, company name and address.
Legal basis: The processing is based on legitimate interest, in order to maintain the contract with the user’s employer or client.
Storage period: The personal data is collected when the e-mail is received and is deleted or anonymised ten (10) years after the end of the contract, in accordance with the Limitations Act. Data needed to fulfil legal obligations may be kept longer.

2.4 Support matters via chat
Purpose: To handle customer support matters and communicate with current customers.
Categories of personal data: Name, e-mail address, username and company name.
Legal basis: The processing is based on legitimate interest. It is in GDPR Hero’s interest to process the personal data in the chat in order to enable communication with the customer.
Storage period: The personal data is collected with each new message initiated via our support chat and is deleted or anonymised ten (10) years after the contract has ended. Data needed to fulfil legal obligations may be kept longer.

2.5 Bookkeeping and accounts
Purpose: To handle invoice documentation, vouchers and other accounting records.
Categories of personal data: Name, invoice reference, company details, invoice documentation and accounting records.
Legal basis: The processing is based on legal obligation. GDPR Hero is obliged to process data in accordance with the law.
Storage period: The personal data is collected when the contract is entered into and is then kept for seven (7) years in accordance with the Bookkeeping Act.

3 Demo participants

3.1 Book-a-demo form
Purpose: To provide demonstrations of the tool to companies, associations and public authorities. This is done by receiving bookings and sending booking confirmations.
Categories of personal data: Name, e-mail address and company name.
Legal basis: The processing is based on legitimate interest. The legitimate interest lies in being able to provide demonstrations of the records tool.
Storage period: The personal data is collected when the data subject fills in their details in the book-a-demo form and is deleted or anonymised one (1) year after the demonstration of the tool has taken place.

4 Contact persons at resellers

4.1 Incoming inquiries via reseller form
Purpose:
Categories of personal data:
Legal basis:
Storage period:

4.2 Contact persons at our resellers
Purpose: To have a fixed point of contact at our customers, partners and resellers, to whom we communicate important information about our services.
Categories of personal data: Name, position, address, e-mail address, telephone number and company details.
Legal basis: The processing is based on legitimate interest.
Storage period: The personal data is collected when the contact person first gets in touch with us and is stored for at most ten (10) years after the relationship has ended. Data needed to fulfil legal obligations may be kept longer.

5 Job applicants

5.1 Spontaneous application
Purpose: To receive and communicate with people who wish to work at GDPR Hero.
Categories of personal data: Name, address, e-mail address, telephone number, date of birth, record of qualifications, cover letter and CV.
Legal basis: The processing is based on legitimate interest. GDPR Hero has a legitimate interest in processing your personal data for your spontaneous job application in order to meet your wishes.
Storage period: The personal data is collected when the job application is received and is deleted two (2) years after the last contact, in accordance with anti-discrimination legislation. At this stage GDPR Hero will not request any further data. Personal identity numbers and/or sensitive information should therefore not be sent.

5.2 Application for an advertised position
Purpose: To receive, respond to and evaluate job applications for an advertised position.
Categories of personal data: Name, address, e-mail address, telephone number, date of birth, record of qualifications, cover letter and CV.
Legal basis: The processing is necessary for our legitimate interest in administering the recruitment, among other things in order to assess which candidate best matches our competence profile.
Storage period: Documentation and supporting material required for GDPR Hero to fulfil its obligations under anti-discrimination legislation is kept for two (2) years. At this stage GDPR Hero will not request any further data. Personal identity numbers and/or sensitive information should therefore not be sent.

6 Who we disclose your personal data to
On our [page] you will find an updated list of the parties with whom we share your personal data (sub-processors, joint controllers and third parties). GDPR Hero ensures that a data processing agreement or equivalent arrangement is in place with these parties and that they meet all the requirements of applicable data protection legislation. If you want to know more about the security measures we have implemented, contact us and we will gladly tell you more.

Other information: As a rule, your data is processed only by us. Certain processing carried out with the help of subcontractors or partners (e.g. IT suppliers, resellers and auditors) may be shared with these parties, but only to the extent necessary.

7 Transfer of your personal data outside the EU/EEA
GDPR Hero has processors that process personal data outside the EU/EEA (third countries). GDPR Hero ensures that the processors that handle your personal data do so in a lawful and secure manner in accordance with data protection legislation. This means that GDPR Hero ensures that the processor has an adequate level of protection for its processing of personal data (that it is a country the European Commission has decided provides adequate protection for the processing of personal data) or that appropriate safeguards are otherwise in place (e.g. standard contractual clauses, codes of conduct or certification mechanisms).

8 Your rights
You who have provided your personal data to us can exercise the rights below free of charge by contacting us. If we receive such a request, we may need to verify your identity with appropriate security measures in order to prevent unauthorised persons from gaining access to your personal data. We will respond to your request without delay, and at the latest within one (1) month of receiving it. You have the following rights:

a) Right of access
You have the right to request access to, and information about, which categories of personal data are processed about you. The information is easy to understand and is provided free of charge in electronic form.

b) Right to rectification
You have the right to request rectification of your personal data if it is incomplete or otherwise inaccurate.

c) Right to erasure
You have the right to request that your data be erased if the processing is based on consent or has been carried out unlawfully. Erasure does not, however, apply to data that GDPR Hero is obliged by law to retain.

d) Right to restriction
You have the right to request that we temporarily restrict the processing of your personal data. Restriction would, for example, be relevant:
i. during the time it takes us to verify that your data is accurate;
ii. during the time it takes us to verify whether our legitimate interest in a processing outweighs your interests and fundamental rights;
iii. so that you can establish, exercise or defend legal claims;
iv. if the processing is unlawful but you want the processing restricted instead of the data erased.

e) Right to object
You have the right to object to processing of personal data based on our legitimate interest. If you make such an objection, GDPR Hero considers your objection and makes an overall assessment between our legitimate interests and your rights and freedoms.

f) Right to data portability
You have the right to receive your personal data in a structured, commonly used and machine-readable format, for personal data whose processing is based on consent or contract and which you yourself have provided to us. You also have the right to request that we transfer your personal data directly to another controller.

9 Contact details of Datainspektionen
We ask you to always contact us first to give us the chance to remedy any misunderstandings or errors on our part regarding the processing of your personal data. You always have the right, however, to turn to the responsible supervisory authority with a complaint if you consider that we do not meet the requirements placed on us. Datainspektionen is the responsible supervisory authority for the processing of personal data in Sweden, and you can get in touch with them.

10 Changes to the privacy policy
GDPR Hero may change its privacy policy when necessary. Updates will be published on our website. If material changes are made to the privacy policy, we will send an e-mail about this well in advance.

Scheduled maintenance
Posted: 2020-08-14
20th August 7 a.m. to 5 p.m. (CET): The Service will be unavailable due to a transfer to new servers. If you have any questions please contact us!
Best regards,
GDPR Hero’s support team

Our sub-processors
Below is a list of the companies that GDPR Hero AB engages to process personal data on our behalf.

GDPR Hero is the controller for data we receive from companies, public authorities and organisations that have a contractual or business relationship with us. This personal data is further stored with other companies that we use as suppliers and for which we are responsible. These suppliers are processors for GDPR Hero and process the personal data on our behalf.

Processors for GDPR Hero
Fortnox
Purpose: To handle invoicing of our services.
Transferred outside the EU? No

Mailchimp
Purpose: To send newsletters to our customers who have signed up to receive them.
Transferred outside the EU? Yes

Zendesk
Purpose: To maintain prompt and efficient communication with our existing customers and interested parties and to answer questions, we use Zendesk’s chat function.
Transferred outside the EU? Yes
Binero
Purpose: To maintain communication with and answer questions from our existing customers and interested parties, and to start business relationships with new customers, we use Binero’s e-mail handling system.
Transferred outside the EU? Yes

Dropbox
Purpose: To store customer information.
Transferred outside the EU? Yes

GDPR Hero uses a number of suppliers in order to run the business and give customers the best experience. These suppliers act as sub-processors to GDPR Hero and process personal data, on our instructions, on behalf of our customers. We have entered into data processing agreements with all suppliers.

Sub-processors for GDPR Hero
OMMH Scandinavia AB
Purpose: To develop and maintain the functionality of GDPR Hero, OMMH Scandinavia is the supplier of system development.
Transferred outside the EU? No

IBM Domino Applications on Cloud
Purpose: To maintain our cloud service, we use IBM as a supplier for server storage.
Transferred outside the EU? No

Ver. 2020:01

1.1 These General Terms and Conditions (“Terms”) are a contract between you (“Customer” or “you”) and GDPR Hero AB (559088-5116) with corporate domicile Bankgatan 1A, SE-223 52 Lund, Sweden (“GDPR Hero”, “we”, “our” or “us”).

1.2 GDPR Hero provides a Software as a Service product (“Service”). The purpose of the Service is to provide a tool for Customer to establish a Register of Processing in compliance with Article 30 of the GDPR.

1.3 These Terms govern your access to, and use of, the Services. If you agree to these Terms on behalf of a company or other entity, you warrant and represent that you are the agent or authorized representative of that company or entity and that you have read, understood and agree to enter into a legally binding agreement with GDPR Hero and to be bound by these Terms.

“Account(s)” means Master Account(s) and Entity Account(s).
“Administrator” means an End User who administrates Customer’s Master Account and/or Entity Accounts.
“Agreement” means these Terms, invoices and agreed Order Form.
“Billing Period” means the period of months for which you agree to prepay fees under an Order Form, which will be the same as the Subscription Term.
“Contact Person” means the natural person whose contact information the Customer provided in the Order Form at the time of applying for an Account, or an updated Contact Person following 7.3 below.
“Customer Data” means any information entered by Customer in the Service including, but not limited to, personal data.
“End User” means a natural person authorized by Customer to access the Service.
“Entity Account” means an account where Customer Data is entered by a User. The Entity Account, accessed by an Administrator, may have the option to administer, create and delete End Users, if the function is included in the subscription.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and any subsequent EU regulation.
“Master Account” means an account with the option to administer, create and delete Entity Account(s). The Master Account has reading access to all Customer Data provided in the Entity Account(s).
[defined term] means a personal set of login information to reach the Entity Account. The Users can have either reading access or edit/delete access.
“Order Form” means the order document, form or page for the Service.
“Reseller” means a reseller authorized by GDPR Hero, listed on GDPR Hero’s website.
“Subscription Fee” means the monthly fee prepaid for the Billing Period.
“Subscription Term” is a period of twelve (12) months beginning the day Customer applies for an Account through an Order Form or through a Reseller.
[defined term] means a legal or natural person, other than the Customer.

3.1 Customer agrees to these Terms by applying for one or more Accounts by means of an Order Form. If the Parties agree to other terms in writing, the other terms will take precedence over these Terms.

3.2 Customer has the option to create additional Accounts during the Subscription Term.

4.1 Unless otherwise specified, the first thirty (30) days of the first Subscription Term is a Trial Period (“Trial Period”). During the Trial Period either Party is free to terminate these Terms without cause. The Subscription Fee for the Subscription Term shall be repaid if the Trial Period is cancelled.

4.2 Unless otherwise specified, the Trial Period is restricted to once (1) per Customer and company group, subject to Section 4.4 below.

4.3 Subscription Term is a period of twelve (12) months.

4.4 Unless otherwise specified, following the Subscription Term or a Renewal Term, the subscription to the Services will automatically renew for a new Subscription Term (“Renewal Term”), unless either party gives the other written notice of termination at least sixty (60) days prior to the expiration of the then-current Subscription Term or Renewal Term.

4.5 This Agreement is ongoing, and Customer is invoiced yearly in advance, unless otherwise specified.

5.1 Customer will pay GDPR Hero or the Reseller all applicable Subscription Fees for the Services, in the currency and pursuant to the payment terms indicated on the Order Form, or in the applicable agreement between Customer and Customer’s Reseller. Customer authorizes GDPR Hero, or the Reseller, to charge Customer for all applicable Subscription Fees using Customer’s selected payment method, and Customer will issue the required purchasing documentation.

5.2 Customer will pay GDPR Hero invoices on the payment interval set forth in these Terms. GDPR Hero may suspend or terminate the Services if Subscription Fees are past due. Customer will provide complete and accurate billing and contact information to GDPR Hero or to Customer’s Reseller. Terms of payment are thirty (30) days, unless otherwise specified.

5.3 Unless otherwise agreed by the Parties, the Subscription Fee for the Services published on GDPR Hero’s website at the time the Customer enters into the Order Form, or orders an Account from a Reseller, applies.

5.4 Subscription Fees are exclusive of taxes and Customer is responsible for all taxes. GDPR Hero, or Customer’s Reseller, will charge taxes when required to do so.

5.5 The Subscription Fee will remain fixed during the Subscription Term unless you: (a) upgrade the Service, (b) add additional Accounts, (c) subscribe to additional features or products, or (d) unless otherwise agreed by the Parties.

5.6 GDPR Hero may once (1) per calendar year revise the Subscription Fee by providing Customer at least thirty (30) days’ notice prior to the next charge. Changes will not take effect until the following Renewal Term.

6.1 Templates are features in the Service. The Service provides general templates without extra charge in the Account(s). GDPR Hero may add custom templates to the Service at the request of a Customer. Customised templates are an additional feature and come with an extra charge, in accordance with Section 4.4. Customers who want to order customised templates for their Account(s) may contact GDPR Hero.

6.2 We may provide other features, services and products, following demand and availability. A list of the features, services and products available is published on our website.

8.1 Customer is responsible for complying with other instructions set forth in the Service.

8.2 Customer is responsible for ensuring that the information entered in the Service is in accordance with applicable laws.

8.3 Customer is responsible for providing GDPR Hero with updated contact information for the Contact Person. Further, Customer is responsible for notifying GDPR Hero if there are changes to billing information.

9.1 The Service includes legal information for educational purposes only, not to provide specific legal advice. Information within the Service should not be used as, or considered a substitute for, legal advice. Instead, make sure to seek appropriate counsel for your specific situation.

9.2 You are aware, acknowledge and agree that any and all information provided by GDPR Hero’s personnel does not constitute legal advice. Information should not be used as, or considered a substitute for, legal advice. Instead, make sure to seek appropriate counsel for your specific situation.

9.3 The Service may include hyperlinks to other websites, content or resources. GDPR Hero may have no control over any websites, content or resources which are not provided by GDPR Hero.

9.4 You are aware, acknowledge and agree that GDPR Hero is not responsible for the availability of any external sites, content or resources, and does not endorse any advertising, products or other materials on or available from such websites, content or resources, and that GDPR Hero is not liable for any loss or damage which may be incurred by you as a result of the availability of those external sites, content or resources, or as a result of any reliance placed by you on the completeness, accuracy or existence of any advertising, products, information or other materials on, or available from, such websites, content or resources.

10.1 We try to make the Service available 24 hours a day, 7 days a week, except for planned down-time for maintenance. Planned down-time for maintenance will be announced on our website and on the Service’s homepage five (5) days in advance.

10.2 GDPR Hero is not responsible for any failure of the Services or for failure to meet agreed availability, if GDPR Hero can demonstrate that this was caused by events that were beyond GDPR Hero’s control (“Force Majeure”). Force majeure means that GDPR Hero is not obliged to pay compensation for loss or damage which the Customer may suffer as a result of the fulfilment of GDPR Hero’s obligations being prevented or substantially hampered by circumstances which GDPR Hero or its subcontractor could not reasonably control or anticipate, including but not limited to labour conflict, war, riot or riots, lockout or other labour conflict, earthquake, fire, flood or water damage, legislation and government restrictions.

11.1 GDPR Hero will use industry standard technical and organizational security measures to transfer, store, and process Customer Data (“Security Measures”). The Security Measures are designed to protect the confidentiality and integrity of Customer Data and guard against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.

11.2 Any and all GDPR Hero personnel who have access to Customer Data will be bound by appropriate confidentiality obligations.

11.3 You are aware, acknowledge and agree that you are responsible for maintaining the confidentiality of passwords associated with the Account(s) you use to access the Service and, accordingly, that you will be solely responsible to GDPR Hero for all activities that occur under your Account(s).

11.4 You specifically agree that you will (a) use commercially reasonable efforts to prevent unauthorized access to, or use of, the Service; (b) promptly notify GDPR Hero if you become aware of, or reasonably suspect, any illegal or unauthorized activity or a security breach involving your Account(s), including any loss, theft, or unauthorized disclosure or use of a username, password, or Account(s).
11.5 As a security measure, automated backup copies will be taken of your Account(s). 12.1 GDPR Hero is the data controller for Administrators personal data requested by us in the context of the Service. 12.2 Customer is the data controller for any and all personal data that is not requested by GDPR Hero and is stored in the Service by Customer. GDPR Hero is the data processor in these situations. 12.3 Personal data processing is regulated in a separate agreement, Data Processing Agreement. 12.4 Customer warrants not to process any special categories of data or data relating to criminal convictions or offences, by definition of Articles 9(1) and 10 of the GDPR, in the Service. 13.1 GDPR Hero hereby grants Customer, during the Subscription Term, a limited non-exclusive license to use the Service and in accordance with this Agreement. This license is non-exclusive, non-transferable and non-sublicensable. 13.2 These Terms do not grant: (a) GDPR Hero any intellectual property rights in Customer Data; or (b) Customer any intellectual property rights in the Services or GDPR Hero trademarks and brand features. 14.1 GDPR Hero may update the Service from time to time. If GDPR Hero changes the Service in a manner that materially reduces its functionality, GDPR Hero will notify your Contact Person, the Contact Person may provide notice within thirty (30) days of the change to terminate these Terms. 14.2 Either Party may terminate these Terms, including all Order Forms, if: (a) the other Party is in material breach of these Terms and fails to cure that breach within thirty (30) days after receipt of written notice; or (b) the other Party ceases its business operations or becomes subject to insolvency proceedings. 
14.3 If these Terms terminates: (a) the rights and licenses granted by GDPR Hero to Customer will cease immediately; (b) Customer may, prior to termination, request reasonable additional time to export its Customer Data, provided that GDPR Hero may charge Customer for such extended access based on GDPR Hero’s then-current standard fees; and (c) GDPR Hero will delete any Account(s) and Customer Data within a commercially reasonable period of time following receipt of a Contact Person’s request to do so. 14.4 If these Terms terminate, the Account(s) and the Customer Data in the Account(s) will be stored for sixty (60) days, unless the Customer requests GDPR Hero to delete the information at an earlier date. 15.1 Customers may not transfer or make this Service accessible to a Third Party. Example of such undertakings are selling, lending or in other ways distribute the Service. 15.2 The Parties will maintain confidentiality regarding business secrets, unless it is required by law, public authorities or similar to provide information. 16.1 You are aware of, acknowledge and agree that the Agreement constitutes the entire agreement and understanding between you and GDPR Hero relating to the subject matter hereof (but excluding any services which GDPR Hero may provide to you under a separate written agreement) and supersedes all written or oral commitments, undertakings and agreements which have preceded the Agreement. 16.2 You are aware of, acknowledge and agree that any amendment, change or modification of the Agreement, other than as set out above, may only be made by a written agreement between the Parties. 16.3 Changes can be made to these Terms to reflect changes in law or precedence or to improve the Terms or regulate changes to the Service. Changes must be notified at least fourteen (14) days before they are implemented. Changes will be notified to the email address of your Contact Person. 
If Customer does not agree with the changes, Customer can terminate their subscription within 30 days of notice. The remaining Subscription fee will be repaid. 16.4 You are aware of, acknowledge and agree that in no event shall any delay, failure or omission of a Party in enforcing, exercising or pursuing any right, claim or remedy under this Agreement be deemed as a waiver thereof, unless such right, claim or remedy has been expressly waived in writing. 16.5 If any court of law, having the jurisdiction to decide on this matter, finds that any provision of the Agreement (or the application thereof) shall be declared or deemed void, invalid or unenforceable in whole or in part for any reason, that provision shall be enforced to the maximum extent permissible so as to affect the intent of the Agreement and the remaining provisions of the Agreement shall continue in full force and effect. 16.6 You are aware of, acknowledge and agree that GDPR Hero may provide you with notices, including those regarding changes to these Terms, by email, regular mail, or postings on or through the Service. The English language shall be the governing language in your relationship with GDPR Hero. 17.1 These Terms, and your relationship with GDPR Hero under these Terms, shall, to the maximum extent permitted by applicable mandatory law in your jurisdiction, be governed by and construed in accordance with the substantive laws of Sweden without giving effect to the choice of law principles thereof. 17.2 Any dispute, controversy or claim arising out of or in connection with these Terms, or the breach, termination or invalidity thereof, shall be settled by a Swedish court of general jurisdiction and the Lund District Court (Sw: Lund tingsrätt) shall be the court of first instance. 17.3 Before filing a claim, each Party agrees to try to resolve the dispute by contacting the other Party through the notice procedures. 
If a dispute is not resolved within thirty (30) days of notice, Customer or GDPR Hero may bring a formal proceeding. 17.4 Notwithstanding the above you are aware of, acknowledge and agree, that GDPR Hero shall always be allowed to apply for injunctive remedies (or an equivalent type of urgent legal relief) in any jurisdiction and through any court of competent jurisdiction. 17.5. If there is a conflict between the documents that make up this Agreement, the documents will control in the following order: (a) the invoice, (b) the Order Form, (c) the Terms. The Agreement will be considered the confidential information of GDPR Hero, and Customer will not disclose the information to any third parties. Customer agrees that any terms and conditions on a Customer purchase order will not apply to this Agreement and are null and void. 18.1 To the extent permitted by law, in no event shall either Party be liable for any indirect damage, loss of profit or revenue. 18.2 To the extent permitted by law, in no event shall GDPR Hero be liable for damage of more than five times the Subscription Fee of the past twelve (12) months. 18.3 If Customer uses any Third Party service or applications, such as a service that uses a GDPR Hero API, with the Services: (a) GDPR Hero will not be responsible for any act or omission of the Third Party, including the Third Party’s access to or use of Customer Data; and (b) GDPR Hero does not warrant or support any service provided by the Third Party. Customer will comply with any API limits associated with the Services plan purchased by Customer. 19.1 In connection with the conclusion of the agreement, in accordance with 3.1 above, the Customer grants GDPR Hero the right to use the Customer’s company logo and company name as a reference in its marketing. 19.2 Marketing through email can be cancelled by the Customer at any time by using the link in the email(s). 
di| Share This Facebook Twitter LinkedIn st|Account Administrator Agreement Billing Period Contact Person Customer Data End User Entity Account GDPR Master Account User Order Form Reseller Subscription Fee Third Party h1|GDPR Hero – General Terms and conditions h3|1 INTRODUCTION 2 DEFINITIONS 4. TRIAL PERIOD, SUBSCRIPTION TERM AND AUTO-RENEWAL 5. FEES AND PAYMENT 6. ADDITIONAL FEATURES AND PRODUCTS 7. SUPPORT 8. CUSTOMERS RESPONSIBILITY 9. INFORMATION AND THIRD-PARTY LINKS 10. AVAILABILITY 11. DATA SECURITY 12. PROCESSING OF PERSONAL DATA 13. INTELLECTUAL PROPERTY 14. TERMINATION 15. TRANSFER OF ACCOUNT 16. GENERAL PROVISIONS 17. GOVERNING LAW AND DISPUTE RESOLUTION 18. LIABILITY 19. MARKETING sp|Log in SV Select Page Applicable from 1 February 2020 3 CONCLUSION OF AGREEMENT 7.1 Technical support regarding the Service will be provided by GDPR Hero to Customer through chat, email and telephone. 7.2 Legal support will be provided at no additional cost during the first month of the Subscription Term, up to two (2) hours per Customer. If Customer wishes to use further legal support, you can order our additional services, subject to Section 5.2, above. 7.3 The legal support provided by GDPR Hero should not be used as, or considered a substitute for, legal advise. Instead make sure to seek appropriate counsel for your specific situation. pa|GDPR Hero AB Bankgatan 1a 223 54 Lund Sweden +46 (0)46 – 273 17 17 di| Share This Facebook Twitter LinkedIn st|We are happy h1|Career sp|Log in SV Select Page to receive spontaneous applications! As an expanding company, in many ways, we are in need of increased resources a bit all the time. We are therefore looking for talents in several different areas, such as law, IT, finance and marketing. Sounds interesting? You are welcome to submit your application at ! pa|A client sends an email and asks for access to all personal data you have on them. How should you act in order to make sure that everything is done properly? 
The regulation posts a time frame in regard to when the data subjects´ (the person whose data you are processing) request shall have been processed. The main rule is that the question shall be handled swiftly, and the data subject shall be informed of what measures you have taken absolutely latest within a month from the request. If you find that the request of access is not possible to meet, you have to motivate this position of yours. If the request is complicated or if you at the time being have many requests, the time frame can be lengthened with two months. You always have to inform the data subject about the delay. There are no administrative formalities, meaning requirements, for how the data subjects shall request the access to their data. The regulation therefore does not state any demands for e.g. an ID or signature. However, you as an organisation must be able to ensure that the extraction from theends up with the right person. If the personal data fall into the wrong hands it constitutes a personal data breach, that in some cases must be reported to the Supervisory Authority. In some cases of request for access, it can therefore be necessary that the registered shows ID and signature. In other cases, a phone call from the data subject can be enough for you to feel sure that it is the right person requesting the access. Although, it is important to keep in mind not to ask for more personal data of the data subject than you actually need. Only when you have reasonable doubts about the identity of the person requesting access, you may ask for more information in order to confirm his/her identity. You consequently have to secure the identity through a suitability assessment. To simplify how a suitability assessment can work we will illustrate it with two different scenarios below! You have some close client relations and one of the clients now want an extract from the register of what personal data you have on him or her. 
The client makes the request through a phone call. The responsible person at your workplace recognize the clients voice based on previous contacts and is therefore certain that the personal data is requested access to by the right person. No other measures therefore have to be taken to secure the identity of the data subject. A client sends an email with a request of access. Since you have not had any contact with the client before you want to make sure that the person sending the email really is the owner of the personal data requested. You therefore ask the person to send a copy of their ID. The data subject shall amongst other things receive the following information: The extraction from thecan be made available both in writing and by electronic means. If the data subject leaves a request of access by electronic means, the extraction from theshall be made available with electronic means unless the data subject requests something else. The information can also be made available orally, if the data subject requests it. Also, in this situation it is crucial that you can identify the data subject. There is, as mentioned before, no administrative formalities for how a request for access should look like. The same situation concerns you as a data controller – no special rules are imposed on you in this concern. However, in order to prevent a personal data breach, it is important to follow certain safety guidelines. To ensure that the extraction from theis sent to the data subject it is always the safest alternative, but not a must, to send it to his/her officially registered address. Your client has requested access to their personal data. The client is identified, and you have put together the information in a report. The client asks you to send the extraction to her work address since she is working a lot. At her company there are many workers. 
Since you are aware of the risk that an unauthorized person might access the personal data if you were to send the extraction to her work address, you tell her that it will be sent to her officially registered address instead. An extraction shall not cost the data subject anything. The handling shall be cost free for the data subject exercising his or her right to access. The only situation when you can charge a fee is when the request is manifestly unfounded or unreasonable, e.g. if the request is recurring. If the data subject wants several copies of the same extraction you are allowed to charge a fee for the administrative costs (recurring request). You have to comply with the data subjects request of access. To do an exception from this is only possible if you are not capable of identifying the data subject. The data subject is then allowed to, but do not have to, give more information that can simplify the identification process. Within national legislation, e.g. Swedish legislation, it is also stated that personal data within a continuous text that is not in its final form, does not have to be handed out (however, maximum one year). Also, personal data within memos and similar is being exempted. If the data is protected according to law, for example the Swedish Law on Official Secrets (offentlighets- och sekretesslagen), you do not have to provide the data subject with the data. Remember the time limit – you have one month. To organize and constitute an action plan on how the extraction from the record on processing activities shall be made helps you save time. Always do a suitability assessment for what should be demanded of the data subject to secure his or her identity – the information shall never end up in wrongful hands! GDPR Hero has as a part of its tool a report function that rapidly and easily helps the user to identify and put together the information that all categories of data subjects are entitled to. 
The information is further administrated via a finished report ready for printing or being emailed as a PDF. Do you want to know more or to get a free demonstration of GDPR hero? You are always welcome to contact our support team at or book a demo ! 046 – 273 17 17 di|The content presented in this blog contains general information and is not to be considered as advice. Use of this information is at your own risk. Share This Facebook Twitter LinkedIn li|For what purpose you process the personal data. What categories of personal data you process. E.g. name, address and phone number. You shall also provide the data subject with a copy of the personal data, in this case; what name(s), address(es) and phone number(s) you have on the person. If you provide another party with the data within the EU or a third country. E.g. when you use subcontractors. The presupposed period during which personal data will be stored. Information regarding the right to submit a complaint to the Supervisory Authority. st|1. Act on time – within a month 2. What can you demand in order to identify the data subject? 3. What shall the extraction from the register to the data subject include? 4. Shall the extraction from thebe provided in paper or by electronic means? 5. Where shall the extraction from thebe sent? 6. What does an extraction from thecost? 7. In what cases do you not have to comply with the right to access? 8. Summary Get help from GDPR Hero! Victoria Limnefelt Nygren h1|Right of access – if someone requests their personal data h3|GDPR entails a right for the person whose data is being processed by an organisation to request access to their data. This is the so called “right of access”. You might also have heard about “extraction from the”. However, the right of access constitutes some question marks and confusions – how shall the proceedings be made in order to fulfil the requirements within GDPR? 
Does the data subject really have to provide a copy of his or her ID and shall the extract from thealways be sent to the data subjects officially registered address? We at GDPR Hero are now sorting out these questions! h4|Previous blog posts ADDRESS INFORMATION Contact us Social Media sp|Log in SV Select Page Clarification regarding the concepts of controller and processor Can we collect personal data concerning members´ relatives? How you can process personal data in accordance with the GDPR Personal data and covid-19 Invalidation of Privacy Shield – New judgment regarding transfer of personal data to the US When is the GDPR applicable? em|Scenario: Example: Example: Example: support@gdprhero.se pa|Information that an employee has the coronavirus is considered to be personal data regarding their health. Thus, this kind of personal data shall be dealt with carefully, as it falls under special categories of personal data based on the GDPR. You therefore need an exception in order to be able to process this kind of data. If you want to read more about GDPR in relation to healthcare, you can read our Swedish, more general, blogpost about it . The Swedish supervisory authority, Datainspektionen, also states that information that a person is being held in quarantine probably counts as personal data concerning their health. Although, information that an employee has returned from a risk area doess not count as personal data concerning their health. The same goes for information that a person is living in so called “voluntary quarantine”, meaning that the person out of precautionary considerations stays at or works from home. These kinds of personal data must however, of course, still be processed in accordance with the other provisions within the GDPR. What is then the situation when an employee has the coronavirus? What are you, as the employer, really allowed to communicate to the coworkers? 
It should normally be enough to inform the other employees that a person at their workplace has gotten the virus. You are only in exceptional cases allowed to provide their name. It must, in such a situation, be absolutely necessary to provide it, and the sick employee must have been informed about it in advance. It is namely important to, in accordance with the principle of data minimization, never provide more information than necessary. What is also important is that the information is objective and not offensive for the data subject in any way! When it comes to information concerning that an employee works from home after being in a risk area, you should think twice before giving out that information. Internally you can of course inform that the person works from home in order for other people to know how to contact them. However, you have to evaluate if it is really necessary to provide that information to people outside the organization. In both scenarios, the Swedish supervisory authority states that you inform why that person is not at the workplace. Regarding the question if an employer can perform medical check-ups on their employees, you have to look at national laws relating to employment or health and safety. The employer should only have access to and process such data if they have legal obligations to do so. Most education have during this spring been carried out via distance. In relation to this, many new questions have emerged, also regarding the GDPR. One of those questions is who the controller is for personal data being processed in relation to online lectures. You might think that the teacher or the principal is the controller in such a situation. However, that is not the case. In e.g. a Swedish public school the Board of undergraduate studies within the municipality is the controller, as they decide the purpose and means of the processing of the personal data. For a private school the controller is a limited company. 
Regarding online lectures it is also important for the school to think about data minimization, e.g. just use sound and/or video of the students if it is really necessary. This is specifically the case in relation to children, as their personal data is considered worthy of extra protection based on the GDPR. It is also important to keep in mind that the more sensitive the personal data is considered to be, the higher the requirements are for the security measures taken in order for the personal data to be considered protected. All balancing made between your need to collect the personal data versus the students need to not have their data collected should be documented and saved. Before starting to have online lectures, it is therefore important for the school to make sure their work regarding information security is in compliance with the GDPR. The Swedish supervisory authority has created a short checklist for this, which can be found (however in Swedish). Moreover, it is, as always with the GDPR, important to have a legal basis for the processing of personal data. The legal basis “consent” should definitely be avoided as there is an imbalanced correlation of power between the students and the school. Instead, the legal basis “public interest” can be used both for private and public schools. We hope you liked this blog post! If you have any further questions regarding GDPR you are more than welcome to contact us at GDPR Hero via email or phone 046 – 273 17 17. You can also book a demonstration of GDPR Hero here or contact our partner Sällberg & Co via email or phone 046 – 273 17 10. 046 – 273 17 17 di|The content presented in this blog contains general information and is not to be considered as advice. Use of this information is at your own risk. 
Share This Facebook Twitter LinkedIn st|Published 24 August 2020 Karolina Jivebäck h1|Personal data and covid-19 h4|As we are in the middle of a global pandemic, we of course have to behave differently than we are used to. But what does it actually mean in relation to the GDPR? New situations create new questions regarding the collecting of personal data, e.g. what actually constitutes personal data concerning health, how you should act as an employer or what responsibility the teacher actually has when personal data is being collected in connection to online lectures. We shall therefore, in this blogpost, look more into situations and problems which can emerge at the workplace and in school. At the workplace In school Further questions? Previous blog posts ADDRESS INFORMATION Contact us Social Media sp|Log in SV Select Page Clarification regarding the concepts of controller and processor Can we collect personal data concerning members´ relatives? How you can process personal data in accordance with the GDPR Invalidation of Privacy Shield – New judgment regarding transfer of personal data to the US When is the GDPR applicable? Do we have to report all data breaches? em|should not support@gdprhero.se pa|The scope of the GDPR is usually divided in two parts: the material scope and the territorial (geographical) scope. For the GDPR to be applicable to a certain processing, the processing must fall within both the material and the geographical scope. In addition to this, there are certain exemptions when the GDPR is not applicable. If one or more exemptions are at hand, either all of the GDPR or certain articles of the GDPR are not applicable to the processing. Article 2 of the GDPR states that the GDPR applies to: A processing can be partly automated If an organisation collects personal data manually to later enter the personal data into an automated filing system. Processing by other than automated means relates to manual processing. 
When is the GDPR applicable?
Published June 4th 2020
Josefin Karlström

Now that the GDPR has been in force for two years, many companies have started to deepen their knowledge of specific parts of the regulation. It can therefore be easy to forget some of the more basic but fundamental questions, such as: is the GDPR applicable to this processing? In this blog post we will therefore give you a reminder of when the GDPR is applicable. Because, believe it or not, the GDPR does not apply to all processing of personal data!

Two different aspects

The material scope

The GDPR applies to:
- wholly automated processing,
- partly automated processing, and
- processing by other than automated means which forms part of a filing system or is intended to form part of a filing system.

Manual processing is when the personal data is written on paper. If personal data is processed in paper form, the personal data must form part of a filing system or be intended to form part of a filing system. For something to be a filing system in accordance with the GDPR, it must be searchable according to specific criteria. When assessing whether something is a filing system, it should be taken into account whether it is structured in such a way that information about a specific person can easily be found. As a general rule, you can bear in mind that there should be two separate search criteria. For example, if you collect personal data in the form of name and address regarding your members, you process personal data about your members which forms part of a filing system. The filing system in this example has two search criteria, name and address, and the GDPR most likely applies to the processing. You can read more about who is protected by the GDPR (in Swedish).

The geographical scope

In addition to the material scope, the processing must be within the geographical scope of the GDPR. Article 3 of the GDPR regulates the geographical scope. The article is intended to determine whether the GDPR applies to a certain processing, not to a certain legal or natural person. Article 3 of the GDPR stipulates that the GDPR is applicable to:

1. Data controllers and data processors who are established in the EU.

An organization is considered to be established in the EU if there is a real and effective activity, even a minimal one, performed through a stable arrangement. The GDPR can also apply to a processing if it is conducted in connection with activities performed by an organization that is established in the EU. This means that it does not necessarily have to be the organization in question that processes the personal data, as long as the processing is connected to an organization established in the EU. Furthermore, it is not relevant where the processing takes place. The relevant factor is that the other organization is established in the EU.

2. Data controllers and data processors who are not established in the EU but who offer goods and services to data subjects in the EU, or
3. Data controllers and data processors who are not established in the EU but who perform processing activities related to the monitoring of data subjects' behaviour, if it takes place in the EU.

If the data controller or the data subject is not established in the EU, it does not necessarily mean that the GDPR is not applicable. It is enough that the data subject whose personal data is being processed is within the borders of the EU and that:
a) the data controller or processor offers goods and services to the data subject, or
b) the data controller or processor monitors the data subject's behaviour (within the EU).

In order for an organization to be considered to either "offer goods and services to data subjects in the EU" or "monitor data subjects within the EU", the activity must be intentional. It is not enough if an organization temporarily or by mistake targets people in the EU. If a data controller or a processor is not established in the EU but either offers goods and services to, or monitors, people in the EU, the organization must appoint a representative within the EU.

To summarize, the GDPR does not apply to a processing of personal data if:
- It is a manual processing where the personal data does not form part of a filing system and is not intended to form part of a filing system.
- The processing is performed by an organization that is not established in the EU and that neither offers goods and services to someone in the EU nor monitors people who are in the EU.

Is there an exemption to the applicability of the GDPR?

In addition to the above, there are certain exemptions under which the GDPR does not apply to a processing of personal data. Some of these exemptions are described below. Even if a certain processing falls within both the material and the geographical scope of the GDPR, there might be an exemption, in which case the GDPR might not be applicable to the processing. In some cases only certain articles of the GDPR apply to the processing, and in some cases no part of the GDPR applies.

One exemption is if the processing is performed by a natural person and is of a private nature or connected to his or her household. If these circumstances are at hand, no part of the GDPR is applicable. This might be the most common exemption to the applicability of the GDPR. The exemption can apply when a parent takes a picture of his or her child and puts it on the fridge in the family's house. Please note that the situation is different if the parent e.g. posts the picture on social media. You can read more about what to think about when you process personal data regarding children (in Swedish).

Another exemption is if someone processes personal data in connection with exercising their right to freedom of expression and information. This means that in Sweden, constitutional law takes priority over the GDPR. This is possible because an article in the GDPR gives the member states the possibility to make an exemption in national law for exactly this, the freedom of expression and information, which Sweden has chosen to do.

Not sure how to apply the GDPR?

If you have any questions regarding the GDPR, you are welcome to contact us at josefin.karlstrom@gdprhero.se or 046 – 273 17 17. You can already now book a demo of GDPR Hero to receive information about how you can make GDPR compliance easier.

The content presented in this blog contains general information and is not to be considered as advice. Use of this information is at your own risk.


Invalidation of Privacy Shield – New judgment regarding transfer of personal data to the US
Published July 30 2020
Karolina Jivebäck

On the 16th of July we finally got the long-awaited judgment of the Court of Justice in the interesting case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd (Facebook Ireland) and Maximillian Schrems. Many questions were referred, and in this blog post we will go through the most important parts of the judgment. If you are interested in reading our previous blog posts about this case, you can find them among our previous blog posts. We will however start this blog post with a short recap of what has happened so far, in order to refresh our memories.

Recap of previous events

Maximillian Schrems filed a complaint with the Irish Data Protection Officer (the Commissioner) in 2013, requesting that his personal data not be transferred by Facebook Ireland to the US, as adequate protection was not ensured there because of US surveillance activities. His request was rejected on the basis of Commission Decision 2000/520, in which it was stated that the US provides adequate protection, and he therefore took the case to court. The High Court in Ireland made a request for a preliminary ruling on the matter, and in case C-362/14 the Court of Justice declared Decision 2000/520 invalid (paras 52, 53 of the present judgment). Following this judgment, the referring court annulled the rejection of Mr. Schrems' complaint, and the case was referred back to the Commissioner. Facebook Ireland stated that it transfers a large part of the personal data from the EU to the US on the basis of Standard Contractual Clauses (SCC). Because of this, Mr. Schrems was asked to modify his complaint, which he did. He stated that the transfer of data could not be justified on the basis of SCC, as the personal data transferred had to be made available to US authorities such as the FBI and NSA. This type of surveillance was, according to him, incompatible with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (the Charter). The Commissioner took the view that the reformulated claim of Mr. Schrems raised the issue of the validity of the SCC. The Commissioner therefore brought a new action before the High Court, which also made a new request for a preliminary ruling to the Court of Justice (paras 54 – 57).

The ruling of the Court of Justice

The applicability of the GDPR

In some cases, transfer of personal data does not fall under the GDPR. However, the Court of Justice came to the conclusion that in a situation such as the one in the present case, namely where the transfer (from the EU to a third country) is between two economic operators for commercial purposes, and where there is a possibility that the personal data transferred, either at the time of the transfer or thereafter, is processed by the authorities of the third country for the purposes of public security, defence and state security, the transfer cannot be excluded from the scope of the GDPR (para 86).

Supervisory Authorities

The supervisory authority decides what actions are appropriate, after taking into account all relevant circumstances regarding the transfer of personal data in question. However, the Court of Justice points out the need for supervisory authorities to act with all due diligence when they receive a complaint from a data subject. The exercise of the responsibility to monitor the application and enforcement of the GDPR is, as the Court of Justice states, of particular importance when personal data is being transferred to a third country (paras 108, 109, 112). When there is an adequacy decision (like the Privacy Shield Decision) and data subjects complain about the transfer of their data, the supervisory authority must still be able to examine independently whether that transfer of personal data complies with the requirements laid down in the GDPR. If not, it has to bring the case before its national court, which can make a reference for a preliminary ruling regarding the validity of the adequacy decision (para 120). Thus, the Court of Justice points out the importance of the supervisory authorities acting on complaints from data subjects!

Standard Contractual Clauses

The Court of Justice came to the conclusion that the SCC Decision is valid. However, companies like Facebook cannot simply rely on an SCC when transferring personal data to third countries. The Court points out that recital 109 of the GDPR clearly states that the controller should be encouraged to provide additional safeguards as supplements when relying on an SCC. It is therefore foremost the responsibility of the controller or the processor to analyse on a case-by-case basis whether the law of the third country ensures adequate protection of the personal data transferred, and otherwise to ensure such adequate protection by providing additional safeguards. In a case like the present one, where the law of the third country allows public authorities to interfere with the rights of EU citizens, an SCC alone is not enough. When the controller or the processor fails to provide adequate additional measures, it is instead the responsibility of the competent supervisory authority, and if they fail to act, the transfer of personal data to the third country should be terminated (paras 126, 132, 134, 135 and 149).

The Court finally comes to the conclusion that the Privacy Shield Decision is invalid, as the Commission disregarded the requirements set out in Article 45(1) GDPR, read in the light of Articles 7, 8 and 47 of the Charter, when deciding that the US provides adequate protection of personal data transferred from the EU to organizations in the US (under the EU-US Privacy Shield). Under the Privacy Shield Decision, US surveillance programmes are not given any limitations on their power in relation to foreign intelligence or the non-US citizens targeted by those programmes. The principle of proportionality is therefore not fulfilled (see paras 163, 180, 198 and 201). Another thing not sufficiently provided for was effective judicial protection under Article 47 of the Charter. The ombudsperson mechanism in force under the Privacy Shield Decision cannot be equated with a tribunal, as it has, for example, not been shown to be independent. The Court notes that the ombudsperson is appointed by the Secretary of State and is an integral part of the US State Department. Moreover, there is nothing indicating that the ombudsperson can actually adopt decisions that are binding on the surveillance services mentioned above, and the mechanism thus cannot be seen as providing any legal safeguards for the data subjects (paras 195-197).

What are the effects of this judgment?

The Court of Justice points out that there is no risk of creating a legal vacuum by declaring the Privacy Shield Decision invalid, as Article 49 GDPR details the conditions for the transfer of necessary personal data to third countries when no adequacy decision or appropriate safeguards are in place (para 202). Thus, there will be no problem transferring personal data from the EU to the US, as the transfer can, for example, be based on consent from the data subject or be allowed if it is necessary to fulfil a contract. It will therefore be like transferring personal data to most other third countries.

The European Data Protection Board (EDPB) has reacted to this case. The EDPB welcomed the judgment as it emphasizes the fundamental right to privacy. Further, they stated the importance of creating a new agreement between the EU and the US to ensure an adequate level of protection for personal data transferred to the US. The EDPB further informed that they will continue to analyse the case and provide more clarification for stakeholders and guidance on how to transfer personal data to third countries. As a starting point, the EDPB has created a FAQ. It will be interesting to see whether any other adequacy decision of the Commission will emerge in relation to the transfer of personal data to the US. However, such a decision can only come into place when the US provides further safeguards for the personal data of Europeans! A limitation of their surveillance measures would, in that regard, be necessary.

Further questions?

We hope you liked this blog post! If you have any further questions regarding the GDPR, you are more than welcome to contact us at GDPR Hero via email (support@gdprhero.se) or phone 046 – 273 17 17. You can book a demonstration of GDPR Hero. You can also contact our partner Sällberg & Co via email or phone 046 – 273 17 10.


When are we the data processor?
When is our organization a data controller respectively a data processor?
Josefin Karlström

These terms can be hard to understand and get a grasp of, but it is important to do so if you want to fulfil the obligations in the GDPR. We at GDPR Hero receive many questions regarding the assessment of whether an organization is a controller or a processor. With this blog post, we hope to give you the answer to this difficult but important question!

Definition of data controller

The data controller is the one who decides for which purposes the personal data shall be processed, that is, how, when and why the personal data will be processed. The data controller is usually a legal person and not e.g. a CEO or other employees. Natural persons can be data controllers in certain situations. One of those situations is if a natural person has a company with individual ownership (a sole proprietorship). You are the data controller if you e.g. collect personal data regarding your employees (name, address, e-mail, salary) when you sign the employment contract. You are also the data controller if you collect personal data (name, e-mail) regarding your customers to administer a newsletter. The assessment can stop here if you do not send this personal data to another organization.

Definition of data processor

If you do send the personal data to another organization that begins to process it, this other organization might be a data processor. The other organization is a data processor if it processes the personal data on your behalf. You might be a data processor if someone else determines the means of processing. The data processor is not within the same organization as the data controller and processes the personal data on behalf of the data controller. Like the data controller, the data processor is usually a legal person. Bear in mind that there are more possibilities than one; the relationship does not always have to be that between a controller and a processor. In some situations, the organizations can be joint controllers or separate controllers.

Example

The following examples are situations when personal data is transferred between organizations. The transfer can be from a controller to a processor or from a controller to another controller.

1. Controller – processor
You have collected personal data regarding your employees. You have hired an external company to manage the payment of salaries to your employees, and you therefore transfer the necessary personal data to the other company. You decide the purpose of the processing (the other company is only allowed to use the personal data to pay your employees' salaries on the 25th of each month) and they process the data on your behalf (they have received the personal data, and instructions on how to process it, from you).

2. Controller – processor
You have collected personal data regarding your customers. The data is stored on servers supplied by a third party, an IT company. The IT company has a server room where all the information is stored, and the company takes care of the maintenance of your IT systems. In this example, the IT company does not have the possibility to decide the purpose of the processing, and it is a data processor.

3. Controller – controller
You hire a lawyer to pursue your claim in court. In situations where the counterpart's main performance under the agreement is not to process personal data, the counterpart is most often not a processor. One example is the above-mentioned case of hiring a lawyer. The agreement between you and the lawyer means that the lawyer is to help you with a legal issue. For the lawyer to be able to help you with this, he or she must process personal data from your organization. In this situation, you do not decide what type of personal data is processed or how it is processed; the lawyer is independent. However, you should make a case-by-case assessment.

In other words, it is generally the controller that decides. However, the controller can delegate which means to use, that is to say how a processing should be carried out, to a processor without their relationship changing. Examples of factors that indicate that the relationship is one between a controller and a processor are if one of the operators is required by law to perform a task where processing of data is necessary, and the other operator does not have its own interest in processing the personal data. The collaboration can sometimes involve more than one processing. In these situations, it is important to identify the different processings and determine the processor/controller relationship for every processing. To distinguish the different processings, you can base your assessment on the purpose of the processing.

GDPR Hero – the tool to help you!

According to the GDPR, both controllers and processors are often obliged to keep records of their processing activities and to regulate the relationship between them. In GDPR Hero, you can easily enter all the companies you transfer personal data to or receive personal data from. You will also have support from us through e-mail (josefin.karlstrom@sallbergco.se), chat or phone. Feel free to book a demonstration to learn more about how you can become GDPR compliant.


Data Protection Officer's liability
Josefin Karlström

According to the GDPR, it is either the data controller or the data processor that can be held liable if the regulation is not followed. This is in most cases a legal person. In this blog post we will examine whether only these actors can be held liable or whether, in certain cases, a Data Protection Officer can be held personally liable based on the GDPR.

What is a Data Protection Officer?

Before we look into liability, it is good to clarify what a Data Protection Officer is and what they do. For some organisations it is obligatory to appoint a Data Protection Officer. It is obligatory if:
- the processing is carried out by a public authority or a public body,
- the core of the business consists of processing that requires regular and systematic monitoring of the data subjects on a large scale, or
- the core of the business consists of large-scale processing of special categories of personal data.

Also, when not mandatory, the European Data Protection Board (formerly the Article 29 Working Party) recommends that the organisation appoint a Data Protection Officer, especially when it concerns a private organisation exercising a public service or public authority. The Data Protection Officer shall be appointed based on their professional qualifications and expertise in case-law and legislation in the field of data protection. The Data Protection Officer can therefore not be just anyone but needs to have certain characteristics and competences. Further, there are requirements that the Data Protection Officer's contact information be published and communicated to the Supervisory Authority, which is "Datainspektionen" in Sweden.

What a Data Protection Officer can and cannot do

It is important that the Data Protection Officer conducts his or her tasks independently, meaning that the Data Protection Officer may not receive instructions on how the tasks shall be executed. The Data Protection Officer is also not to be subjected to sanctions for doing their job. The Data Protection Officer's tasks are, among other things, to:
- supervise compliance with the GDPR,
- help with impact assessments,
- act as a contact person for data subjects, the Supervisory Authority and internally within the organisation, as well as cooperate with the Supervisory Authority, and
- be involved in all questions concerning the protection of personal data.

It is important that Data Protection Officers are given enough independence to be able to perform their tasks. The Data Protection Officer is not allowed to perform a task that could potentially lead to a conflict of interest with their role as Data Protection Officer. This entails, among other things, that the Data Protection Officer cannot have a role that determines the purposes and means of different processings. Read more about Data Protection Officers (in Swedish).

Liability based on the GDPR

It is the data controller or the data processor that shall ensure compliance with the GDPR. It is also the data controller or the data processor that must be able to prove that they process personal data in accordance with the regulation. There are two types of costs that might be imposed on data controllers or data processors based on the GDPR: administrative fines and liability for damages.

Liability for Data Protection Officers

The data controller or the data processor retains the responsibility for legal compliance with the GDPR even when the organisation has appointed a Data Protection Officer. The Data Protection Officer is not to be held personally liable if the GDPR is not complied with, even though it is the task of the Data Protection Officer to supervise compliance with the regulation. It is only the data controller or the data processor that can be held responsible according to the GDPR. With this said, the Data Protection Officer can be held responsible on other grounds. At this very moment, there are cases pending before the courts regarding personal liability for Data Protection Officers in both the UK and Switzerland. In both cases, the cost has affected the companies, who are claiming compensation from the Data Protection Officers. Switzerland is not a part of the EU or the EEA, but its legislation regarding personal data protection is very similar to the legislation within the EU. These two cases can therefore have a large impact on EU case-law.

Since personal liability is not a possibility for Data Protection Officers according to the GDPR, it is only at stake in certain cases. Since the GDPR does not contain any exemption for Data Protection Officers, liability based on the provisions of the Swedish Tort Liability Act (TLA) regarding employees is a possible scenario. The provision that regulates liability for employees is chapter 4 § 1 TLA. For this provision to apply, some conditions have to be fulfilled:
- Damage has occurred for the employer.
- The damage has been caused by the employee's fault or negligence.
- There is a causal link between the actions of the Data Protection Officer and the damage suffered.
- There are serious reasons.

The result of the above is that the Data Protection Officer must have acted intentionally or with gross negligence for personal liability to arise. If a Data Protection Officer reports correct information to the board of the organisation, they should be able to avoid being held personally liable. However, we await with anticipation more guidance within this field of law.

Have you appointed a Data Protection Officer or are you a Data Protection Officer?

We are always happy to help you with the evaluation of whether you need or would benefit from having a Data Protection Officer! Did you know that our partner Sällberg & Co offers Data Protection Officer as a service? Contact them via josefin.karlstrom@sallbergco.se or 046 – 273 17 10. Are you a Data Protection Officer? Book a demo of GDPR Hero today – the tool that makes your work easy!


Data Processing Agreement for the Service GDPR Hero

1 Introduction

1.1 Through this data processing agreement (hereinafter the Processing Agreement), the Parties fulfil the requirement laid down in Applicable Data Protection Legislation that there be a written agreement when the Controller entrusts a Processor with processing personal data on the Controller's behalf. The purpose of the Processing Agreement is to ensure that the data subjects' personal data receives an adequate level of protection.

1.2 The Processing Agreement constitutes an annex to the User Agreement for the Service GDPR Hero and covers the same period as the User Agreement. Through the Processing Agreement and the User Agreement, the Controller gives instructions to the Processor on how the Processor shall carry out the assignment. Further instructions on the processing of personal data shall follow the formal requirements set out in this Processing Agreement.

2 Definitions

All terms in the agreement shall be interpreted in accordance with the definitions given in Regulation (EU) 2016/679 ("General Data Protection Regulation") and in accordance with case-law.

The following terms, written with an initial capital, are used consistently in the agreement and are defined as follows:
- User Agreement (Användaravtal): the user agreement applicable at any given time.
- Competent Supervisory Authority (Behörig tillsynsmyndighet): for Sweden, Datainspektionen.
- Processing Agreement (Biträdesavtal): this written data processing agreement between the Parties.
- Applicable Data Protection Legislation (Gällande dataskyddslagstiftning): the Personal Data Act (1998:204), the Personal Data Ordinance (1998:1191), the EU General Data Protection Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and other applicable data protection legislation. In the event of conflict between the laws, the General Data Protection Regulation takes precedence from 25 May 2018.
- Party (Part): the Controller or the Processor.
- Parties (Parter): the Controller and the Processor.
- Controller (Personuppgiftsansvarig): a user of GDPR Hero.
- Processor (Personuppgiftsbiträde): GDPR Hero AB, organisation number 559088-5116, Bankgatan 1A, 223 52 Lund.
- Service (Tjänsten): the cloud service GDPR Hero.

3 The Controller's responsibility and instructions

3.1 Legal basis for all processing of personal data. The Controller shall ensure that all processing of personal data is permitted under Applicable Data Protection Legislation.

3.2 Only personal data necessary for the purpose. The Controller may only provide the Processor with such personal data as is necessary to achieve the purpose of the processing.

For further processing beyond the Processing Agreement and the User Agreements, the Controller shall provide supplementary instructions to the Processor. The instructions shall be in writing, and the Controller is responsible for ensuring that the supplementary written instructions are permitted under clauses 3.1 and 3.2 above. Should the instructions conflict with clause 3.1 or 3.2 above, the Processor reserves the right to refuse to carry out the supplementary processing. The Processor also processes contact details of the Controller's users of the service in order to fulfil its obligations under the User Agreement.

4 Processing of personal data by the Processor

4.1 In accordance with clause 1.2 above, the Controller shall, through this Processing Agreement and the User Agreement, give instructions to the Processor on how the Processor shall process personal data and fulfil its obligations under the Processing Agreement and Applicable Data Protection Legislation on the Controller's behalf.

4.2 The Processor's obligations. The Processor may only process personal data in accordance with the Controller's instructions and Applicable Data Protection Legislation. If the Processor notices that the Controller has given incorrect, incomplete or deficient instructions, the Processor shall without undue delay notify the Controller of this in writing.

4.3 The Processor's tasks. The Processor processes personal data on behalf of the Controller by permitting storage on the Processor's servers. Storage also includes backup handling in accordance with the User Agreement.

4.4 Contact with the supervisory authority. The Processor may not represent the Controller before the Competent Supervisory Authority. The Processor shall inform the Controller in writing of any contacts it has had with the Competent Supervisory Authority regarding the processing of personal data.

4.5 Requests from a data subject. A request from a data subject, directed to the Processor, about how his or her personal data is processed shall without undue delay be forwarded to the Controller. The Processor may only disclose information to the data subject about how his or her personal data is processed after written approval from the Controller, unless the Processor has a legal obligation to provide the information.

5 The Processor's organisational and technical capacity

5.1 Through this Processing Agreement, the Processor certifies that it possesses sufficient and necessary technical and organisational capacity and ability, including technical solutions, competence, financial and personnel resources, procedures and methods, to fulfil its obligations under this Processing Agreement and Applicable Data Protection Legislation.

5.2 The Processor's responsibility. Within the scope of the Processor's legal obligations, the Processor shall assist the Controller in fulfilling the Controller's obligations under Applicable Data Protection Legislation. If the Controller's request under the first paragraph above concerns cooperation regarding data protection impact assessments, cooperation regarding prior consultation with Integritetsmyndigheten or another competent supervisory authority, or cooperation regarding the design of technical and organisational measures for data protection at the Controller, the Processor is entitled to compensation at the hourly rate applicable at the time. The Processor shall inform the Controller in writing that the requested work will be charged at the applicable hourly rate before such work may commence.

6 Security and confidentiality

6.1 Confidentiality between the Parties. All representatives of the Processor have, through their employment contracts, signed a confidentiality agreement covering all processing of personal data carried out within the Service on the Controller's behalf.

The Processor shall, through appropriate technical and organisational measures and procedures, limit access to personal data to authorised personnel only. This shall in particular be achieved by ensuring that all personnel who handle personal data on the Processor's behalf have undergone special training in data protection, and that all handling of personal data is supervised by a specially appointed supervisor with good knowledge of and experience with Applicable Data Protection Legislation.

Disclosure of Personal Data. The Processor may not disclose Personal Data without the Controller's written approval, unless the Processor is obliged under Applicable Data Protection Legislation to disclose the Personal Data.

6.2 In the event of a personal data breach. The Processor shall, without undue delay and no later than twenty-four (24) hours after it has come to the Processor's knowledge, notify the Controller of the occurrence of, or the risk of, a personal data breach. A notification under the first paragraph above shall contain all necessary and available information that the Controller needs in order to investigate an actual or suspected personal data breach.

7 Sub-processors

7.1 In order for the Processor to fulfil its obligations under the Service Agreement and this Agreement, the Processor has the right to engage sub-processors. If the Processor intends to add a sub-processor, the Processor will give notice of this so that the Controller has the opportunity to object to such changes.

7.2 If the Processor engages a sub-processor, the Processor shall enter into a separate data processing agreement with that sub-processor regarding the sub-processor's processing of personal data. Such an agreement shall state that the sub-processor has obligations corresponding to those of the Processor under this Agreement.

7.3 At the Controller's request, the Processor shall provide a copy of those parts of the Processor's agreement with a sub-processor that are required to demonstrate that the Processor has fulfilled its undertakings under this Agreement.

7.4 Sub-processors approved at the time the Agreement was entered into are published in a separate list. The list of approved sub-processors is updated whenever a change occurs. In the event of a change, the Controller is informed in accordance with clause 7.1. All changes are also documented in this list, so that you as Controller have full transparency.

8 Communication between the Parties

All communication between the parties shall primarily take place in writing and secondarily orally. Communication shall primarily take place in Swedish and secondarily in English.

9 Applicable law and disputes

Disputes concerning the interpretation or application of this Processing Agreement shall be settled in accordance with the provisions on applicable law and disputes in the User Agreement. In the event of a dispute on interpretation or application, the User Agreement takes precedence.


There are three sets of standard contractual clauses, all based on the Data Protection Directive (95/46/EG), the directive which was the predecessor of the GDPR. The standard contractual clauses came into force in 2001, 2004 and 2010. Two out of three regulate the situation where both sender and recipient are data controllers. The standard contractual clauses from 2010 are appropriate for the situation where the sender is the data controller and the recipient is the data processor. Read more about the relationship between data controllers and data processors (in Swedish).

When transferring personal data to the US, a special regulatory framework was previously used, called the Safe Harbor system. In 2015 this system was annulled by the European Court of Justice (CJEU). The Safe Harbor principles were supposed to guarantee the data subjects of the Union sufficient protection for their personal data when it was transferred to the US. The annulment was based on the Commission's failure to examine what measures the US had taken, in its legislation or international obligations, to attain an adequate level of protection. The generally formulated Safe Harbor principles also provided that national legislation took precedence over the principles where the national legislation so demanded, and where national legislation had demanded a disregard of the Safe Harbor principles, it was not shown that the disregard was strictly necessary. Today, another certification system, called Privacy Shield, is used when transferring personal data to the US. This certification system is not used for other third countries, only the US.
Which companies can choose to apply standard contractual clauses when a transfer of personal data Well, the standard contractual clauses demonstrate The structure of the clauses enables a third country’s national legislation to prevail over the principles of the standard contractual clauses in a way that can jeopardize the protection of personal data according to GDPR. When GDPR came into force, also provisions which should be taken into account when applying the standard contractual clauses came into force – that is to say something that the standard contractual clauses today does not satisfy. With GDPR comes for example stricter demands regarding internal arrangements which should be in place when a transfer of personal data is made between two data controllers. Regarding a transfer of personal data between a data controller and a data processor shall the provisions in article 28 of GDPR be complied with. The article is though not completely reflected in the standard contractual clauses from 2010. Therefore, it can be a good idea to, besides the contract with the standard clauses, complement these demands. Standard contractual clauses presented by the Commission are similar structurally to the Safe Harbor system, since they through certain clauses according to the wording are given space to set aside the standard contractual clauses for the national legislation; see for example recital 11 in the decision of the Commission 2010/87/EU (the standard contractual clauses from 2010) and article 1(2) in the decision of the Commission 2004/915/EG (the standard contractual clauses from 2004). The protection of personal data which is supposed to be applied within the EU could consequently be undermined through a usage of the standard contractual clauses. Therefore, it could be needed to complement the standard contractual clauses with further contractual terms that ensures a compliance with GDPR. 
Examples of demands in article 28 GDPR which is not included in the standard contractual clauses from 2010 (from data controller to data processor): It is mainly the CJEU that decides if the citizens of the Unions personal data is sufficiently being protected, when transferred to a third country, based on these instruments. Recently, 9 July 2019, was an oral hearing held in case C-311/18 Facebook Ireland v. Schrems concerning the application of standard contractual clauses. The decision will come soon, and we’ll update here when it has been submitted. If you have any further questions regarding transfer of personal data to a third country you are more than welcome to contact us at GDPR Hero via email support@gdprhero.se or phone 046 – 273 17 17. Do not hesitate to of GDPR Hero – it will be time well spend! 046-2731717 di|The content presented in this blog contains general information and is not to be considered as advice. Use of this information is at your own risk. Share This Facebook Twitter LinkedIn li|Confidentiality regulation, Time period for processing of personal data, Data processors obligation to contribute when a personal data breach occurs. st|Standard contractual clauses Safe Harbor What does this have to do with standard contractual clauses? Contact Victoria Limnefelt Nygren h1|Standard contractual clauses and GDPR h3|In chapter V in the GDPR you will find a special regulatory framework which regulates transfer of data to third countries. A third country is a country outside of EU/EEA. To transfer personal data to a third country you will need a legal ground for it in conformity with GDPR. One of the possible legal grounds is to use standard contractual clauses (SCC). Thus, there is always a risk that the standard contractual clauses are not equivalent of the protection for processing of data in GDPR. 
E-mail: support@gdprhero.com

10 important concepts within the GDPR!

By Laurita Krisciunaite

The General Data Protection Regulation contributes a lot of new, and sometimes difficult, concepts that of course do not explain themselves. In this article we will go through and clarify some of the most important concepts in the regulation which are good to know about.

Personal data

Any information relating to an identified or "identifiable" natural person (also called data subject in the regulation). An identifiable natural person is someone who can be identified, directly or indirectly, that is, also through a combination of information or by a method of exclusion. Examples of personal data: name, identification number, location data, salary, allergies, physical and psychological identifiers, photo, IP address and so on.

Processing

An operation or set of operations, whether or not by automated means, which concerns personal data, e.g. collection, organization, structuring, adaptation or alteration, use, erasure, restriction and so on.

Data controller

A natural or legal person, public authority, agency or other body which determines the purpose and means of the processing of the personal data, either alone or jointly with others. In the case of legal persons, the board is usually the one mainly responsible, and not the employees who are processing the personal data.

Data processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The processor is always located outside your own organization. It could e.g. be an advertising agency which needs access to personal data in the form of the addresses of your customers to be able to send advertisements directly to them.

Third party

A natural or legal person, public authority, agency or other body that is not the data subject, controller, processor or a person who, under the direct authority of the controller or processor, is authorized to process personal data. In short, the third party is another data subject that can be affected negatively by your processing of personal data.

Data Protection Officer

The Data Protection Officer (DPO) checks, through informative measures, that people within your organization work in accordance with the GDPR. The DPO is independent from the controller and the processor. The controller and the processor are not allowed to give instructions to the DPO. Furthermore, the DPO is the contact person between your organization and the data subjects and the Data Protection Authority.

Privacy by design

Measures within the IT system for the protection of personal privacy. The Swedish Data Protection Authority (Datainspektionen) states that privacy questions shall affect the whole lifecycle of the system, where you shall focus on minimizing the amount of personal data, limiting access to the data, protecting the data subjects and developing user-friendly IT systems. This is something that will probably be developed by IT companies, but it is important to have knowledge about this concept, since the person in charge of handling the personal data (that is to say, you as data controller or data processor) is also responsible for GDPR compliance.

Profiling

Profiling is automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, behavior and so on.

Pseudonymization

Pseudonymization is processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. This means that you remove the identifiers of natural persons with the purpose of not being able to identify them; e.g. instead of knowing the identity of your old customers, you assign each of them a certain number. The condition for pseudonymization is that the complementing data is stored separately and that not everyone has access to it.

Data breach

A breach of security leading to the accidental or unlawful destruction, loss or alteration of personal data that is being processed. If a breach of security leads to unauthorized disclosure of, or access to, personal data, it is also regarded as a personal data breach.

Contact

If you have any questions, please contact us at support@gdprhero.se or call us on 046 – 273 17 17. We are here to help you!
Do we have to report all data breaches?

By Josefin Karlström, published April 27th 2020

Personal data breach is a common term since the GDPR came into effect almost two years ago. It is important to have basic knowledge regarding personal data breaches, and routines in place, to be able to handle a potential data breach. Unfortunately, much of the information circulating is incorrect. In this blog post we therefore describe what a personal data breach is and some important aspects to bear in mind if a data breach were to occur in your organization.

What is a personal data breach?

A personal data breach is, simplified, all unplanned processing of personal data. The definition in the GDPR explains that a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. It can be a personal data breach when:
- An employee sends an e-mail to the wrong person.
- A computer containing personal data is stolen.
- A patient's medical records are not available in the hospital's systems when the patient has a scheduled appointment.

There are three different types of data breaches:
- Availability breach = an availability breach means an unauthorised or accidental loss of access to personal data, or that the personal data has been destroyed. In other words, the personal data is not available when it has to be or should be.
- Confidentiality breach = a confidentiality breach means unauthorised or accidental disclosure of, or access to, personal data.
- Integrity breach = an integrity breach means that personal data has been altered by accident or by someone without authorisation.

It is important to remember that it does not matter whether the data breach is intentional or not; it is still a data breach.

What should you do if a personal data breach occurs?

There is not only one answer to what you should do if a personal data breach occurs. It depends on the nature of the personal data breach. However, there are some key points to bear in mind:
1. Report the data breach to the correct supervisory authority
2. Report the data breach to the data subject
3. Document the data breach

If a data breach occurs, you might have to report the data breach to the correct supervisory authority within 72 hours. Initially, you have to assess whether the data breach is of the type that has to be reported. A data breach has to be reported if it is likely that the data breach will result in a risk for the data subject or subjects. If the correct supervisory authority is Datainspektionen, you can report a data breach to Datainspektionen.

Some data breaches must also be reported to the affected data subjects. The obligation to inform the data subjects applies if the personal data breach might lead to a high risk for the data subjects' rights and freedoms. If this is the case, the information has to be delivered without undue delay. To determine if there is a high risk, there are mainly two relevant factors: 1. how serious the potential consequences might be and 2. how likely it is that these consequences occur. Remember that it is always important that you work to minimize the potential risks.

When you contact the affected data subjects, it is important that you are clear about what has happened. You should also inform the data subjects which consequences are likely to occur and what measures you have taken or plan to take. Furthermore, you should leave contact information for someone in your organization in case the data subject has questions.

If the result of your assessment is that the data breach needs to be notified to the data subjects, the data breach also has to be reported to the supervisory authority. This is because the threshold for being obligated to report to the data subject is higher than the threshold for being obligated to report to the supervisory authority. Because of this, all data breaches that you have reported to the data subjects have also been reported to the supervisory authority, but not all data breaches that you have reported to the supervisory authority have been reported to the data subjects.

If a personal data breach occurs, it should always be documented internally. This means that whether or not you report the data breach, the data breach must be documented in your own interest. Here, you have the opportunity to document your decision to report or not to report the data breach and to motivate this decision. In GDPR Hero, there is a function for documenting personal data breaches. You are welcome to book a demo where we can show you how this is done!

What can a personal data breach result in?

A personal data breach can result in an administrative fine for the organization or the organizations involved. The size of the administrative fine depends on how serious the data breach is and what measures you have taken to minimize the potential consequences. An administrative fine might also result in the initiation of an audit by the supervisory authority. The audit will then result in a decision, based on the individual situation. You can read more about audits in Swedish.

It is important to remember that there are two sides to consider regarding the consequences of a data breach. Apart from the potential consequences for the organization, a data breach might lead to consequences for the data subjects whose personal data is involved in the data breach. A personal data breach can lead to physical or material damage for the individual. For example, possible consequences for the data subjects are identity theft, damaged reputation or economic loss. You can read more about personal data breaches in Swedish.

Keep calm – we can help you!

If a personal data breach were to occur in your organization, we would be happy to help you make sure that you fulfil your legal obligations. Please contact us at josefin.karlstrom@gdprhero.se or 046 273 17 17. You can already now book a demo of GDPR Hero to receive information about how you can be prepared if a data breach occurs.

Guidance regarding e-mail and the GDPR

By Josefin Karlström

It is common in today's society that your work e-mail contains a lot of personal data and different types of processing. We receive many questions about how to use your e-mail in accordance with the GDPR. In this blog we therefore describe how you can handle your e-mail in a GDPR-smart way!

Processing of personal data

Most e-mails contain personal data, often both in the shape of the e-mail addresses of the sender and the receiver and in the content of the e-mail. When personal data is stored in, sent from or received in the mailbox, the personal data in the e-mail is being processed. Since e-mailing almost always means that personal data is being processed, your e-mail should be documented in your records of processing activities. Your use of e-mail has to comply with the other provisions in the GDPR as well. One of these provisions, an important one, is that all processing of personal data has to be based on a legal basis. You can read more about the legal bases. Depending on the content of the e-mail and why you are processing the personal data in the e-mail, the legal basis may differ. Here are some examples:
- You are e-mailing with a customer with whom you are about to enter into a contract. In this case, the processing of personal data can be attributed to the contract and the processing can be based on the legal ground contract.
- You are advertising through e-mail and the e-mails are being sent to your previous customers. Your previous customers might be interested in buying another service or product from you. If you have a valid legitimate interest assessment for the processing, which resulted in your interest weighing heavier than the data subjects' interest, the legal basis legitimate interest can be used. Read more about legitimate interest.

The dark side of the e-mail

What makes e-mail uncertain is that you have no control over the content of incoming e-mails. However, it is often necessary to process personal data in incoming e-mails for your organization to work. For this processing, it is possible to use the legal basis legitimate interest for the private sector. For the public sector, the personal data in incoming e-mails can be processed based on public interest. These legal bases will probably be useful for the initial processing, when the e-mail is received in the inbox. When you have read the e-mail, you have to decide if the content can be saved and, if it can be saved, what legal basis you will use to keep the content. In addition to this, you have to decide how long the content of the e-mail can and should be saved. If possible, you should transfer the information from the e-mail to another system, where it is easier to ensure that you comply with the GDPR.

Information to the data subject

You have a responsibility to inform the data subjects when you process their personal data. This includes processing in e-mail. If you receive an e-mail, you should inform the sender how you process their personal data. One way to fulfil your obligation is to have a Privacy Policy on your website and a link to this policy in your e-mail signature. In e-mails, it is common to mention people who are not included in the e-mail conversation. To fulfil your information obligation, it might be required of you to send information to people who are mentioned in the conversation. To determine if you have to send information to everyone, weigh the following: your workload in contacting the person, and the importance for the data subject of receiving the information. Remember that the principle of proportionality (what is reasonable?) is a part of your GDPR work.

Salary statements in e-mail

Salary statements essentially always contain personal data and are often sent through e-mail to employees. In some cases, information about sick leave is in the salary statement. Information about sick leave is a special category of personal data. Special categories of personal data are considered extra sensitive and deserve extra protection according to the GDPR. You can read more about sensitive personal data in Swedish. If a salary statement contains information about e.g. health, it should be handled with care. There is no explicit demand in the GDPR that forbids e-mails containing salary statements, but to fulfil the security demands within the regulation it can be a good idea not to choose e-mail as the means of communication for salary statements. The assessment has to be made by the data controller with regard to what level of security is necessary, based on what personal data is concerned within the respective processing.

In regard to termination of employment

One question that can be of concern is what happens to the e-mails of an employee when that person stops working for the company. To continue processing the personal data within that person's inbox and sent folder, you can base the processing on the legal ground legitimate interest, if your interest in processing the personal data outweighs the person's interest in not having his or her data processed. This concerns personal data of the former employee and of the people he or she had contact with. Here too, it is necessary that you fulfil your information obligation, and it is important that you have routines for the handling of former employees' e-mail.

Multiple processings

Bear in mind that there are usually multiple kinds of processing within your e-mail. You probably send e-mails to colleagues, customers, members, suppliers and so on. It is therefore not possible to decide on only one legal ground for all the processing within your e-mail.

Do you want to know more?

We would like to inform you what this means for your organization! Please contact us via email or phone 046 – 273 17 17. We and our partner Sällberg & Co would love to help you with the handling of personal data!
E-mail: josefin.karlstrom@sallbergco.se

What is a Data Sharing Agreement, really?

By Josefin Karlström

In our Swedish blog, we have written about Personal Data Processing Agreements. Those agreements concern the situation when personal data flows between a data controller and, for example, a subcontractor. In this blog post we will inform you about another kind of GDPR agreement, namely a Data Sharing Agreement. We will answer the questions: when is it necessary, and how should it be put together? In contrast to Personal Data Processing Agreements, all parties are data controllers and decide together the purpose and means for the processing of personal data.

When a Data Sharing Agreement is necessary – joint data controllers

Before concluding an agreement, it is important that you evaluate the relationship of the parties and what processing of personal data is concerned. Does it concern a data processor relationship, or are you joint data controllers? To enable an answer to this question we will first demonstrate what those different concepts mean. The data controller is the party that decides the purpose and means for the processing of personal data. The data controller is in principle always a legal person, e.g. a company, an organization or a municipality. The data processor is the party that processes personal data on behalf of the data controller. If the situation at hand is one where personal data flows freely between a data processor and a data controller, you need a Personal Data Processing Agreement, as stated in our Swedish blog. A Data Sharing Agreement is instead important to have in a situation where the personal data is transferred between two data controllers that together decide the purpose and means of the processing. An example of such a situation is when company X joins company Y in launching a new product. Company X and Y create a website in order to market the product together. Through the website the users' data is being saved, e.g. their IP addresses. Company X and Y have jointly decided what data shall be processed and in what way. They become joint data controllers since they determine the purposes and means for the processing together. However, it is important to look at the actual situation in order to decide what kind of relationship they have.

What a Data Sharing Agreement should look like

A Data Sharing Agreement is a way to fulfil the demand of having an internal arrangement in case you are seen as joint data controllers. A Data Sharing Agreement should therefore contain information regarding:
- The joint data controllers' respective roles. What are your different tasks in the cooperation?
- Why personal data is shared between the joint data controllers, what the purpose of the processing is and what type of data will be shared between the parties. It can for example concern information regarding the salaries of employees or agreements with clients.
- How the data subjects can exercise their rights, and which organization is responsible. Both parties have a responsibility to make sure that the data subjects can exercise the rights given to them in the GDPR. There are many rights in the GDPR, e.g. the right of access and the right to be forgotten.
- The obligation to inform the data subjects.
- Which legal ground is used for the processing.
- The joint controllers' relationship towards the data subjects.

It is an advantage to, in addition to the points above, include information about the retention period and the security measures implemented for the processing. The content of the agreement can favourably be made available to the data subjects.

Do you need more help?

If you have any questions, you are welcome to contact GDPR Hero; we are available on weekdays between 8 and 17. Do you need help to determine a relationship or to draw up a Data Sharing Agreement? We are proud to present our partner, the law firm Sällberg & Co. They can help you with your legal questions. You can contact them directly.

E-mail: josefin.karlstrom@sallbergco.se

Are you controlling your virtual identity?

By Karolina Jivebäck

Many companies (e.g. social media platforms and email providers) have, as a large component of their business model, the collection of your personal data and its sharing with third parties. They use the personal data they get from your public profile on their online platform to map your virtual identity. Bear in mind that they may use even more information than what you actively share with them. This could for example be tracking of your email, your location or the pages you show interest in. All of the information they manage to collect about you, your interests and your preferences contributes to the mapping of your virtual identity. The companies then monetize your personal data through targeted advertising.

The Commission recently conducted a questionnaire about Europeans' social media habits. They asked 27 000 Europeans if they had ever tried to change their privacy settings regarding their own personal profile on an online social network. The answer the Commission got was that the majority (56 %) of the people actually had tried to change their privacy settings. 1 % answered "don't know". Thus, there was a large group (43 %) of the people asked who answered "no" to the question. The main reasons behind this were that they trusted the sites to set appropriate privacy settings, closely followed by the answer that they did not know how to change the settings. (Special Eurobarometer 487b QB11, 2019)

How to take control of your virtual identity

With the GDPR came new rules on data protection, and with these came enhanced rights for the data subjects. If a company is processing your data based on consent, you as a data subject always have the right to withdraw that consent. But how do you know if they are processing based on consent? It is actually quite easy:
- Firstly, they have to inform you that they want to process your data based on your consent.
- Secondly, this consent has to be expressed through an affirmative action from your side. The consent should also be freely given! They can never force you to give it.

For you as a data subject it is furthermore always a good idea to read through the terms and conditions of the online platforms you use, especially with regard to disclosure of your data to third parties.

Not happy with how your data is being used?

If a company is not complying with the rules on data protection, you can always lodge a complaint with your own national Data Protection Authority. If you have been harmed by your data being processed wrongly, you may also be entitled to damages from the controller or controllers involved in the processing. The GDPR gives, beyond what is stated above, the data subject certain rights that are good to keep in mind:
- Right to information, when your data is being processed.
- Right to rectification, when the data being processed is inaccurate or missing important information.
- Right to erasure, e.g. if the data is no longer needed for the purposes for which it was collected.
- Right to restriction of processing, e.g. when you as a data subject think the data is inaccurate and have requested rectification.
- Data portability, if the legal basis is consent or the performance of a contract and you as a data subject e.g. want the personal data to be transferred from one social media account to another.
- Right to object: in certain cases you as a data subject can object to your data being used, e.g. when the data is being processed in order to carry out a task in the public interest or for direct marketing.

Thus, as a starting point: keep your rights in mind, make sure to optimize your privacy settings and take control over your own virtual identity!

What companies should think about in this regard

You as a data controller always have to inform the data subject when you are processing his or her data. In short, you have to state that you are processing the data, what specific data is being processed and why you process it. You also have to inform the data subject if you are providing the data to a third party. When you are processing personal data, you need to base it on a legal ground. As stated above, the legal ground "consent" can always be withdrawn by the data subject and is therefore a legal ground you should use only if no other legal ground is applicable in your specific case. If you want to know what other legal grounds there are, we have a blog post coming up soon describing the six different legal grounds and when they should be used.

Further questions?

If you have any further questions regarding the GDPR and your rights as a data subject or your responsibilities as a data controller, you are more than welcome to contact us at GDPR Hero via email or phone 046 – 273 17 17. You can also book a free demonstration of GDPR Hero. You can also contact our partner Sällberg & Co via email or phone 046 – 273 17 10.
h4|Previous blog posts ADDRESS INFORMATION Contact us Social Media sp|Log in SV Select Page Clarification regarding the concepts of controller and processor Can we collect personal data concerning members´ relatives? How you can process personal data in accordance with the GDPR Personal data and covid-19 Invalidation of Privacy Shield – New judgment regarding transfer of personal data to the US When is the GDPR applicable? em|karolina.jiveback@gdprhero.se pa|In 2019, approximately 19 400 cases were registered at Datainspektionen. These cases can for example concern questions sent in by e-mail or reports of data breaches. One third of all questions Datainspektionen received concerned which the right legal basis for processing personal data is. There are six legal bases in GDPR, e.g. contract and legitimate interest. You can read more about the different legal bases . Except ensuring compliance with GDPR in Sweden, Datainspektionen is cooperating with the European Data Protection Board (EDPB) to get a coherent interpretation of GDPR within the EU. Datainspektionen has tried to lift questions relevant to Swedish companies and organizations. The work with the EDPB means that Datainspektionen, together with other Supervisory Authorities, work on writing guidelines and similar to be used by companies, organizations and public entities. Furthermore, Datainspektionen has worked operational with cross-border cases. During 2019, Datainspektionen received 4 800 reports on data breaches. This is an increase from 2018. However, this increase or the fact that a business reports many breaches does not necessarily mean something negative according to Datainspektionen. Instead, this can be an indication that the business has a well-functioning routine to discover and report data breaches. A reported data breach can lead to an audit concerning the business. Around ten audits have been initiated this way. 
The data breach must generally be serious or indicate systematic problems for Datainspektionen to initiate an audit based on reports regarding data breaches. The handling of data breaches was manual during 2019, but this has now changed. Datainspektionen has recently launched an e-service to report data breaches. During 2019, Datainspektionen initiated 51 audits. These audits where mostly focused on identified risk areas. Some of these risk areas are healthcare, school and consent as a legal basis. Datainspektionen hopes to have optimal impact concerning the protection of the personal integrity through risk-based audits. Most of the audits initiated during 2019 are not finished. The procedure often takes a considerable time because of the lack of practice and because the application of GDPR have to be uniform in the EU. Datainspektionen writes that most of the on-going audits will be finished during the first six months of this year. Audits are necessary to ensure compliance with data protection laws. E.g. three out of four data protection officers report that their business has guidelines for handling personal data. This means that 25 % of all businesses with a data protection officer most likely do not have basic routines for processing personal data. Datainspektionen writes that they also know that many small enterprises generally have not come as long as larger enterprises regarding the organizations´ data protection. Do you need help to become GDPR compliant? ! Data subjects have the right to complain to the Supervisory Authority. The data subject that files a complaint shall, as a main rule, obtain a decision within three months. Datainspektionen received over 3 500 complaints during 2019. This is an increase in the number of complaints and this increase can be seen in many countries in the EU. This increase might be an indication that people become more and more aware of their rights. 
Another indication that people become more aware of their rights is that 53 % of all calls to Datainspektionen were made by private individuals. It is not only reports regarding data breaches that are relevant to determine where audits might be necessary. Complaints are also used this way by Datainspektionen. With the help of complaints, Datainspektionen determines where audits should be initiated. The complete picture from the complaints means that Datainspektionen knows where to focus their work. They use the complaints to know in which companies, organizations or public entities there might be great risks regarding the protection of personal data. Through different complaints, they have initiates audits against e.g. Klarna and Spotify. Datainspektionen claim that they have noticed that many companies, organizations and public entities are on the next level regarding their compliance-work during 2019 compared to 2018. This is noticed by the fact that the number of questions sent to their e-mail decreased. The questions during 2019 were also more qualified and often required legal interpretations and assessments. However, Datainspektionen points out that they can not answer questions with a specific answer in a particular situation. GDPR often requires that the business in question does the assessments themselves and document these. The reason for this is the principle of accountability in GDPR. We hope you liked this blog post! If you have any further questions regarding GDPR you are more than welcome to contact us at GDPR Hero via email or phone 046 – 273 17 17. Are you interested in our tool for recording of processing activities? Book a free demo . 046-2731717 di|The content presented in this blog contains general information and is not to be considered as advice. Use of this information is at your own risk. 
Share This Facebook Twitter LinkedIn st|Josefin Karlström h1|The Swedish Supervisory Authority’s annual report h4|If your business operates in Sweden, you have probably noticed that Datainspektionen is the Swedish Supervisory Authority. This means that Datainspektionen is responsible for monitoring compliance with GDPR (and other data protection laws) of Swedish companies, organizations and public entities. Datainspektionen has now released its annual report for 2019 and we will in this blog post summarize some of the most important aspects of it! The work of Datainspektionen Data breaches Audits Complaints Table listing corrective measures (in Swedish) Next level Further questions? Previous blog posts ADDRESS INFORMATION Contact us Social Media sp|Log in SV Select Page Clarification regarding the concepts of controller and processor Can we collect personal data concerning members´ relatives? How you can process personal data in accordance with the GDPR Personal data and covid-19 Invalidation of Privacy Shield – New judgment regarding transfer of personal data to the US When is the GDPR applicable? em|Source: Datainspektionens annual report 2019 Read the whole report . josefin.karlstrom@gdprhero.se pa|Personal identity numbers are not regulated specifically in the GDPR, however they fall under one of the special areas where it is open for the Member States to regulate on their own. In Sweden, we have chosen to make personal identity numbers into personal data deserving extra protection. This constitutes that personal identity numbers have to be processed in a special way, since there are higher demands for it to be classified as a legitimate processing of personal data. These demands are beyond the ones that are posed for “ordinary” personal data. The main rule is that personal identity numbers should only be processed if the data subject have given their consent to the processing, meaning explicitly said ”yes” to it. 
However, there are exceptions to when your organization can process the personal identity number even though you have not been given any explicit consent from the data subject. These exceptions are: The other demands following the GDPR are also at stake here. Hence, you are in need of a legal basis on which you base your processing of personal data (consent, contract, legal obligation, protect vital interests, exercise of official authority, public interest or legitimate interest) as well as making sure to follow the other principles of GDPR for a lawful processing of the data. Since personal identity numbers are regarded as personal data in need of extra protection, they shall be exposed as little as possible. They are e.g. not to be exposed on a letter. You must also assess if the personal identity number is actually needed. Maybe it is enough to have just the date of birth? Examine in what situations you process the personal identity number and check if you actually need it for that type of processing. As a guidance, you might look at the purpose of processing to figure out if the personal identity number is necessary to process or not. If you do not have consent for processing the data, you need to make sure that the usage is clearly motivated based on any of the exceptions mentioned above. Lists of members as well as their personal identity numbers are normally occurring in associations and member organizations. They are in many cases published on the association’s website, or e.g. in connection with a sports event. Often your organization have a purpose of processing personal identity numbers, for example you might get grants of the municipal for members of a certain age. However, it might be good to look into how you process personal identity numbers and if the processing can be motivated. Not only personal identity numbers are in need of special handling or deserves extra protection. This concerns also so called “sensitive data”. 
To learn more about how it should be handled, you can take a look at our Swedish blog post on the subject . We can help you handle personal identity numbers in a correct way. Do not hesitate to contact us at or 046 – 273 17 17. Do you want to know how we can make your GDPR-work easier? Book a demo of GDPR Hero . 046-273 17 17 di|The content presented in this blog contains general information and is not to be considered as advice. Use of this information is at your own risk. Share This Facebook Twitter LinkedIn li|When it is clearly motivated considering the importance of a secure identification; When it is clearly motivated considering the purpose of the processing; When it is clearly motivated considering any other noteworthy reason. st|Victoria Limnefelt Nygren h1|Are we allowed to handle personal identity numbers? h4|A personal identity number is considered to be personal data, thus it shall be dealt with in accordance to GDPR and other complementary national legislation. You might deal with personal identity numbers in various situations; for example in email, salary slips, employment contracts or disease-related documents. Something you might not know is that the personal identity number is classified as integrity sensitive personal data, also known as personal data deserving extra protection. In this blog post we will go through when a personal identity number can be processed and how it shall be processed according to present law. Why are personal identity numbers in need of special handling? When are you allowed to process personal identity numbers? How to handle personal identity numbers? Personal identity numbers in associations and member organizations Other personal data that needs special handling according to the GDPR Do you handle personal identity numbers? 
Previous blog posts ADDRESS INFORMATION Contact us Social Media sp|Log in SV Select Page Clarification regarding the concepts of controller and processor Can we collect personal data concerning members´ relatives? How you can process personal data in accordance with the GDPR Personal data and covid-19 Invalidation of Privacy Shield – New judgment regarding transfer of personal data to the US When is the GDPR applicable? em|support@gdprhero.com pa|For starters, we can note that there are three different types of data according to GDPR, which are processed in slightly different ways. The different types are: 1. Personal data 2. Pseudonymized data 3. Anonymized data is information that relates to an identified or identifiable natural person, and is fully covered by the GDPR requirements (Article 4(1) GDPR). is information that can only be linked to an identifiable natural person by means of additional information (Article 4(5) GDPR). is information that can not identify a natural person and is therefor not covered by the GDPR. This type of data can be stored e.g for research reasons of for the purpose of creating (anonymized) statistics. Pseudonymization is defined in Article 4(5) GDPR: As mentioned, this type of data are still possible to relate to and natural person with the help of additional information, and because of that these data are still covered by GDPR. Dessa uppgifter är som sagt fortfarande möjliga att koppla till en identifierbar fysisk person med hjälp av kompletterande information, och på grund av det omfattas uppgifterna fortfarande av GDPR. Pseudonymization is a type of technical security measure to reduce the possibility of relating information to natural persons. This technical security measure is strongly encouraged by GDPR, and is considered a way to ensure security in the processing of personal data under Article 32(1)(b) GDPR. 
However, pseudonymization does not preclude other organizational and technical security measures (see recital 28 GDPR). The anonymization procedure consists of two parts; 1. It must be irrevocable; and 2. It has been made in a way that it is impossible (or extremly impractical) to identify the natural person. For example, it is not enough to remove the name of a natural person in a CRM system where there are other information relating to the individual, because based upon the remaining information you are till able to identify (and therefore the personal data regarding the individual have not been anonymized). In order for the anonymization to be properly performed, it should in principle be impossible to identify the natural person after the implementation. To determine if it is possibly to identify a person, using other information available, one must see if it is reasonable for the person to be identified directly of indirectly though the information. What is considered “reasonable” depends on the costs and time spent in identification, available technology at the tie of processing and technological development. The former Article 29 Data Protection Working Party has with more technical details on how anonymization can be done (which is based on the former Data Protection Directive (95/46/EC)). Not so long ago, the Danish Data Protection Agency decided to report the taxi company Taxa 4×35 (Taxa) to the Danish police and recommended an administrative fine of DKK 1.2 million for violating GDPR. The Danish Data Protection Agency considered that Taxa failed to delete or anonymize personal data. Taxa, which provides an application where the user orders taxis for travel in Copenhagen, collects information about the customer’s name, telephone number, travel date, start time and end time, the length of the journey, payment details, address and GPS coordinates. Taxa kept the personal data for two years, and then they “anonymized” the data by removing the customer’s name. 
After another five years, the remaining data were deleted. The reason why taxi kept the data was to develop their application. The Danish Data Protection Agency discovered that Taxa had stored personal data on nearly 9 million travelers for five years. The company was not considered to have completed the anonymization of the personal data after two years, because it was still possible to identify the persons by means of addresses and telephone numbers. In addition, the Authority considered that the processing of personal data did not fulfill the purpose because the telephone numbers were not needed for the company to be able to analyze data on customers’ driving habits and thus develop the app. In most of the EU member states, the national supervisory authority can itself impose administrative penalties, but the rules differ in some countries, such as Estonia and Denmark. There, the national supervisory authority evaluates and assesses the situation, and if they consider that someone have acted in violation of the GDPR they will report this to the police. The police will then investigate whether there is a basis for imposing an administrative fine, and in the end the case will be judged by the court who haw the authority to sentence administrative fines. If you have questions and concerns regarding pseudonymisation or anonymisation of personal data, you are most welcome to contact ut either by email or by phone +46 (0)46 – 273 17 17. +46(0)462731717 di|The content presented in this blog contains general information and is not to be considered as advice. Use of this information is at your own risk. Share This Facebook Twitter LinkedIn st|Different types of data Personal data Pseudonymized data Anonymized data Pseudonymization Anonymization Contact us Nicole Chen h1|Pseudonymization and anonymization of personal data h3|Many companies want to retain information in order to keep statistics, which often requires information to be stored for a long time. 
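To make the Taxa lesson concrete, here is an added example (constructed for this post, not GDPR Hero's or Taxa's code) that treats ride records with the fields the case lists in three ways: dropping only the name, pseudonymising with a key that is kept separately as the "additional information" of Article 4(5), and an irreversible anonymisation that coarsens times, positions and trip lengths. The k-anonymity check at the end is a common yardstick the post itself does not name; all names, numbers, addresses and keys are made up.

```python
"""Pseudonymisation vs. a failed "anonymisation" of taxi ride records.

Constructed example; the record fields mirror those listed in the Taxa 4x35
case, but every value below is fictitious.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Fields that identify a customer on their own (direct identifiers).
DIRECT_IDENTIFIERS = ("address", "name", "phone")

# Constructed sample rides; names, numbers and addresses are made up.
RIDES = [
    {"name": "Anna Example", "phone": "+45 20 00 00 01", "address": "Testgade 1",
     "date": "2019-03-02", "start": "08:05", "end": "08:31", "km": 7.4,
     "payment": "card-1111", "gps": (55.6761, 12.5683)},
    {"name": "Bo Example", "phone": "+45 20 00 00 02", "address": "Testgade 2",
     "date": "2019-03-15", "start": "08:40", "end": "09:02", "km": 6.1,
     "payment": "card-2222", "gps": (55.6830, 12.5710)},
    {"name": "Cai Example", "phone": "+45 20 00 00 03", "address": "Testgade 3",
     "date": "2019-03-20", "start": "17:10", "end": "17:49", "km": 12.9,
     "payment": "card-3333", "gps": (55.6420, 12.6130)},
    {"name": "Dag Example", "phone": "+45 20 00 00 04", "address": "Testgade 4",
     "date": "2019-03-28", "start": "17:55", "end": "18:30", "km": 11.0,
     "payment": "card-4444", "gps": (55.6390, 12.5840)},
]


def strip_name_only(record):
    """What Taxa did after two years: drop the name, keep everything else."""
    return {k: v for k, v in record.items() if k != "name"}


def remaining_direct_identifiers(record):
    """Direct identifiers still present; any hit means the row is still personal data."""
    return [f for f in DIRECT_IDENTIFIERS if f in record]


def _identity_string(record):
    return "|".join(str(record[f]) for f in DIRECT_IDENTIFIERS)


def pseudonymise(record, key):
    """Article 4(5): replace the direct identifiers with a keyed token.

    The key is the 'additional information' and must live apart from the
    pseudonymised rows; whoever holds both can still attribute the data.
    """
    token = hmac.new(key, _identity_string(record).encode(), hashlib.sha256).hexdigest()
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["customer_pseudonym"] = token[:16]
    return out


def reidentify(pseudonym, key, customer_directory):
    """Attribution needs both the separately kept key and the customer directory."""
    for customer in customer_directory:
        expected = pseudonymise(customer, key)["customer_pseudonym"]
        if hmac.compare_digest(expected, pseudonym):
            return customer
    return None


def anonymise(record):
    """Irreversible: drop direct identifiers and coarsen the quasi-identifiers
    (exact time, exact position, payment detail) so no single trip stands out,
    while keeping what driving-habit statistics need."""
    lat, lon = record["gps"]
    low = int(record["km"] // 5) * 5
    return {
        "month": record["date"][:7],
        "hour": int(record["start"][:2]),
        "km_bucket": f"{low}-{low + 5}",
        "gps_cell": (round(lat, 1), round(lon, 1)),  # roughly 10 km grid cells
    }


def k_anonymity(records):
    """Size of the smallest group of rows sharing all values; 1 means some row
    is unique and can be singled out."""
    groups = Counter(tuple(sorted(r.items())) for r in records)
    return min(groups.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice stored in a separate key store
    print("name removed, still identifying:",
          remaining_direct_identifiers(strip_name_only(RIDES[0])))
    print("pseudonymised row:", pseudonymise(RIDES[0], key))
    print("k-anonymity after name removal:", k_anonymity([strip_name_only(r) for r in RIDES]))
    print("k-anonymity after anonymisation:", k_anonymity([anonymise(r) for r in RIDES]))
```

Removing the name leaves phone and address behind and every row stays unique, which is exactly why the Danish authority did not accept Taxa's step as anonymisation.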
By pseudonymizing or anonymizing the personal data, you create a safer processing, which may even fall outside the scope and applicability of the GDPR. However, there are high requirements for a personal data to be considered anonymous. We have in a previous blog post mentioned that anonymization is an important GDPR concept. In this blog post we go deeper into what anonymization and pseudonymization means. h4|Taxi 4×35 risks DKK 1.2 million in administrative fine Previous blog posts ADDRESS INFORMATION Contact us Social Media sp|Log in SV Select Page Good to know! Clarification regarding the concepts of controller and processor Can we collect personal data concerning members´ relatives? How you can process personal data in accordance with the GDPR Personal data and covid-19 Invalidation of Privacy Shield – New judgment regarding transfer of personal data to the US When is the GDPR applicable? em|”‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;” support@gdprhero.se pa|The AG starts with pointing out that he finds the present case falling within the scope of EU law. Schrems and the Irish Data Protection Commissioner (DPC) argued for this conclusion (para 103), contrary to the view of Facebook Ireland who thinks the case falls outside the scope. The AG also clarifies that the Data Protection Authorities have a duty to act, which of course is an important part of the enforcement procedure based on GDPR. They can therefore not decide not to act, e.g. when it comes to a big influential and important company for their country’s economy. 
So, basically, the AG is telling the DPC that they cannot choose when to act, and when not to: they must always act when Fundamental Rights are being violated! That statement is based on the duties within GDPR conferred upon the supervisory authorities, see Article 58(2) GDPR. The DPC argued for that the mentioned provision left some discretion for the supervisory authorities, but AG is of the same opinion as Schrems: namely that there is an obligation for the supervisory authorities to act to ensure a proper application of GDPR, see also Article 57(1)(a) GDPR in this regard (paragraphs 144, 145 of the Opinion). In Article 52 GDPR it is also clearly stated that the supervisory authority must be independent from any external influence when exercising its powers granted under GDPR. This is of course an important aspect since it has to monitor all companies under its jurisdiction and should in no way be influenced by them when doing so. The AG states certain doubts about the conformity of Privacy Shield with Article 7, 8 and 47 CFR as well as Article 8 ECHR since it might not provide an adequate level of protection. This is an interesting opinion as Privacy Shield is a way for US companies to certify themselves into having an adequate protection of personal data. Based on a decision by the Commission, data controllers in the EU are allowed to transfer data to companies in the US having Privacy Shield protection. The validity of Privacy Shield is based on the “essential equivalence” standard, meaning that the US must have essentially equivalent protection of data subject’s personal data when being transferred from the EU to the US. This standard is supposed to be essentially equivalent to the protection under GDPR, CFR and when EU law is not applicable; ECHR (see paragraph 247 of the Opinion). 
The AG for example poses some specific questions regarding if the basis for the US surveillance measures are defined clear and precise enough not to pose any risk of abuse (paragraph 289). The AG is also questioning how efficient the role of the Ombudsperson Mechanism is. The Ombudsperson is appointed by, and reporting to, the Secretary of State and is therefore a part of the US State Department. European data subjects have the possibility to lodge a complaint with the Ombudsperson, when their data is being transferred from the EU to the US. AG is however questioning if this mechanism is sufficient to cover for the lack of judicial protection of the persons whose data is being transferred to the US (see paragraph 335 of the Opinion). It can for example be questioned how independent the role of the Ombudsperson actually is. If the Court were to follow the argumentation by the AG there might be some interesting change in what kind of protection is needed, when transferring data to a third country. The AG is relying on cases based on the European Charter of Human Rights (ECHR), not ones based on the Charter of Fundamental rights (CFR) in this regard. CFR is one of the primary sources of EU law. According to Schrems this is a much more surveillance friendly approach, and he believe that the Court will have a much more privacy friendly approach which he means they’ve had in previous cases. It will be interesting to see if that will be the case! The AG also states that the Decision 2010/87/EU on SCC (Standard Contractual Clauses) is not shown to be invalid, even though the DPC had that view. If there in a specific case would be any problem with US law, then the DPC would have the opportunity, based on Article 4 SCC, to suspend data flow to the US. The DPC could in that way protect data subject’s personal data and there is therefore no need to invalidate the entire system of SCC. It will be interesting to see if the court decides to follow the opinion of AG or not. 
It will also be interesting to see if this judgment will affect US legislation in any way. Making it more concerned with data subjects and the protection of their personal data. If that would be the case, would the US then get rid of the system of Privacy Shield completely, or would they find a way to improve it? We hope you liked this blog post! If you have any further questions regarding GDPR you are more than welcome to contact us at via email or phone 046 – 273 17 17. You can also book a demonstration of GDPR Hero here. You can also contact our partner via email or phone 046 – 273 17 10. 046 – 273 17 17 di|The content presented in this blog contains general information and is not to be considered as advice. Use of this information is at your own risk. Share This Facebook Twitter LinkedIn st|Karolina Jivebäck h1|Regarding C-311:18: update to the case with the AG opinion h4|In this interesting case, previously covered in , Advocate General (AG) Henrik Saugmandsgaard Øe gave his opinion on the 19 of December 2019. In this blog post we will cover the most important aspects of the opinion, which might give some guidance in how the Court will judge as well. As mentioned in the previous blog post, the opinion of AG is not binding for the court but can be very useful as guidance both for the court and us. Within the scope of EU law? Data Protection Authorities have a duty to act Privacy Shield European Charter of Human Rights in regard to US surveillance Standard Contractual Clauses To conclude… Further questions? Previous blog posts ADDRESS INFORMATION Contact us Social Media sp|Log in SV Select Page Clarification regarding the concepts of controller and processor Can we collect personal data concerning members´ relatives? How you can process personal data in accordance with the GDPR Personal data and covid-19 Invalidation of Privacy Shield – New judgment regarding transfer of personal data to the US When is the GDPR applicable? 
em|support@gdprhero.se pa|The GDPR sets the limits to judge whether a processing is allowed or not. For example, it might follow from a contractual obligation or a provision in law that you are under obligation to process personal data. There is no general prohibition in the GDPR toward processing personal data, but for the processing to be legal, certain considerations must have been made and you must follow the demands set out in the regulation. Regarding member´s relatives´ personal data, it is mostly name, relationship with the member and phone number that will be collected. These types of personal data are not sensitive personal data (read more about sensitive personal data in Swedish ), which means that there, in most cases, should not be any major obstacles for processing the personal data. Even though the personal data is not sensitive, the requirements set forth in the GDPR must be met. These requirements mainly mean that you 1) must have a purpose with the processing at hand and 2) must have a legal basis for the processing at hand. It is also important to work in accordance with the other principles that controls all processing of personal data. I will describe these important parts of the GDPR below. In order for a processing to be legal, the controller must have a legal basis for the processing in question. In the GDPR, there are six different legal bases. These are: Generally, two different legal bases can be used when processing relatives´ personal data: consent or legitimate interest. you can collect a valid consent from the relative whose personal data you are going to process. It is important to remember that it is not possible to give consent for someone else. This means that the member can not give consent for the relative. Instead, the consent must be collected from the relative directly. In order for a consent to be valid, the request for consent must be clear and precise. 
The relative must be given information regarding inter alia that it is possible to withdraw a consent, the purpose of the processing and which types of personal data that will be processed. This information must be given before the consent is given. A consent must be given voluntarily, which means that the data subject should not feel forced to give consent to something she or he does not really want to. Finally, a consent has to be unequivocal, which means that it has to be actively given by the data subject. The data subject must take action in order to give a consent to a certain processing. it is possible to do an assessment in order to determine whether you, with the support of a legitimate interest, have the right to process personal data regarding your members´ relatives. Your interest of processing the personal data, e.g. in order to contact relatives in case of an emergency, must then outweigh the loss of integrity for the relative and the relative’s rights and freedoms. This impact assessment should be documented. A number of conditions are stipulated in order for a valid consent or an impact assessment, but you as a controller have many possibilities to process personal data in your organization – as long as you do it right. We are happy to help you ensure a legal processing of personal data. Contact us for help. You can read more about the other four legal bases . Another important part of the GDPR are the principles. Controlling all handling of personal data, these principles are a large part of the GDPR and if you work after the principles, you have come a long way in fulfilling the GDPR. There are six different principles stipulated in the GDPR. These are as follows: Every processing must have an explicit and clear purpose. It is often not a major issue to determine a purpose for a specific processing. On the contrary, a processing usually has a purpose even if you haven´t thought about it when initiating the processing. 
However, it might be difficult to formulate this purpose in a clear and precise way. When processing relatives' data, the purpose might be, for example, to be able to contact relatives if a member were to be involved in an accident. If this is the purpose of the processing, the relative's personal data cannot be used for a different purpose, unless the new purpose is compatible with the original purpose. The relative must also be informed of the purpose of the processing before the processing is initiated, so that the relative knows what the personal data will be used for. GDPR Hero and our partner are happy to help you with your GDPR-related questions, no matter how small or big they might be. Please do not hesitate to contact us for further information! 046-2731717 di|The content presented in this blog contains general information and is not to be considered as advice. Use of this information is at your own risk. li|Consent, Contract, Legal obligation, Public interest or exercise of official authority, Vital interest and Legitimate interest. The personal data shall be processed lawfully and fairly. It shall also be processed transparently, which inter alia means that the data subject shall be given information regarding the processing. The personal data has to be collected for a specified, explicit and legitimate purpose. This purpose determines how the personal data is processed, and the data cannot later be processed in a manner that is incompatible with the original purpose. There is reason to describe this principle further, which is done in the section on purpose limitation. The personal data collected has to be necessary in relation to the purpose of the processing. The personal data has to be adequate, relevant and not excessive. The personal data that is collected or stored has to be accurate and kept up to date. Inaccurate personal data shall be erased or rectified without delay.
The personal data shall not be stored for longer than is necessary to fulfil the purpose. The personal data shall be processed in a way that ensures appropriate security. What is appropriate security can vary depending on the type of personal data being processed and how sensitive it is. For example, if only name and phone number are being processed, the security requirements are not as high as when the processing includes diagnoses and medical conditions. st|Published October 14th 2020 Consent: Legitimate interest: Lawfulness, fairness and transparency – Purpose limitation – Data minimisation – Accuracy – Storage limitation – Integrity and confidentiality – Josefin Karlström h1|Can we collect personal data concerning members' relatives? h4|We receive many questions regarding relatives' data. Data concerning relatives can be collected in different contexts. First and foremost, many think of data concerning relatives of employees, but it might be of interest to collect data concerning relatives in other contexts as well. One example is data concerning relatives of members. Many companies, associations and organizations have members. We will therefore in this blog post discuss if and how you can collect, and thereby process, personal data concerning members' relatives. What does the GDPR stipulate? Legal basis Principles Purpose limitation Do you need help? em|josefin@gdprhero.se pa|In the GDPR there are six different legal grounds to rely on for lawful processing.
These six are: consent, contract, legitimate interest, legal obligation, public task and protection of vital interests. To be able to use the legal ground "legitimate interest" you need a legitimate interest in the processing. This is justified by the fact that your interest in processing the data is stronger than the person's interest in not having his or her data processed. You can think of this relationship as a pair of scales! Keep the pair of scales in mind! The justification of your legitimate interest shall be made through an overall assessment based on the relevant data, the relevant processing and the interests and rights of the data subjects concerned. What is demanded of you as data controller is to make a thorough assessment where you test whether the data subject, at the time when you collect the data, could reasonably expect that you would use the personal data for the intended purpose. The expectations are assessed with regard to your relationship with the data subject; for example, the data subject may be your customer or employee. If so, the data subject might not be so surprised that you are processing their personal data for something new. A rule of thumb could therefore be to ask yourself: "will the data subject be surprised that I process his or her data for this specific purpose?". A surprised reaction from the data subject could be an indicator that your interest in processing is not stronger than the interest of the data subject in not having his or her data processed. The legitimate interest assessment shall therefore contain the elements listed below. As a data controller, you have a responsibility in accordance with the GDPR, and it is not always certain that you have a legitimate interest in your processing of personal data. It is therefore always important that you document your legitimate interest assessment, in which you justify why your interest is stronger than the fundamental rights and freedoms of the data subject.
This legitimate interest assessment should preferably be approved by the board, since the board is ultimately responsible for your GDPR work. We will now look at what happens when you transfer personal data within a corporate group and base it on a legitimate interest assessment. When companies belong to a corporate group it can cause some confusion: are you actually allowed to transfer personal data based on legitimate interest to another company within the corporate group? The answer is the same as stated above: yes, if you have a legitimate interest! In this scenario it is also important to document your legitimate interest assessment in the same way as you document your other personal data processing, and the transfer can often be justified by an internal administrative purpose. Direct marketing means that a company contacts the customer directly, and in the recitals of the GDPR it is stated that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest". A well-known example is telemarketing. As we can see, a legitimate interest assessment as described above is still necessary, since the wording "may" shows that the interest is not always legitimate. Public authorities should generally not use legitimate interest in their processing of personal data, since they should base their processing on law. The person (data subject) whose personal data is being processed based on legitimate interest always has the right to object to that processing. If the person objects and asks you to stop using his or her personal data for the purpose of the processing, you must stop directly after the objection has been received. You are, however, always entitled to make a new legitimate interest assessment. We can strongly recommend and proudly present our partner, who can help you with your legal questions. Contact: info@sallbergco.se. Does your organization need help on how to become GDPR-compliant?
Book a demonstration of GDPR Hero or create an account. 046-273 17 17 li|Which categories of personal data are affected by the specific processing, for example name, date of birth and phone number; A justification of your interest in processing the personal data; A justification of why your interest in processing the personal data is legitimate; A description of the data subjects' fundamental rights and freedoms and why they might have an interest in their personal data not being processed; A justification of why the processing of personal data is necessary to achieve the intended purpose. st|Even if you have not entered into a contract with an individual or collected the individual's consent, there is sometimes an opportunity to process his or her personal data anyway. The legal ground this form of processing is based on is called "legitimate interest", and for this it is necessary (as you might guess) to have a legitimate interest in the data processing. In this article we will go through when and how a legitimate interest assessment shall be used and give examples of when an interest can be legitimate. We will also go through what needs to be done internally in your business. What is a legitimate interest assessment? How do you make a legitimate interest assessment? Should the legitimate interest assessment be in writing? Transfer based on legitimate interest within a corporate group Direct marketing When is legitimate interest a no-go? Remember – right to object Do you want to know more or do you need help to make a legitimate interest assessment? Victoria Limnefelt Nygren h1|What is a legitimate interest and when can we rely on one?
em|support@gdprhero.com pa|There are six legal grounds in the GDPR that state when an organisation may process personal data. The legal grounds are set out in article 6 GDPR. It is enough that you base your processing of personal data on one of these. Of course, it takes more than a legal ground for the processing to be lawful. For example, you must also follow certain principles; see our separate blog post about this. However, it is always important to have a clear knowledge of the legal grounds. The first legal ground mentioned in article 6 GDPR is consent. We have a previous article on our blog about how consent should be applied, where we state that consent is not always the best legal ground for processing personal data. This is because the data subject has to be able to withdraw the consent and the consent always has to be freely given. The voluntary aspect makes consent complicated in a relationship where one party has a lot of power, e.g. a public authority or an employer, and the other party does not have the same amount of power. For public authorities, consent is therefore basically never usable. Many people think that you always need consent to be allowed to process personal data. This is not true! If you can base your processing on one of the other legal grounds mentioned below, it is usually better to do so. You only need one legal ground, and consent is not necessary in most situations.
A consent shall always be freely given by the data subject, you shall inform the data subject about the data processing, and it should be clear that the processing is based on consent. It shall also be possible for the data subject to withdraw his or her consent. If you collect consent from a child, bear in mind that in Sweden the child has to have turned 13 to be able to independently give consent in relation to, for example, social media. It is more difficult to set an age limit in other contexts. The Swedish Data Protection Authority (Datainspektionen) has stated that children under the age of 15 generally cannot give consent on their own. You always have to make an assessment on a case-by-case basis, taking the age and maturity of the child into account. If you decide that consent is the most suitable legal ground for you, you should always document the following: a) who has given his or her consent, b) when the consent was given, c) how the consent was given, and d) what information was given to the data subject prior to consenting. The documentation can easily be done within our tool for recording processing activities, GDPR Hero. You can read more about it on our website. Contract is the second legal ground mentioned in the GDPR. In many cases, processing of personal data is necessary for the performance of a contract. It can for example concern contact information and the delivery address of the customer. What is important here is to know who you are entering into a contract with and that all data being processed is necessary for the performance of the contract or for entering into the contract. Bear in mind! If a natural person is a party to the contract, the legal ground for processing his or her data is "contract". If it is a company that is party to the contract, you cannot use this legal ground; see more about this under legitimate interest assessment.
In certain situations, organizations not only have the possibility to process personal data, but also an obligation to do so. If it is stated in legislation that certain data shall be kept, the organization in question is obliged to follow that legislation. It is often specified in the law for how long a certain type of data shall be kept. The GDPR takes precedence over Swedish national legislation but at the same time leaves room for supplementary provisions in Swedish legislation. In Sweden, collective agreements are treated as equivalent to provisions of law in this respect. Examples of laws that impose legal obligations are listed below. The legal ground vital interests can be used when the data subject cannot give his or her consent, for example when that person is unconscious. This legal ground shall be used only in exceptional cases. The Swedish Data Protection Authority recommends that you only process personal data based on this legal ground if you have no other way of solving the situation. The public sector will typically use the legal ground public interest or exercise of official authority as the basis for its processing of personal data. Private operators will generally not be able to use this legal ground, unless they perform a task of public interest, e.g. as a private school or private healthcare provider. Exercise of official authority means that an authority wields power over an individual, that is to say that the authority adopts a decision which either favours or burdens the individual. One example could be that a teacher grades a student or that an authority grants financial assistance. Official authority in this context can be exercised at both state and municipal level, as well as by private operators such as private schools and private healthcare providers. A task of public interest must be laid down in legislation, another provision, a collective agreement or a decision made on the basis of one of these.
Examples of tasks of public interest are schools, healthcare and public transport. Other examples of public interests are sports facilities that a municipality has voluntarily decided to operate. Legitimate interest is the last legal ground in article 6 GDPR. To be able to apply this legal ground, the data controller's interests have to override the data subject's interests. The processing of personal data also has to be necessary for the purpose of the processing. You have to make this assessment on a case-by-case basis. If a data subject is surprised that you process his or her data, this is an indication that your interest in processing the personal data does not override the interests of the data subject. A typical situation where legitimate interest can be used is in B2B customer relations. If a company, X, enters into a contract with another company, Y, the contractual relationship is between those two companies. The processing of personal data regarding the employees of X and Y for the performance of the contract can therefore not be based on the legal ground contract. Instead, this processing can be based on legitimate interest. Other examples of when legitimate interest can be used are when personal data has to be processed to prevent fraud or for direct marketing. In this case as well, it is important to document your assessment. That proves that you made a legitimate interest assessment before processing the data and demonstrates how you came to that result. This is an important part of your accountability: you have to be able to demonstrate that you comply with the GDPR. Public authorities should be very careful in using this legal ground. They cannot use it when they process personal data in the performance of their tasks. We hope you liked this blog post! If you have any further questions regarding the GDPR, you are more than welcome to contact us at GDPR Hero via email or phone 046 – 273 17 17. Are you interested in our tool for recording processing activities?
Book a free demo. 046-2731717 li|The Swedish Bookkeeping Act (Bokföringslagen), which states that accounting records shall be kept for seven years after the end of the calendar year in which the financial year ended. The Swedish Archives Act (Arkivlagen), which requires that public documents be archived so that the principle of public access to official records can function. st|Josefin Karlström h1|First step to process personal data in accordance with GDPR h3|We still get many questions regarding when it is legal to process personal data and whether companies always have to collect consent to be able to process the data. In this article we will therefore describe the six legal grounds you can base your personal data processing on to make sure that your processing is lawful. Introduction 1. Consent 2. Contract 3. Legal obligation 4. Vital interests 5. Public interest or in the exercise of official authority 6. Legitimate interest Further questions? em|josefin.karlstrom@sallbergco.se pa|Many legal provisions are built this way: first something is forbidden, but then there are many exceptions where it is not forbidden. The prohibition together with the exceptions makes it clear that the processing is only permitted when it falls under one of the exceptions.
Every processing of personal data about a data subject's health must fall under one of the exceptions in article 9.2 of the GDPR. Let us look at an example. In the morning, an employee, Adam, sends you, the manager, a text saying that he seems to have the flu and has to stay home today. It does not take much for personal data to concern health; it is enough that the data states that a person is sick. There are multiple purposes for processing this type of personal data, e.g. to adjust the staffing in the workplace, to pay the sick employee and to notify the proper administrative authority, in Sweden Försäkringskassan (the Swedish Social Insurance Agency). For these examples there is an exception in article 9.2.b of the GDPR regarding obligations and rights in the field of employment, which allows this processing. An example of such an obligation in Sweden is that the employer must report to Försäkringskassan if an employee has been on sick leave for more than 14 days. Bear in mind that every processing of special categories of personal data under article 9 of the GDPR still has to be based on a legal basis in article 6.1* of the GDPR. It is generally necessary for the performance of the employment contract to process personal data about sick leave, which corresponds to the legal basis contract (article 6.1.b). There is also a legal obligation to notify the proper administrative authority after 14 days (in Sweden), which is a legal basis for the processing of personal data. This processing is based on the legal basis legal obligation (article 6.1.c). A principle that is a central part of the GDPR is that personal data is not to be kept for longer than necessary. This principle means that when the purpose of the processing is fulfilled, you have to erase the personal data that you no longer need. In this situation it is useful to distinguish between the different types of personal data being processed.
If we go back to the text above, where Adam sends information about his sickness, there is most likely no reason to keep the information about which illness he had. However, the information that he called in sick has to be kept for a longer period, e.g. until the salary has been paid. According to the Swedish Sick Pay Act, the employee is obliged to hand in a medical certificate from the eighth day of sick leave. Another aspect of protecting the special categories of personal data is that they have to be stored in a secure way. Your e-mail inbox or your text message inbox is generally not considered a safe place for storing personal data. This is because in most cases the technical security is not high enough, but also because it is difficult to keep track of which personal data should be erased. When Adam sends a text that he is sick, the recipient should delete the text and, if necessary, make a note of the sick leave in a file on his or her computer or in a ledger kept for this purpose. You do not have to worry about not being allowed to note that an employee is sick, but you should ask yourself: what information is necessary to keep? For how long is it necessary to keep it? References to the regulation are made in the text; the full text of the GDPR is available online. 046-2731717 st|Erik Jonzén h1|Am I not allowed to note that an employee has reported sick!? h3|According to article 9.1 of the GDPR it is forbidden to process personal data about a data subject's health. Now you might think "oh, so we cannot write down that an employee is sick!?". This is not the case. The fact that you are not allowed to process personal data about health is a general rule, but there are many exceptions.
Personal data regarding an employee's health You still need a legal basis Secure processing is important em|"Hi! Seems like I have the flu! I have to stay home today. /Adam". *The legal bases for processing personal data are consent, contract, legal obligation, vital interests, public interest or the exercise of official authority, and legitimate interest. support@gdprhero.com pa|The categories of personal data that are often called "sensitive" are named "special categories of personal data" in the GDPR. The regulation contains an exhaustive list of the categories of personal data that are considered sensitive; they are listed below. These categories of personal data are considered extra sensitive because their processing can lead to significant risks for the fundamental rights and freedoms of the data subject. Certain articles in the GDPR regulate sensitive personal data. These articles stipulate that, as a main rule, you are not allowed to process sensitive data. This means that you are e.g. not allowed to collect personal data regarding an employee's allergies. Naturally, many businesses must collect sensitive data to function. Therefore, there are many exceptions to this main rule. These exceptions give you the right to process sensitive data in certain situations, provided that appropriate safeguards are in place. The exceptions are partly found in the GDPR, partly in national law. We will examine some of these exceptions under the heading below. The category of personal data that may cause the most headaches is biometric data.
Biometric data relates to a person's "physical, physiological or behavioural characteristics". Through biometric data, it is possible to uniquely identify a natural person, for example through fingerprint reading when you unlock your phone or computer. However, data that could be biometric data is not always classified as such. It is only in certain situations that data is in fact biometric data. For example, a photograph of people is only biometric data when it is processed through a specific technical means that allows the identification or authentication of a person. The prohibition in article 9 therefore only covers biometric data that is processed for the purpose of uniquely identifying a natural person. Generally, all companies, public authorities and organizations process sensitive personal data in some way, even if it is just for a short period of time. For example, if you are planning a dinner with your employees and you collect information regarding allergies to make sure that everyone can eat what they are served, you collect sensitive data. The fact that a certain employee is allergic to something is data concerning health. You can read more about data concerning health in our separate blog post. Bear in mind that where a processing of personal data is likely to result in a high risk to the data subjects' rights and freedoms, you have to conduct a data protection impact assessment. You can read more about impact assessments (in Swedish). In article 9 of the GDPR there are many exceptions to the prohibition against processing sensitive personal data. In the situations mentioned in article 9, you are allowed to process sensitive data, provided that you fulfil the other requirements in the GDPR. The exceptions are listed below. There is also a paragraph in the GDPR that stipulates that member states may maintain or introduce further conditions and limitations regarding the processing of genetic data, biometric data or data concerning health. This means that there might be provisions in national law that you must comply with in addition to the GDPR.
The conditions and limitations that the member states maintain or introduce are not allowed to hinder the free movement of personal data within the EU. Some of the exceptions mentioned above also require a basis in national or EU law or a collective agreement in order for the exception to apply. This is the case with the following exceptions: 2) employment and social security and social protection law, 7) necessary for reasons of substantial public interest, 8) preventive or occupational medicine, 9) public interest in the area of public health and 10) archiving purposes, scientific or historical research purposes or statistical purposes. In Sweden, much of the supplementary legislation is found in the Swedish Data Protection Act (dataskyddslagen), which supplements the GDPR in Sweden. Do not forget to verify the exceptions against national legislation! For public authorities, there are a number of exceptions in the Swedish Data Protection Act, which means that public authorities often have more exceptions to rely on than private actors. For example, the Swedish Data Protection Act contains the provisions for public authorities listed below. The Swedish supervisory authority issued an administrative fine on May 11, 2020. The fine was issued to a public healthcare department, partly on the basis that the department had processed sensitive personal data unlawfully. The sensitive personal data that the department had processed was information that a natural person had been admitted to a forensic psychiatric clinic and that he or she was subject to urine sampling. This information had been published on the department's website. The information that someone is admitted to a forensic psychiatric clinic might reveal that the person suffers from a serious mental illness, and the information that someone is subject to urine sampling might reveal that the person has or has had a drug addiction. This information concerns health, which is sensitive personal data according to the GDPR.
Among other things, the Swedish supervisory authority noted in its decision that the department had not identified any exception to the prohibition against processing sensitive personal data that could justify the processing. Because the personal data was sensitive, the publication on the website was not considered a minor infringement. Due to this unlawful processing, the department was fined 120 000 SEK. You can read the whole decision in Swedish. If you have any questions regarding the GDPR, you are welcome to contact us by email or on 046 – 273 17 17. You can already now book a demo of GDPR Hero to find out how you can make GDPR compliance easier. 046-2731717 li|Racial or ethnic origin, Political opinions, Religious or philosophical beliefs, Trade union membership, Genetic data, Biometric data, Data concerning health and Data concerning a natural person's sex life or sexual orientation. The data subject has explicitly given his or her consent to the processing of those personal data for one or more specific purposes. The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law. The processing is necessary to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent, e.g. if someone collapses and therefore cannot consent to the processing. The processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim.
The processing relates to personal data which are manifestly made public by the data subject. With this exception, it is important to remember that the data subject must intend to make the information public, e.g. if someone represents a certain political party in a television programme. The processing is necessary for the establishment, exercise or defence of legal claims. The processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law. The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems. The processing is necessary for reasons of public interest in the area of public health. The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Public authorities are allowed to process sensitive personal data if it is necessary to fulfil the public authority's duty to investigate. Public authorities are allowed to process sensitive personal data if it is necessary to be able to handle cases. st|Published September 15th 2020 Public authorities in Sweden: Josefin Karlström h1|How you can process personal data in accordance with the GDPR h4|In the GDPR, some of the articles only apply to certain categories of personal data. These specialised articles are important to understand in order to process personal data lawfully. The categories of personal data that are often called sensitive are among the categories that deserve extra protection according to the GDPR. In this blog post, we will examine how this extra protection works. Main rule: you are not allowed to process sensitive data Exceptions to the prohibition In addition to the GDPR Sensitive personal data – administrative fine Not sure how to apply the GDPR?
Previous blog posts ADDRESS INFORMATION Contact us Social Media sp|Log in SV Select Page Clarification regarding the concepts of controller and processor Can we collect personal data concerning members´ relatives? Personal data and covid-19 Invalidation of Privacy Shield – New judgment regarding transfer of personal data to the US When is the GDPR applicable? Do we have to report all data breaches? em|josefin.karlstrom@gdprhero.se pa|During this year, the Swedish Data Protection Authority has initiated multiple audits. An audit is initiated when a Data Protection Authority sends a written document to an operator who is included in the GDPR. The public sector has been of special interest for the Swedish Data Protection Authority, who recently initiated audits of Region Uppsala and Umeå University. Region Uppsala has notified two personal data breaches to the Swedish Data Protection Authority. After the notification, the Swedish Data Protection Authority has chosen to initiate an audit of the breaches and if the region had a right to process the personal data the way they did. The Swedish Data Protection Authority has furthermore initiated an audit of how Umeå University process special categories of personal data after complaints from the Swedish Police authority. However, it is not only the public sector but also the private sector that is in the Swedish Data Protection Authorities interest. The Swedish Data Protection Authority has initiated an audit with the purpose of controlling how consent is used to obtain customers personal data. Consent is one of six legal grounds for a legal processing of personal data. You can read more about the legal grounds in Swedish . The purpose of the audit is not only to review the companies, but also to give guidance on how to use consent. Consent is a legal ground that is often misused, and it is a part of the Swedish Data Protection Authorities inspection plan for 2019/2020 to review consent. 
Many have asked us if and when fines will be rendered in Sweden. We can now let you know that the first fine has been rendered. The amount? 200 000 SEK (approximately 20 000 euro). The Swedish Data Protection Authority, Datainspektionen, is the supervisory authority for personal data processing and is responsible for issuing GDPR fines. A fine is rendered when an operator that is obliged to apply GDPR does not apply it correctly. The amount of the fine can vary depending on if the operator is a public or private actor and how serious the violation is. The Swedish Data Protection Authority has issued the first GDPR fine to a municipality for the incorrect processing of students personal data. The school has processed biometric data, facial recognition, to keep track of students´ attendance to classes. The school has used consent as their legal basis for the processing, but according to the Swedish Data Protection Authority, consent is not applicable in this situation because there is an imbalance between the students and the school. Read more about the legal basis consent in Swedish . A Data Protection Authority has more possibilities than fines. It can give warnings and limit the operator’s possibility to process personal data. When choosing what type of sanction to apply, a Data Protection Authority have to consider the breach´s nature, complexity and duration. In the case with camera surveillance of the students, special categories of personal data concerning children were being processed. The Swedish Data Protection Authority does not think this was a minor breach. A fine was therefore the relevant sanction. The Swedish Data Protection Authority’s decision has been appealed by the municipality. We will have to wait and see what the end result will be. One of the purposes with the GDPR is to harmonize how personal data is being processed within the EU and what consequences that are relevant when the legal framework has been violated. 
A working party has been set up in the EU. The working party´s purpose is to harmonize the GDPR fines. Equal cases should be treated equally within the EU. Sweden is one of the presidency countries within this working party. The other presidency countries are Great Britain and the Netherlands. The guidelines are estimated to be finished next year. The operators that are obligated to follow the GDPR will have more insight into the amount of a possible fine for a certain violation of the legal framework. We hope that this blog article gave you some guidance! If you have and questions regarding the GDPR or GDPR Hero you are welcome to contact us. Our phone number is 046 – 273 17 17 and our email is support@gdprhero.se. If you want a free demonstration of GDPR Hero, click . Don´t forget – we offer GDPR Hero in English! 046-2731717 di|The content presented in this blog contains general information and is not to be considered as advice. Use of this information is at your own risk. Share This Facebook Twitter LinkedIn st|1. The Swedish Data Protection Authority (Datainspektionen) has continued with its audits. 2. The first GDPR fine in Sweden has been rendered! 3. The work with harmonization of GDPR fines in the EU countries – and Sweden is one of the chairmanship countries. Do you have any questions? Josefin Karlström h1|What is new in the field of GDPR – the first GDPR fine in Sweden h4|Many of us are free during the summer, but the development in the field of law never ceases. GDPR Hero have put together three of the most important aspects about the Swedish Data Protection Authorities work and the development in the field of GDPR. Previous blog posts ADDRESS INFORMATION Contact us Social Media sp|Log in SV Select Page Clarification regarding the concepts of controller and processor Can we collect personal data concerning members´ relatives? 
How you can process personal data in accordance with the GDPR Personal data and covid-19 Invalidation of Privacy Shield – New judgment regarding transfer of personal data to the US When is the GDPR applicable? em|josefin.karlstrom@sallbergco.se pa|The first aspect is to decide what your role is in the processing at hand. The legal status as a controller or processor must always reflect on the actual situation. It does not matter whether an entity is named controller or processor in a contract, if the entity in question in fact acts as the other. The controller is the entity that determines the purpose and means of the processing. This means that a controller is a body that decides certain key elements about the processing: the processing is taking place and this objective shall be reached. In some cases, the controller is determined by law. In other cases, you have to see which entity has the factual influence over a certain processing. An assessment must be made regarding each individual processing. For example, if Company A and Company B work together to advertise an exhibition, Company A might be the controller for one processing related to the exhibition and Company B for another. The fact that Company A is the controller for the first processing does not mean that it is the controller for the second processing. However, it is not always just one controller for a certain processing. Controllers might be jointly responsible. This is the case when the purpose and means of the processing are determined by more than one entity. The assessment of joint controllership is simply put the same as the one made for controllers, with the difference that an entity does not decide the purpose and means of the processing on its own but together with another entity. In order for a controllership to be joint, the controllers must decide the purpose and means . 
Both the purpose and the means of the processing must be determined by all entities concerned for it to be joint controllership. The determination of joint controllership should be carried out on a factual analysis on the purposes and means of the processing. The processor process personal data on behalf of the controller. The processor is serving someone else´s interests and may not carry out processing for its own purposes. The processor is always a separate entity in relation to the controller. Some of you might have noticed that the processer sometimes decides how to carry out the processing. For example, if a controller hires a processor to handle their IT and external storage, the processor might have a greater knowledge in these fields than the controller. Therefore, the processor has a possibility to decide some elements regarding how the processing is to be carried out without becoming the controller. These elements relate to more practical aspects of implementation, such as the choice for a particular type of hardware. The result of this is that the processor sometimes decides the means of the processing without becoming the controller. However, the processor can not decide the purpose of the processing without becoming the controller. The controller is responsible for compliance with the GDPR. The controller also has a duty to only hire processors that meet the security measures in the GDPR. This means that even though the processor might decide some elements regarding the means of the processing, the controller remains responsible for the implementation of appropriate technical and organisational measures. This duty does not end when the controller and processer sign a contract. Instead, the controller must verify the processor´s guarantees throughout the contract. In order for the controller to be able to demonstrate the lawfulness of the processing, it is advisable to document at the minimum necessary technical and organisational measures in e.g. 
a contract between the controller and the processor. You can read more about a so called Data Processing Agreement (in Swedish). The qualification of joint controllers will mainly have consequences in terms of allocation of obligations for compliance with data protection rules and in particular with respect to the rights of individuals. In a joint controllership, it becomes very important to determine which controller is responsible for compliance with the obligations in the GDPR. The joint controllers must therefore organise and agree on how and by whom the information to data subjects will be provided and how and by whom the answers to the data subject’s requests will be provided. This can be done in a so called Data Sharing Agreement (read more ). When regulating “who does what”, the controllers avoid blind spots, whereby some of the obligations in the GDPR are not fulfilled by either entity. This also ensures that the protection of personal data is not reduced. However, the data subject may contact either of the joint controllers to exercise his or her rights. Furthermore, both controllers are responsible for ensuring that they both have a legal basis for the processing. As you can see, some requirements in the GDPR are applicable to all entities that are controllers – jointly or alone. Another example is the requirement for controllers to keep a. This must be done by each of the joint controllers. Do you have a? We at GDPR Hero are specialized in this area of the GDPR and will be more than happy to help you fulfil this requirement. Do not hesitate to ! The processor must always comply with, and act only on, instructions from the controller. The processor shall not go beyond what is instructed by the controller. The processor must make sure that anyone it allows to process the personal data is committed to confidentiality and make sure to implement appropriate technical and organizational security measures. 
Moreover, the processor has an obligation to assist the controller and to make available all information necessary for the controller to demonstrate compliance. It is not only the controller that has to demonstrate compliance with the GDPR. The processor shall also be able to demonstrate compliance. The GDPR lays down obligations directly applicable specifically to processors. Processors can be fined in case of non-compliance with the obligations of the GDPR that are relevant to them and both controllers and processors are directly accountable towards supervisory authorities. A processor can also be held liable or fined in case it acts outside or contrary to the lawful instructions of the controller. According to the GDPR, both controllers and processors are many times obliged to keep records about their processing activities and to regulate the relationship between them. In GDPR Hero, you can easily enter all the companies you transfer personal data to or receive personal data from. You will also have support from us, through , chat or phone. Feel free to book a demonstration to learn more about how you can become GDPR-compliant. You can book the demo . 046-2731717 di|The content presented in this blog contains general information and is not to be considered as advice. Use of this information is at your own risk. Share This Facebook Twitter LinkedIn st|Published November 10th 2020 why together Josefin Karlström h1|Clarification regarding the concepts of controller and processor h4|An important part of the GDPR is to know whether your organisation is controller or processor for a certain processing. In some cases, your organisation might even be joint controller with another organisation. We have written about this before but it can not be stressed enough. The rules for determining whether an organisation is controller or processor are clear in theory, but in practice, difficult considerations must be made. 
Moreover, it is important to know the consequences that are attached to the different roles. Determine what your role is Responsibilities for controllers Responsibilities for joint controllers Responsibilities for processors GDPR Hero – the tool to help you! Previous blog posts ADDRESS INFORMATION Contact us Social Media sp|Log in SV Select Page Can we collect personal data concerning members´ relatives? How you can process personal data in accordance with the GDPR Personal data and covid-19 Invalidation of Privacy Shield – New judgment regarding transfer of personal data to the US When is the GDPR applicable? Do we have to report all data breaches? em|how josefin@gdprhero.se pa|The CJEU is actually a combination of different courts. It has different chambers, including the Grand Chamber (for important cases) and are assisted by Advocate Generals who give opinions suggesting how the court should judge in different cases. If the case is not that big or “groundbreaking” the opinion from an Advocate General is usually not needed. The CJEU have different tasks. Generally, there are three ways the CJEU can make precedents: 1. The CJEU can judge in cases when a national court has referred a question of interpretation of EU law to the court, which is the preliminary reference procedure, based on article 267 Treaty on the Functioning of the EU (TFEU). 2. The court also judge in cases brought directly in front of it which is called judicial review/action for annulment, based on article 263 TFEU. The judicial review is a direct action and the preliminary reference procedure is an indirect action. This constitutes that you as an applicant only can use the preliminary reference procedure (indirect action) if you do not have a clear standing based on the judicial review (direct action). 3. The CJEU also judge in cases regarding state liability, based on article 258 TFEU, and this concerns cases when a Member State of the union is not complying with EU law. 
It can either be based on the fact that the Commission “policed” EU law, figuring out that a Member State is not complying with EU law, or that another Member State is looking into the actions of the Member State, arguing for that it does not comply with EU law (article 259 TFEU). So, the CJEU is judging in cases regarding EU law, either in regard to interpretation of it, or validation of it. Therefor the case-law from the CJEU is really important as a source of EU law, in for example understanding the provisions within the Treaties, regulations or directives. The importance of the case-law from the court can be explained by the fact that the EU legal order is a mix between common law and civil law systems. As stated above, the preliminary reference procedure based on article 267 TFEU, is one of the three main ways of providing cases to the CJEU and is therefore an important base for interpretation of EU law. But when can a national court use this procedure? And can all of them do it or just the last instance within the national system? National courts can use the preliminary reference procedure when a question of EU law is important for the national case in question. The courts within the national system who are adjudicating at the last instance must refer such a question to the CJEU. But there are some exceptions to this based on case-law from the CJEU that fall under the so called “Act Claire”. Meaning, that national courts do not have to refer a question of preliminary ruling to the CJEU if; But what about the courts adjudicating at lower instances? They , but do not have to, refer a question of preliminary ruling to the CJEU. This is good because then you are not forced to exhaust the national system in order to get a preliminary ruling from the CJEU. It makes the system more efficient, which is an important principle within the EU. The original complaint was made by Max Schrems against Facebook in 2013. 
The complaint was based on the disclosure by Edward Snowden that Facebook provides access to personal data of Europeans to the US Intelligent Service, and the complaint seeks (also in the present case) therefore to stop the transfer of personal data from the EU to the US in this regard. The case therefore concerns the protection of fundamental rights of EU citizens. Since Facebook has its main establishment within EU in Ireland, the national Data Protection Authority involved is the Irish Data Protection Commissioner (DPC). The DPC initially rejected the case, but after judicial review in Ireland and a preliminary reference to the CJEU the DPC had to investigate it. In the same case the CJEU in 2015 (C-362/14) ruled that the former “Safe-Harbor” agreement was invalid and that transfer of data from the EU to the US could not be based on this. Further on, the DPC, after investigating Facebook Ireland, came to the conclusion that their transfer of personal data was never based on the “Safe-Harbor” system, but instead on “Standard Contractual Clauses” (SCC). If you want to know more about these two systems, take a look at our . Schrems further on adapted his complaint to this, and therefore the transfer of personal data based on SCC from the EU to the Facebook US is what is being questioned. The DPC filed a lawsuit against Facebook and Schrems at the Irish High Court in 2016 and in 2018 the Irish High Court referred 11 questions based on the preliminary reference procedure to the CJEU, since the court found that the US Government is involved in mass processing of Europeans personal data. One of the questions from the national court referred to CJEU is if the transfer of personal data based on SCC is violating article 7 (right to privacy) and/or article 8 (right to protection of personal data) of the Charter of Fundamental Rights (CFR). 
Another question is if the level of protection afforded by the US respect the essence of the right to judicial remedy for breach of the individuals data privacy rights guaranteed by article 47 CFR. If the answer to this question is yes, the follow up question is if the derogation from the protection in article 47 in the context of US national Security is proportionate in accordance with article 52 CFR. The two last mentioned questions above are therefore referring to an essence test and proportionality assessment, that the CJEU makes to see if the limitation of the fundamental rights were not too far reaching. It will be interesting to see what the CJEU has to say in this regard! If you would like to see all the questions referred to the CJEU you can find them . Now the case is listed under C-311/18, and there was a second hearing the 9th of July. The hearing was an eight hours oral argumentation. The judgment is expected before the end of this year, and in December the Advocate General in the case; Henrik Saugmandsgaard Øe said he will give his non-binding opinion. After the judgment, when the case is referred back to the national court, the DPC will eventually have to make a decision on the complaint. We hope you liked this blog post! If you have any further questions regarding GDPR you are more than welcome to contact us at GDPR Hero via email or phone 046 – 273 17 17. You can also book a demonstration of GDPR Hero . You can also contact our partner via email or phone 046 – 273 17 10. 046 – 273 17 17 di|The content presented in this blog contains general information and is not to be considered as advice. Use of this information is at your own risk. Share This Facebook Twitter LinkedIn li|the question is already subject to preliminary ruling (Case Da Costa), the question is irrelevant, the community provision has already been interpreted by the court or the correct application of EU law is so obvious as to leave no scope of any reasonable doubt (Case Cilfit). 
st|Karolina Jivebäck h1|C-311/18 Facebook Ireland and Schrems – Preliminary ruling and what it entails h3|The ongoing case; C-311/18 Facebook Ireland and Schrems is a very interesting one in regard to data privacy and mass surveillance when data is being transferred from the EU to the US. In this blog post we will look more into it and explain the most important aspects of it. Since it is a case of preliminary ruling, we will start with explaining what that procedure entails and the role of the Court of Justice of the European Union (CJEU) within the Union. The role of the CJEU Preliminary ruling/reference procedure C-311/18 Facebook Ireland and Schrems So, where are we now? Further questions? h4|Previous blog posts ADDRESS INFORMATION Contact us Social Media sp|Log in SV Select Page Clarification regarding the concepts of controller and processor Can we collect personal data concerning members´ relatives? How you can process personal data in accordance with the GDPR Personal data and covid-19 Invalidation of Privacy Shield – New judgment regarding transfer of personal data to the US When is the GDPR applicable? em|can karolina.jiveback@gdprhero.se pa|If someone process personal data regarding e.g. someone else´s personal life in a wrongful way, there are mainly three different ways claim responsibility: administrative fine in accordance with GDPR, damages in accordance with GDPR or criminal sanctions in accordance with the Swedish Penal Code. This blog post will describe these three ways to enforce accountability. An administrative fine is similar to fines imposed on someone driving too fast: it is a public authority that imposes the fine, in Sweden Datainspektionen, and the amount accrues to the State. However, it is as a main rule not possible to impose an administrative fine on a natural person. Generally, administrative fines can only be imposed on legal persons. This means that if an employee in e.g. 
a company process personal data wrongfully, it is the company that have to pay the administrative fine and not the employee. It is usually the company that is the controller or the processor and, according to the GDPR, fines are imposed on the controller and/or the processor. Administrative fines can be imposed on a natural person, if the natural person is considered to be the controller. This can be the case with sole proprietors. Natural persons can also be the controller for certain processing’s that do not occur within a company, e.g. if a natural person spreads pictures by publishing them on social medias. An administrative fine has to be effective, proportionate and dissuasive. For private entities, the amount of an administrative fine can be up to 20 million euros or 4 % of the total annual worldwide turnover. For public entities, the amount can be up to 10 million euros (in Sweden). A natural person has right to damages following one or several infringements of provisions in the GDPR. Just like fines, damages are mostly imposed on a legal person. However, there are some very important differences between damages and administrative fines: In most cases, both the controller and the processor can be forced to pay the total amount of the damages. This means that, even if more than one controller and/or processor is involved, the person afflicted can make one of them pay for the whole damage. This is to ensure that the individual actually can receive the damage he or she is entitled to. The controller and the processor can regulate how to manage the cost internally. The amount of the damage depends on how great the damage that the individual has suffered is. If there are many afflicted, the total amount of the damage can be very large. Read more about damages . Natural persons are generally not controllers or processors. This means that administrative fines or damages are most often not imposed on natural persons. 
However, a natural person can be punished according to the Swedish Penal Code for crimes that involves processing personal data. Criminal law protects against violations of privacy between individuals. One example of a crime that protects people’s integrity is the crime “unlawful breach of privacy”. The provision was added to the Swedish Penal Code last year to adjust the legislation to the digital development. Unlawful breach of privacy means that someone spreads images or other information, e.g. information in writing. The information or images must be of a particular character, e.g. pictures of someone in a very vulnerable situation or information regarding someone’s health. It can, in other words, not be just any type of images or information, but only the ones mentioned in the legislative text. For someone to be convicted of this crime, the information or image have to be spread. This means that the information or image have to be made available to more than a few people. However, these people do not need to actually take part of the information or the image. It is enough that they have the possibility. The crime unlawful breach of privacy must be denounced for criminal prosecution by the plaintiff or prosecution can be of general interest. If one of these two situations apply, the public prosecutor is in charge of the process. If someone is sentenced for unlawful breach of privacy, the penalty can be fines or imprisonment for up to six months. Except for the crime unlawful breach of privacy, the Swedish Penal Code contains crimes such as: With these three different ways to claim responsibility, people´s personal integrity can be considered well protected. However, GDPR does not extend to all processing’s of personal data. In Sweden, it is possible to receive a so called Publication License, which means that a business can receive protection by constitutional law for a database. If a business receives this protection, GDPR does not apply to the database. 
A Publication License is issued by the Authority for press, radio and television (Myndigheten för press, radio och TV). Mass media is automatically included in this protection through the Swedish Law on the Freedom of the Press, whereas other businesses have to apply to be included. The other businesses are then included in the voluntary protection by constitutional law because of the Publication License. There are no demands for the business to have a specific purpose to be granted a Publication License. We hope you liked this blog post! If you have any further questions regarding GDPR you are more than welcome to contact us at GDPR Hero via email or phone 046 – 273 17 17. Are you interested in our tool for recording of processing activities? Book a free demo . 046-2731717 di|The content presented in this blog contains general information and is not to be considered as advice. Use of this information is at your own risk. Share This Facebook Twitter LinkedIn li|A fine accrues to the state, whereas damages are payed to the person or persons afflicted. The process to receive damages does not involve Datainspektionen or any other supervisory authority. Instead, the afflicted person can go directly to the entity responsible or sue the party in a District Court (in Swedish: tingsrätt). The person entitled to damages can make their claim towards either the controller or the processor. which means that someone identifies someone else as criminal, without this being true. which among other things mean that someone expresses something derogatory about someone else and that this is meant to be offensive. which means that someone e.g. illegally and in secret takes a picture of someone located in a housing. st|Josefin Karlström h1|Different ways to claim responsibility for wrongfully processing personal data h4|The personal integrity is considered worth protecting. 
Are we allowed to have a list of phone numbers to family members of our employees?

Published March 27th 2020

Many organisations have a list of contact information to at least one family member of their employees. The purpose of this list is to be able to contact the family member if something were to happen, e.g. an accident or similar, at the workplace. What does the GDPR state about this kind of list? Does the organisation need to take any action in order to be allowed to process the information?

It could be seen as a safety measure for the employees that the employer has someone to call if something were to happen during working hours. Many companies therefore have lists with phone numbers to at least one dependant per employee. That kind of list usually contains personal data. Mostly it consists of name, phone number and possibly information about what kind of relationship the dependant has to the employee.

Legal grounds

The first question the organisation has to ask is on what legal ground the data shall be processed. Of the six legal grounds, three are more at issue in this regard, namely:

- Contract (article 6.1.b GDPR)
- Consent (article 6.1.a GDPR)
- Legitimate interest (article 6.1.f GDPR)

Only use contract in regard to personal data concerning the employee

Many processings within an employment relationship can be based on the legal ground "contract" (article 6.1.b GDPR). This has to concern data that is necessary for the fulfilment of the contract. Within this falls everything from salary statements to personal identity numbers, depending on how the employment relationship looks. However, this legal ground only concerns contracts where the data subject is one of the parties. Thus, processing of dependants' data cannot be based on this legal ground.

Consent can be troublesome

A valid consent provides great freedom to carry out almost any kind of processing. However, the employee cannot consent to the processing of the dependant's personal data. You can only consent to the processing of your own personal data (children excluded, see the Swedish blog post about children and personal data). So, the consent has to come from the dependant, either directly or via a power of attorney. It is not impossible to collect consent from all dependants, but it can be quite burdensome. The organisation needs to be able to prove that it has obtained a valid consent. This issue can be solved if the dependant signs a consent form, but administering this can be quite time consuming. It all gets even more complicated by the fact that the consent can always be withdrawn by the dependant. If you want to know more about what is needed for a valid consent, see our Swedish blog post about .

Legitimate interest is easiest

The most useful legal ground in this regard is legitimate interest (article 6.1.f). It involves weighing the organisation's legitimate interest in the processing against the dependant's interest in personal integrity. The significant advantage of legitimate interest compared with consent is that no action is demanded of the data subject. The legitimate interest assessment is made based on how the processing is constructed in different workplaces and what data is needed for the purpose in every specific case. Often a list of dependants can be regarded as a legitimate interest for the organisation to have, and should therefore outweigh the dependants' interest in personal integrity.

To be able to base a processing of personal data on legitimate interest, the decision must be made at a high level within the company. The motivation of the legitimate interest must be documented, which can easily be done within a register of your data processing. You can read more about why it is important to have a good register (in Swedish).

Thus, processing of dependants' personal data is easiest to legitimise based on the legal ground legitimate interest. Contract can in many cases not be used, and consent can be quite troublesome.

Limitations to your processing

On the list of dependants, the only personal data that is allowed is data that is necessary in relation to the purpose. In practice this means that the organisation must figure out what data is actually necessary to have. Data other than what is necessary shall not be on the list at all. It is also important to make sure that there is no incorrect data on the list. As soon as the data no longer fulfils the purpose of the processing, it shall be deleted. Your organisation therefore needs routines for how the list should be updated and when the data should be erased. With regard to lists of dependants, it is for example important that the data is erased when the employee terminates his or her employment. After that point there is simply no longer any need for keeping it.

Inform the data subjects

Within the GDPR you find the so-called "right to information". In the present case this right means that the data subject must be informed that his or her data is being processed. The data subjects must, inter alia, be informed about what data is being processed, what the purpose of the processing is, on what legal ground the processing is based and when the personal data will be erased. If you want to know more about the effect the GDPR has on the workplace, you can read our two Swedish blog posts (LINK part 1 and 2) about practical information for the workplace, part 1 and part 2.

Contact

Please do not hesitate to contact us!

Email: support@gdprhero.se
Phone: 046 – 273 17 17

Erik Jonzen

The content presented in this blog contains general information and is not to be considered as advice. Use of this information is at your own risk.
