On May 25, 2018, the Data Protection Regulation entered into force, which places more demands on how we as a company handle personal data in our work. In order to meet the changes, Skrået has produced the following document with the most important changes and a new way of working.
THE DATA PROTECTION REGULATION
A new EU law that replaces the Personal Data Act (PuL) for how the processing of personal data must be handled. The regulation is the same throughout the EU, which makes it easier to work with personal data between European countries, and it also imposes higher security and information requirements than PuL on companies and organizations that process personal data. The Data Protection Regulation focuses on the data subjects' rights to their data and therefore attaches great importance to these rights and the accompanying obligations that the companies that process data have.
Personal data is data that alone or together with other data can be used by someone to identify a living natural person. Company details are therefore not covered.
Examples of personal data are: Social security number, address, e-mail, telephone number, property designation, member number/customer number, registration number, IP address and photographs of people.
All data that alone or together with other data can be used to identify a natural person is personal data. This means that we, as a company that processes data, must also secure data that alone cannot identify a person but which, in combination with one or more other data, could do so.
Sensitive personal data
Certain categories of personal data have been judged to be so sensitive that they may only be processed if there is direct support in law or the data subject has given their express consent. If processing is permitted, extra consideration must also be given to the security and privacy of the data subject.
These data are: ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health or sexual orientation.
This means that it is very important, when registering new quotes or changing saved quotes or data, to check that they do not contain any sensitive personal data that we do not have the legal right to process. Such information may be saved in the computer system only if it is really justified. If a customer writes or sends in material that, for example, contains health information, and that information is not absolutely necessary for the performance of our mission, it should not be saved but deleted after any other information has been noted in the computer system.
When Skrået does something with personal data, this is called processing the data. When data is processed, it must be done securely and with protection for the integrity of the personal data. Processing is not only when we look up information about a property or an object and read or change it; storing the data, first registering the data in the system, and taking a backup of the database are also processing of personal data.
The responsibility of the business
The responsibility for ensuring that the processing of data is carried out correctly rests with the whole of Skrået, with the CEO and the board as ultimately responsible.
Skrået must not have information in its computer systems that we do not need. "Good to have" information must not be saved just because it is good to have. It is therefore important not to save personal data in e-mail or in other places than where it belongs. For the completion of the assignment for the municipality, it may be required that data be saved. The municipality instructs Skrået to store information in the control book.
A person who is registered in one of Skrået's data systems has the right to have their information corrected if it is incorrect. This means that when a registered person contacts Skrået and indicates that the information is not correct, we must investigate whether the information that the registered person believes to be incorrect actually is. We can do this, for example, by comparing the information with the population register or other sources and seeing whether it matches. If it turns out that the information we have recorded is incorrect, we must correct it as soon as possible.
We always have to investigate whether the information is correct, but we do not need to change it if it turns out that the information provided by the data subject does not match what we know or can see in public records. A customer cannot therefore force us to register a new address if we believe that the new address is incorrect.
A person who is registered in one of Skrået's data systems has the right to have their data deleted if there is no longer a need to keep the data. The registered person must then contact Skrået and inform them that they want us to delete all information about the person in our computer systems.
When a data subject requests to be deleted, we must investigate as soon as possible whether the data really should be deleted. If we come to the conclusion that we no longer need the data, they must be deleted without delay. If the investigation shows that we still need the data, for example if it is required to have a correct control book, then the data must not be deleted.
A person who is registered in one of Skrået's data systems has the right to receive an extract from the data system with everything that is registered about the person. The register extract is free of charge for the registered person and is either provided electronically or physically, depending on what the registered person wishes. If the person requests several register extracts in quick succession, Skrået has the right to charge a fee for releasing the material or in some cases refuse to release the information. However, denying such a request requires that we can really justify that it is not reasonable to disclose the information, so the main rule is that we must disclose the requested material.
Security by default
The Data Protection Regulation requires that computer systems in which personal data are processed put security first. This covers not only technical security but also physical security in the premises, as well as routines for how we work with personal data in the system.
This means, among other things, that there are restrictions on how users are allowed to use the systems. The systems therefore have several levels of security, and employees will only be able to see the information they need in order to carry out their duties.
The abuse rule (E-mail and running text)
In the past, running text in, for example, Word documents or e-mails in the e-mail program was exempted from the personal data rules, as long as the processing did not violate anyone's privacy or constitute abuse (hence the name "abuse rule").
This exception disappears when the Data Protection Regulation is introduced, which means that personal data contained in such programs must now be treated with the same security and privacy considerations as data in other data systems. We are therefore still allowed to receive e-mails and write personal data in Excel and Word, but they must be processed in the same safe and lawful way as all other personal data processing.
Right to process the data
In order to process the data, Skrået must have a legal basis that allows us to process it. The legal bases are listed in the Data Protection Regulation, and none other than those expressly written there are permitted.
The bases that may be relevant for Skrået are:
- Consent from the data subject
- The processing is necessary to fulfill an agreement
- There is a general interest in the service being performed
- There are legal requirements or authority decisions that require the data to be processed
- The association has a legitimate interest in processing the data
When it comes to sweeping, we have a general interest as the basis for carrying out the task. This means that it is in society's interest that sweeping and fire protection work as they should, and since this is such a socially important, and even legislated, service, it is also permitted to process personal data in connection with it.
Contact details for people who work for customers or suppliers are also personal data and must be treated as such. For the processing of such data, Skrået has what is called a legitimate interest in processing the data. With each new such processing, we assess whether we have a greater interest in keeping the data than the data subject has in us deleting it.
Other data in our systems may have a different basis and if a registered person contacts us with questions regarding rights and obligations according to the data protection regulation, the person is referred to the person responsible for data protection issues at Skrået.
Personal data assistants
The association uses subcontractors for various things in its business, for example printing and sending letters. These subcontractors often process personal data that Skrået has collected and is therefore also responsible for. Skrået has signed personal data assistant (data processor) agreements with all personal data assistants.
Personal data incident
A personal data incident is when personal data is accidentally or unlawfully destroyed, lost, changed, disseminated or otherwise processed in a way that may harm or offend the data subject.
Examples of personal data incidents are:
- Someone steals a computer where personal data is saved
- Someone loses their mobile phone which is linked to the work email and contains saved files with personal data
- A hacker gets into the database where all debtors are saved
- A CD with personal data is accidentally lost or destroyed
- Several notifications with different recipients end up in an envelope that is sent out to a property owner
- An employee mistakenly deletes a person as a property owner
- The telephone exchange system breaks down and no one can contact us during regular opening hours
- One or more computers have their hard drives encrypted by a virus
Please note that the list is not exhaustive and that more situations may qualify as personal data incidents.
Data does not have to be stolen or have come into unauthorized hands
Data does not have to be stolen or sent to an unauthorized person for something to count as an incident. For example, as seen in the list, it is enough for data that should have been kept to be destroyed for it to qualify as an incident.
If something has happened with data registered at Skrået that was not supposed to happen, it may be a personal data incident. Therefore, check with the person responsible for data protection issues if a situation arises where personal data is exposed to risk.
Some incidents must be reported to the authorities
All personal data incidents must be registered in Skrået's own incident register, but more serious incidents must also be reported further. In the case of particularly serious incidents, the data subjects affected must also be informed.
A serious personal data incident must be reported to the Data Protection Authority (Datainspektionen) within 72 hours of Skrået becoming aware of the incident. The report is standardized; a template for reporting personal data incidents has been developed and is available to the person responsible for data protection issues at Skrået.
If personal data is sent incorrectly, lost, changed without permission or the like
Contact the IT manager or the person responsible for data protection issues immediately, as soon as the error is discovered. It is very important that the responsible personnel receive the information as early as possible, because the deadline for reporting an incident is short and begins to run as soon as the incident is discovered, regardless of who discovers it.
We collect as much information as possible about what happened, but we do not change or delete anything before the responsible personnel can begin the investigation.
Collection of consent
In certain situations, Skrået should collect consent from the data subject in order to process certain data. Examples of this are if a representative of a company gets in touch and wants an invoice sent to their private address or when a person wants us to note sensitive information such as health and medical conditions.
Thinning of personal data
Thinning of personal data can take place after the information has become out of date, when our right to process the data ends, or on behalf of the municipality. After the information has been thinned, nothing of it remains, so it is not possible to recreate the information afterwards.