GDPR - The law on the processing of personal data.
GDPR stands for the General Data Protection Regulation, a new EU data protection regulation that becomes law in all EU member states from 25 May 2018. GDPR replaces the current Swedish Personal Data Act (PUL). The law is intended to protect the privacy of individuals and to modernize, harmonize and strengthen data protection within the EU.
Each EU member state has a supervisory authority that checks compliance with the regulation. In Sweden, this authority is called the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten), formerly the Data Inspection Board (Datainspektionen). Their website provides more information and guidance on what you need to do: https://www.datainspektionen.se/dataskyddsreformen/ (the page is in Swedish).
You may also find an English page on GDPR here: https://www.eugdpr.org/
Processing of personal data.
The law governs the processing of personal data, which involves two important concepts. Personal data is any information relating to an identified or identifiable natural person (also called a data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Processing means any operation or set of operations performed on personal data or on sets of personal data, whether or not it is carried out by automated means. Examples of processing are collection, structuring, storage, adaptation, dissemination and deletion.
Sensitive personal data.
There is a special category of personal data that the law addresses and that you, as personal data controller, need to pay extra attention to: sensitive personal data. Examples of sensitive personal data are data revealing ethnic origin, political opinions, religious or philosophical beliefs, or information about health and sex life. The starting point is that processing this kind of personal data is forbidden, but there are a number of exceptions. In Sweden, an inquiry into these matters is under way with a view to developing supplementary Swedish legislation. Read more about sensitive personal data here. (The page is in Swedish, but the website provides a translation.)
Personal data controller and personal data processor.
In the processing of personal data there are primarily two roles you should know about, and depending on which role you have, you have different areas of responsibility. The personal data controller (PuA) is the party that, under the law, has ultimate responsibility for the processing and determines its purpose and means. The controller must ensure that the law is followed, inform the persons whose personal data is processed, and ensure that their privacy is respected. The personal data processor (PuB) processes the personal data on behalf of the controller and is responsible for the technical and organizational security measures.
Controller and processor for the data in Examinare Services.
All processing of personal data in the services is your sole responsibility as controller. Examinare is the personal data processor and takes technical and organizational security measures to make sure that the personal data you collect is processed securely and in accordance with the law. Examinare's technical and organizational measures are described under Security.
Examinare as personal data controller.
Basic principles of GDPR.
The law is based on 7 basic principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
You can read about what the basic principles mean here: https://www.datainspektionen.se/dataskyddsreformen/dataskyddsforordningen/principer-for-behandling-av-personuppgifter/ (The link is in Swedish, but the website provides an English translation.)
To comply with the principle of lawfulness, fairness and transparency, you need a legal basis in the Data Protection Regulation that permits the processing of personal data. The legal bases you can rely on are a contract, a legal obligation, vital interests, public interest, the exercise of official authority, or a balancing of interests (legitimate interests).
Legal basis for information in Examinare services.
Which legal basis applies to the processing of personal data in Examinare Fortnox Services is something you, as the sole personal data controller, must determine and document. It may vary from case to case depending on the activity, which laws you must follow, and whether the information you collect is required or merely useful to have.
Under PUL, Sweden had an exception under which we did not have to consider how personal data was processed. This exception is called the "misuse rule" (missbruksregeln). It meant that personal data could be kept in so-called unstructured material, that is running text and free text such as documents, e-mail, web pages or note fields in a system. The misuse rule disappears with GDPR, which means that you need to map which personal data is contained in all unstructured material and begin handling it in the same way as structured material.