GDPR - The law on the processing of personal data.

GDPR stands for the General Data Protection Regulation, a new data protection regulation from the EU that will become law in all EU member states from 25 May 2018. GDPR will replace the current Swedish Personal Data Act (PUL). The law is intended to protect the privacy of individuals and to modernize, harmonize and strengthen protection within the EU.

Within each EU member country there is a supervisory authority that will check this. In Sweden, this authority is called the Integrity Protection Authority (Integritetsskyddsmyndigheten), formerly the Computer Inspectorate (Datainspektionen). Their website has more information and help for finding out what you need to do: https://www.datainspektionen.se/dataskyddsreformen/ (the page is in Swedish).
You may also find an English page on GDPR here: https://www.eugdpr.org/

Processing of personal data.

The law describes how personal data may be processed, and there are two important concepts to understand: personal data and processing. Personal data is any information relating to an identified or identifiable individual (also called a registered person). An identifiable natural person is a person who can be identified directly or indirectly, in particular with reference to an identifier such as a name, an identification number, a location or online identifiers, or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that person. Processing means that you carry out an action or combination of actions on personal data or a set of personal data, regardless of whether the actions are performed automatically or not. Examples of such processing are collection, structuring, storage, processing, dissemination or deletion.

Sensitive personal data.

There is a special category of personal data that the law addresses and that you as a personal data controller need to pay extra attention to: sensitive personal data. Examples of sensitive personal data are data revealing ethnic origin, political opinions, religious or philosophical beliefs, or information on health and sex life. The starting point is that it is forbidden to process this personal data, but there are a number of exceptions. In Sweden, an investigation into this data is being carried out with a view to developing supplementary Swedish legislation. Read more about sensitive personal information here. (It is in Swedish, but there is a translation provided by the website.)

Personal Data Responsible and Personal Data Adviser.

In the processing of personal data, there are primarily two roles that you should know about, and each role has different areas of responsibility. The person responsible for personal data (PuA) is the one who, under the law, has ultimate responsibility for the processing and determines its purpose and means. The person responsible for personal data will ensure that the law is followed, inform the persons whose personal data is processed, and ensure compliance with data privacy. The Personal Data Adviser (PuB) processes the personal data on behalf of the person responsible for personal data and is responsible for the technical and organizational security measures.

Responsible party and assistant for the data in Examinare Services.

All processing of personal data in the programs is your sole responsibility. Examinare is a personal information officer and takes technical and organizational security measures to make sure that your collected personal data is processed safely and in accordance with the law. Examinare's technical and organizational measures are described under Security.

You can find the Security information here.

Examinare as the party responsible for personal data.

We are responsible for all processing of personal data about you as a customer, user or participant in our training when you order Examinare Services, contact us or register for any of our programs. What we do, and do not do, with your personal information is described in our Privacy Policy.

You can find our Privacy Policy here.

Basic principles of GDPR.

The law is based on 7 basic principles:

  • Legality, Correctness, and Transparency
  • Purpose Limitation
  • Data Minimization
  • Correctness
  • Storage Minimization
  • Integrity and confidentiality
  • Accountability

You can read about what the basic principles mean here: https://www.datainspektionen.se/dataskyddsreformen/dataskyddsforordningen/principer-for-behandling-av-personuppgifter/ (The link is in Swedish, but an English translation is provided by the website).

To comply with the principle of legality, correctness and transparency, you need a legal basis in the Data Protection Regulation to be allowed to process personal data. The legal bases for processing personal data are agreement, legal obligation, basic interests, public interest, authority or balance of interests.

Unstructured material.

Under PUL we have had an exception in Sweden, where we did not have to think about how personal data is processed. This exception is called the "Code of abuse" (Missbruksregeln). It meant that we have been able to keep personal data in so-called unstructured material, that is, running text and free text such as documents, e-mail, web pages or a notepad in a system. The abuse rule now disappears with GDPR, which means that you need to map which personal data is contained in all unstructured material and begin handling it in the same way as structured material.
