The purpose of the General Data Protection Regulation (GDPR) is to promote the protection of personal data by companies. One of the biggest requirements for companies is the requirement to document that personal data is processed in accordance with the rules. All companies, large and small, are subject to the rules of the General Data Protection Regulation. This can be a daunting task, which is why you can benefit from contacting LegalUp, which can help you create an overview of your company’s collection and use of personal data and prepare the necessary documents.
Below, we review and describe a number of personal data law documents, all of which are relevant to small and medium-sized companies.
Privacy policy
What is a privacy policy?
It is a statement of the use of customers’ personal data. A privacy policy will explain how a company or website processes its customers’ personal data, what the basis for collecting data is, and who has access to their customers’ personal data.
Why is a privacy policy important?
It is important for you as a company, as the law imposes a duty to provide information when collecting personal data. A privacy policy is therefore the best tool for informing the customer about how you process their personal data. If a company does not comply with the law and processes data it is not permitted to process, this can result in a fine.
Examples of what a privacy policy can contain:
Contact information for the data controller
Contact information for a possible data protection officer
What personal data is
What personal data is collected
The purposes of collecting personal data, and the legal basis for the processing
Period for storing personal data
Who has access to personal data
Sharing personal data with third parties
Protection of personal data
What rights you have as a customer
Complaint options
Internal procedures
What are internal procedures?
Management must develop procedures and guidelines for how employees may and must collect, process and disclose personal data. The procedures are best targeted at the employees’ different functions, so that each department receives specific procedures tailored to its own work tasks.
Why are internal procedures important?
This is important for companies to implement, as it gives employees clear guidelines on how personal data should be handled in their work.
Examples of what internal procedures should contain information about:
Data processor list
Deletion policy
Data subject rights
Risk assessment
Consent from customers, employees and potential employees
Website policy
Data protection officer
Data processing agreements
What is a data processing agreement?
It is an agreement between the data processor and the data controller. It is a document that functions as an instruction to the data processor regarding how the data processor is obliged to process data. It is stated directly by law that a written data processing agreement must be in place. If you do not have a data processing agreement, a written data processing agreement must be made immediately in order to be up to date with the Personal Data Protection Act.
Why is the data processing agreement important?
It is important because this agreement regulates, among other things, how the data processor may process personal data collected by the data controller on behalf of the data controller and for what purpose this information is to be used. It obliges the data processor to process according to clear instructions, so that the processing will be carried out with care and security.
Examples of what a data processing agreement may contain:
Background of the data processing agreement
Obligations and rights of the data controller
The data processor acts on instructions
Confidentiality
Security of processing
Use of sub-processors
Transfer of information to third countries or international organizations
Assistance to the data controller
Notification of personal data breaches
Deletion and return of information
Supervision and audit
The parties’ agreements on other matters
Entry into force and termination
Contracting parties
Appendix A: Information on the processing
Appendix B: Conditions for the data processor’s use of sub-processors and list of approved sub-processors
Appendix C: Instructions regarding the processing of personal data
Appendix F: The parties’ regulation of other matters
Agreement on joint data responsibility
What is an agreement on joint data responsibility?
The company may enter into an agreement on joint data responsibility with one or more parties. This means that the company, together with one or more parties, is responsible for a processing operation and all parties have the right to use the collected information for their own purposes. Therefore, there is no joint data responsibility if a processing operation is carried out for the purposes of only one party.
Why is a joint data responsibility agreement important?
A joint data responsibility agreement is important because this agreement can minimize the