FAQ
In brief, GDPR is an EU regulation that comes into effect on 25 May 2018. In Sweden it is called the data protection regulation, while within the EU it is commonly referred to as GDPR (General Data Protection Regulation). The regulation applies directly in all EU member states and replaces existing national data protection legislation, for example the Personal Data Act (“PUL”) in Sweden.
Read more about how we can help you with the entire GDPR process
GDPR applies to all organisations, in all industries and sectors, that manage and process personal data about employees or customers. New procedures and processes are therefore required to ensure that registers are handled securely, and appropriate requirements are placed on those responsible at management level. The burden of proof is reversed: the organisation must be able to demonstrate that it complies with the regulation, which entails more stringent requirements on documentation.
According to the Swedish Personal Data Act, personal data means all types of information that can be directly or indirectly related to a living natural person. Images (photos) and audio recordings of individuals that are processed in a computer may also be personal data, even if no names are mentioned. Encrypted data and various kinds of electronic identifiers, for example IP addresses, are personal data if they can be linked to a natural person.
Source: The Swedish Data Protection Authority
The personal data controller (or simply “controller”) is normally the legal person (for example a limited company, foundation or association) or the authority that processes personal data within its operations and determines what data is to be processed and for what purposes the data is to be used.
For example, if a limited company maintains a customer register, the company is the controller in relation to the processing of the personal data contained in the register. It is the company that has decided that a customer register shall be established and the purposes for which such a register shall be maintained, and the company is thus responsible (the “controller”) for the personal data contained in the register. The fact that an employee within the company has decided that a customer register shall be established can never mean that the employee (person) in question is the controller for the personal data in the register. Nor can a person who is the Systems Manager within a company or an authority be deemed to be the personal data controller.
If several legal persons decide over a certain processing of personal data, they can jointly be the controller in relation to such data. The same applies to databases used jointly by authorities (unless something to the contrary is stipulated by law or regulation).
On the other hand, a person who processes personal data on their own behalf (outside the scope of any employment relationship) is themselves the personal data controller for that processing. Sole traders are one example of persons who can themselves be the controller for the processing of personal data. A business run on a sole trader basis is not a separate legal person, and the sole trader is therefore personally responsible for ensuring that personal data is processed in accordance with the Swedish Personal Data Act.
The role of personal data controller in a municipality normally rests with the municipal boards that are so independent that they are administrative authorities. A municipal board that is an administrative authority is thus the controller in relation to the processing of personal data that is carried out by the board.
The identity of the personal data controller for a certain type of processing can also be specifically stipulated by law or ordinance, for example in special register laws.
Source: The Swedish Data Protection Authority
All forms of operation involving personal data constitute personal data processing, for example collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Source: The Swedish Data Protection Authority
A regulation is a type of binding EU act that can be adopted by the European Union’s institutions. Regulations are the most forceful type of EU act and are used to introduce uniform and directly applicable provisions within the EU. Regulations have general validity, are binding in their entirety and are directly applicable in all member states. They can be invoked in a national court of law just like a national law, without any requirement for the member state to have undertaken implementation measures. The main purpose of a regulation is to establish uniform provisions. All regulations must have a legal basis in the EU treaties. Regulations adopted in accordance with a legislative procedure constitute legislation. If the European constitution had come into effect, the term ”regulation” would have been replaced with ”European law”.
Vitaprivata GDPR certification is a tool designed to manage and facilitate compliance with the new data protection regulation, GDPR.
GDPR certification can be used by companies, associations, organisations and authorities.
GDPR certification lets you structure the company’s personal data in a clear manner that gives a good overview. An unlimited number of categories of personal data can be included in one account. Personal data processors (“processors”) and assignments can also be documented. The tool gives a good overview of how personal data is managed and processed and is an excellent aid for organising processor agreements, producing personal data breach reports for individuals and for the supervisory authority, and producing the documentation needed to communicate with your data subjects in accordance with the duty of information. Furthermore, GDPR certification has a menu full of functions covering technical security measures and how to work with them.
When you create an account under My Pages and start the business’s GDPR process, you pay a one-off start-up fee of €399 as well as a subscription fee of €9.90 per month. This gives you access to the business’s account at My Pages during the subscription period, for which you are charged SEK 99 each month (initial period of at least three months), so that you can update your documents under My Pages on an ongoing basis.
You can choose to pay the start-up fee and the first month’s subscription fee by way of invoice via Vitaprivata or through a credit/debit card company.
Quarterly invoices apply if you choose the invoice alternative, in other words you will be required to pay for three months at once.
There is no minimum commitment period in terms of how long you must have an active GDPR account (other than the standard notice period of three months), but we strongly recommend that you subscribe to the service so that you can update your GDPR account on an ongoing basis.
As mentioned, a notice period of three months applies for cancellation of the subscription, which means that you must pay for a further three months after you notify us of your intention to cancel your subscription. Naturally you continue to have access to your account throughout the entire notice period. If, after cancelling your subscription, you subsequently realise that you need your GDPR account again, you will have to go through the whole process again, including payment of a new start-up fee.
Your data is stored on servers owned by Vitaprivata AB in Gothenburg.
We can help you with all these issues via our extra services. Certain issues can be addressed directly at Vitaprivata, while others need to be managed via an external consulting firm.
Read more about our expert help here!
Vitaprivata AB
Skiftesvägen 8, 475 45 Fotö, Sweden.
Phone +46 702 203020
E-mail info(at)vitaprivata.org
Org. nr. 559141-8834