Global Data Protection Regulation (GDPR) Policy
Bruks Siwertell gathers and uses certain information about individuals in different parts of its organisation. The purpose of this policy is to make sure that Bruks Siwertell handles this information in compliance with applicable laws including the General Data Protection Regulation (GDPR). The policy includes all digital information where information about individuals appear.
GDPR is applicable only to EU/ /EEA citizens.
This policy includes all employees at Bruks Siwertell and any contractor working on behalf of Bruks Siwertell.
2 Practice and revision
The management team is responsible for making sure that the personal data handled by Bruks Siwertell follows this policy. The policy is reviewed and established on an annual basis.
The HR Director is responsible for the annual update of the policy, as well as ensuring that any changes in the GDPR are implemented in the policy.
3 Organisation and responsibility
The Managing Director for each unit within Bruks Siwertell Group is responsible for the content of this policy and will ensure that the organisation complies with its requirements. The implementation of the policy has been delegated to the HR Director.
Both Bruks Siwertell employees and contractors working on behalf of Bruks Siwertell are responsible for ensuring that they act in accordance with the requirements of the policy.
3.1 Overall responsibility - GDPR
The HR Director is responsible for ensuring that Bruks Siwertell complies with the GDPR. This means that the HR Director will inform the management team of any security risks following each annual review. The HR Director will ensure employees comply with and are informed about the practical application of the policy and will process any requests for transcripts of personal data.
The IT Manager is responsible for making sure that all IT systems, servers and equipment used to store personal data are up-to-date and meet security demands. The IT Manager will also regularly review software and hardware and evaluate any personal data stored by a third-party belonging to Bruks Siwertell.
Any information relating to, directly or indirectly, an identified or identifiable person (‘data subject’); in particular by reference to an identifier such as a name, an identification number, location data or an online identifier.
The individual to whom personal data relates.
Any operation or set of operations performed on personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
A ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement, signifies agreement to the processing of personal data relating to him or her.
Bruks Siwertell’s obligation to inform data subjects of any personal data that is stored.
Agreement with a natural or legal person, public authority, agency or body other than Bruks Siwertell (the controller) who under the direct authority of the controller, is authorised to process personal data.
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law. (Bruks Siwertell is the data controller in this policy).
5 Processing personal data
All personal data shall be processed according to the following principles:
5.1 Lawfulness, fairness and transparency
All personal data must be processed lawfully, fairly and in a transparent manner in relation to the data.
5.2 Purpose limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
5.3 Data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Personal data must be accurate and, where necessary, kept up-to-date; every reasonable step must be taken to ensure that personal data that is inaccurate, with regard to the purposes for which it is processed, is erased or rectified without delay.
5.5 Storage limitation
The data has to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; storage limitation is filed under ‘Central document GDPR’.
5.6 Integrity and confidentiality
Personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Bruks Siwertell (the data controller) is responsible for, and able to demonstrate compliance with the law. Therefore, all personal data registers are documented in one central document called the-‘Central document GDPR’. Procedures are in place to ensure all employees and Siwertell contractors adhere to the regulation.
5.8 Processing new data and changes in processing data
Before processing new data or making changes to the way in which data is processed, a number of considerations have to be taken into account. Is it necessary to gather the personal data and are there any risks for the individuals whose personal data we intend to process?
The first questions the controller needs to ask are: what personal data is necessary in order to fulfill a certain purpose, and does the process follow the six principles of data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
If the process can pose any risk for the data subjects, or for special categories of personal data, such as sensitive information, an analysis of the impact and control measures to prevent or limit data risk must be implemented to ensure adequate data security. Please read further under section 5.11.
5.9 Processing unstructured information
When processing unstructured information, such as personal data, images and video in emails or documents, contracts and letters, a simplified process is applicable.
This facilitates the day-to-day processing of personal data without obstructing integrity and freedom. This simplified process applies to the protection of unstructured personal data stored on web servers, held in documents and email correspondence and in images and videos. Names and phone numbers of employees are also included.
This means that processing everyday personal data is allowed as long as the data subject is not violated. Processing personal data that violates the data subject is still prohibited.
5.10 Rights of the data subject/informing data subject of personal data
The data subject must be informed of data processing activities. To meet GDPR requirements, Bruks Siwertell has templates in place to present data processing information to data subjects. The templates include information about the personal data the company has in collection, as well as how the company processes this data. The template also includes the rights of the data subject and data controller contact information.
Usually, the main contact assigned to the customer, employee or vendor is responsible for informing the data subject of the personal data process. For example, the HR director is responsible for informing new Bruks Siwertell employees about the company’s personal data processing policy.
Information about Bruks Siwertell’s personal data processing activities can be found at: www.bruks-siwertell.com.
5.10.1 Data subject’s right of access
If a data subject wants access to his or her personal data, he or she, or an agent with valid power of attorney, can send a request for data extraction. The information is then sent to the data subject or approved contact. The data subject is always entitled to escalate any follow-up questions or queries to the Managing Director.
The recipient of a personal data inquiry must make sure that the identity of the person asking for the access is verified. If the inquiry is received electronically, the personal data can also be sent electronically if the data subject wishes.
The delivery of the personal data must be sent in a safe way, either encrypted or password-protected or sent by registered letter. The data subject will receive a copy of his or her personal data for free within 30 days after the request is received by the data controller.
5.10.2 Data subject’s other rights
If a data subject contacts the data controller regarding personal information that he or she perceives as wrong or incomplete, the data controller will rectify the information without delay. When applicable, the data subject has the right to have his or her personal information deleted. For example, if the personal information is no longer applicable.
A data subject is also entitled to object to the processing of his or her personal data based on interests. If the data controller wants to continue processing the personal information, it must provide reasons that outweigh the interest, rights and freedom of the data subject.
Above mentioned requests by any data subject will immediately be forwarded to and processed by the HR Director.
5.11 Special categories of personal information
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic and biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
Special categories of personal information can be processed if the data subject has given explicit consent to the processing of the personal data or if processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment and social security and social protection law.
5.12 Children’s personal data
Guardians are not automatically entitled to act on behalf of their child without the consent of the child when it comes to personal data. This is because children are individuals and have rights according to the GDPR.
5.13 Obligations to reveal personal data
In some cases, the data controller is obliged to reveal personal data. For example, the data controller is obliged to reveal personal data if it receives inquiries from tax and other authorities.
6 Personal data assistant agreement
Other companies with access to and involved in the processing of personal data are known as personal data assistants. Occasionally, third-party system suppliers can access personal data belonging to the data controller. Bruks Siwertell has a personal data assistant agreement in place with these suppliers with the following persons entitled to sign agreements: Managing Director, Purchasing Director, IT Manager and HR Director.
7 Routines and instructions
7.1 Information for all employees
All Bruks Siwertell employees are obliged to comply with this policy. Instructions are available in the document entitled ‘GDPR – instruction for all employees’.
7.2 Storage limitation – deleting information
Personal data will only be stored in a way that makes identification of the data subject possible, for as long as it is necessary for its designated purpose. When the personal data is no longer needed it must be deleted or de-identified. The data controller has set up routines to make sure that personal information is not stored for longer than is necessary. Information regarding storage limitation for different personal data is set up in ‘Central register GDPR’. The HR Director is responsible for following-up on the limitation of storing personal data.
7.3 Lawfulness of processing
Lawfulness of processing has to be established for every processing act of personal data performed by the data controller. Processing is lawful if: part of fulfilling a contract with the data subject; it is necessary to fulfil a legal obligation; if the company has explicit consent from the data subject; or if the processing fulfils the demands set up according to ‘weighing of interest’. All weighing of interest has to be documented and filed. The lawfulness of data processing is documented in the ‘Central register GDPR’.
Processing of personal data is documented in the ‘Central register GDPR’. Demands regarding the processing of personal data according to the GDPR, have to be ensured when developing and purchasing IT services and solutions, and will be a part of specified demands and any agreements.
Follow-up and evaluation of personal data processing will be performed at least once a year.
7.6 Notification of personal data breach
Any personal data breach which occurs in the company must immediately be reported to the HR Director, who, without undue delay and, no later than 72 hours after having been made aware of it, will inform the supervisory authority of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Questions regarding GDPR
If you have any questions with regards to our GDPR policy, please contact our HR Director Katarina Åkesson firstname.lastname@example.org