On 27 April 2016 Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (“General Data Protection Regulation”). The General Data Protection Regulation will replace the national data protection laws in every EU country and will be applied equally in every EU country, except for minor special regulations. The rules contained in the General Data Protection Regulation do not differ significantly from the current rules on the processing of personal data in accordance with the Swedish Personal Data Act (1998:204), except for the fact that more extensive obligations have been introduced for the processors and that larger fines have been introduced for breaching the General Data Protection Regulation. According to the decision, the General Data Protection Regulation will come into force from 25 May 2018. At Softronic personal data mainly appears in two different areas – staff-related systems (e.g. HR systems, payroll systems, travel expenses, etc.) and systems that contain personal data that are run on behalf of customers. It is the controller who is responsible for this information being processed correctly – it is Softronic who is the responsible party in the first instance (i.e. the controller) and customer who takes on this role in the second instance – Softronic is then the processor. In the latter case, a data protection agreement and data protection instructions must be drawn up between Softronic and the customer that clarify which personal data is to be processed and how this data is processed. It is important to maintain privacy. Personal data must be processed with extreme care and in accordance with the relevant laws, EU 2016/679 GDPR and statutory requirements.
- This regulation aims to strengthen the rights of individuals by giving them greater control of their own personal data.
- The General Data Protection Regulation covers all operations that process personal data, information about employees, customers, users, suppliers, etc.
Personal data must be processed securely in accordance with laws and statutory requirements in order to protect a person’s privacy.
General data protection policy
The following applies to Softonic when processing personal data:
- information containing personal data must be classified as a minimum as:
- confidentiality – confidential;
- accuracy – critical;
- accessibility – no minimum requirements;
- if an external party is hired to process personal data within the remit of Softronic’s responsibility, for example a supplier of services, a data processing agreement and personal data instructions must be drawn up clarifying how personal data is to be processed;
- if an external party is hired to process personal data that Softronic processes on behalf of a customer, i.e. where Softronic is a processor, a subprocessor agreement and subprocessor instructions must be drawn up clarifying how personal data is to be processed – this agreement and these instructions must be approved by the customer or provided by the customer;
- personal data must be processed in accordance with prevailing legislation;
- the data protection officer must check that personal data is being processed correctly, and report any deviations to the personal data manager or to a supervisory authority.
- Data that Softronic no longer needs for contractual and/or legal compliance are deleted as soon as possible.
- Adequate protection must be given to personal data. To ensure this, a DPIA (Data Protection Impact Analyses) must be performed to highlight any risks involved with processing data and to be able to assess the correct level of protection in relation to costs, the categories of the data being processed, and technological developments.