EU's Privacy Regulation (GDPR)
The EU's Privacy Regulation (GDPR) was adopted in April 2016, and came into force for all businesses in the EU and in Norway on May 25, 2018. GDPR is short for the General Data Protection Regulation.
Does the regulation apply to my business?
Yes, the regulation applies to all businesses in the EU and Norway that process personal data electronically or in personal registers in connection with work related and / or commercial activities.
Principles
The privacy regulation is based on established privacy principles, which in general aligns well the previous Norwegian Personal Information Act. An employer has legal authority to process a variety of personal information about employees without the consent of the employee, but the employer has to evaluate which data is required, the purpose of the processing, how the data is secured and for how long the data should be kept.
The following principles are leading in the regulation:
- Transparency and anchoring in the law for the processing and use of personal data. One must be clear with the registered on how personal information is used and what legal base is required to process the data.
- Processing of personal data shall be limited to specified, legitimate and explicit purposes . Data obtained for a legitimate purpose can not be reused for "incompatible purposes" - and the regulation sets criteria for what is to be regarded as "incompatible".
- Minimizing data collection and storing personal information to what is relevant to the purpose. Data that is only "nice to have" should not be collected.
- One must ensure that personal information is correct and it should be possible to delete or correct data. Systems that store personal data must have these mechanisms built in.
- The storage time for personal data shall be limited to the period necessary to achieve the purpose of the processing of the data.
- One must ensure that personal information is processed and stored with security, integrity and confidentiality. It is the employer (the controller) who is responsible for the processing of personal data through technical and organizational measures.
- An organizational measure may, for example, be to limit the number of people in the organization who have access to personal data.
- A technical measure (as an example) may be that personal data is protected by encryption when the data is stored or sent electronically.
- A leading principle is that the controller needs to do a risk assessment for personal data processing and that measures should be dimensioned for the risk (mitigating the risks in an appropriate manner).
Simployer has always followed the Data Protection Inspectorate guidelines and we sign separate Data Processing Agreements with all our customers. Our systems have mechanisms built in to enable employers to fulfill their duties as controllers.
All data belongs to the Customer
Data created by the customer and customer's users in Simployer, is the Customer's property and this has always been the case. The EU regulation is thus nothing new on this matter.
Important roles
The privacy regulation, GDPR, clarifies three roles:
Data Controller = The Customer
The Controller owns, and is responsiple for its own data, and determines which data that is stored and how long the data is to be kept.Data Processor = Simployer
The Data Processor shall process personal information on instructions from the Controller, the Customer."The registered"
This is the person for which personal information is processed. In Simployer, this will for the most part be employees. The registered has rights under the GDPR, amongst them:- The right to be forgotten
- The right to demand a restriction on the data processed
- The right to data portability
- The right to oppose processing
These rights must be maintained by the Controller. Be aware that there are differences in legal base for processing of personal data for private citizens versus private data for employees.
Handling of deviations
Requirements for dealing with security breaches was intensified when the regulation entered into force. The main rule in the regulation is that all breaches regarding personal data should be reported to the Data Inspectorate. Exceptions to this apply if it is unlikely that the deviation will endanger the rights or freedoms of individuals. At the same time, it is required that the deviation notice is to be reported to the Data Protection Inspectorate within 72 hours. The company must have documentation of all deviations and what measures have been taken. Employees or other individuals may also be required to be alerted if it is likely that the breach of security will entail a high risk for the rights and freedoms of persons.
As a processor, Simployer shall notify the Customer, as the controller, of breaches of security and, in this way, enable the customer to notify the Data Inspectorate and, where appropriate, its employees. Simployer has routines for notifying customers, and we also offer customers a separate module for the customer's internal deviation management.
Use of subcontractors and Data outside the EU
The regulation imposes strict requirements on how personal data may be stored. There are no requirements in the regulation for storage in specific regions or jurisdictions but any processing outside of the EU/EEA requires more controls, checks and guarantees to make the processing legal.
Simployer is using several subcontractors, so-called subprocessors but all hosting-providers are located inside EU/EEA, and service-specific subprocessors outside of EU/EEA is evaluated and monitored to ensure compliance with GDPR.
To see the list - and the geographical location - of all subprocessors, click here.
Relevant content
Loading child pages...