Purpose
The purpose of this policy is to describe how Adtollo handles personal data, what we use it for and who can access it. The policy is based on current data protection legislation, such as the General Data Protection Regulation ((EU) 2016/679, GDPR) and, where applicable, other laws and regulations governing the processing of personal data. The policy clarifies the measures we take to safeguard the rights and privacy of individuals when storing their personal data. This applies, for example, to people who have asked us for information or applied for a job with us, as well as to suppliers, employees, partners, customers and former employees.
Background
We primarily handle personal data to fulfill our obligations. Our starting point is not to collect or store more personal data than is necessary for the purpose, to delete personal data that we no longer need, and always to use no more privacy-sensitive data than necessary.
We also use personal data to run our business and provide good service. This may be, for example, in sales and marketing, follow-up, internal and external information, or in conducting different types of surveys. We may also need personal data to comply with laws and government regulations or to fulfill existing agreements.
When we collect information about a person for the first time, that person shall be informed of what the data will be used for, and consent will be obtained (if this is required, see below). If the collection of data is based on consent, the data subject may object, immediately or later, to our storing the data, in which case the data is deleted or anonymized. They can also object to the data being used for certain purposes, such as direct marketing. When processing personal data, we ensure that we do not create registers we do not need, that we send or distribute them securely, and that we delete files when they are no longer used.
Guidelines
Legal processing of personal data
Personal data may only be collected for specific, explicitly stated and legitimate purposes. The basic principles of privacy protection are not collecting more information than needed, not storing information longer than necessary, and not using data for any purpose other than the one intended when it was collected. If the data subject has consented to the processing of personal data, processing is usually allowed. Consent must be specific, individual, freely given and unambiguous. Prior to giving consent, the data subject must be informed of the intended processing of the personal data provided. The data subject may withdraw consent at any time, after which processing is no longer permitted.
In some cases, no consent is required under Article 6 of the General Data Protection Regulation. This applies to processing in the following cases:
- Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Unauthorized processing
Specific rules apply to sensitive personal data. Article 9 of the GDPR prohibits the processing of sensitive personal data. Sensitive personal data is personal data revealing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health, sex life or sexual orientation
- Genetic and biometric data
An exception to this rule can be made if the processing is absolutely necessary or the data subject has given explicit consent for the processing.
What personal data do we process?
We only process personal data when we have a legal right to do so. Here are examples of personal data we process:
- Name, username, e-mail address, phone number, address, date of birth, bank account number, social security number, photos, etc.
- Information that employees, clients or others have freely given and voluntarily registered
- Information that data subjects themselves have published, so-called user-generated content
When do we collect personal information?
We collect personal data when required; see the section Legal Processing of Personal Data. When collecting personal data, we shall obtain consent where required. Consent may be revoked at any time, after which the data is deleted or anonymized, provided that the information is not needed to fulfill our obligations under law, agreement or other legitimate interest.
We may also access personal information, for example when:
- People seek employment with us, visit us or otherwise contact us
- Individuals sign up for our courses, seminars, newsletters and other mailings
- Individuals respond to polls and surveys
- Our employees receive personal data in customer assignments
- We receive information from authorities and public records
Is personal information processed in a safe way?
We have developed routines and an IT security policy that describe how we handle personal data securely. The ground rule is that only persons in our organization who need the personal data to perform their duties shall have access to it. Access to sensitive personal data requires special authorization. We have appropriate physical and electronic protection for personal data storage, and we do not transfer personal data from one place to another for purposes other than those specified in this policy. We have procedures for detecting and reporting personal data breaches in accordance with applicable data protection legislation.
When do we disclose personal information?
The ground rule is to disclose personal data to third parties only if it is necessary to fulfill our obligations under law or agreement, or if consent has been given beforehand. Where disclosure is not required by law, we sign non-disclosure agreements with third parties and ensure that personal data is handled and processed in a secure manner.
If the third party is outside the EU, we follow the EU’s standard agreement clauses (http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm). The purpose of the EU’s standard agreement clauses is to provide adequate guarantees that individuals’ rights are protected when personal data is transferred to countries that do not have an adequate level of protection.
The rights of the data subjects
The main rights of the data subjects include the right to:
- Access their personal data (register extract) (right of access by the data subject)
- Have incorrect personal data corrected (right to rectification)
- Have their personal data deleted (right to erasure)
- Object to the use of personal data for automated decision-making and profiling (right to object and rights related to automated individual decision-making)
- Move the personal data that they themselves have provided to us (right to data portability)
The GDPR contains an obligation to provide, on request, information to the data subject on what personal data relating to them is processed by the data processor. When such a request is handled, additional information, such as how long the personal data will be stored and the right to have incorrect information corrected, shall be shared with the data subject. If the request is made electronically, the data subject must also be able to ask to receive the information electronically.
Responsibility
Adtollo is responsible for all personal data the company processes, which means that the company is responsible for how the data is stored and processed and for ensuring that the rights of individuals are met.
This also includes personal data processed on behalf of our customers, for example in the form of cloud services or consulting services.
Adtollo is responsible for ensuring that the products offered to the market have such features that our customers can comply with the requirements for processing personal data.
Record List
Adtollo shall maintain a record of the personal data processing activities under its responsibility.
The record shall include unstructured data.
Consent
When the company is not authorized to collect or process certain personal data, consent shall be obtained.
Before initiating processing of personal data that could lead to a high risk of privacy infringement, e.g. a comprehensive register containing sensitive personal data, the data controller must carry out an assessment of the consequences for the data subject(s). This is called an impact assessment, and it assesses the risk and the severity of a personal data breach. The result of the assessment determines which measures need to be taken. Measures must be planned and implemented to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data, weighed against implementation costs. If the assessment shows that the processing would lead to a high risk unless the data controller implements the preventive measures, the supervisory authority must be consulted.
The most important principles are not to gather more information than is necessary, to not retain the information longer than necessary, and to not use the data for anything other than the specified purpose. Consider the possibility of limiting access to the data.
Personal Data Processor Agreement
As a personal data controller, Adtollo must always sign a personal data processor agreement with a subcontractor if the subcontractor processes personal data on our behalf. This applies both to processing of our own personal data and to cases where the subcontractor processes personal data belonging to our customers.
The company shall also sign a personal data processor agreement with its customers in cases where personal data is to be processed on their behalf.
Personal data breach
In the event of accidental or unlawful destruction, loss or alteration of the personal data we process, such as a data breach (unauthorized access to our systems) or an accidental loss of personal data (an employee loses their mobile phone, computer or memory stick), we may need to document the incident and report it to the supervisory authority within 72 hours. This is not required if the incident is unlikely to pose any risk to individuals’ rights (for example, the lost computer contained few or no personal data, or the content was encrypted and the computer was protected by other security measures). We may also need to inform the data subjects of, for example, the risk of identity theft or fraud.
Changes to the policy
Adtollo reserves the right, at any time and for any reason, to add to and amend this policy. Changes may in particular be required as a result of changes in laws and regulations.
The policy should be evaluated annually and, if necessary, amended.