The EU's new privacy regulation (GDPR) was adopted in April 2016 and will come into force for all businesses in the EU and in Norway on May 25, 2018. GDPR is short for the General Data Protection Regulation.
A draft of a new Personal Information Act that introduces GDPR in Norway is now out for consultation. The consultation deadline is 16.10.2017. Some questions about how the regulation will work in Norway have therefore not yet been clarified.
The Infotjenester Group consists of the companies Infotjenester AS, Capitech AS, Tholin & Larsson AB and Netcompetence AB, hereafter referred to as Simployer. Simployer is working on the necessary adjustments to its products and agreements. These will be adapted to the requirements of the regulation before it comes into force.
Will the regulation apply to my business?
Yes, the regulation will apply to all businesses in the EU and Norway that process personal data electronically or in personal registers in connection with commercial activities. In practice this covers all Norwegian businesses.
The privacy regulation is based on established privacy principles, which largely follow today's Personal Information Act. If you have followed current legislation and the Data Protection Authority's guidelines, you therefore have a good starting point for fulfilling the requirements of the new regulation.
The following principles are leading in the new regulation:
- Transparency and a legal basis for the processing and use of personal data. One must be clear with the registered (the data subject) about how personal information is used and what legal basis is relied on to process the data. Today, an employer has a legal basis to process a variety of personal information about its employees without the employee's consent. This is still the case under the regulation, but the amount of information that may be processed may change.
- Processing of personal data shall be limited to specified, legitimate and explicit purposes. Data obtained for a legitimate purpose cannot be reused for "incompatible purposes", and the regulation sets criteria for what is to be regarded as "incompatible".
- Minimizing data collection and limiting the storage of personal information to what is relevant to the purpose. Data that is only "nice to have" should not be collected.
- One must ensure that personal information is correct, and it must be possible to delete or correct data. Systems that hold personal data must have these mechanisms built in.
- The storage time for personal data shall be limited to the period necessary to achieve the purpose for which the data is stored.
- One must ensure that personal information is processed and stored with security, integrity and confidentiality. The employer (the controller) is responsible for protecting the processing of personal data through technical and organizational measures. An organizational measure may, for example, be to limit the number of people in the organization who have access to personal data. A technical measure may, for example, be to protect personal data with encryption when it is stored or sent electronically. The leading principle is that the controller must carry out a risk assessment of its personal data processing and that the measures must be dimensioned according to the risk.
Simployer has always followed the Data Inspectorate's guidelines, and we sign separate data processing agreements with all our customers. Our systems have mechanisms built in that enable employers to fulfill their duties as controllers.
All data belongs to the customer
Data created by the customer and the customer's users in Simployer is the customer's property, and this has always been the case. In this respect the new EU regulation changes nothing.
Simployer never mixes personal data from different customers; each customer has its own dedicated database.
The new privacy regulation clarifies three roles:
| Data Controller = Customer | Data Processor = Simployer |
| --- | --- |
| The controller owns its own data and determines which data is stored, where the data is stored and how long the data is kept. | The data processor shall process personal information on instructions from the customer. |
The registered (data subject)
This is the person about whom personal information is recorded. In Simployer, this will for the most part be employees. The registered has gained new rights in GDPR:
Several of these rights are intended for the registered as an individual.
The regulation clarifies the obligations that lie in the role of a data processor. In the past, most of the obligations were placed on the controller, and the controller (the customer) had to make agreements with the data processor (the supplier) in the form of a data processor agreement. The obligations of a data processor still apply and are enforced directly by the new regulation.
Requirements for handling security breaches are intensified when the regulation enters into force. The main rule in the regulation is that all breaches of personal data protection must be reported to the Data Inspectorate. An exception applies if it is unlikely that the breach will endanger the rights or freedoms of individuals. The breach notification must reach the Data Inspectorate within 72 hours. The company must keep documentation of all breaches and of what measures have been taken. Employees or other individuals may also have to be notified if the security breach is likely to entail a high risk to the rights and freedoms of persons.
As a processor, Simployer shall notify the customer, as controller, of security breaches and in this way enable the customer to notify the Data Inspectorate and, where appropriate, its employees. Simployer has routines for notifying customers, and we also offer customers a separate module for the customer's own internal incident management.
Data outside the EU
The regulation imposes strict requirements on how personal data may be stored outside the EU. The regulation imposes no such requirements on storage in Norway or Sweden.
Infotjenester, Tholin and Capitech use Norway as a base for storage, and personal data is never stored outside the EU.
Netcompetence stores data in Microsoft Azure (Holland and Ireland), and data is never stored outside of the EU.
Use of subcontractors
If a data processor uses subcontractors for processing and/or storing personal data, the requirements of the data processing agreement shall be passed on to the subcontractors. The customer shall be kept informed of which subcontractors are used to process personal information and shall consent to the use of subcontractors.
Simployer uses professional third parties as hosting partners. The current hosting partners are agreed with the customer.