
Information about GDPR to partners of Solid Insurance 

On May 25th 2018, new rules for processing personal data will come into effect - the EU General Data Protection Regulation (GDPR) (2016/679). The regulation will have the force of law within all EU member states and is intended to improve protection of the individual in connection with processing of personal data. In Sweden, this regulation and certain complementary legislation will replace the Personal Data Act (PuL). PuL currently regulates the processing of personal data in Sweden, but will cease to apply once the data protection regulation takes effect.

The GDPR will affect all sectors, businesses and organisations which handle personal data. It is therefore important that those who process personal data introduce procedures for how this will be performed.

When is the GDPR applicable? 

The GDPR is applicable to the processing of personal data which is performed fully or partly automatically, but also to other processing of personal data where this is or will be part of a register. In principle, this means that all processing of personal data will be covered by the Regulation.

Who is obliged to comply with the GDPR? 

The GDPR applies to the processing of personal data with a certain connection to the EU. This is the case when the person processing the personal data has a business address within the EU and processes personal data in connection with the business carried on there. In other words, the actual location of the processing is of no significance. Under certain circumstances, the GDPR is applicable even where the enterprise has been established outside the EU. For example, the GDPR will apply where a data controller or a data processor who is not established in the EU offers goods and services to persons inside the EU, or when the data controller or data processor supervises the activities of persons within the EU. The last-named circumstance includes, for example, tracking an individual person's behaviour on the Internet for the purpose of creating customer profiles or similar.

New requirements arising from the GDPR 

Many of the requirements laid down by the GDPR already exist in the PuL. To a certain extent, the GDPR is merely an updating and tightening of the PuL. An important part of the improved protection for individuals whose personal data is being processed, the so-called data subjects, is that there are higher demands placed on those performing the processing, i.e. all enterprises, organisations and authorities who process personal data. So, for example, one new and important feature of the GDPR is that it explicitly states that the person who processes personal data is responsible for and must be able to demonstrate compliance with the provisions of the GDPR (accountability). In brief, this means that persons processing personal data must be able to demonstrate compliance with the basic principles of the GDPR, and otherwise follow the requirements of GDPR. The basic principles of the GDPR are equivalent to those in the PuL. You can read about these principles in Chapter II - Principles of the GDPR.

The rights of data subjects have been extended, enhanced and specified in the GDPR, compared to the PuL. Generally speaking, the responsibility for informing data subjects in various ways and the requirements as to which information is to be supplied to them are being extended by the GDPR. In summary, they mean that data subjects must receive information about when and how their personal data is being processed, and they must have control over their own information. Data subjects have, in the same way as previously, the right to receive information about which personal data concerning them is being processed (register excerpts). What is new is that an application to view such information need no longer solely be made in writing in an ordinary letter, but can also be made in other ways, e.g. electronically. A new feature is that a person who has supplied their personal data is entitled in certain cases to withdraw that data and request that it be transferred to another data controller, where technically possible (data portability).

The GDPR also contains a requirement for integral data protection (privacy by design) and standard data protection (privacy by default), which, briefly put, means that the integrity protection rules need to be taken into consideration right from the time of creation of the IT system and procedures, and that the person processing the personal data must ensure that, under standard circumstances, the personal data is not needlessly processed. In addition, the so-called misuse rule in the PuL will disappear when the GDPR comes into force. Roughly speaking, this rule means that, at present, simpler rules for personal data may be used in unstructured material. The GDPR must be applied in its entirety to all automated processing of personal data and thus will also be valid, e.g. in the case of publication of personal data on a website or other continuous text.

Data controller and data processor 

A person who processes personal data on behalf of one or more entities is to be regarded as a data processor, while an entity who determines the purposes for which personal data is to be processed and how the processing should be made is to be regarded as a data controller. The GDPR regulates the role of the data processor mainly in Articles 28-31 and related provisions. When the data controller engages a data processor, the GDPR stipulates a written agreement. The data processing agreement must specifically provide that the data processor may only process personal data at the documented instruction of the data controller. One new feature of the regulation is that some of the duties which previously attached to the data controller now also apply to the data processor, e.g. the requirements for keeping a record of processing activities, for ensuring a suitable level of security and, in certain cases, for appointing a Data Protection Officer. The data processor may also be the subject of supervision or administrative penalties and be held liable for damages. It is therefore important that a data processor is aware of the rules in the GDPR.

Persons processing personal data must ensure a suitable security level for their work, both technically and organisationally. For example, a data processor must provide adequate guarantees, particularly with regard to expertise in processing personal data, accuracy and resources, that appropriate technical and organisational measures will be carried out to ensure that processing meets the requirements of the GDPR and that the rights of the data subject are protected. This includes, where applicable, the use of pseudonymisation and encryption of personal data, the capacity for continuous assurance of confidentiality, integrity, availability and resilience in the processing systems and services, the capacity to restore availability and access to personal data in a reasonable time in the event of an incident, and finally the regular testing, inspection and assessment of the technical and organisational measures for ensuring the security of the processing.

Furthermore, the data processor must ensure that all natural persons carrying out work under the data processor's supervision, and who have access to personal data, only treat it according to instructions from the data controller, unless EU legislation or the national law of the Member States requires them to do so. This also includes ensuring that persons authorised to process personal data have made an undertaking to comply with confidentiality or are covered by appropriate statutory professional secrecy.

The duties of a data processor also include, having regard to the nature of the processing, and to the extent possible, assisting the data controller through appropriate technical and organisational measures so that the data controller can fulfill the obligation to respond to a request from data subjects who wish to exercise their rights under the GDPR. Moreover, the data processor must enable and assist with scrutiny and inspections carried out by the data controller or other auditor authorised by the data controller.

Sensitive personal data 

Certain items of personal data are by their nature particularly sensitive, and are therefore more strongly protected by the GDPR. Such personal data includes information which reveals race or ethnic origin, political opinions and health conditions. In the GDPR, such personal data are called special categories of personal data. The term sensitive personal data is also often used. Specific requirements are made for the processing of sensitive personal data.

Appointing a different data processor (including consultants) 

The data processor may not engage another data processor unless specific or general prior written consent has been received from the data controller. In the event that a data processor engages another data processor to carry out a specific act of processing on the data controller's behalf, the sub-contractor must have the same duties in respect of data protection as were laid down in the agreement between the data controller and the data processor. If sub-contractors fail to fulfill their data protection obligations, the original data processor must be held fully responsible to the data controller for the performance of the sub-contractors' duties.

A note on third-country transfers 

The GDPR means that all EU member states (including the EEA countries Norway, Iceland and Liechtenstein) have equivalent protection of personal data and personal integrity. Personal data may therefore be transferred freely and without limitations within this area. As there are no general rules ensuring similar guarantees outside the EU and EEA, it has been deemed that transfers to countries outside the EU and EEA (so-called third-country transfers) must only be performed under special conditions. Such transfers thus require special rules, see Articles 44-50 of the GDPR. A data processor may only make third-country transfers on written instructions from the data controller, unless the transfer is required under EU legislation or the legislation of a member state to which the data processor is subject.

Record keeping 

Both data controllers and data processors are responsible under the GDPR for keeping a record of their personal data processing activities. The contents of the record are expressly laid down by the GDPR, see Article 30.

Impact assessment and prior consultation 

Sometimes the persons processing the personal data, i.e. both the data processor and the data controller, will need to make an impact assessment regarding data protection. The GDPR lays down the cases where such requirements will occur, see Article 35 of the GDPR. So, for example, this may be relevant when evaluating or scoring persons such as in a credit assessment enterprise or an enterprise which profiles Internet users, if large volumes of personal data are being processed or if personal data from two or more processing activities are being combined in a way which the data subject would not have expected, e.g. when coordinating registers, or if personal data is processed in a way which prevents the data subjects from accessing a service or entering into an agreement. The aim is to limit the risk of such processing of personal data which entails a high risk. If it is nonetheless deemed that there is a high risk in the personal data processing, advice must be sought from the Swedish Data Protection Authority before starting processing, see Article 36 on prior consultation.

Reporting requirements in case of data infringements and other personal data breaches 

If anything occurs which presents a risk of personal data ending up in the wrong hands, you must report this to the Swedish Data Protection Authority. A personal data breach must in general be reported to the Swedish Data Protection Authority by the data controller no later than 72 hours after the incident has come to the controller's knowledge. A data processor who becomes aware of a personal data breach must inform the data controller without unnecessary delay.

Data Protection Officer 

Anyone who processes personal data and is covered by the GDPR, i.e. including data processors, must make their own assessment of whether they need a Data Protection Officer, see separate Articles 37-39 of the GDPR and related provisions. It may be the case that a data processor needs a Data Protection Officer even if the client does not need one. This could, for example, be the case where the data processor has many similar customers and processes large volumes of personal data from many different customers.

Codes of conduct and certification mechanisms 

Persons processing personal data will be able to sign a code of conduct to show that they are following the provisions of the GDPR. A code of conduct consists of guidelines for the processing of personal data according to the GDPR within a particular enterprise, sector or segment of society, and may be drawn up by a trade organisation, for instance. Codes of conduct must be approved and registered with the Swedish Data Protection Authority. Approval may not be granted before the GDPR comes into force on 25 May 2018. The GDPR also mentions that certifications, seals and data protection marks may be used for showing that the provisions of the GDPR are being followed.


Sanctions 

The GDPR contains provisions for administrative penalties, the aim of which is to ensure that the rules in the Regulation are followed. Penalties may amount to up to EUR 20 million in the case of an enterprise, or up to 4% of the total annual turnover in the previous budgetary year, whichever is the higher. In addition, every EU member state has the option of adopting other sanctions for breach of the GDPR.

Solid Insurance's work on the GDPR - in summary 

Solid Insurance is currently working on reviewing its business to ensure that it fulfils the requirements laid down in the GDPR. This work includes ensuring that Solid Insurance supplements the information about personal data processing given in, or in connection with, the agreement and terms and conditions for the company's services. Solid Insurance is reviewing its data processor agreements to ensure that they fulfil the requirements of the GDPR, and has appointed a Data Protection Officer to ensure that Solid Insurance follows the Regulation.

For more information, please see Chapter IV on the Data Controller and Data Processor in the GDPR and the Swedish Data Protection Authority's information about the GDPR.

If you have any questions, please feel free to contact us at gdpr@solidab.se.