Proclamation

All employees in the company are familiar with the company’s rules for handling and storing personal data. Violation of the rules can have devastating consequences for the company, which is why it is considered a significant breach of the terms of employment if these are not followed, which in serious cases can lead to dismissal from the company. All employees of the company declare that they have read, understood and intend to comply with the rules.

In general

The company does not process personal sensitive information in its normal day-to-day operations. An official DPO has not been appointed who must comply with the rules for this function, but the practical tasks and responsibility for all procedures rest with the appointed DPO.

It is not permitted for any employee in the company to store any kind of controversial or personally sensitive information on employees, former employees, customers, suppliers and contact persons. This includes, but is not limited to, religious affiliations, sexual preferences, political views, memberships of associations or organizations, on any media, private or owned by the company, as long as an employee is within the company’s area of responsibility.

Only employees of the company and data processors have access to the company’s personal data. Personal data must not be copied and removed from the company or its systems, stored on own media, shared with outsiders without written acceptance from the DPO.

It is the duty of every employee to make the DPO aware of the presence of data that no longer has any practical meaning or value and which should therefore no longer be stored in the company.

All personal data that is not on the systems described must be deleted, shredded, destroyed or otherwise made inaccessible immediately after it has been stored correctly. It must not be taken into account that stakeholders with criminal intent or experts with sufficient resources can recreate this information.

The company must under no circumstances exchange personal data with persons, companies or organizations that do not have a clearly documented need for the information and in cases where access is granted, all business partners must have documented that they comply with the Personal Data Act through an updated and valid data processing agreement.

Deviations in the collection and storage of personal data

It requires special permission from the company’s DPO to store personal data that goes beyond; Name, address of the company where the contact person is employed, e-mail address, direct telephone number, mobile phone number, technical areas of interest relevant to the company, as well as commercial interests.

In the event of a breach of security in the company, whether it is the company itself or one of the naming data processors, it is the company’s responsibility to help secure all personal data. The company must, within 24 hours of starting, collect information that uncovers what and extent of which data is affected by the incident and extent. The company begins to inform the affected persons within 72 hours. The company will then do what can be considered reasonable and timely to correct the cause of the security breach and ensure direct and factual communication with the affected persons. The DPO will be the coordinator and responsible for ensuring that this part of the process proceeds in a timely manner.