VALID FROM 2018
This policy shall be reviewed by the Board of Directors on a yearly basis.
Minor changes such as wording or amendments that do not have an impact on the scope of this Policy may be finalized by the DPO of Nordkap AB. Finalizing such chan ges results in a new version y.x to y.(x+1) (i.e. 1.0 to 1.1).
Changes to this Policy that have an impact on the scope shall be finalized by the Board of Directors.
Finalizing such changes result in a new version y.x to (y+1).x (i.e. 1.0 to 2.0).
Record the policy updates including the mandatory annual reviews here. Record the author, the reviewer and the approver name, signature and date. Also record a brief summary of the updates or changes to the policy. For mandatory annual reviews that did not result i n any updates, record “No updates” in summary of changes column.
In the same way as for society as a whole, Nordkap AB ( Nordkap) our customers, employees and suppliers are affected by digitization and globalization which has led to a significant increase in the use and spreading of personal data. Digitization means increased opportunities, but also a greater need for protection of the data subjects' personal data and integrity. This policy describes the overall principles that apply to personal data processing within Nordkap.
The Nordkap Policy is approved by the Nordkap Board of Directors.
The purpose of this policy is to define the Nordkap responsibility, and appoint roles and responsibilities, in order to comply with the General Data Protection Regulation (GDPR).
The objective is that Nordkaps processing of personal data is done on lawful grounds and in accordance with the principles of the GDPR to ensure our customers, employees and suppliers we handle their personal data in a safe and transparent way.
In this policy the following definitions are used:
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by union or member state law, the controller or the specific criteria for its nomination may be provided for by union or member state law;
The natural living person to whom personal data relates to. A Data Subject is in this policy defined as any natural person that Nordkap has any kind of relation with, e.g. private customer, employee, consultant and other.
A natural or legal person, public authority, institution or other body handling personal data on behalf of the personal data controller.
Data Protection Laws:
a) in EU countries, the Directive (95/46/EC) as superseded by the General Data Protection Regulation (Regulation (EU) 2016/679);
b) in non - EU countries, any similar or equivalent laws, regulations or rules relating to Personal Data;
c) any enforceable guidance and codes of practice issued by any local regulatory authority responsible for administering Data Protection Laws; and/or
d) any amendments, re - enactments or changes to the items described in (a) to (c) above, from time to time
The member states of the European Union, Iceland, Liechtenstein, Norway and Switzerland.
EEA Personal Data:
Personal data of a Data Subject in the EEA.
Any kind of information relating to an identified or identifiable natural person (also referred to as a "Data Subject"), an identifiable physical person being a person identified directly or indirectly with reference to an identifier such as a name, identification number, location or online identifier or several factors specific to the physical, physiological, genetic, economic, cultural or social identity of the physical person.
An action or combination of personal data or sets of personal data, whether performed automated or not, such as collection, registration, organization, structuring, storage, processing or modification, production, reading, use, transfer by transmission, dissemination or provision otherwise, adjustment or assembly, restriction, erasure or destruction.
The scope of this policy is limited to Personal Data processing as required by the General Data Protection Regulation (GDPR). This covers Nordkap AB, external consultants performing tasks on behalf of Nordkap and Data processors performing data processing on behalf of Nordkap.
In addition to the general guidelines set out in this policy, detailed requirements in local data protection laws must, as applicable, be followed by employees when processing personal data.
In the case Nordkap is Data Processor for an external organisation the data processing should be done in accordance with this policy, unless otherwise stated in a Data Processing Agreement between Nordkap and a Data controller.
1.5. Target groups
The Data Protection Policy applies to all staff, who performs tasks on behalf of Nordkap regarding processing of personal data. It is also intended to be the basis for information to data subjects regarding personal data processing. It also applies to data processors who perform personal data processing on behalf of Nordkap.
2. Roles and Responsibilities
The CEO shall ensure that Nordkap is appropriately organized with delegated responsibilities and sufficient resources for the processing of personal data within Nordkap.
The Chief Information Security Officer (CISO), or equivalent, has the responsibility to identify information security risks, propose appropriate information security controls and follow up compliance towards, and efficiency of, the information security controls.
2.3. Data Controller
The Controller is always responsible for the processing of personal data. The Controller is always the legal person who controls and decides the handling of personal data. Nordkap may be a Data Controller of either employee, private customers or supplier data.
2.4. Data Protection Officer (DPO)
For many organizations the DPO is a mandatory role. The main task of the DPO is to ensure provision of the GDPR in his/her organization . The DPO is also required to keep a register of all of the processing operations involving personal data carried out by the organization.
2.5. Data Processor
External suppliers of IT operations, cloud services and similar where personal data is processed on behalf of Nordkap are called Data Processors. A data processor shall perform the data processing as specified in a data processing agreement.
All employees are personally responsible for the legal and correct processing of personal data in their daily work. By following Nordkap governing documents relating to personal data processing, the employees contribute to compliant personal data processing.
3. Data Protection Requirements
3.1. Personal Data Inventory
A personal data inventory covering the whole Nordkap shall be compiled and maintained as a prerequisite to govern personal data processing in a lawful way. Nordkap is responsible for documenting all processing.
3.2. Legal ground for Processing
Personal data may only be processed if certain conditions are met, for example
a) if the individual to whom the personal data pertains has given his or her consent to the processing
b) the processing is necessary for the performance of a contract to which the individual is a party
c) the processing is necessary for compliance with a legal obligation of Nordkap ; or
d) Nordkap ’s legitimate interest to process personal data outweighs the individual’s interest of not having his or her personal data processed.
3.3. Data Processing Principles
· Lawful processing – When processing Personal Data within Nordkap we shall make sure that the processing is lawful and that we are transparent towards the Data Subjects.
· Data minimisation - Within Nordkap we shall never collect and handle more Personal Data than is required to perform the purpose for which the data was collected. That means that we must ask ourselves at each collection of Personal Data, if it is required. If the purpose for the data processing has expired, we must delete the Personal Data that is no longer needed.
· Purpose limitation – When collecting Personal Data, we must have a clear and legitimate purpose with the collection and further processing. If the purpose ends, we must delete the Personal Data processed under that purpose. If we want to process Personal Data for a new purpose, it must not be incompatible with the original purpose, for instance outside of what the Data Subject concerned would reasonably expect. We must also make sure to inform the Data Subject about this, and under which legal ground we are processing the Personal Data.
· Accuracy – Personal data must be accurate and up to date. Personal data that is inaccurate or incomplete should be erased or corrected.
· Storage limitation – Personal data should only be stored for as long as is necessary for the purposes for which it is processed, or as required by applicable law. When the retention period has expired, it should be erased in a permanent and secure way. If we want to keep Personal Data for a longer period than required for the purpose which it was collected, we must see to it that the data no longer can be connected to a Data Subject, directly or indirectly (anonymization). For Personal Data received from a Data Subject that we have a customer like relation with, we keep the Personal Data for a time period constituting best practise determined by the national Data protection authorities in each country.
3.4. Data Subjects rights
Nordkap shall respond to Data Subject’s requests in the manner required by applicable law or otherwise deemed reasonably practical and appropriate in consultation with the DPO.
· Transparency and information - Individuals whose personal data is being processed should be provided with notice thereof. Such notice should be concise, easily accessible, be written in clear and plain language, and must contain certain specific information.
· Access rights - An individual may request to receive information regarding Nordkap ’s processing of personal data.
· Rights to rectification and erasure – An individual may request to have personal data corrected or erased.
· Right to object – An individual may request the (automatic) processing of personal data to be restricted.
· An individual has the right to complain against Nordkap’s processing of his/her personal data.
· An individual has the right to compensation for damage.
3.5. Data Controllers and Data Processors Obligations
Where processing is to be carried by a processor on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Data Protection Laws and ensure the protection of the rights of the data subject.
There shall be a legal binding agreement between the Data controller and the Data Processor, which fulfils the requirements in the Data Protection Laws, and in which the distribution of responsibilities between the parties is specified regarding the personal data processing:
· Personal data inventory - As stated in chapter 3.1 of this policy.
· Data protection by design and by default - Each new service or business process introduced by Nordkap that involves the processing of personal data should be designed to take the protection of such data into consideration, for example by ensuring that necessary security measures are built into its design (“privacy by design”). Each such new service or business process should also be designed to ensure that, by default, only personal data which is necessary for the specific purpose of the processing is processed (“privacy by default”).
· Data protection impact assessment - Where a type of processing, in particular one using new technologies such as new IT systems or cloud services, is likely to result in a high risk to the privacy of an individual, Nordkap should, prior to the processing, carry out an assessment of the impacts the contemplated processing activities may have on the protection of personal data. The data protection impact assessment should be done in consultation with the DPO.
· Data breach notification - Employees who suspect that this policy or relevant data protection laws have been violated should contact the DPO immediately in order for Nordkap to be able to comply with statutory notification requirements.
· Provision of all Data Subjects rights – As stated in chapter 3.2 of this policy.
· Security measures- An employee who has access to personal data must only process the data in accordance with the purpose of the processing, and may not share, distribute, or otherwise disclose the personal data to a third party unless instructed to do so by Nordkap. Appropriate technical and organisational measures should be implemented to protect personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access, and any other unlawful forms of processing. Such measures should be appropriate to the risks represented by the processing, and the nature of the personal data.
· Cross border data transfers - Transfers of personal data to entities outside the EEA, is only allowed when the importing entity has provided sufficient assurances that the personal data will be adequately protected. This may be accomplished by using one of the EU Commission’s standarddata transfer agreements. Consult the DPO for further information.
· Training and awareness- Nordkap provides adequate training for all employees consistent with Nordkap’srisk profile and appropriate to employee responsibilities.
4. Internal Audit
Nordkap will conduct objective, comprehensive audits of this Policy, including data protection, on a periodic basis.
The CEO of Nordkap is responsible for the overall oversight and implementation of this Policy . The DPO is responsible for Nordkap ’s day - to - day compliance with this policy and Data Protection Laws.