Processing personal data
The General Data Protection Regulation, known as GDPR, applies to all companies operating within the EU and exists to ensure safe handling of personal data. As an entrepreneur, you are responsible for the personal data of customers, employees and suppliers and for compliance with the law.
The GDPR fundamental principles
GDPR contains a long series of rules and requirements for how personal data may be handled in an organization. All of these rules and the rest of the regulation's legal text rest on a few basic principles, and you will get far by following these three points:
- Do not collect more personal data than is necessary and only for a specific, predetermined purpose.
- Inform about what data you save and do not save it longer than necessary.
- Protect the personal data you handle in the company.
Read more about these basic principles at the Swedish Authority for Privacy Protection (IMY).
What counts as personal data
Personal data is any information that can be directly or indirectly linked to a living person. Typical personal data are social security number, name and address. Photos of people are also classified as personal data.
In some cases, various types of electronic identities, such as IP addresses, are also considered personal data if they can be linked to a certain living person.
Read more about personal data at IMY
Grounds for collecting personal data
You must have a basis in the data protection regulation in order to handle personal data; this is called having a lawful ground. Companies can rely on these four:
1. Legal Obligation
In some cases, companies are obliged to register personal data, such as to fulfill the accounting obligation in the Accounting Act.
2. Agreement
Employment agreements, customer agreements and supplier agreements are examples of agreements where companies must register and handle personal data. However, the company may only register the information needed to fulfill the agreement.
3. Consent
Another lawful ground is consent, which means that you ask the person for permission to register data about them. If your company is to collect data, the person must first receive clear information about what data is being collected and what it will be used for, so that they can then give their approval.
4. Balancing of interests
It is also possible to handle personal data after a so-called balancing of interests if your company can demonstrate that it has a legitimate need to handle the data and that this need outweighs the individual's right to data protection.
Read more about the lawful grounds at IMY
It is important to know that personal data may only be collected for "specific, explicitly stated and legitimate purposes and not later processed in a way that is incompatible with these purposes". Thus, data collected for a certain purpose must not be used for completely different purposes.
For example, a company can equip its cars with GPS equipment that is used for electronic driving records to simplify reporting to the Tax Agency. But the employer may not use the data that the GPS collects to check how long the employees' breaks are.
Inform the people whose data you use
When you collect information about a person, you must inform the person in question. In the data protection regulation there is a long list of what information must be given, but in short you must say that you are collecting personal data, what data it is and why you are doing it.
If you are going to pass on the information to others, you must tell the person so. Remember that the information must be clear, comprehensible and preferably in writing.
Read about the data subject’s rights at IMY
Protect data against theft and unauthorized access
An important principle in the regulation is that the personal data you hold in the company must be protected so that it is not stolen, accidentally deleted or accessed by someone unauthorized. On several occasions, hackers have obtained large amounts of personal data, often including credit card information.
Regardless of size, companies that lose control over information about their customers can expect costs in badwill, not least from the people who submitted their information to the company in the belief that it would be handled in a responsible and lawful manner.
Risk of fines
IMY can decide that a company that does not comply with the rules of the regulation must pay an administrative penalty fee, which is a form of fine. The penalty fee can be up to 20 million euros or four percent of the global annual turnover. The size of the amount depends, among other things, on how serious the violation is, how much damage has occurred, whether sensitive personal data is involved and whether the violation is intentional. The highest amounts are, however, intended for the most serious violations and for the largest organizations.
Competitive advantage to follow the rules
In several industries there are codes of conduct and certifications for companies that want to be able to demonstrate that they conduct their business in an ethical, social or environmental manner. You can also connect your company to a code of conduct relating to personal data management. Then customers and suppliers can feel secure about how you handle their data, something that can become a competitive advantage.
In the same way that poorly protected personal data can give your company costs in badwill, you can count on goodwill if you can demonstrate in a good and clear way that you follow the rules of the data protection regulation.
More about codes of conduct and certification at IMY
The same rules throughout the EU
One of the intentions of the data protection regulation is to ensure that the same rules for how personal data may be handled apply throughout the EU. This makes it easier for companies to expand and operate in several EU countries.
A Swedish company that complies with the data protection regulation therefore does not need to worry that the rules for how information about, for example, customers may be handled are different in another EU country. In that way the company is prepared for future expansion.