
Data Protection Service

(DP Service)

General Data Protection Regulation

GDPR

Kristian Boe Helweg Hansen Torben Nordquist


KBHH@DPService.dk TN@DPService.dk
Copyright © 2018 Data Protection Service / www.DPService.DK
GDPR

Regulation (EU) 2016/679 (General Data Protection Regulation)

Danish Privacy Act May 2018


New words - new concepts and new ways of working

Chaos - or?
Compliant

Appropriate technical and organisational measures
About DP Service
Objective: We help small and medium-sized enterprises to be compliant
with the EU Personal Data Regulation

The starting point is: you can do it yourself! We give you an action plan
that gives you an overview and shows you how to do it.
1. Through consulting, auditing and workshops, we help companies and
organisations
2. And then we help those with limited time to reach compliance
3. Map - DP Service translates GDPR rules into practice


DP Service and GDPR

Action plans: 39
Implementation projects: 98
Companies in GDPR progress: 1165
After-work meetings: 10
Workshops: 28


Some of our customers



Today's program: How do we get through GDPR?
• The general
  • Concepts and definitions
• Customer input
  • Where do your customers come from?
• IT / Data processing
  • IT systems: who has access to your data?
• Data processing
  • Customers / Staff / Marketing
• Management
  • Focus on GDPR / Follow-up
• HR, knowledge and education
  • Employees, CVs / Images / Consent documents
• Risk assessment
  • What measures have you taken?
• The fun
  • Marketing / Social Media / Image / Video


Privacy

Any kind of information that can be related to specific people


Personal information: Categories

Sensitive personal information:
• Race, ethnic origin, political opinions, religious or philosophical beliefs,
trade union membership, genetic data, biometric data for the purpose of
uniquely identifying a person, health, sex life or sexual orientation.
• Criminal convictions and offences

Confidential personal information:
• Social security numbers
• Criminal offenses
• Other personal data of a private nature that should be able to be exempted
from disclosure, including, for example, income and wealth, employment,
training and employment conditions, internal family relationships (suicide
attempts, accidents), important social problems and other purely private
matters

Ordinary personal information:
• Economy, tax, debt, sick days, service conditions, family relationships,
housing, car, exam, application, CV, date of employment, position, work area,
work phone, name, address, date of birth

Crime and CPR number - the national part


Definitions
• The data subject
• Data controller
• Data processor
• Data processing for a data processor


Geographical scope
• EU/EEA
• Privacy Shield (USA) (approved by the EU)

Note - access by people must also be approved!


Basic principles and information obligation
It is the CVR number that must comply with the Personal Data Regulation


Basic principles
• Legality, reasonableness and transparency:
  • Data must be processed legally, reasonably, and in a transparent manner
• Purpose limitation:
  • Data is collected for explicitly stated and legitimate purposes
  • Later processing must not be incompatible with the collection purposes
• Data minimization:
  • Need to know – not nice to know
• Correctness:
  • Updated - reasonable steps
• Storage limitation:
  • Not for longer than necessary for the purpose
• Integrity and confidentiality:
  • Security - unauthorized access, destruction etc.
  • Appropriate technical and organisational measures
• Accountability:
  • Your company must be able to demonstrate compliance with the rules!


Information to be provided
1. Who are you? - CVR no. on website / e-mail etc.
2. Customers have insight into what information you hold about them
3. Customers have the right to have incorrect information corrected
(subject to other legislation, e.g. in the healthcare sector)
4. Customers have the right to have their data transferred to a readable medium
5. Customers have the right to have their data deleted (you must still comply
with other legislation, e.g. the Accounting Act)
6. Customers must be able to complain to (you?) and the Danish Data Protection
Agency
7. Finally, you must inform about the use of cookies (another regulation that
has been in force for several years)


How do you meet your customers?



Customer entrance

Customer entrance: Websites / Phones / SMS / Mails / Personal inquiry ...

=> Information to be provided
=> Customer rights


Summe summe
Make a diagram or list of how you meet your customers (my business in the centre)


How will you inform your customers about their rights?
1. Privacy Policy (Website?)
2. Welcome letter / mail?
3. Brochure?
4. Other things?

We look at the privacy policy

Data processing



Data Processing: Ordinary personal data
Most used:
• Consent
• Fulfillment of contract
• Observe legal obligation
• Protecting a person's vital interests
• Legitimate interest

Data without a legal data processing basis must be deleted!

Collection of information from Facebook about people?
Joint data responsibility


Processing of special categories of personal data
It's basically forbidden!

Exceptions:
• Express consent
• Work, health, social obligations
• Establish or defend legal claims
• If the information has been published by the data subject
• Etc.

Data without a legal data processing basis must be deleted!


Summe summe
Let's hear some suggestions on what your processing basis is

Does anyone use legitimate interest?

Have you made a balancing-of-interests test?

Examples of consent statements: Look in the folder


Data Processing Agreements



Data Processing Agreements
• Who has access to your data?
• Which IT systems are in use?
• People who have access to IT systems
• Others who have access to, for example, physical papers

• Websites where you collect data => Data processing agreement
• Use of external business systems => Data processing agreement
• Mail => Data processing agreement
• Transfer to external parties without a legal data processing basis =>
Data processing agreement (otherwise consent - balance of interests - contract etc.)
• Phone / SMS / Bank => No agreements
• Cleaning? => Confidentiality agreements


Summe summe: IT systems/Customers
Make a drawing or list of your IT systems and others who have access
to your personal information (the customer in the centre)


Data Processing Agreements

Let's look at what a data processing agreement contains

What do I do if I am unsure whether I need a data processing agreement?

What do I do if someone says I should not have a data processing agreement?


HR - processing, storage and data processing agreements


HR & Employees
• Documentation of the process from recruitment to retirement
• Handling of:
  • Applications
    • Sent around by e-mail - or should they be placed in folders where few have access?
    • Storage max. 6 months for those you do not hire
  • Employment contracts
    • Store under the Accounting Act?
  • Sickness absence (generally you should not save the cause of illness)
  • MUS (employee development interviews), courses
    • Store up to 1 year after departure from the company
  • Redundancies / Terminations


HR & Employees
• Employment contracts / paper for all employees

• Internship

• Staff manual - handling of personal data

• Access to an employee's mail?

• Social media (SoMe) policy

• Pictures of employees on the website - consent (voluntary)


Summe summe: HR
Make a drawing or list of your IT systems and others who have access
to your personal information (the employee in the centre)


Data processing:

Description for the Danish Data Protection Agency


Data processing

• Customers
• Employees
• Video surveillance
• Marketing
• Etc.



Summe summe
We look at the provided templates on data processing

• Handling clients/customers
• Handling employees



Management - education



Summe summe
• Management: Focus on GDPR / Follow-up / Self-control ...
• Employees: Knowledge sharing; Education in the "New Normal" - how we treat
personal data in the future

Let's hear some suggestions on how you will get it implemented in your company!


Risk assessment



Risk assessment; probability / damage
• Change password / common password
• Common codes on the door
• Physical storage and disposal of paper
• Encryption Yes / No
• IT consultant with external access
• Back-up / storage
• Storage of and access to equipment
• Network management
• Software upgrade
• Contract

Appropriate technical and organisational measures: continuous assessment

Summary
• Customers - information
  • Privacy policy / welcome letter etc.
• Customers - processing basis
  • Consent statements
  • Data processing contracts
• Data processing contracts
• Risk assessment
• Confidentiality declarations in some cases
• HR paper for all employees
  • Consent statements
• Management: Determine policy and how your employees are trained

To the Danish Data Protection Agency:
• Dataflow (drawing) is always good
• Data processing - use template

Use the checklist for the ongoing follow-up!

PersondataSmiley

Showing that you have prepared GDPR documentation

First mover?

www.persondatasmiley.dk tn@persondatasmiley.dk


Useful websites
• https://www.datatilsynet.dk/forside/

• https://www.privacyshield.gov/participant_search

• https://privacykompasset.erhvervsstyrelsen.dk/vaerktoejer

• http://www.privacy-regulation.eu/da/information.htm



Too hard, confused or just don't
have time?
Call a friend

DP Service
+45 70 23 01 01
Info@DPService.DK

