Within the Company, we work in a structured manner to ensure that personal data is processed correctly and lawfully. This policy describes our overarching procedures for the handling of personal data.
The Managing Director (CEO) has overall responsibility for driving and overseeing the matters addressed in this policy. All managers are responsible for ensuring compliance within their respective areas of the organization.
We shall act responsibly in our handling of personal data, whether it concerns employees, customers, suppliers, or other business partners. Questions relating to the processing of personal data arise in all parts of our operations, and we therefore encourage including the processing of personal data as a standing review item on all meeting agendas.
Personal data shall be processed in a lawful, fair, and transparent manner in relation to the data subject. We shall be transparent about which personal data we process and ensure that individuals whose data is registered with us are able to effectively exercise their rights.
Personal data shall only be collected for specific, explicit, and legitimate purposes, and we shall only collect data that is necessary for those purposes. We actively work to limit storage by deleting data in accordance with our data retention policy and, where appropriate, through automated deletion. We shall take reasonable measures to ensure that personal data is accurate.
In order to ensure and demonstrate compliance with legal requirements, all documentation relating to our data protection efforts shall be collected and maintained in a single location.
When procuring IT services, such as software or operational and support services, we shall first conduct a risk and vulnerability assessment and then select the solution or supplier based on the outcome of that assessment.
When engaging data processors, we shall only use processors that provide sufficient guarantees to implement appropriate technical and organizational measures, such that the processing meets the requirements of applicable legislation and safeguards the rights of data subjects. The assessment made, including documentation of the processor's security level and similar matters, shall be recorded. Furthermore, a data processing agreement shall be entered into before any processing begins.
Where possible, we avoid transferring personal data to third countries. Where such transfers are deemed appropriate or necessary, they shall only take place after adequate safeguards have been implemented and documented.
We shall continuously conduct risk assessments of the personal data processing activities we perform. Appropriate technical and organizational measures shall be implemented to achieve a level of security appropriate to the risk. Risk analyses and decisions regarding measures shall be documented.
Written access control instructions shall exist for all IT systems that contain personal data. The basic principle is that access rights shall be granted only to individuals who require access to personal data to perform their duties. The more sensitive the data, the more restrictive the access rights shall be.
All security incidents shall be documented in an incident management log, including details of the circumstances surrounding the personal data breach, its effects, and the corrective actions taken. A security incident refers to an event that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data that has been transmitted, stored, or otherwise processed (the GDPR definition of a personal data breach).
Where required by law, incidents shall also be reported to the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY, formerly Datainspektionen) and/or to the affected data subjects. Under the GDPR, notification to the supervisory authority shall be made without undue delay and, where feasible, no later than 72 hours after we become aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
We have adopted an IT policy and an IT security policy that more specifically regulate employees’ conduct in relation to the IT environment.
We shall maintain a record of personal data processing activities. Each system owner is responsible for ensuring that the record is kept up to date when changes occur.
If a processing activity, in particular one involving new technologies and taking into account its nature, scope, context, and purposes, is likely to result in a high risk to the rights and freedoms of natural persons, we shall, in accordance with the General Data Protection Regulation (GDPR), carry out an assessment of the impact of the envisaged processing operations on the protection of personal data prior to the processing. This assessment is referred to as a Data Protection Impact Assessment (DPIA).
Even where the threshold for a DPIA is not met, we shall, where appropriate, conduct a simplified risk assessment. This analysis shall form the basis for selecting appropriate technical and organizational security measures.
We shall proactively evaluate opportunities to implement technical measures, such as pseudonymization and data minimization, in order to effectively comply with the requirements of the GDPR and protect the rights of data subjects.
We shall also implement appropriate technical and organizational measures to ensure that, by default, only personal data that is necessary for each specific purpose of the processing is processed.
Our employees shall receive relevant information and training on the processing of personal data in accordance with a separate annual training plan. Where necessary, more in-depth or targeted training shall be provided to employees who handle sensitive data. Participation in training activities shall be documented.
We shall continuously evaluate whether our data protection efforts comply with applicable legal requirements and implement changes where necessary.
This Policy was adopted by the Board of Directors on 9 August 2021.