PRIVACY POLICY - STRATMINDS

1. Background and purpose

Stratminds protects the privacy of its customers, partners and employees and is always careful to follow current privacy regulations. Everyone has the right to protection of the personal data that concern him or her.

In light of the above, Stratminds has adopted this Privacy Policy.

On 25 May 2018 the General Data Protection Regulation (GDPR) went into effect. It strengthened the protection of people whose personal data are processed and prescribes more and stricter rules and requirements for organizations that process personal data.

If a processing of personal data violates the provisions of GDPR, there is a risk of breach of data secrecy and privacy for the data subject, and also a risk of reputational damage for Stratminds. Furthermore, Stratminds can be obliged to pay damages or be fined up to 20 million euros or 4 % of its total annual worldwide turnover, whichever is greater. To avoid such consequences, all co-workers are obliged to follow these guidelines. All Stratminds co-workers are familiar with this Policy and have bound themselves to strictly follow it.

2. Scope and extent of application

This Policy applies to Stratminds' partners, employees and consultants, in all markets and at all times.

The board of directors of Stratminds and the Stratminds Managing Partner (MP) have a strict obligation to ensure that this Policy is complied with, which inter alia includes training for all employees. The information given to employees shall also state that a violation of this Policy can lead to, for example, consequences with respect to their employment.

3. Fundamental principles

The fundamental principles described below shall always be complied with when personal data are processed. Stratminds is responsible for, and shall be able to demonstrate, compliance with the following principles:

Lawfulness, fairness and transparency – Personal data shall be processed lawfully, fairly and transparently in relation to the data subject. This means that every type of processing shall be based on a valid so-called legal basis, for example performance of a contract, compliance with a legal obligation, performance of a task carried out in the public interest, legitimate interest or consent (see section 5 below). If no applicable legal basis can be identified for the processing, the processing is not permitted to be carried out. The basis of this principle is clear communication with the data subject about inter alia the purposes for which personal data are processed, what type of processing is carried out, if and how personal data are shared with others, how long the personal data are stored and how Stratminds can be contacted. The data subjects shall be given clear and transparent information about the processing of their personal data.

Purpose limitation – Personal data may only be collected and in other ways processed for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. 

Data minimization – Personal data that are processed shall be adequate, relevant and limited to what is necessary in relation to the purposes. Make sure that the data that are collected really are needed and do not ask for information just because it might be good to have.

Accuracy – Personal data that are processed shall be accurate and, where necessary, kept up to date. Take appropriate actions to ensure that inaccurate or incomplete data are rectified, for example a routine for updating the address when someone has moved, together with an inventory of the systems and records where the address is stored. Avoid, however, storing copies of data in several systems, since this creates sources of error and risks that inaccurate information is retained.

Storage limitation – Personal data shall not be stored for a longer period than what is necessary for the purposes of the processing. When the data are no longer needed the data either need to be erased or made anonymous.

The principle of accountability means that Stratminds has to be able to demonstrate compliance with GDPR. Consequently, Stratminds has, for example, to document implemented and planned processes and measures that concern data privacy. Furthermore, a record shall be maintained of all types of processing of personal data that are carried out, and Stratminds has to be able to present such a record to the supervisory authority on request.

4. Personal data

Personal data means any information relating to an identified or identifiable natural person, i.e. information that directly or indirectly can identify a person. Examples of personal data are names, contact data, location data or factors that are specific to a person's physical, economic, cultural or social identity. Data that alone do not fulfil the criteria can together still constitute personal data.

All processing of personal data is subject to GDPR and its regulations. Processing means an operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. Personal data in e-mail, in documents on servers, in a simple list, on webpages and in other unstructured material are also included.

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation (so-called special categories of personal data), is prohibited by law as a general rule. For such processing to be permitted, a valid exception from the prohibition is required. The most common exceptions are that the data subject has given consent or has manifestly made the data public, that the processing is necessary for carrying out obligations and exercising rights in the field of employment, for establishing, exercising or defending legal claims, or for health and health care purposes.

Processing of personal identity numbers is only permitted if it is clearly justified in relation to the purpose of the processing, the importance of a secure identification or another notable reason.

Processing of personal data relating to violations of the law (criminal convictions and offences or related security measures, but likely not data relating to suspicion of crime) is only permitted in certain specific cases. Stratminds is permitted to process such personal data if (i) the processing is necessary to ensure that there is no conflict of interest.

5. Legal basis for processing of personal data

Processing of personal data is only lawful if and to the extent that at least one of the following bases is applicable.

– The data subject has given consent to the processing of his or her personal data for one or more specific purposes. There are specific requirements that need to be fulfilled for a consent to be binding.

– The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

– The processing is necessary for compliance with a legal obligation to which Stratminds is subject. Examples are statements of earnings for employees or consultants and mandatory reports to the Tax Authority.

– The processing is necessary in order to protect the vital interests of the data subject or of another natural person (e.g. when there is danger to life).

– The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

– The processing is necessary for the purposes of the legitimate interests pursued by Stratminds or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (legitimate interests). When weighing the conflicting interests, there are further specific requirements concerning documentation of the assessment that has been made.

6. Protection measures, access control, erasure 

Personal data shall be processed in a manner that ensures appropriate protection for the personal data through implementation of technical and organizational measures. Organizational protection measures can include access restrictions for the systems that contain personal data, logging of access to personal data, and storing computers and similar devices that contain personal data so that unauthorized access is made more difficult and they are not left unattended. Examples of technical measures that have to be reviewed are whether Stratminds has sufficient back-up routines, sufficient firewalls, password-protected wireless networks, updated anti-virus software, password protection for mobile devices such as mobile phones and tablets, protection against unauthorized internal access, password requirements, encryption where required, logging of access to and use of IT systems, etc.

Personal data are not permitted to be stored longer than what is necessary in relation to the purpose of the processing. Implementing and complying with an erasure routine for every database and processing activity ensures that erasure is carried out in a structured way. Personal data in so-called unstructured material, such as documents on servers, in a simple list, on webpages etc., also need to be erased when the purpose of the processing is fulfilled.

7. Transfer to third countries

Any transfer of personal data to countries outside the EU and the EEA (so-called third country transfer) is subject to specific regulations. As a result of GDPR, all EU member states and the EEA countries have an equivalent level of protection of personal data and personal privacy, and consequently personal data can be transferred within that territory without restrictions. However, there are no general rules for countries outside that territory that would provide equivalent guarantees, and consequently third country transfers are only permitted under certain conditions. This applies to every form of transfer of information across borders, e.g. many online IT services, cloud-based services, services for external access, global databases etc., and each needs to be analyzed separately.

8. Data protection impact assessment

Stratminds has a routine in place for identifying and handling privacy risks within the business and for structured monitoring. Risks to the rights and freedoms of natural persons can exist, for example, in connection with certain types of processing of personal data, especially sensitive personal data, when the scope of the processing is exceptionally extensive, when new technology is used, or similar.

If a new or changed type of processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons, the routine shall be followed and an assessment of the impact of the envisaged processing operations on the protection of personal data shall be carried out prior to the processing.

Prior to commencing such processing of personal data, the office manager shall be contacted to review whether an impact assessment is required. If it is, the impact assessment will be carried out together with the person responsible, through a questionnaire, working meetings and a risk assessment.

9. Copy and disclosure

GDPR provides data subjects with several rights regarding the processing of personal data. It is Stratminds' duty to fulfil these rights and ensure that there are sufficient procedures in place to accommodate the data subjects.

– The data subject has the right to information when the personal data are collected. This information shall be provided in an accessible written form and in clear and plain language. GDPR prescribes a number of clear requirements that need to be fulfilled, and the requirements vary depending on whether the information is collected from the data subject or from a third party.

– The data subject has the right to obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, to get a copy of the personal data undergoing processing (extract from the register). This right exists irrespective of the place where the personal data are being processed.

– Where personal data that are processed are incorrect or incomplete, the data subject has the right to obtain rectification. If the data subject shows that the processing of the personal data is no longer permitted, necessary or reasonable under the circumstances, the personal data in question shall be erased, unless other legal provisions state otherwise.

– The data subject has the right to transfer personal data which he or she has provided to Stratminds to another controller (right to data portability) if the processing is based on contract or consent as legal basis. The personal data shall be provided to the data subject in a structured, commonly used and machine-readable format. Where technically feasible, the data subject has the right to have the personal data transmitted directly to another controller. The right only applies to the personal data that the data subject has provided to Stratminds.

– The data subject has in certain cases the right to obtain from Stratminds restriction of processing of his or her personal data, i.e. restriction of the processing to certain, defined purposes. The right to restriction of processing applies inter alia when the data subject has contested the accuracy of the personal data and has requested that the personal data be rectified. The data subject can then request that the processing of the personal data be restricted during the period in which the accuracy of the personal data is verified. Before the restriction is lifted, the data subject shall be informed.

– The data subject has the right to object to processing of personal data that is based on legitimate interest as legal basis. Where the data subject objects, the firm shall no longer process the personal data unless the firm can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or if the processing is being carried out for the establishment, exercise or defense of legal claims.

– In certain cases, the data subject has the right to obtain the erasure of personal data concerning him or her ("the right to be forgotten"). One example is when consent is the legal basis for the processing and the data subject withdraws his or her consent.

– Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

10. Personal data breaches

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Examples of personal data breaches are theft of customer records, accidental disclosure of salary information via e-mail to the wrong recipient, an employee who brings an unencrypted work computer home that is subsequently stolen in a burglary, leading to disclosure of employees' or customers' personal data, personal data that are published online by mistake, a laptop containing personal data that is lost or stolen, etc.

Personal data breaches need to be notified to the supervisory authority not later than 72 hours after Stratminds has become aware of the breach, if it is likely that the personal data breach will result in a risk to the rights and freedoms of natural persons. All personal data breaches shall be documented, and the data subject might need to be informed.

11. Miscellaneous

For definitions of terms used in this Policy, reference is made to GDPR. 

This Policy shall be updated annually or when required based on instructions from the board of directors of Stratminds.

12. Questions

If there are any questions regarding the processing of personal data, please contact ludvig.arbin@stratminds.se

Policy adopted by Stratminds on 1 December 2021. 

©STRATMINDS 2022