Your obligations (if you run a company)

If you run a company, you have the same obligations as Loopia and every other company regarding how you handle personal data about your customers.

Below are some tips from us about what you need to keep in mind for your business to comply with the General Data Protection Regulation (GDPR).

Is everyone in your organization aware of the EU's new data protection regulation?

  • Make sure everyone in your organization is aware of what the GDPR means in general.
  • Make sure that decision makers and key people know that the GDPR replaces the Personal Data Act and what the differences are.
  • Investigate how your organization will be affected and identify the areas you need to work on.

What personal data do you process?

Investigate and document what personal data you collect and process today, with whom the data is shared, and why.

Are you relying on the "misuse rule" (missbruksregeln) today?

The Personal Data Act has allowed processing of unstructured personal data (such as body text on a website) as long as the processing does not violate the data subject's privacy. This exemption disappears when the GDPR takes effect. It is important to review where you have relied on it so far and make changes where needed.

What information do you provide when collecting personal data?

When you collect personal data, you must tell the data subject...

  • ...why you collect the data.
  • ...how long the data is kept.
  • ...what legal basis you have for collecting the data.

How will you meet your customers'/users' rights?

Under the GDPR your customers/users have rights that you must be able to fulfil.

The most important parts are that they have the right to...

  • ...get access to their personal data.
  • ...have incorrect personal data corrected.
  • ...have their personal data deleted.
  • ...object to the use of their personal data for direct marketing.
  • ...object to the use of their personal data for automated decision making and profiling.
  • ...move their personal data to another provider (data portability).

Do you process personal data without a legal basis?

Investigate the legal basis for processing personal data, and delete all data for which you have no legal basis.

The GDPR requires you to state the legal basis on which the personal data is collected. It also means that you may not use the personal data for anything other than the purpose and legal basis you stated, unless you obtain consent.

That is, even if a customer/user gives you an email address in order to become a customer or place an order, you may not send marketing to that address unless the customer has explicitly agreed to it.

How do you collect consent?

Investigate how you obtain consent, what information you provide when asking for it, and how you record that a customer/user has given consent.

There must be no doubt that your customer/user has actively agreed to the processing of their personal data. For example, silent consent or a pre-checked box on a website is not acceptable as consent.

Are you processing personal data about children?

The GDPR introduces stronger protection for children's personal data. For example, if you offer online services directly to children (under 16, or a lower age threshold if set by national law), you must obtain the guardian's consent to process the child's personal data.

What will you do in case of personal data incidents?

If you suffer a data breach or otherwise lose control of the personal data you process, you must document the incident and, unless it is unlikely to pose a risk to the data subjects, report it to the supervisory authority within 72 hours of becoming aware of it. Create routines for this and decide who is responsible for making such a notification.

Are there any specific privacy risks with your personal data processing?

If you process personal data in ways that could lead to serious privacy risks, such as storing sensitive personal data, profiling, or extensive camera surveillance of public places, the requirements are high. You must carry out a data protection impact assessment before that type of processing begins, and if the assessment shows that the risk remains high, you must consult the supervisory authority before starting.

How do you protect personal data in your IT environment?

Some basic principles of privacy protection are to...

  • ...not collect more information than needed.
  • ...not save the information longer than necessary.
  • ...not use the data for anything other than the purpose defined when it was collected.

By taking these principles into account when developing new IT systems or changing existing ones, it becomes easier for the organization to comply with the rules of the GDPR.

You are also obliged to protect personal data with appropriate technical and organizational measures, chosen according to how sensitive the data is and what it is used for. The GDPR names pseudonymisation and encryption, the ability to restore data after an incident, and regular testing of the measures as examples of what may be appropriate.

Who is responsible for data protection in your organization?

Determine who is responsible for data protection at your company.

For some types of organizations, a data protection officer is required. This applies, for example, to public authorities and to organizations whose core activities involve large-scale processing of sensitive personal data or large-scale, systematic monitoring of individuals.

Do you operate in several countries?

If your organization is active in several EU countries, you should find out which data protection authority is responsible for supervising your personal data processing.

The GDPR rules on this are complicated, but in simplified terms the lead supervisory authority is the one in the country where your organization has its main establishment, that is, its head office or the place where decisions about the personal data processing are taken.

Do you have a data processing agreement with those who process personal data on your behalf?

If you use a service or partner that processes your customers' personal data on your behalf, that partner is a data processor. This means that they must process the personal data only in accordance with the instructions and guidelines you provide as data controller.

In cases where Loopia acts as data processor, your rights and obligations are regulated by our terms appendix Data processing agreement. This is the case, for example, if you run a webshop at Loopia where your customers' orders are stored and processed on our servers, if you have email accounts with us, or if you store data in our database services.
