If you run a company you have the same obligations as Loopia and all other companies regarding how you handle personal data about your customers.
Below are some tips from us about what you need to keep in mind for your business to comply with the General Data Protection Regulation (GDPR).
Investigate and compile what personal data you collect and process today, as well as with whom the information is shared and why.
The Personal Data Act has allowed processing of unstructured personal data (such as body text on a website) as long as the processing does not constitute an infringement of the data subject's integrity. This exception will disappear when GDPR is implemented. It is important to review how you have addressed this earlier and implement changes if needed.
What information do you provide when collecting personal data?
Your customers/users have rights that you must be able to comply with according to the GDPR.
The most important parts are that they have the right to...
Investigate the legal basis for processing personal data, and delete all data for which you have no legal basis.
With the GDPR there is a requirement that you inform people on which legal basis their personal data is collected. It also means that you may not use the personal data for anything other than the legal basis you stated without obtaining consent.
That is, even if a customer/user gives you an email address to become a customer or make an order, you will not be able to send marketing to that customer via email unless they explicitly approve this.
Investigate how you obtain consent, what information you provide and how you save the information that consent has been given by the customer/user.
There cannot be any doubt that your customer/user has actively approved the processing of personal data. For example, it is not acceptable to rely on silent consent or a pre-checked box on a website to collect consent.
The GDPR introduces stronger protection for children's personal data. For example, if you offer Internet services to children, you must get the guardian's consent to process the child's personal data.
If you are subject to a data breach or in any other way lose control of the personal data you process, you must document the incident and report it to the regulatory authority within 72 hours. Create routines and determine who is responsible for making such a notification.
If you process personal data that could lead to serious privacy risks, such as storing sensitive personal data, profiling or comprehensive camera surveillance in public places, the requirements are high. You must consult the regulatory authority before that type of personal data processing can begin.
Some basic principles of privacy protection are to...
By taking these principles into account when developing new or changing existing IT systems, it becomes easier for the organization to comply with the rules of the GDPR.
You are also obligated to protect personal data with appropriate technical and organizational measures based on how sensitive your data is and what it is used for.
Determine who is responsible for data protection at your company.
For some types of organizations, a data protection officer is required. This applies for example to organizations that have extensive processing of sensitive personal data.
If your organization is active in several different EU countries, you should find out which data protection authority is responsible for the supervision of the personal data processing in each country.
The GDPR rules about this are complicated but, in simplified terms, the responsible data protection authority is determined based on where your organization has its head office or where decisions on personal data processing are taken.
If you use a service or partner that processes your customers' personal data on your behalf, that partner is a data processor. This means that they will process the personal data in accordance with the instructions and guidelines provided by you as data controller.
In cases where Loopia acts as data processor, your rights and obligations will be regulated by our terms appendix Data processing agreement. This applies, for example, if you run a webshop at Loopia where your customers' orders are stored and processed on our servers, to the email accounts you have with us, and to the data you store in our database services.
Copyright Loopia AB 1999 - 2024