Data protection policy
Operational since: 2021-11-16
Scheduled for review: 2022-02-02
Corporation: 46elks AB, registered in Sweden with company no 556838-8184.
This Data Protection Policy further specifies how 46elks should collect and process data to meet our data protection standards and comply with the law.
This policy exists to ensure that 46elks:
- Complies with data protection law and follows good practice
- Protects the rights of staff, customers, partners and individuals
- Is open about how we store and process individuals' data
- Protects itself from the risks of a data breach
Data Protection Law
The following rules apply regardless of whether data is stored electronically or using other methods.
EU regulation stipulates that personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
This policy follows these eight important data processing principles. Personal data must be:
- Processed fairly and lawfully
- Obtained only for specific, lawful purposes
- Adequate, relevant and not excessive
- Kept accurate and up to date
- Held for only as long as needed
- Processed in accordance with the rights of data subjects
- Protected in appropriate ways
- Kept inside the European Union unless specifically requested
This policy applies to all of 46elks' activities, including work done by contractors and other people working on our behalf.
It applies to all data that the company holds related to identifiable individuals.
This can include names of individuals, postal and email addresses, telephone numbers and IP addresses, plus any other information relating to individuals.
This policy is constructed to protect 46elks from:
- Breaches of confidentiality.
- Failing to offer individuals choice.
- Reputational damage.
Everyone working for 46elks is responsible for ensuring personal data is collected and processed according to this policy. However, certain people have key areas of responsibility.
The CTO is responsible for:
- Keeping the board updated about data protection responsibilities, risks and issues.
- Reviewing agreements with third parties that may handle sensitive data.
- Approving any use of third-party services for processing data.
- Ensuring systems storing data meet acceptable security standards.
- Performing regular checks to ensure security systems are functioning properly.
- Working with other staff to ensure marketing initiatives abide by this policy.
- Reviewing all data protection procedures and related policies.
- Arranging data protection training and advice for the people covered by this policy.
- Handling data protection questions from staff and anyone else covered by this policy.
- Dealing with subject access requests from individuals about data we hold about them.
- Addressing any data protection queries from the media.
General staff guidelines:
- You will be granted access to systems depending on your work.
- You might collect or receive personal data directly from individuals.
- Any personal data you process shall be processed according to this policy.
- The company provides training to help you understand your responsibilities.
- Request help from the CTO if you are unsure about any aspect of data protection.
The following rules describe how and where personal data should be stored.
Personal data should be stored electronically and be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Access to databases should be done using public-private key authentication such as SSH.
- Access to internal web systems containing personal data should be done over HTTPS.
- Using cloud computing services for personal data requires consent from the CTO.
- Servers used for processing personal data should be owned by 46elks.
- Systems used for processing personal data should be designed to protect data integrity.
- Systems used for processing personal data should be backed up frequently.
- Backups of these systems should be tested regularly, at least once a year.
- All systems used for customer or personal data should be properly secured.
Personal data is of no value to 46elks unless we can access and process it. However, this is when personal data is at the greatest risk:
- Employees should keep their computers secure.
- Employees should consider an extra level of security when accessing systems with databases, such as password-protected keys or two-factor authentication.
- Employees should not disclose personal data to unauthorised people.
- Transfer of personal data within our infrastructure should be done securely.
- Personal data should stay inside the European Union, unless transfer outside of the EU is explicitly requested by a customer.
- Employees are not allowed to access internal systems that contain personal data when they are physically located outside of the European Union, such as during an international conference.
- Extra copies of personal data from systems with customer data should be avoided unless strictly needed, and if copies are being made the CTO should be informed.
Data that can be used to identify an individual should not be sent over email unless prior explicit or implicit consent has been received. Implicit consent can take the form of receiving an error report from a customer; replies to that error report with details about the specific case are then allowed.
We are required by law to ensure the personal data in our systems is kept accurate and up to date. The effort put into ensuring its accuracy should be proportionate to the importance of the personal data. It is the responsibility of all employees who work with personal data to take reasonable steps to ensure it is kept accurate and up to date.
- Systems should be constructed to avoid duplication of personal data where technically feasible, and contain a clear indication of primary source when multiple copies are used.
- Employees that collect sensitive personal data should avoid unnecessary copies.
- Customer interactions should be used as an opportunity to update their personal data.
- Customers should generally be able to update their personal data themselves.
- Personal data should be updated as inaccuracies are discovered.
- Customers should be contacted routinely to ensure their contact details are correct.
Subject Access Requests
All individuals who are the subject of personal data held by 46elks may:
- Ask what information the company holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the company is meeting its data protection obligations.
This kind of request is called a subject access request:
- Requests should be made by email to 46elks Support.
- Individuals will be charged per subject access request according to the Terms of Service.
- Our aim is to provide the relevant data within 30 days.
- We will always verify the identity of anyone making a request before proceeding.
The above is governed by Post- och Tele-Styrelsen and Integritetsskyddsmyndigheten.
Disclosing Data For Other Reasons
Any requests by law enforcement agencies to disclose information should be approved by the CTO, to ensure legitimacy, before being fulfilled.
We aim to be open about how we process personal data, and to help anyone understand how data is being used and how their rights can be exercised.
+46 76 6861004
CTO, Johannes Ridderstedt
+46 70 4508449
CEO, Victoria Wagman
+46 70 6869206