GDPR – QUESTIONS AND ANSWERS
What is GDPR?
GDPR stands for General Data Protection Regulation. It is an EU-wide data protection regulation that protects our personal integrity when personal data is processed. In Sweden, GDPR will replace the old Personal Data Act (PUL).
What is personal data?
Personal data refers to all types of information that directly or indirectly relate to a living natural person. Images and audio recordings of individuals processed using computers may be personal data, even if no name is mentioned. Encrypted data and different types of electronic identifiers, such as IP numbers, are considered to be personal data if they can be connected to natural persons.
What is the purpose of GDPR?
The purpose of the law is to strengthen protections for natural persons when their personal data is processed. Personal data may comprise information about employees or customers, as well as potential customers. Through GDPR, the EU hopes to establish a consensus amongst EU member states in relation to this type of regulatory framework. It has previously been up to each country to interpret the directive relating to the protection of personal data, but effective 25 May 2018 the same law will apply in all EU countries.
What impact will GDPR have on me as a customer of InExchange?
There will be no major changes except that InExchange and the customer must sign a personal data processing agreement. We will send this to customers or customers will be asked to approve the agreement via InExchange Network.
My invoices contain my customers’ sensitive personal data. How do you handle this?
As per the personal data processing agreement, InExchange processes personal data in accordance with the law.
Is my ‘storage time’ on InExchange Network affected by GDPR, and what happens to my invoices if I choose to stop being a customer of InExchange?
Your storage time is not affected by GDPR since the customer is entitled, in the balance of interests, to retain invoices that contain personal data.
Where is information created by the customer that is at our disposal physically stored?
Do you or any other parties use the information created by customers for anything other than its intended purpose? If it is used by another party, who are they?
What do you do in terms of monitoring and incident management?
There is 24/7 monitoring of the hardware and OS via our hosting partner. Internal components in the platform are monitored and maintained by technicians at InExchange.
Does GDPR only apply to private individuals, or do the rules also apply to persons who run private companies?
Yes, persons who run private companies are also living natural persons and are thus covered by the personal data protection regulations contained in GDPR.
Does the Accounting Act, which says I must keep accounts on paper and digitally for seven years, take priority over GDPR?
No, GDPR is an EU regulation and takes priority over Swedish national law. However, GDPR allows you to store data that is required by EU or national law. For example, this includes the Swedish Accounting Act.
What does the ‘right to be forgotten’ involve?
Every person has the right to turn to a company or authority that processes personal data and request that data relating to them is deleted. If data is deleted at the request of the individual, the company or authority must also inform any parties to whom they have disclosed the information of the deletion.
An external person who wishes to have their data held by InExchange deleted must turn to their own organisation. We are unable to delete data until the individual’s organisation submits confirmation that verifies that the correct person is to be deleted. The process must therefore be managed by the individual’s organisation.
How long until my data is gone after I request its removal?
The personal data will be marked for removal and will be deleted or anonymised after three months.
The Swedish Data Protection Authority’s Q&A about the EU’s data protection reforms is available here (in Swedish):