What is the new General Data Protection Regulation?
The new General Data Protection Regulation enters into force on 25 May 2018 and will harmonise the rules on personal data protection in the European market. Denmark already has a relatively high level of protection as a result of the current Act on Processing of Personal Data, but the Regulation will lead to further tightening.
What is personal data?
Personal data is a general term covering all information which can be attributed to a specific natural person, such as name and age, but also sensitive personal data such as health information. This also includes information which can only be attributed to a specific natural person in combination with other information. Sole proprietorships are also covered by the concept of personal data, as the information is attributable to the owner.
When is EWII allowed to process my personal data?
Processing of personal data must always take place in full compliance with the law. For EWII, this means that data will typically be processed when we provide the services required under our agreement with you, on the basis of explicit consent, or if we are required by law to do so.
EWII will only register, store and process personal data if you have given us your explicit consent, or if the personal data are relevant to the service you receive from us.
What does giving your consent to EWII imply?
As a general rule, we must always obtain your consent before processing your data. Consent must be explicit (i.e. not tacit or implied), freely given and specific, which means that the purpose of the processing must be clearly described.
In practice, this could mean, for instance, that you will be asked to tick a box in our self-service solution, which is accompanied by a description of the processing and the personal data that will be collected.
You may at any time withdraw your consent to the processing of personal data that is based on your consent.
How does EWII ensure compliance with 'the right to be forgotten'?
As a customer, you can request that your personal data are deleted if they are no longer relevant to the service that you are buying from us.
What will EWII do in case of a personal data breach?
EWII will report personal data breaches to the Danish Data Protection Agency without undue delay and if possible within 72 hours. However, notification may be omitted if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. An example of a personal data breach is making personal data available to people other than the employees that EWII has authorised to process the data.
In cases where a breach results in a high risk to the data subjects' rights and freedoms, EWII must notify the data subject without undue delay.
As regards EWII's role as a provider of publicly available electronic communications services (Internet services), as a general rule, EWII must notify the Danish Business Authority of personal data breaches no later than 24 hours after having discovered the breach.
Where are my data stored?
Your data are stored in EWII's own systems as well as with our external business partners in and outside Denmark. EWII has concluded processor agreements with all business partners who process personal data on behalf of EWII in order to ensure a high level of protection of your personal data.
The Regulation states that undertakings may transfer data to countries outside the EU and the EEA (third countries), where the receiving country ensures an adequate level of protection. In addition, data may be transferred to third countries when the transfer is necessary for the controller's legitimate purposes, and these interests are not overridden by the data subject's interests.
Can I request access to my own personal data?
The General Data Protection Regulation contains a number of rules on the rights of data subjects. These include a right of access to the data which have been collected concerning the data subject, a right to object to the processing and a right to rectify or delete inaccurate or misleading data.
As a general rule, EWII must respond to such a request within one month.
What is data portability?
A new feature in the General Data Protection Regulation is the so-called right to data portability.
Data portability means that you have the right to receive the personal data processed by the undertaking in a structured, commonly used and machine-readable format. If technically feasible, EWII may transmit the personal data directly to another controller on request. Data portability may be requested where the processing of personal data is based on consent or on a contract, and where the processing is carried out by automated means.
EWII ensures that data are deleted when they have been transmitted to another service provider, if it is no longer necessary to store the data for a particular purpose.
Does EWII use personal data for purposes other than those for which they were collected?
If collected data may be used for purposes other than those for which they were collected, EWII will consider whether there is a link between the initial and the new purposes.
A new purpose is not incompatible with the original purpose just because it is different from the purpose for which the personal data were initially collected. However, the relationship between data and purpose must be assessed in each individual case. One of the important aspects of this assessment is whether the sources from which and the time at which the data were initially collected are compatible with the new purpose.
In this connection, EWII must assess the consequences of the new use for the people affected, and pay special attention to whether the data to be used for the new purpose are sensitive personal data. The decisive factor is whether the planned new use has consequences for the customer, i.e. the actual data protection, as well as whether the processing is fair, i.e. is within the customer's reasonable expectations about what his or her personal data may be used for.
If a specific assessment shows that the new purpose is not compatible with the initial purpose, EWII will obtain new consent from the customer for the use of personal data for the new purpose.
Does EWII have data quality assurance procedures in place?
As a controller, EWII has adopted internal rules for the assurance of the quality of the personal data processed. It is specified who is responsible for checking that data are correct and up-to-date. Furthermore, all employees who process personal data are instructed about when and according to which procedures data must be checked and updated.
Does EWII have procedures in place for controlling access to personal data?
EWII's processing of personal data is based on established procedures for granting rights to the relevant employees, including verification of their use of their access rights via logging and supervision.
Has EWII appointed a data protection officer (DPO)?
EWII will appoint a data protection officer (DPO) with special insight into personal data protection. The DPO is appointed to inform and advise about obligations in the data protection legislation. In accordance with the General Data Protection Regulation, the DPO is subject to a number of obligations, including informing and training employees involved in data processing. The DPO will also assist in the internal audit of the processing procedures.