PRIVACY POLICY - PUBLIC AFFAIRS AND MANAGEMENT CONSULTING AB (PAMC)
1. Background and purpose
Public Affairs and Management Consulting AB (hereinafter PAMC) protects the privacy of its customers, partners and employees and is always careful to follow current privacy regulations. Everyone has the right to the protection of the personal data that concern him or her.
In light of the above PAMC has adopted this Privacy Policy.
On 25 May 2018 the General Data Protection Regulation (GDPR) went into effect. It strengthened the protection of people whose personal data are processed and prescribes more and stricter rules and requirements for organizations that process personal data.
If processing of personal data violates the provisions of the GDPR, there is a risk of a breach of data secrecy and privacy for the data subject, as well as a risk of reputational damage for PAMC. Furthermore, PAMC can be obliged to pay damages or be fined up to 20 million euros or 4 % of its total annual worldwide turnover, whichever is higher. To avoid such consequences, all co-workers are obliged to follow these guidelines. All of PAMC’s co-workers are familiar with this Policy and have bound themselves to strictly follow it.
2. Scope and extent of application
This Policy applies to PAMC’s partners, employees and consultants, in all markets and at all times.
The board of directors of PAMC and PAMC’s Managing Partner (MP) have a strict obligation to ensure that this Policy is complied with, which inter alia includes training for all employees. The information given to employees shall also state that a violation of this Policy can lead to, for example, consequences with respect to their employment.
3. Fundamental principles
The fundamental principles that are described below shall always be complied with when personal data are processed. PAMC is responsible for and shall be able to demonstrate that the following principles are being complied with:
Lawfulness, fairness and transparency – Personal data shall be processed lawfully, fairly and transparently in relation to the data subject. This means that every type of processing shall be based on a valid so-called legal basis, for example performance of a contract, compliance with a legal obligation, performance of a task carried out in the public interest, legitimate interest or consent (see section 5 below). If no applicable legal basis can be identified for the processing, the processing may not be carried out. This principle rests on clear communication with the data subject about, inter alia, the purposes for which personal data are processed, what type of processing is carried out, if and how personal data are shared with others, how long the personal data are stored and how PAMC can be contacted. Data subjects shall be given clear and transparent information about the processing of their personal data.
Purpose limitation – Personal data may only be collected and in other ways processed for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimization – Personal data that are processed shall be adequate, relevant and limited to what is necessary in relation to the purposes. Make sure that the data that are collected really are needed and do not ask for information just because it might be good to have.
Accuracy – Personal data that are processed shall be accurate and, where necessary, kept up to date. Take appropriate measures to ensure that inaccurate or incomplete data are rectified, for example a routine for changing the address when someone has moved, together with a compilation of the systems and records where the address is stored. However, avoid storing copies of data in several systems, so as to avoid sources of error and the retention of inaccurate information.
Storage limitation – Personal data shall not be stored for a longer period than what is necessary for the purposes of the processing. When the data are no longer needed the data either need to be erased or made anonymous.
The principle of accountability means that PAMC has to be able to demonstrate compliance with the GDPR. Consequently, PAMC has to document, for example, implemented and planned processes and measures concerning data privacy. Furthermore, a record shall be maintained of all types of processing of personal data that are carried out, and PAMC has to be able to make such a record available to the supervisory authority on request.
4. Personal data
Personal data means all information relating to an identified or identifiable natural person, i.e. information that directly or indirectly can identify a person. Examples of personal data are names, contact data, location data or factors that are specific to a person’s physical, economic, cultural or social identity. Data that alone do not fulfil the criteria can together still constitute personal data.
All processing of personal data is subject to GDPR and its regulations. Processing means an operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. Personal data in e-mail and in documents in servers, in a simple list, on webpages and in other unstructured material are also included.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation (so-called special categories of personal data), is prohibited by law as a general rule. For such processing to be permitted, a valid exception from the prohibition is required. The most common exceptions are that the data subject has given consent or has manifestly made the data public, carrying out obligations and exercising rights in the field of employment, establishing, exercising or defending legal claims, or health and health care purposes.
Processing of personal identity numbers is only permitted if it is clearly justified in relation to the purpose of the processing, the importance of secure identification or another notable reason.
Processing of personal data relating to violations of the law (criminal convictions and offences or related security measures, but likely not data relating to suspicion of a crime) is only permitted in certain specific cases. PAMC is permitted to process such personal data if (i) the processing is necessary to ensure that there is no conflict of interest.
5. Legal basis for processing of personal data
Processing of personal data is only lawful if and to the extent that at least one of the following bases applies.
– The data subject has given consent to the processing of his or her personal data for one or more specific purposes. There are specific requirements that need to be fulfilled for a consent to be binding.
– The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
– The processing is necessary for compliance with a legal obligation to which PAMC is subject. Examples are statements of earnings for employees or consultants and mandatory reports to the Tax Authority.
– The processing is necessary in order to protect the vital interests of the data subject or of another natural person (e.g. when there is danger to life).
– The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
– The processing is necessary for the purposes of the legitimate interests pursued by PAMC or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (legitimate interests). When weighing the colliding interests, there are further specific requirements concerning documentation of the assessment that has been made.
6. Protection measures, access control, erasure
Personal data shall be processed in a manner that ensures appropriate protection of the personal data through the implementation of technical and organizational measures. Organizational protection measures can include access restrictions for the systems that contain personal data, logging of access to personal data, and rules that computers and similar devices containing personal data are stored so that unauthorized access is made more difficult and are not left unattended. Examples of technical measures that have to be reviewed are whether PAMC has sufficient back-up routines, sufficient firewalls, password-protected wireless networks, updated anti-virus software, password protection for mobile devices such as mobile phones and tablets, protection against unauthorized internal access, password requirements, encryption where required, logging of access to and use of IT systems, etc.
Personal data may not be stored longer than necessary in relation to the purpose of the processing. By implementing and complying with an erasure routine for every database/processing, structured erasure is ensured. Personal data in so-called unstructured material, such as documents on servers, in a simple list, on webpages etc., also need to be erased when the purpose of the processing has been fulfilled.
7. Transfer to third countries
Any transfer of personal data to countries outside the EU and the EEA (so-called third country transfer) is subject to specific regulations. Under the GDPR, all EU member states and the EEA countries have an equivalent protection of personal data and personal privacy, and consequently personal data can be transferred within that territory without restrictions. However, there are no general rules for countries outside that territory that would provide equivalent guarantees, and consequently third country transfers are only permitted under certain conditions. This applies to every form of transfer of information across borders, e.g. many online IT services, cloud-based services, services for external access, global databases etc., and each case needs to be analyzed separately.
8. Data protection impact assessment
PAMC has a routine in place for identifying and handling certain privacy risks within the business and for structured monitoring. Risks to the rights and freedoms of natural persons can, for example, exist in connection with a certain type of processing of personal data, especially sensitive personal data, when the scope of the processing is exceptionally extensive, when new technology is used, or similar.
If a new or changed type of processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons, the routine shall be complied with and an assessment of the impact of the envisaged processing operations on the protection of personal data shall be carried out prior to the processing.
Prior to commencing such processing of personal data, the office manager shall be contacted to review whether an impact assessment is required. If it is required, the impact assessment will be carried out together with the person responsible, by answering certain questions, through work meetings and through a risk assessment.
9. Copy and disclosure
GDPR provides the data subjects with several rights regarding processing of personal data. It is PAMC’s duty to fulfil these rights and ensure that there are sufficient procedures in place to accommodate the data subjects.
– The data subject has the right to information when the personal data are collected. This information shall be provided in an accessible written form and in a clear and plain language. GDPR prescribes a number of clear requirements that need to be fulfilled and the requirements vary depending on whether the information is collected from the data subject or from a third party.
– The data subject has the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, to get a copy of the personal data undergoing processing (extract from the register). This right exists irrespective of where the personal data are being processed.
– Where personal data that are processed are incorrect or incomplete, the data subject has the right to obtain rectification. If the data subject shows that the purpose of the processing of the personal data is no longer permitted, necessary or reasonable under the circumstances, the personal data in question shall be erased, unless there are other legal provisions stating otherwise.
– The data subject has the right to transfer personal data which he or she has provided to PAMC to another controller (right to data portability) if the processing is based on the legal bases contract or consent. The personal data shall be provided to the data subject in a structured, commonly used and machine-readable format. Where technically feasible, the data subject has the right to have the personal data transmitted directly to another controller. The right only applies to the personal data that the data subject has provided to PAMC.
– The data subject has in certain cases the right to obtain from PAMC restriction of processing of his or her personal data, i.e. restriction of the processing to certain, defined purposes. The right to restriction of processing is applicable inter alia when the data subject has contested the accuracy of the personal data and has requested that the personal data shall be rectified. The data subject can then request that the processing of personal data shall be restricted during the period when the accuracy of the personal data is verified. Before the restriction is lifted, the data subject shall be informed.
– The data subject has the right to object to processing of personal data that is based on legitimate interest as legal basis. Where the data subject objects, the firm shall no longer process the personal data unless the firm can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or if the processing is being carried out for the establishment, exercise or defense of legal claims.
– In certain cases, the data subject has the right to obtain the erasure of personal data concerning him or her (“the right to be forgotten”). One example is when consent is the legal basis for the processing and the data subject withdraws his or her consent.
– Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
10. Personal data breaches
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Examples of personal data breaches are theft of customer records, accidental disclosure of salary information via e-mail to the wrong recipient, an employee who brings an unencrypted work computer home that is subsequently stolen in a burglary, leading to disclosure of employees’ or customers’ personal data, personal data that are published online by mistake, a laptop containing personal data that is lost or stolen, etc.
Personal data breaches need to be notified to the supervisory authority not later than 72 hours after having become aware of the breach, if it is likely that the personal data breach will result in a risk to the rights and freedoms of natural persons. All personal data breaches shall be documented, and the data subject might need to be informed.
Where there is a suspected personal data breach, the office manager shall immediately be contacted at info@pamc.se. The office manager shall thereafter consult PAMC’s Managing Partner (MP). It is the MP that will assess if the supervisory authority and/or the data subjects need to be notified.
11. Miscellaneous
For definitions of terms used in this Policy, reference is made to GDPR.
This Policy shall be updated annually or when required based on instructions from the board of directors of PAMC.
12. Questions
Where there are any questions regarding the processing of personal data, please contact the office manager at info@pamc.se.
Policy adopted by PAMC on 10 December 2020.
©PAMC 2020
SWEDISH VERSION: PROCESSING OF PERSONAL DATA – INFORMATION UNDER THE GENERAL DATA PROTECTION REGULATION (2016/679/EC)
For customers and contact persons of customers of PAMC: PAMC is the data controller for the personal data we receive in connection with an assignment or that are otherwise processed when the assignment is prepared or administered. You are not obliged to provide personal data to us, but without them we cannot accept an assignment, since we cannot carry out the necessary conflict-of-interest check and, in some cases, anti-money-laundering check. We therefore process the data in order to carry out the mandatory conflict-of-interest check and (where applicable) anti-money-laundering check, to perform and administer the assignment, to safeguard your or your company’s interests, and for accounting and invoicing purposes. In addition, your personal data may be used for business and method development, market analysis, statistics and risk management. Data handled for the purpose of developing and analysing the business are processed on the basis of our legitimate interest in developing the business and communicating with our contacts. Personal data may, where applicable, be transferred between PAMC’s various owner companies and, where applicable, group or sister companies. Such transfers may take place for the purpose of carrying out conflict-of-interest and anti-money-laundering checks, for the exchange of information and knowledge, and for resource allocation. We will not disclose personal data to third parties other than in cases where (i) it has been specifically agreed between PAMC and you, (ii) it is necessary within the scope of a particular assignment in order to safeguard your rights, (iii) it is necessary for us to fulfil a statutory obligation or comply with a decision of an authority or a court, or (iv) we engage external service providers who perform assignments on our behalf. The data may be disclosed to courts, authorities and counterparties (where any exist) if this is necessary to safeguard your rights.
The personal data are retained for a period of ten years from the date the matter is concluded, or for the longer period required by the nature of the matter. Data processed for the purpose of developing, analysing and marketing PAMC’s business are retained for a reasonable time after the most recent contact. If you unsubscribe from newsletters or similar, the data will be erased.
For job applicants, employees and consultants of PAMC: PAMC is the data controller for the personal data we receive in connection with an assignment or employment, or that are otherwise processed when such an assignment or employment is prepared and administered. In its capacity as employer, PAMC collects and processes contact details (e.g. name, e-mail, telephone number and postal address), personal identity numbers, photographs for, among other things, the website, employment information (such as date of employment, position, salary, benefits, login details, data on holidays, work performance and training), financial information (e.g. bank and account details), health information (e.g. data on rehabilitation and sick leave) and communications (e.g. any logged data and telephone traffic, entry and exit records). We use the personal data we collect in order to (i) administer the employment relationship and fulfil the obligations arising from the employment contract and related agreements, (ii) fulfil PAMC’s obligations under applicable legislation and internal governing documents, (iii) handle health and safety matters, (iv) manage and administer PAMC’s IT systems and (v) market PAMC (e.g. publication of profile pictures and CVs on the website and in presentations or similar). The legal basis for the handling of your personal data is that the processing is necessary for us to administer the employment process and related agreements with you and to fulfil our statutory obligations as employer. The processing is further based on PAMC’s legitimate interest in its capacity as employer. We consider that our legitimate interests are consistent with applicable law and your rights as an employee.
For newsletter subscribers, your e-mail address is stored so that we can send out newsletters. The data are retained for as long as you wish to remain a subscriber. You may cancel your subscription at any time. If you unsubscribe, the data will be erased.
For those who have registered for PAMC’s seminars of various kinds or networking events, your name, e-mail address and normally also the name of the company you work for are stored. Name and company name are stored so that PAMC can check you off at the door or afterwards send you the presentations given during the seminar. The e-mail address is stored so that we can reach you with information, e.g. if we need to adjust the time of the seminar or change the venue.
We mainly collect personal data directly from you. In some cases we may also collect data from publicly available sources or registers, for example from Bolagsverket (the Swedish Companies Registration Office) or other authorities and/or institutions.
You have the right to request, free of charge, information from PAMC about the use of the personal data concerning you. At your request or on our own initiative, we will rectify or erase data that are incorrect, or restrict the processing of such data. You also have the right to request that your data not be processed for direct marketing purposes. You further have the right to receive your personal data in a machine-readable format or, where technically feasible, to have the data transferred to a third party that you designate. If you are dissatisfied with our processing, you may lodge a complaint with a supervisory authority, which in Sweden is Datainspektionen (www.datainspektionen.se). You may also contact the supervisory authority in the country where you live or work.
If data are transferred to a third country, which requires a legal basis, information shall be provided about the countries to which the transfer is made, together with a link to the Privacy Shield or other framework that guarantees the protection of the personal data.
PAMC has adopted a policy for the processing of personal data. The policy is intended to give PAMC’s employees more detailed guidance on how personal data are to be processed.
Should you have further questions regarding PAMC’s processing of personal data, please contact us at info@pamc.se.
©PAMC 2023