GDPR - The Act on the Processing of Personal Data

GDPR stands for General Data Protection Regulation and is a new EU data protection regulation that will become a law in all EU member states from May 25, 2018. GDPR will replace the current Personal Data Protection Act (PuL). The law is designed to protect the privacy of individuals and intends to modernize, harmonize and strengthen protection within the EU.

Within each EU Member State there is a regulatory authority that will control this. In Sweden, this authority is called the Integrity Protection Authority, formerly the Data Inspectorate. On their website there is more information and help that you can find out to find out what you need to do.

Processing of personal data
The law is about how you should process personal data, which are two important concepts to understand. Personal data may be explained as any information relating to an identified or identifiable individual (also known as a registered person), whereby an identifiable natural person is a person who can be directly or indirectly identified, in particular with reference to an identifier such as a name, identification number, location information or online identifiers, or to one or more factors specific to the physical person’s physical, physiological, genetic, psychological, economic, cultural or social identity. Processing of this information means that you carry out a measure or combination of measures regarding personal data or sets of personal data, regardless of whether they are automated or not. Examples of such processing are collection, structuring, storage, processing, dissemination or deletion.

Sensitive personal data
There is a special category of personal data that the law takes up and that you as personal data manager need to pay extra attention to, that is sensitive personal data. Examples of sensitive personal data are information that reveals ethnic origin, political opinions, religious or philosophical beliefs or information about health and sexual life. The starting point is that it is prohibited to process these personal data, but there are a number of exceptions. In Sweden, an investigation is underway on these tasks and they are looking into developing supplementary Swedish legislation.

Responsible for personal data and personal data assistant
In the processing of personal data there are mainly two roles that you should know about and depending on your role there are different responsibilities. The person responsible for personal data (PuA) is the one who, according to the law, has the ultimate responsibility for the treatment and determines the purpose and the means. The person responsible for personal data shall ensure compliance with the law, shall inform the persons whose personal data is being processed and shall ensure compliance with the personal data officer. The Personal Data Assistant (PuB) processes the personal data on behalf of the data controller and is responsible for the technical and organizational security measures.

Responsible and assistant for tasks in Recruto’s services
You as a customer are responsible for all personal data processing in the tools. Recruto is a personal data assistant and takes technical and organizational security measures to ensure that your collected personal data is processed securely and in accordance with the law. We therefore also update our User Agreement and incorporate a Personal Data Access Agreement as an accompanying appendix.

Recruto as personal data manager
All processing of personal data about you as a customer, user we are responsible for personal data when you order Recruto’s services or in various ways contact us. What we do or do not do with your personal information is described in our Privacy Policy.

Basic principles of GDPR
The law is based on 7 basic principles:

Legality, correctness and transparency
Purpose limitation
Data Minimization
correctness
storage Minimization
Privacy and confidentiality
Accountability
You can read about the basic principles on the Integrity Protection Authority’s website.

Legal grounds
In compliance with the principle of legality, regularity and transparency, you need support in the Data Protection Regulation for the processing of personal data to be allowed. These legal bases are about having a consent, agreement, legal obligation, basic interests, public interest, exercise of authority or balancing of interests to process personal data.

Legal basis for information in Recruto’s services
What legal bases exist for the processing of personal data in Recruto’s services, as a personal data controller, you must find out and document. It can vary from case to case depending on the activity, what laws you need to follow, whether you collect information that is required or which can be good to have.

Unstructured material
In PuL, in Sweden we have had an exception where we did not have to think about how personal data is processed, this exception is called the “Abuse Rule”. This has meant that we have been able to have personal data in so-called unstructured material, which is running text and free text such as documents, e-mails, websites or note fields in systems. The abuse rule now disappears with GDPR and means that you need to map out what personal data is in all unstructured material and need to start handling it in the same way as with structured material.

Do you have questions?

Do you have as responsible questions about GDPR and Recruto’s work on the new regulation. Then you are welcome to contact us via info@recruto.co.uk or by calling 031-799 90 65.

You can also update yourself by reading Recruto’s latest mailing (sent 180511 to all our customers) regarding GDPR and what Recruto is doing in the system to customize its tools. Click on the link below:

“Updated contract terms and new features related to GDPR”