“How can we be sure our company complies with the Personal Data Act/the Data Protection Act/the GDPR?”

If this topic has been thrown around your conference room recently, you aren’t alone. Almost every company, organization and agency is affected by the Data Protection Act, a comprehensive personal data regulation that came into force in the spring of 2018.

We’ve written this blog post as an in-depth guide to aspects of the Personal Data Act that are most relevant to companies.

First, we discuss articles of the regulation that directly impact companies and change the way they should view and process personal data. Then we will present seven general principles you should follow to help your company comply with privacy regulations and stay data-ethical.

Please read on!

 

 

What are the Data Protection Act, the Personal Data Act and the GDPR?

 

 

The Danish ‘Personal Data Law’ is a former Danish law that dealt with when and how personal data could be processed. The law regulated all electronic and manual processing of personal data, and it applied to private companies, associations, organizations and authorities in Denmark.
 
In 2018, the law was repealed and replaced by a new Danish Data Protection Act, which contains supplementary provisions to the General Data Protection Regulation (GDPR) on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
It was passed around the time the GDPR came into force and is the legislation that carries the GDPR into Danish law.
 
But the use of the name ‘personal data law’ to refer to data privacy regulations lives on in the Danish language, and most people still find it difficult to make head or tail of the complicated legislation.
 
The General Data Protection Regulation (GDPR) came into force in the spring of 2018 and is today what dictates how companies should handle personal data belonging to individual EU citizens.

 

 

Checklist for companies

 

We present here articles that have a direct impact on companies and their way of processing personal data. This is intended as a guide for data controllers, i.e., any companies that collect personal information.

You can also find the full legal text of all the articles discussed below.

 

 

Article 12: Exercise of the rights of the data subject

This Article emphasizes transparency when communicating with data subjects about their stored personal data. Companies are required to communicate in ‘a concise, transparent, easily understandable and easily accessible form and in clear and simple language’. The article also dictates that data must be provided in writing within one month of a request.

Key points for companies:

 

  • Personal data must be provided in writing within one month when requested.
  • Companies must communicate with data subjects in a straightforward way that is easy to understand.

 

 

Article 15: Right of access by the data subject

This Article gives people the right to access their personal data and be informed, for example, of the categories of personal data collected along with why and how companies use it.

Key points for companies:

Companies must disclose:

 

  • The purpose of collecting personal data
  • The categories of personal data collected
  • Any third parties the personal data is shared with
  • How long personal data will be stored
  • How to make data requests and have personal data deleted

 

 

Article 16: Right to rectification

This article gives data subjects the right to have incorrect or incomplete personal data corrected immediately when requested.

 

 

Article 17: Right to erasure (‘right to be forgotten’)

Data subjects have the right to have their personal data deleted without undue delay if any of the following applies:

 

  • The data is no longer needed for the purposes for which it was collected
  • The person withdraws consent
  • The data has been processed illegally
  • The person objects to the way his or her data is used
  • The data must be deleted to comply with a legal obligation under EU or national law
  • The data was collected in connection with the provision of information society services

 

 

Article 18: Right to restriction of processing

This article gives data subjects the right to restrict the processing of their personal data in certain cases. For example:

 

  • He or she does not believe the data is accurate
  • The processing of the data is illegal
  • The company no longer needs the personal data, but the data is still needed for a legal claim
  • The person objects to the processing of their data

 

 

Article 20: Right to data portability

This article gives data subjects the right to request personal data about themselves from companies, and it must be sent in a format they can easily pass on to another data controller (third party) if they wish, without hindrance and without delay.

Key points for companies:

 

  • The data must be returned to the requester in a ‘structured, commonly used and machine-readable format’.
  • If technically feasible, a person’s data should be transferred directly from one controller to another, at their request. For example, an individual can ask to have their data transferred from one bank to another.

 

 

Article 21: Right to object

This article gives data subjects the right to object to any use of their personal data at any time.

Key points for companies:

 

  • If your company uses personal data for marketing purposes, you should be aware that the data subject has the right to object at any time.
  • If an objection arises, the company may no longer use personal data for this purpose.

 

 

 

7 principles from the Personal Data Regulation

If you have read this far, you may be feeling overwhelmed. There is no doubt that this legislation presents challenges for companies. However, Article 5 of the Personal Data Regulation can help.

It lists 7 principles that should influence how you process personal data. Follow these 7 principles, and you will be on the right track. Let’s review them one by one:

 

 

 

1. Accountability

Your company should be able to document its actions to demonstrate that you are complying with the principles of the Personal Data Regulation.

 

 

2. Purpose restriction

When your company collects personal data about your customers, you may only use it for authorized purposes.

You may collect and process personal data for multiple purposes if you are authorized to do so for each of them, typically by obtaining consent. Each time you collect personal data about a customer for a specific purpose, you must inform the customer first and obtain his or her consent.

When personal data is collected for a specific purpose it must not be used for other purposes. You cannot resell a customer’s data if you have not informed the customer first and obtained his or her consent.

You may, however, continue to process personal data for legitimate or objective purposes that follow from the original one. For example, when a transaction is processed for a customer, it follows that the transaction must be documented and recorded in the accounts. In such cases, you will not need to obtain further consent.

 

 

3. Data minimization

Here you should think in terms of “need-to-have” instead of “nice-to-have”.

The amount of personal data collected must be appropriate to the purpose.

An example: To deliver a package to a customer, you need their name and address. You do not need the person’s CPR number (civil registration number), date of birth, religious beliefs, and so on.

Reduce the amount of data you ask for.

 

 

4. Legal, reasonable and transparent

Of course, any processing of personal data must be legal. Your company must be legally authorized to process personal data, usually by obtaining consent from the customer.

Any processing of personal data must be reasonable. It is reasonable to process personal data securely and use best practices. Use a secure technological solution.

Your company should be transparent when providing information to customers about how you process their personal data. The language should be easily understood. Customers need to know what is happening and why. Avoid technical language and have a copywriter draft the templates you need.

 

 

5. Accuracy

Make sure the personal data you process is correct.

Update data frequently. It’s a good idea to have some control measures in place to ensure that every customer’s data is always accurate.

Check personal data for errors, and delete or correct data that is incorrect or out of date for the purpose for which it was collected.

 

 

6. Integrity, confidentiality and security

Your business is responsible for the integrity of the personal data you store. This means that you must ensure the credibility and accuracy of data over time.

You must also ensure that the personal data you process is treated confidentially. Unauthorized persons should not have access to customer data. Your company should have protocols in place to prevent hackers, thieves, or even unauthorized employees within the company from accessing customer data.

In order to ensure integrity and confidentiality, you must have sufficient security. That level of security will vary from company to company. It’s a good idea to conduct a risk assessment of your personal data processing systems to test if your security level is adequate.

Provide adequate security for your customers’ personal data by implementing organizational and technical measures. These measures should protect the personal data your company holds against:

  • Unauthorized use of personal data
  • Illegal processing of personal data
  • Accidental loss, destruction or damage to personal data

 

 

7. Storage limitation

You should only keep personal data as long as it is needed. Keep an eye on your stored data and ask yourself: Do we still have a purpose for keeping this information? Of course, if the answer is yes, it must be kept. If not, the best policy is to delete it.

 

 

Didn’t find the answer you were looking for?

Contact us for more information on the Personal Data Act.
