This policy regulates how Galleria Vintergatan (the company) handles personal data in accordance with the EU's data protection regulation (General Data Protection Regulation, GDPR). The policy applies to the handling of all personal data, both structured and unstructured. The policy is communicated to and anchored with all our employees.
Application and Revision
- The company's board is responsible for ensuring that the processing of personal data complies with this policy.
- The policy must be adopted, and updated where necessary, annually by the company's board.
- The company's personal data manager is tasked with keeping informed of changes to data protection legislation and is responsible for updating the policy in response to new and amended regulations.
- This policy must be applied by all of the company's executives and employees, as well as by the sub-consultants and contractors who in one way or another take part in our business operations.
Organization and responsibility
The CEO is ultimately responsible for the content of the company's personal data policy and for ensuring that it is implemented and complied with by all of the company's executives, employees and contractors. The CEO may delegate responsibility for content and implementation to an appropriate person in the company.
All of the company's executives, employees and contractors are responsible for acting in accordance with the company's personal data policy.
Personal data processing
All processing of personal data takes place according to the following principles:
- Purpose limitation
- Data minimization
- Storage minimization
- Privacy and Confidentiality
Data collection criteria
These principles mean that, on an ongoing basis, we only handle personal data that is of direct and legitimate business interest, regulated by contract, or required by law. Other personal data is handled only in exceptional cases and where necessary, and such handling is then regulated by consent agreements.
Only personal data that is strictly necessary to conduct the business, fulfill applicable agreements, handle personnel administration and meet legal requirements shall be processed and stored. When personal data no longer meets these criteria, it must be deleted without delay.
Our data processing is continuously documented in our processing register, which is managed by the personal data controller. A registered person always has the right to receive an extract of the information registered about them, as well as the right to have incorrect information corrected. Follow-up and evaluation of our handling of personal data must take place at least annually.
Illegal data processing
Any incident concerning personal data that we process must be reported without delay to the personal data controller. The personal data controller must report the incident to The Swedish Privacy Protection Authority without undue delay, and within 72 hours at the latest, and otherwise take the measures the incident requires.
External processing, cooperation and purchased services
Our requirement that personal data be handled in accordance with the GDPR must always be ensured when procuring external suppliers and when developing IT solutions and services, and must form part of the requirements specification and of any agreements. Outsourced handling of personal data is regulated by data processor agreements.