VALID FROM 2018
This policy shall be reviewed by the Board of Directors on a yearly basis.
In the same way as society as a whole, Nordkap AB (Nordkap), our customers, employees and suppliers are affected by digitization and globalization, which have led to a significant increase in the use and spreading of personal data. Digitization means increased opportunities, but also a greater need to protect the data subjects' personal data and integrity. This policy describes the overall principles that apply to personal data processing within Nordkap.
The Nordkap Policy is approved by the Nordkap Board of Directors.
The purpose of this policy is to define Nordkap's responsibility, and to assign roles and responsibilities, in order to comply with the General Data Protection Regulation (GDPR).
The objective is that Nordkap's processing of personal data is done on lawful grounds and in accordance with the principles of the GDPR, so that our customers, employees and suppliers can be assured that we handle their personal data in a safe and transparent way.
In this policy the following definitions are used:
Controller:
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Subject:
The living natural person to whom personal data relates. A Data Subject is in this policy defined as any natural person with whom Nordkap has any kind of relation, e.g. a private customer, employee, consultant or other.
Data Processor:
A natural or legal person, public authority, institution or other body which processes personal data on behalf of the Controller.
Data Protection Laws:
a) in EU countries, the Directive (95/46/EC) as superseded by the General Data Protection Regulation (Regulation (EU) 2016/679);
b) in non-EU countries, any similar or equivalent laws, regulations or rules relating to Personal Data;
c) any enforceable guidance and codes of practice issued by any local regulatory authority responsible for administering Data Protection Laws; and/or
d) any amendments, re-enactments or changes to the items described in (a) to (c) above, from time to time.
EEA:
The member states of the European Union, Iceland, Liechtenstein, Norway and Switzerland.
EEA Personal Data:
Personal data of a Data Subject in the EEA.
Personal Data:
Any kind of information relating to an identified or identifiable natural person (also referred to as a "Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, economic, cultural or social identity of that person.
Processing:
Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The scope of this policy is limited to Personal Data processing as required by the General Data Protection Regulation (GDPR). It covers Nordkap AB, external consultants performing tasks on behalf of Nordkap, and Data Processors performing data processing on behalf of Nordkap.
In addition to the general guidelines set out in this policy, detailed requirements in local data protection laws must, as applicable, be followed by employees when processing personal data.
Where Nordkap acts as Data Processor for an external organisation, the data processing should be done in accordance with this policy, unless otherwise stated in a Data Processing Agreement between Nordkap and the Data Controller.
The Data Protection Policy applies to all staff who perform tasks on behalf of Nordkap involving the processing of personal data. It is also intended to be the basis for information given to data subjects regarding personal data processing. It also applies to data processors who perform personal data processing on behalf of Nordkap.
The CEO shall ensure that Nordkap is appropriately organized with delegated responsibilities and sufficient resources for the processing of personal data within Nordkap.
The Chief Information Security Officer (CISO), or equivalent, is responsible for identifying information security risks, proposing appropriate information security controls, and following up on compliance with, and the effectiveness of, those controls.
The Controller is always responsible for the processing of personal data. The Controller is always the legal person who controls and decides on the handling of personal data. Nordkap may be a Data Controller of employee, private customer or supplier data.
For many organizations the Data Protection Officer (DPO) is a mandatory role. The main task of the DPO is to ensure that the GDPR is applied within his or her organization. The DPO is also required to keep a register of all the processing operations involving personal data carried out by the organization.
External suppliers of IT operations, cloud services and similar where personal data is processed on behalf of Nordkap are called Data Processors. A data processor shall perform the data processing as specified in a data processing agreement.
All employees are personally responsible for the legal and correct processing of personal data in their daily work. By following Nordkap governing documents relating to personal data processing, the employees contribute to compliant personal data processing.
A personal data inventory covering the whole of Nordkap shall be compiled and maintained as a prerequisite for governing personal data processing in a lawful way. Nordkap is responsible for documenting all processing.
Personal data may only be processed if certain conditions are met, for example:
a) if the individual to whom the personal data pertains has given his or her consent to the processing;
b) the processing is necessary for the performance of a contract to which the individual is a party;
c) the processing is necessary for compliance with a legal obligation of Nordkap; or
d) Nordkap's legitimate interest in processing the personal data outweighs the individual's interest in not having his or her personal data processed.
Nordkap shall respond to Data Subjects' requests in the manner required by applicable law or otherwise deemed reasonably practical and appropriate in consultation with the DPO.
Where processing is to be carried out by a processor on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Data Protection Laws and ensure the protection of the rights of the data subject.
There shall be a legally binding agreement between the Data Controller and the Data Processor which fulfils the requirements of the Data Protection Laws, and in which the distribution of responsibilities between the parties regarding the personal data processing is specified.
Nordkap will conduct objective, comprehensive audits of this Policy, including data protection, on a periodic basis.
The CEO of Nordkap is responsible for the overall oversight and implementation of this Policy. The DPO is responsible for Nordkap's day-to-day compliance with this policy and Data Protection Laws.