Kårkulla processes various types of personal data to a significant extent. As a responsible actor, we want to ensure that personal data is always processed in an appropriate manner, respecting the privacy of all parties. Kårkulla is committed to fulfilling its obligations under the EU General Data Protection Regulation (679/2016) and national data protection law as both controller and processor of personal data, and to protecting the rights and freedoms of individuals with regard to the processing of personal data.
Implementation of data protection
Built-in, default and risk-based data protection
Kårkulla aims to implement the principles of privacy by design and privacy by default, and to incorporate data protection principles and requirements into the processing of personal data at an early stage. This ensures that the processing complies with the requirements of the EU General Data Protection Regulation throughout the life cycle of the personal data processed.
Data protection is taken into account in various ways in connection with Kårkulla’s basic operations, e.g. in human resources management, procurement and operational processes. The risks associated with the processing of personal data are assessed primarily from the perspective of the data subject and, whenever necessary, a data protection impact assessment of the processing is carried out in accordance with the Data Protection Regulation. The necessary management measures are selected according to the level of risk indicated by these assessments, and data protection is always implemented using the best possible technical and organizational solutions, chosen on the basis of a case-by-case risk assessment.
Principles for the processing of personal data
Kårkulla follows the following principles in all processing of personal data:
- There shall be a lawful basis for the processing of personal data (lawfulness)
- Adequate information on the processing shall be provided to the data subject (obligation to provide information)
- Personal data shall only be processed for a pre-defined purpose (purpose limitation)
- The rights of data subjects shall be exercised without delay
- Only personal data necessary for the purpose of the processing shall be collected and processed (data minimization)
- The accuracy and updating of data shall be ensured (accuracy)
- The processing of personal data shall be documented
- Personal data shall be kept only for the time required for their intended use (retention limitation)
- Personal data shall be protected against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access
- The processing shall follow the given data protection and security guidelines
Training and instructions
Kårkulla ensures that its employees are provided with adequate training, guidance and advice on data protection and processing of personal data.
Kårkulla’s personnel must know and master the rules for the processing of personal data in their own area of responsibility. Each member of staff should read Kårkulla’s instructions on the processing of personal data. In addition, the induction of all new employees includes a section on data protection and its implementation at Kårkulla. Separate online or other training is required where the specific job calls for it. The manager must ensure that the necessary training and orientation are completed.
All employees processing personal data are subject to either a statutory or a separately agreed and documented obligation of confidentiality.
Kårkulla’s privacy notices, codes of conduct and instructions, training materials and other data protection information are published on Kårkulla’s intranet or website.
Organization and responsibilities
Kårkulla’s management is responsible for ensuring that personal data is processed legally and correctly, and that the data protection work is organized and resourced in an appropriate manner.
Every Kårkulla employee and officer should be aware of the rules and risks associated with the processing of personal data in his or her area of responsibility and be able to process personal data in a fair and lawful manner. Each of them is responsible for the processing of personal data carried out under their own user IDs and is otherwise obliged to participate in the implementation, maintenance and control of data protection, e.g. by complying with data protection and data security regulations and by reporting any data security or data protection risks or breaches that he or she detects.
All personal data registers must have a responsible person or contact person who coordinates the processing of personal data and ensures that the privacy notices are prepared and kept up to date.
Kårkulla’s Data Protection Officer monitors and develops the implementation of data protection throughout the organization, supports management and personnel in meeting the requirements of data protection legislation, and reports to management on a regular basis. The Data Protection Officer trains staff and provides advice on data protection issues. The Officer also acts as a liaison between the data subjects and the supervisory authority. The Data Protection Officer is responsible for monitoring the implementation of and compliance with this policy.
Personal data breaches
A data security breach is an event that compromises the integrity, confidentiality or availability of the information and services for which Kårkulla is responsible. A personal data breach, on the other hand, is an event that results in personal data being destroyed, altered or unlawfully transferred, or falling into the hands of a party that has no right to process them. Every Kårkulla employee has an obligation to immediately report any deficiencies, errors and intrusions related to data security or data protection.
Kårkulla has a written plan for dealing with personal data breaches. The plan shall include the responsibilities and measures to be followed in the event of a data breach. The Data Protection Officer shall always notify the supervisory authority of personal data breaches within the statutory time limits. If the event poses a significant risk to the data subject’s rights and freedoms, the data subject will also be notified.