Privacy policy

Introduction

Kårkulla processes various types of personal data to a significant extent. As a responsible actor, we want to ensure that personal information is always processed in an appropriate manner, respecting the privacy of all parties. Kårkulla is committed to fulfilling its obligations under the EU General Data Protection Regulation (679/2016) and national data protection law as both controller and processor of personal data, and to protecting the rights and freedoms of individuals with regard to the processing of personal data.

Personal data means all information concerning an identified or identifiable natural person. The processing of personal data means any activity involving personal data, such as collecting, viewing, storing or sending by e-mail. These and other key terms used in this privacy policy correspond to the definitions in the EU General Data Protection Regulation.

The purpose of the privacy policy is to define the main principles, responsibilities, and practices to which Kårkulla is committed in order to enforce the rights and freedoms of individuals (data subjects) with regard to the processing of personal data. The policy forms the basis of Kårkulla’s data protection guidelines, which are intended to clarify the provisions set out in the policy and to guide their application in practice.

The privacy policy applies to all processing of personal data, regardless of whether Kårkulla is a controller or a processor of personal data on behalf of the other party in the processing situation. The privacy policy is binding on the entire Kårkulla organization and its personnel, including those stakeholder representatives who, within the framework of their assignments, process information owned or managed by Kårkulla.

Implementation of data protection

Built-in, default and risk-based data protection

Kårkulla aims to implement the principles of privacy by design and privacy by default, and to incorporate data protection principles and requirements into the processing of personal data at an early stage. This ensures that the processing complies with the requirements of the EU General Data Protection Regulation throughout the life cycle of the personal data processed.

Data protection is taken into account in various ways in connection with Kårkulla’s basic operations, e.g. in human resources management, procurement and operational processes. The risks associated with the processing of personal data are primarily assessed from the perspective of the data subject and, whenever necessary, an impact assessment of the processing is carried out in accordance with the Data Protection Regulation. The necessary management measures are selected according to the level of risk indicated by the evaluations, and the implementation of data protection is always ensured by using the best possible technical and organizational solutions based on a risk assessment on a case-by-case basis.

Principles for the processing of personal data

Kårkulla applies the following principles in all processing of personal data:

  1. There shall be a lawful basis for the processing of personal data (lawfulness)
  2. Adequate information on the processing shall be provided to the data subject (obligation to provide information)
  3. Personal data shall only be processed for a pre-defined purpose (purpose limitation)
  4. The rights of data subjects shall be exercised without delay
  5. Only personal data necessary for the purpose of the processing shall be collected and processed (data minimization)
  6. The accuracy and updating of data shall be ensured (accuracy)
  7. The processing of personal data shall be documented
  8. Personal data shall be kept only for the time required for their intended use (retention limitation)
  9. Personal data shall be protected against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access
  10. The processing shall follow the given data protection and security guidelines

Training and instructions

Kårkulla ensures that its employees are provided with adequate training, guidance and advice on data protection and processing of personal data.

Kårkulla’s personnel must know and master the rules of their own area of responsibility for the processing of personal data. Each member of staff should read Kårkulla’s instructions on the processing of personal data. The orientation of all new employees also includes a section on data protection and its implementation in Kårkulla. Separate online or other training is required where the specific job calls for it. The manager must ensure that the necessary training and orientation are completed.

All employees processing personal data are subject to either a statutory or a separately agreed and documented obligation of confidentiality.

Kårkulla’s privacy notices, codes of conduct and instructions, training materials and other data protection information are published on Kårkulla’s intranet or website.

Organization and responsibilities

Kårkulla’s management is responsible for ensuring that personal data is processed legally and correctly, and that the data protection work is organized and resourced in an appropriate manner.

Heads of unit shall ensure that units comply with data protection legislation, privacy policy and instructions issued. Heads of unit and managers should define the tasks so that it is clear to each employee what personal data he or she can process and what duties and responsibilities are involved in the processing of personal data. Managers should also ensure that employees can familiarize themselves with the instructions given on data security and data protection.

Every Kårkulla employee and officer should be aware of the rules and risks associated with the processing of personal data in his or her area of responsibility and be able to process personal data in a fair and lawful manner. Each of them is responsible for the processing of personal data carried out with their own user IDs and is otherwise obliged to participate in the implementation, maintenance and control of data protection, e.g. by complying with data protection and data security regulations and by reporting any data security or data protection risks or breaches that he or she detects.

All personal registers must have a responsible / contact person who coordinates the processing of personal data and ensures that the privacy notices are prepared and kept up to date.

Kårkulla’s Data Protection Officer monitors and develops the implementation of data protection throughout the organization, supports management and personnel in meeting the requirements of data protection legislation, and reports to management on a regular basis. The Data Protection Officer trains staff and provides advice on data protection issues. The Officer also acts as a liaison between the data subjects and the supervisory authority. The Data Protection Officer is responsible for monitoring the implementation of and compliance with this policy.

Personal data breaches

A data breach is an event that compromises the integrity, confidentiality or usability of the information and services for which Kårkulla is responsible. A personal data breach, on the other hand, is an event that results in personal data being destroyed, altered, illegally transferred, or falling into the hands of an operator who has no right to process personal data. Every Kårkulla employee is obliged to immediately report any deficiencies, errors and intrusions related to data security or data protection.

Kårkulla has a written plan for dealing with personal data breaches. The plan shall include the responsibilities and measures to be followed in the event of a data breach. The Data Protection Officer shall always notify the supervisory authority of personal data breaches within the statutory time limits. If the event poses a significant risk to the data subject’s rights and freedoms, the data subject will also be notified.

Entry into force and maintenance of privacy policy

The privacy policy will enter into force once it has been approved by Kårkulla’s Board of Directors. Kårkulla’s Data Protection Officer is responsible for ensuring that the Privacy Policy remains up-to-date and is always updated to meet any required changes.