Introduction and purpose
The purpose of this policy is to ensure that Fibersystem handles personal data in accordance with the European Data Protection Regulation (GDPR). The policy covers all processing in which personal data is handled and comprises both structured and unstructured data. This policy is anchored with all Fibersystem employees.
Application and revision
Fibersystem's Board is responsible for the processing of personal data in accordance with this policy. The policy shall be adopted by the Board at least once a year and updated if necessary. Fibersystem's Security Manager is responsible for handling the annual update of the policy as a result of new and changed regulations. This policy applies to the company's board members, CEO, employees and contractors affected by Fibersystem's business.
Organization and responsibility
The CEO has overall responsibility for the content of this policy and for ensuring that it is implemented and enforced by the business. The CEO has delegated the responsibility for this policy to the Security Manager. All employees are responsible for acting in accordance with this policy and with what it is intended to ensure.
Concepts and abbreviations
| Term | Definition |
|---|---|
| Personal Data | Any information that can be directly or indirectly attributed to a living natural person. |
| Registered | The person to whom personal data refers, that is, the natural person who can be identified directly or indirectly through the personal data in a register. |
| Personal Data Processing | An action or combination of actions performed on personal data, regardless of whether they are automated or not, such as collection, registration, organization and structuring. |
- All personal data processing should be done according to the following principles:
  - Purpose limitation
  - Data minimization
  - Storage minimization
  - Integrity and confidentiality
- Our processing activities are documented on a regular basis in the Treatment Registry.
- Follow-up and evaluation of our handling of personal data shall be done at least annually.
- Any incidents relating to personal data we process should be reported to the Security Manager without delay. The Security Manager shall report the incident to the Data Inspection Agency without undue delay and no later than 72 hours, and take the necessary measures as a result of the incident.
Our requirements for personal data management under GDPR should always be ensured in procurement and development of IT solutions and services, and shall be part of the requirements specification and any agreements.