The European Union’s General Data Protection regulation comes into force on the 25th May 2018. As an EU-based establishment, this Regulation has a direct impact on Vemco Group A/S and how we process personal data about EU residents or data subjects within the EU.
Personal data in this article is defined as “any information relating to an identified or an identifiable person”. Everything that falls outside of this definition is not considered in this article, nor is it applicable to the terms of the Regulation.
This article will explain Vemco Group’s efforts to live up to the principles and requirements of the Regulation.
Vemco as the data controller
A data controller is defined in the Regulation as being an entity that determines the purposes and means of the processing of personal data. Vemco Group A/S acts as the data controller for the personal data we collect about you, the user of our application (Vemcount) and our website (vemcogroup.com).
We process data that is necessary for us to perform our contract with you, including being able to identify users in order to provide the necessary support as demanded by the contract.
The personal information we collect about you as a user of Vemcount is limited to:
- Your name
- Your email address
- Assigned company
We also process your personal data for our legitimate interests in line with the GDPR, including cookies and the use of similar tracking technologies. The legitimate interests we talk about are among other things:
- Improving the application and website for the benefit of your business
- Making sure that your data and Vemcount’s systems are safe and secure
What is Vemco Group doing to comply with the GDPR
We have audited our internal processes, reviewed and made the appropriate changes to our procedures and policies to make sure we are compliant. Furthermore, we are continuously striving to strengthen our technical and organizational measures in order to ensure the most complete protection of your personal data.
Internal processes and security
We have mapped out our data flows and classified the personal data we process in order to assess the risks of each type of personal data and to identify the appropriate legal basis for storing them. This has resulted in minimizing the amount of data we currently store and have stored as well as adjustments to our internal processes. Furthermore, we have assessed the risks of our IT systems to identify and locate areas where there is room to enhance our security measures and to ensure the confidentiality, integrity and availability of data.
Additionally, we have implemented technical measures to ensure that our end customer data is completely anonymized, and we have made the appropriate Data Protection Impact Assessments (DPIA’s) prior to the implementation of new tracking technologies.
Should there be any data leakages, we have implemented internal procedures to readily manage and notify a data breach.
Third-Party service providers and Data transfers
We have reviewed our third-party service providers whom act as sub processors of the personal information we control and made sure they live up to the standards of the Regulation. We have engaged in Data Processing Agreements with our sub processors with the intention of providing you with the assurance that your data is safely guarded and is not used for any other purpose than instructed.
Where there is a potential for data transfers across borders due to sub processing, we have made sure that our service providers are either EU-US Privacy Shield Compliant or subject to Standard Contractual Clauses approved by the European Commission. This will ensure that the personal data of EU citizens that is processed by our service providers located outside the EU receives an adequate level of protection.
Subject access requests
With the new Regulation, you and other EU citizens are empowered with the ability to gain more control of your personal data flows through the exercise of a number of rights. These rights include but is not limited to gaining access to the information we hold about you and to ask for rectification of inaccurate data. As part of our efforts to live up to the GDPR, we have implemented internal procedures to readily manage subject access requests.
Documentation
In order to live up to the principle of accountability in the GDPR, we have policies and procedures in place to document our commitment to the adherence of GDPR principles. To enhance the transparency of the way we handle privacy matters, we provide public access to our privacy and cookie policy, which explains what data we hold about you as well as how and why we process them. We have also implemented retention and disposal policies to ensure that data is not kept for longer than necessary.
Training
To ensure that the staff is updated about the GDPR and what it means for our internal processes, efforts have been made to instruct personnel (in particular those whom deal with personal information in their daily work) in compliance and data protection. This includes training in the appropriate way to manage data in line with the company’s IT-security policy.