Event Logic Data Protection Policy
Context and Overview
Event Logic Sweden AB (hereafter EL) needs to gather and use certain information about individuals.
These individuals include, but are not limited to, customers, suppliers, business contacts, employees, and other people who have a relationship with the organisation or who may be contacted.
This policy describes how an individual’s personal data is collected, handled, and stored to meet the company’s data protection standards — and to comply with the law. Furthermore, this policy gives the required legal notice to individuals that EL processes information about.
Why This Policy Exists
This data protection policy ensures that EL:
- Complies with data protection law and follows good practice.
- Protects and enables the rights of its staff, customers, and partners.
- Is transparent about how it stores and processes each individual’s data.
- Protects itself from the risks of a data security breach.
Data Protection Law
EL is bound by the EU General Data Protection Regulation (“GDPR”), which regulates how EL collects, handles, and stores personal information. As EL is an international company, local variations can exist. However, EL has its main establishment in Sweden.
These rules apply regardless of whether the data is stored electronically, or on paper, or on other materials.
To comply with the law, personal information collected must be used fairly, stored safely, and not disclosed unlawfully.
The GDPR is underpinned by seven important principles. These principles state that personal data must:
- Be processed fairly and lawfully.
- Be obtained only for specific, lawful purposes.
- Be adequate, relevant, and not excessive.
- Be accurate, and kept up to date.
- Not be held for longer than necessary.
- Be processed in a way that ensures compliance with the GDPR.
- Be protected in appropriate ways.
Which information is collected
This policy applies to all data that the company holds that relates to identified or identifiable individuals. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Health data regarding food allergies or handicaps
- Data regarding the individual's occupation
- Electronically identifiable data such as IP addresses, cookies, connection history, etc.
- Any other information relating to individuals
How EL Uses the Collected Information
EL collects information about individuals for several purposes, which can include:
- Administration of registrations to events.
- Administration regarding partners and providers of services.
- For statistics and further development of EL.
- Marketing purposes for future events.
Transfer of Personal data to third parties
In addition to EL and the organizer, the information may be transferred to and processed by providers of events and travel services (such as travel, tourism, hotel and leisure businesses). Service providers (such as IT providers) to EL, the organizer or suppliers may also process the personal data. These service providers may be located in a third country (outside the EEA). EL shall ensure that its service providers meet the requirements for transfer to third countries set out in Articles 44-50 of the GDPR. This may mean that the country to which the transfer is made is considered to have an adequate level of protection, or that the service provider is Privacy Shield-certified. The data may also be transferred to others if it is necessary for EL to fulfil a statutory obligation or to comply with government or court decisions.
Personal data is stored at EL in accordance with EL’s internal policy regarding the removal of personal data. Personal data shall not be kept longer than necessary.
Right to access
An individual is free to request information from EL or, where EL is acting as data processor, from the responsible organizer, regarding the use of the personal data relating to the individual. EL will, at an individual's request or on its own initiative, correct or delete information that is incorrect, or limit the processing of such information. An individual also has the right to request that personal data is not processed for direct marketing purposes. Furthermore, an individual is entitled to request that personal information is transmitted to them or, if possible, to another data controller in a machine-readable format. A complete list of an individual's rights of access can be found under the section ‘Subject Access Requests’ below.
If an individual is dissatisfied with EL’s treatment of personal data, a complaint can be filed to a supervisory authority, which in Sweden is the Datainspektionen (www.datainspektionen.se). An individual can also contact the supervisory authority in the country where the individual lives or works.
A request can be submitted via e-mail to firstname.lastname@example.org or to EventLogic Sweden AB, Drakegatan 4, 412 50 Göteborg.
People, Risks and Responsibilities
This policy applies to:
- The head office of EL
- All branches of EL
- All staff and volunteers of EL
- All contractors, sub-contractors, suppliers, and other people working on behalf of EL
Data Protection Risks
This policy helps to protect EL from very real data security risks, including:
- Confidentiality breaches. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the company uses their personal data.
- Reputational damage. For instance, the company could suffer if hackers had successfully gained access to sensitive data.
Everyone who works for or with EL is responsible for ensuring that all data collected is stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and the data protection principles set out above.
However, these people have key areas of responsibility:
- The board of directors is ultimately responsible for ensuring that EL meets its legal obligations.
- The CEO, Eric Windzer, is responsible for:
  - Keeping the board updated about data protection responsibilities, risks, and issues.
  - Reviewing all data protection procedures and related policies so that they are in line with an agreed schedule.
  - Arranging data protection training and advice for the people covered under this policy.
  - Handling data protection questions from staff and anyone else covered under this policy.
  - Dealing with requests from individuals to access or view the data EL holds about them (also called ‘subject access requests’).
  - Checking and approving any contracts or agreements with third parties who may have to handle the company’s sensitive data.
  - Approving any data protection statements attached to communications such as emails and letters.
  - Addressing any data protection queries from journalists or media outlets such as newspapers.
  - Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
- The CTO, Johan Windzer, is responsible for:
  - Ensuring all systems, services, and equipment used for storing data meet acceptable security standards.
  - Performing regular checks and scans to ensure all security hardware and software are functioning properly.
  - Evaluating any third-party services which the company is considering engaging to store or process data, for instance cloud computing services.
General Staff Guidelines
- The only people able to access data covered under this policy should be those who need it for their work.
- Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
- EL will provide training to all employees to help them understand their responsibilities when handling data.
- Employees should keep all data secure by taking sensible precautions and following the guidelines listed below.
- In particular, strong passwords must be used and they should never be shared.
- Personal data should not be disclosed to unauthorised personnel, either within the company or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If the data is no longer required, it should be deleted permanently.
- Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.
Data Storage
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or data controller.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is typically stored electronically but has been printed out for various reasons:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Employees should ensure that the paper and printouts are not left where unauthorised people could see them, like on a printer.
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion, and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
- Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
- All servers and computers containing data should be encrypted and protected by approved security software and a firewall (see System Security Policy).
Data Use
Personal data is of no value to EL unless the business can make use of it. However, it is when personal data is accessed and used that it is at the greatest risk of loss, corruption, or theft:
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally. In particular, it should never be sent by email as this form of communication is not secure.
- Data must be encrypted before being transferred electronically (see below). The IT manager can explain how to send data to authorised external contacts.
- Employees should never save copies of personal data to their own computers or electronic devices. Always access and update the central copy of any data.
- Employees must not seek out information that they do not need for their work.
Data Accuracy
The law requires EL to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is for the personal data to be accurate, the greater the effort EL should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure the data is kept as accurate and up to date as possible.
- Data is to be held in as few places as possible. Staff should not create any unnecessary additional data sets.
- Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
- EL is to make it easy for data subjects to update the information EL holds about them. For instance, updating via the company website.
- Data should be updated as and when inaccuracies are discovered. For instance, if a customer can no longer be reached by their stored telephone number, the customer should be removed from the database.
- It is the marketing manager’s responsibility to ensure marketing databases are checked against industry suppression files every six months.
Encryption
- Local datastores (PC/phone/tablet/etc.) containing working copies of EL data must always be encrypted at partition level using a standard equivalent to or better than AES128. On Windows, BitLocker is preferred; on OS X, use FileVault.
- Data transferred externally should always be encrypted using a standard equivalent to or better than AES128. Partner capabilities and preferences may vary; 7-Zip is the preferred method when the password is communicated orally. For public key encryption, use OpenSSL, with or without a GUI.
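The following is an added example, not part of the Event Logic policy or any EL tooling, showing what the "AES128 or better, using OpenSSL" requirement for external transfers looks like in practice. It assumes the OpenSSL command-line tool (version 1.1.1 or newer, for the -pbkdf2 option) is installed; the file names, sample attendee list and passphrase are constructed for the demonstration. It uses AES-256 rather than the AES128 minimum, and explicitly requests PBKDF2 key derivation because the legacy default of openssl enc derives keys from the passphrase with a single hash iteration.

```shell
#!/bin/sh
# Added example (not part of the Event Logic policy): encrypting a file for
# external transfer with OpenSSL, meeting the policy's "AES128 or better"
# requirement. Assumes the openssl command-line tool (1.1.1 or newer, for
# -pbkdf2) is installed. File names and the passphrase are constructed.
set -eu

# Symmetric encryption for transfer. The passphrase is given to the recipient
# out of band (e.g. by telephone), never in the same message as the file.
# -pbkdf2 -iter replaces openssl's weak legacy key derivation; -salt makes each
# ciphertext differ even for identical input and passphrase.
encrypt_for_transfer() {
  # $1 plaintext, $2 ciphertext output, $3 passphrase
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$1" -out "$2" -pass "pass:$3"
}

decrypt_received() {
  # $1 ciphertext, $2 plaintext output, $3 passphrase
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass "pass:$3"
}

# Self-check on a constructed attendee list: returns 0 when the decrypted
# copy is byte-identical to the original and the ciphertext does not contain
# the plaintext e-mail address, 1 otherwise.
roundtrip_ok() {
  tmp=$(mktemp -d)
  printf 'Name,Email,Dietary\nExample Person,person@example.org,nut allergy\n' \
    > "$tmp/attendees.csv"
  encrypt_for_transfer "$tmp/attendees.csv" "$tmp/attendees.csv.enc" "constructed-passphrase-42"
  decrypt_received "$tmp/attendees.csv.enc" "$tmp/attendees.out" "constructed-passphrase-42"
  status=1
  if cmp -s "$tmp/attendees.csv" "$tmp/attendees.out" \
     && ! grep -q 'person@example.org' "$tmp/attendees.csv.enc"; then
    status=0
  fi
  rm -rf "$tmp"
  return "$status"
}

roundtrip_ok && echo "round trip OK: ciphertext decrypts to the original file"
```

The two functions are what an employee would run before attaching a file for an external contact and what the contact runs on receipt; the self-check exists so that the procedure can be verified on a throwaway file before it is used on real personal data.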
Subject Access Requests
All individuals who are the subject of personal data held by EL are entitled to receive confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
If an individual contacts the company requesting this information, this is called a Subject Access Request.
The data controller will aim to provide the relevant data within 30 business days.
The data controller will always verify the identity of the individual making a subject access request before handing over any information.
EL will ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights