BoxOne Functional Fitness AB “BoxONE” GDPR POLICY, DOCUMENTATION AND COMPLIANCE PROCESS
Purpose: May 25, 2018 General Data Protection Regulation “GDPR” was implemented across Europe and incorporated as law in the Kingdom of Sweden. The Purpose of the legislation is targeting the collection, use and holding of personal data.
Personal data is defined as any information relating to an identifiable person who can directly or indirectly identified in particular by reference to an identifier.
To be GDPR compliant an organization needs to collect and handle personal data in a way that ensures that
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for
- which they are processed;
- Accurate and, where necessary, kept up to date
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Processed in a manner that ensures appropriate security of the personal data GDPR further specifies any individuals rights regarding their personal data, namely
- Right to be informed – The right to receive fair processing information
- Right of access – The right to access their personal data
- Right of rectification – individuals right to have personal data rectified if its inaccurate or incomplete
- Right of erasure – Not a absolute right of being forgotten but right of having personal data, not required to fulfill a contract or legal obligation, erased or stop processing of data
- Right of blocking – an individuals right to block or stop processing of personal data
- Right of data portability – Individuals have the right to obtain and reuse their personal data for their own purposes across different services
- Right to object – Individuals must be informed about their right to object to sharing personal data
The Purpose of this document is to establish BoxOne policy in regards to Personal data and outline how BoxOne secures GDPR Compliance.
BoxOne PERSONAL DATA POLICY
BoxOne collects data through Consent, for reasons of fulfilling a Contract or taking steps to enter a Contract or for fulfilling its Legal obligations.
BoxOne strives towards holding no longer than necessary to fulfill the purposes of why the data is being held.
BoxOne respects any individual rights under GDPR
PERSONAL DATA COLLECTED, HELD AND LEGITIME PURPOSE THEREOF
Personal Data collected to fulfill legal obligations, such as employment data, accounting material etc. are held until the legal requirement for storage has passed.
Personal data collected as steps to enter a contract, personal data collected in the outbound or inbound process of entering into a contract are held for as long as BoxOne deams the sales process to be ongoing and potentially can turn into a contract.
Personal data collected to fulfill and offer services under a contract can contain a wide range of personal information, ranging from contact and personal details to performance development and current feelings. This kind of data are even more sensitive and BoxOne uses software with user access control to ensure data is being held safe. Data to fullfill contract are held throughout the contract and thereafter for as long as a potential new contract can potentially be entered.
All other personal data are collected and handled using consent. Consent are collected primarily verbally and anyone impacted always have a right to opt-out of any collection of personal information.
LIMITATIONS OF SCOPE
BoxOne definition of personal data complies with GDPR. Personal data can either stored either in physical or virtual media. Data can be stored in a structured form, e.g. databases, systems, file servers, binders. Or unstructured, e.g. in a xls sheet on a desktop. BoxOne does not include unstructured data in its policy.
MAPPING AND HOLDING OF PERSONAL DATA
BoxOne holds personal data either in structured file folders, databases, physical files or in software systems. Each of these is referred to as “Systems”. Furthermore BoxOne uses agents that handles Personal Data. System owner in this case acts as consolidator and focal point for requests and maintenance.
Agents – Agents process personal data on behalf of BoxOne. This could for example be Salary agents, IT suppliers, webshops, phone service suppliers. To ensure GDPR compliance each BoxOne legal entity within Europe establish a Personal Data Assistant Agreement with Agents. These are stored at each entity and the responsible for IT in the entity will hold a ledger of the current agreements
Structured Data – Each System has a designated System Owner that is responsible of mapping what personal data is held in the system, with what purpose and how you search for individuals personal data within the system. BoxOne CEO holds a ledger over System Owners
COMPLYING WITH INDIVIDUAL RIGHTS
Right to be informed – BoxOne publishes it personal data policy and usage through a privacy notice published on the BoxOne websites. E.g. www.glodcrossfit.se, www.relyfunctionalfitness.se “about website”