GDPR guide

Many business owners are wondering what they need to do once the new EU rules for data protection come into effect in May 2018. To make things easier for you as a small business owner, verksamt.se has, together with the Swedish Data Protection Authority, produced this guide, which covers the most important parts of the data protection regulation.

Here are some tips and advice on what you need to consider when your company processes personal data.

Are you ready for the new data protection rules?

The new Data Protection Regulation concerns all companies and comes into effect on May 25th 2018.

Answer yes or no to nine quick questions. When you have answered them you will get a result that shows you what you need to do in order to comply with the new rules.

The guide has been produced in cooperation with the Swedish Data Protection Authority.


Question 1 / 9

Do you have a list of what type of personal data exists in your company and how you use this data?

Personal data is any type of information that can be directly or indirectly related to a living individual. Typical examples of personal data are a personal identity number, a name and an address.

Photos of people can also be considered personal data. The license plate on a car can be personal data if it is possible to connect the car to an individual.

Film: What is personal data?

Length: 1:04

Question 2 / 9

Do you have a customer directory?

A customer directory contains information about your customers. The information might be stored in a programme, a web service or in an Excel spreadsheet.

Question 3 / 9

Do you send out newsletters or other marketing material to your customers?

Newsletters can be a good way to keep in contact with your customers and conduct more business. Normally there is no problem with sending newsletters and other marketing material to your customers. However, there must be an option for the customer to say no to more mailings.

Question 4 / 9

Do you have any form of booking system where customers can make an appointment with you?

Yes! A system where customers can make an appointment with you contains personal data such as name, telephone number and other contact information for the customer who has made the booking. Therefore you must consider the rules of the data protection regulation.

Question 5 / 9

Do you have a directory of your suppliers?

A supplier directory contains data relating to your suppliers. The information can for example be stored in a programme, a web service or in an Excel spreadsheet.


Question 6 / 9

Do you have employees and do you save information in a wage system?

Yes! If your company has employees you are almost certainly processing personal data about these persons, most likely in a programme or web service used, for example, to manage absence due to illness, overtime, vacations and so on, and to manage payments to the employees. Therefore you must consider the rules in the data protection regulation.

Question 7 / 9

Do you have contact information and perhaps even photos of any of your employees on your website?

Yes! The data protection regulation also applies to personal data that is published on your website. Remember that images and other information that can be related to a specific individual is also personal data.

Question 8 / 9

Have you decided for how long data relating to your customers, suppliers and employees will be stored?

One important rule in the data protection regulation is that you cannot store personal data for too long. Once the data is no longer needed for the purpose for which it was collected it should be deleted.


Film: For how long are you permitted to store personal data?

Length: 0:57

Question 9 / 9

Do you protect personal data so that unauthorized persons cannot access it?

The personal data that you manage in the company must be protected. Protection might consist of technical measures such as an antivirus programme, a firewall, a wireless network with encryption and computers with updated programmes. It is equally important to have organizational measures, like for example limiting the number of employees that have access to different types of personal data.

New legislation that affects all companies

In May 2018, new legislation will come into effect which is called the General Data Protection Regulation (GDPR).

GDPR is designed to strengthen the rights that individuals have when it comes to how companies, authorities and organizations are allowed to collect and use their personal data.

The regulation provides one set of rules for all companies processing data in the EU. This is in order to promote free competition and make it easier for companies to expand and conduct business in several EU countries.

The data protection regulation sets higher demands on how companies are allowed to collect and use personal data. If you as a business owner violate the rules of the regulation you risk having to pay considerable fines. It is therefore important to be aware of the rules that apply when you use personal data in your company.

The data protection regulation replaces the Personal Data Act, which currently regulates how companies are allowed to collect and use personal data in Sweden.

List of personal data processing activities

It is great that you have a list that describes how your company processes personal data. Basically all companies are obligated to have such a list.

The list should contain:

  • contact information for your company (the company responsible for processing the personal data)
  • the purposes for which the data is used (for example customer directory, contact information on the website)
  • which categories of people and data occur (for example employees or customers)
  • time limits for removal of the data, if possible
  • whether the data will be disclosed to another organisation or transferred to a country outside the EU
  • a description of the security measures used when processing, if possible.

You can store the list in, for example, an Excel spreadsheet. As your company grows you will likely collect more personal data to use for new purposes. Remember that you will need to update the list at that time.

Keep records

One first important step towards fulfilling the requirements of the data protection regulation is to identify what personal data is being processed in your company. Basically all companies are according to the regulation obliged to have a list that describes the different ways in which personal data is processed.

Customer directory

It is good to keep your customer relations in order! But are you also keeping track of whether you are fulfilling the rules of the data protection regulation?

You may register certain information without first obtaining the customer’s consent. This applies to data that is needed in order for you to fulfill the contract with the customer, for example contact information and delivery address. Certain other information requires the customer’s consent.

Sometimes the customers need to give their consent

Do you want to register more data about the customer than what is needed to fulfill the contract? Then you need to ask the customer for permission first.

Perhaps the sporting goods store wants to register what sports the customer is interested in, and the grocery store what type of food the customer prefers. In order to register that type of information, the customer needs to give his/her consent.

In other words the customer must first be informed that you will be saving that type of information and why, and then approve that you are doing it. Do not register information that you do not need.

Inform the customers

You should also inform the customer about what type of information you are saving and how you will be using it. You can for example do this in a brief text in the customer information or in the contract, where you refer to more detailed information on your website.

Be careful when you give reviews of customers

By noting down your customer’s interests you can create a personal relationship with each customer, who consequently will feel welcome and will return. For example, say that you have a hair salon. By keeping track of what the customer purchased during their last visit you can suggest these products during a later visit and in that way you can sell more. Such data can be stored if the customer has given his/her consent to it.

Sensitive information

However, you need to be careful with what type of customer information you make a note of. For example, you should never write down reviews of customers or any type of sensitive information about the customer’s health, religious beliefs or political opinions.

For more information contact the Swedish Data Protection Authority

Customer directory

The majority of companies have some form of directory of their customers, which contains personal data. Companies who work business-to-business will also most likely have information about contact persons in the companies that they do business with.

Newsletters and marketing

It is okay to send out newsletters and other marketing material to your customers. However the mailings need to contain the option for the customer to say no to more mailings. If a customer says no to more marketing material from you, you must respect the customer’s wishes.

Do you want to send emails to people who are not customers? According to the Marketing Act, an email address can normally only be used for marketing purposes if the person has given their consent to it beforehand.

Consider this when you send out emails

The data protection regulation also applies to personal data that can be found in emails, something that may be easy to overlook.

  • Never send sensitive information through email, for example information concerning someone’s health, religious beliefs or political opinions.
  • Also avoid sending other privacy-sensitive information, such as for example pay-slips through email.
  • Transfer personal data to other systems and delete the email. If an employee sends an email to report that they are ill, register that in the payroll system and delete the email.
  • If you have a contact form on your website that generates an email to you, try to avoid free-text fields. If you have such fields, instruct the person who is filling out the form not to enter any personal information in the field.
  • Decide for how long you need to save emails and delete the emails after that time. Never save emails that contain personal data “because it might be useful”.
  • Inform your employees about the above mentioned points.

Booking system

The same rules apply to a booking system as to a customer directory. Therefore: information that the customer would expect you to need for a booking is fine to register.

If you would like to make other notes, such as what the customer preferred during the last visit, you normally need to get the customer’s consent to save this type of information.

If you are given such consent, it is still important to never write down reviews of the customer or any type of sensitive information, for example about the customer’s health, religious beliefs or political opinions.

Booking system

If you in the future would like to start using a booking system you can review this guide again in order to receive more information about the rules that apply.

Supplier data

A supplier directory normally only contains data relating to legal persons.

Data like this is not personal data and is not covered by the rules in the data protection regulation. However, data relating to sole traders and data relating to contact persons in the companies is personal data and you are permitted to handle such personal data in order to manage your contract with the suppliers.

Supplier directory

Many companies purchase products or services, but not all do. Even if your company does not register any data relating to suppliers, it might be useful to know that data relating to legal persons is not covered by the rules in the data protection regulation.

Wages and other data relating to your employees

As an employer you must manage personal data relating to your employees.

You need to register certain data in order to fulfill the contract between you as an employer and your employee. This might involve information that is needed in order to calculate your employee’s wage but also information for access control systems, switchboards and other IT systems.

The company also needs to manage personal data that relates to employees in order to live up to legal requirements such as reporting taxes and social fees.

If you want to store contact information to your employees’ family members so that they can be contacted in emergency cases or sudden illness, you need to provide written information about this that your employees can give to their family members.

Information about employees

If you in the future decide to hire staff, you can review this guide again to receive more information about the rules that apply.

Personal data on the web – ask first!

Contact information and photos of employees are personal data.

In order to publish this type of information on the company website you need to have a legal basis for it, in other words you must be able to show that you have support for it in the data protection regulation.

The easiest way to do this is by asking your employees if it is alright for you to publish contact information and photos on the website. Keep in mind that you need to respect the employees’ wishes.

If the company can give good cause for why it is important for the company to publish the data, for example that the employee is a manager or has customer oriented work tasks, it might still be alright to publish the data without consent from the employee.

You must always inform your employees that their photos and other personal data will be published on your website.

Personal data on the web

If you in the future would like to have photos or contact information on your website you can review this guide again to receive more information about the rules that apply.

Do not store personal data longer than necessary

It is good that your company has decided how long personal data will be stored. One important rule in the data protection regulation is that you cannot store personal data for too long.

When the data is no longer needed for the purpose for which it was once collected it should be deleted. For a company this means that data relating to persons who are no longer customers should be deleted from the IT systems.

Customer data may be stored for up to one year after the customer relationship has ended

A rule of thumb according to the Swedish Data Protection Authority is that personal data relating to a previous customer may normally be used for marketing purposes for up to one year after the customer relationship has ended.

If you as a seller need to be able to honour any warranty commitments, this may be a reason to keep certain personal data until the warranty has expired.

Create routines for data removal

A tip is to note, in your list of the personal data processed in the company, for how long each type of data needs to be stored. You should also have routines in place that ensure the data is actually deleted after the indicated time.
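As an added illustration of such a removal routine (example code, not from verksamt.se or the Swedish Data Protection Authority), the script below applies the one-year rule of thumb and the warranty exception to a small constructed customer register and reports which records are due for deletion. The record fields, the 365-day figure and the sample customers are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed retention rule from the guide: former-customer data may be kept for
# marketing for at most one year after the relationship ended, but a record may
# be kept longer while a warranty commitment towards that customer is still open.
MARKETING_RETENTION = timedelta(days=365)


@dataclass
class CustomerRecord:
    customer_id: str
    name: str
    relationship_ended: Optional[date]  # None = still an active customer
    warranty_expires: Optional[date]    # None = no open warranty commitment


def retention_deadline(rec: CustomerRecord) -> Optional[date]:
    """Last date on which the record may still be kept; None while still needed."""
    if rec.relationship_ended is None:
        return None  # active customer: data is still needed for the contract
    deadline = rec.relationship_ended + MARKETING_RETENTION
    if rec.warranty_expires is not None and rec.warranty_expires > deadline:
        deadline = rec.warranty_expires  # warranty outlives the one-year rule
    return deadline


def records_due_for_deletion(records: List[CustomerRecord], today: date) -> List[str]:
    """IDs of records whose retention deadline has passed as of `today`."""
    due = []
    for rec in records:
        deadline = retention_deadline(rec)
        if deadline is not None and today > deadline:
            due.append(rec.customer_id)
    return due


def purge(records: List[CustomerRecord], today: date) -> Tuple[List[CustomerRecord], List[str]]:
    """Return (records kept, IDs deleted); the IDs are the log of what was removed."""
    due = set(records_due_for_deletion(records, today))
    kept = [rec for rec in records if rec.customer_id not in due]
    return kept, sorted(due)


# Constructed sample register (not real persons).
SAMPLE = [
    CustomerRecord("c1", "Anna", None, None),
    CustomerRecord("c2", "Bertil", date(2017, 1, 10), None),
    CustomerRecord("c3", "Cecilia", date(2017, 6, 1), date(2019, 6, 1)),
    CustomerRecord("c4", "David", date(2018, 12, 1), None),
]

if __name__ == "__main__":
    today = date(2018, 5, 25)
    kept, deleted = purge(SAMPLE, today)
    print("deleted:", deleted)
    print("kept:", [rec.customer_id for rec in kept])
```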

Remember to protect personal data

Antivirus programmes, wireless networks with encryption and computers with updated programmes are a few examples of how to increase security in the company. Remember to also back up the data.

Limit who has access to personal data

Do not forget organisational security measures, such as restrictions on which employees should have access to different types of data. Instruct your employees not to send sensitive personal data via email and not to enter reviews of persons in any free-text fields.

How much effort should be put on protecting personal data that exists in the company?

That depends. The more personal data there is in the company, or the more sensitive the information is, the better it should be protected. You must make a risk assessment: if an unauthorised person gains access to the data, how great will the damage be? Then adjust the protection accordingly.

Important fact about this guide!

This guide covers some of the most important aspects of the data protection regulation. However, the guide does not discuss all of the requirements and assessments that may become relevant when personal data is collected and processed.

For more information contact the Swedish Data Protection Authority
