The EU’s new General Data Protection Regulation (GDPR) will begin to be applied from 25 May 2018. The purpose of the data protection reform is, among other things, to improve transparency in the processing of personal data, to strengthen the rights of data subjects, and to update data protection regulations in line with modern processing situations. We have collated the key effects of the reform on our activities and on our cooperation with clients and other customers.
The changes that the GDPR requires in the documents and practices we use were not yet fully complete in the early part of 2018.
1. We agree with clients on the processing of personal data
The GDPR sets new requirements for all those involved in processing personal data as well as for agreements between entities and service providers that process personal data. In practice, with regard to OK Perintä, the need to update agreements will be assessed on the basis of the services we provide to clients.
In the case of collection and reminder services, we act as the data controller and we are accordingly responsible for data protection obligations. In the case of invoice and instalment payment services, however, we act as a processor of personal data, and the client company acts as the data controller.
Our current agreements with clients do not address the processing of personal data. During spring 2018, we will therefore update all valid agreements regarding our services by sending clients an appropriate proposal to amend the terms of those agreements. The procedure will not require any action on the part of our clients.
2. Issues and timetables to be agreed
In an appendix to the cooperation agreement, the parties will agree on the purpose of the personal data processing, the confidentiality of the data, data protection measures, the use of subcontractors, the ending of processing, and the right to audit our activities.
We will prepare the necessary updates to current service agreements and ensure that the necessary agreements are valid when the GDPR begins to be applied in May 2018.
3. We will ensure that all data processing is in compliance with the GDPR
We will ensure the responsible and lawful processing of personal data in accordance with the GDPR and Finnish law. Principles and internal rules relating to data protection have been outlined in our data protection policy and in our code of practice on personal data processing, which also includes training practices promoting the data protection expertise of our personnel.
Careful documentation of operating principles and models is a key part of implementing the GDPR. As part of our own GDPR project, we are currently reviewing our present operating practices and guidelines, whose content we will revise, if necessary. In the future, the implementation of data protection will be monitored regularly.
Compliance with the GDPR will be the responsibility of a dedicated Data Protection Officer, supported by a Data Protection Team consisting of the key actors in change management. Through orientation sessions and regular data protection training, we will ensure that personnel are aware of data protection requirements, act in accordance with the guidelines, and are prepared to address deviations.
4. Obligation to provide information, and records of data files and processing
Persons whose data are processed have the right to know about the processing of data relating to themselves. Under the GDPR, the data controller is primarily responsible for fulfilling the obligation to provide information.
As far as collection and reminder services are concerned, we act as the data controller and are therefore responsible for all provision of information on the data we hold, including maintaining data file records as well as the records of processing activities that must be made available to the authorities.
With regard to invoicing services, the obligation to provide information, including maintaining data file records, lies with the client company. However, as a processor of invoicing and customer data, we maintain records on data processing, which are submitted, on request, to the authorities.
5. Right of data subjects to delete their own data from our personal data files
In the case of our services, the processing of personal data is based on the legal grounds set out in the GDPR, i.e. generally on a cooperation agreement or on the fulfilment of a legitimate interest. In these situations, persons are, as a rule, not entitled to have their own data deleted.
If it becomes apparent that the processing of personal data is not justified, for example, because of an inaccurate order or a mistaken collection assignment, we will remove data based on a claim submitted by the data subject, if the data has not been previously deleted.
6. Data subjects’ right to inspect
Persons whose data are processed have the right to obtain their own data from the data controller. In the case of debt collection or an invoice or instalment service, a request can be made directly to our customer service unit. Under the GDPR, the data must be supplied to the person making the request within one month. When data are processed on behalf of a corporate customer, as in an invoicing service, we will forward the request in the agreed way to our corporate customer, i.e. the data controller.
In some situations, the GDPR also gives persons the right to transfer their own data to another data controller. For the data controller, this means that the data must be stored in a form that facilitates such a transfer. The right to transfer data concerns data processed in invoicing and in an invoice or instalment service, where the processing is automated. The right to transfer data does not apply to personal data processed in debt collection.
7. We ensure that the personal data processing of our subcontractors also complies with requirements
We are responsible for the activities of the subcontractors we use just as we are for our own activities. We always agree on the processing of personal data in compliance with the GDPR, and we oblige our partners by agreement to act in the manner the GDPR requires. We also supervise our subcontractors' activities through audits.
8. Right to audit in data protection issues
Clients and partners have the right to audit both our activities and our service processes with respect to personal data processing and data protection. The details of audits are agreed in the terms and conditions of the service agreement.
9. We have prepared for personal data breaches and their reporting
Under the GDPR, persons have the right to be informed without undue delay if their data may have fallen into the wrong hands. The entity acting as the data controller is also obliged to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the persons concerned.
We have prepared for the handling of possible personal data breaches in accordance with an operating model created for this purpose that meets the requirements of the GDPR. In our role as a data processor, we are also responsible for ensuring that the entity whose customer data are involved is informed without delay of any risk to the protection of the personal data, so that it can fulfil its own obligations as the data controller.