Integrity and Security

 

GDPR stands for General Data Protection Regulation and is a new EU data protection regulation which will become law in all EU member states from 25 May 2018. In Sweden, GDPR will replace the current Swedish Public Data Act (commonly known as “PUL”). The new law aims to protect the integrity of individuals and is intended to modernise, harmonise and enhance data protection within the EU.

Within each EU member state there is a supervisory authority which will check compliance with this new law. In Sweden this supervisory authority is currently called Datainspektionen (the Swedish Data Protection Authority), although the Swedish government announced in December 2017 that the authority will be given a new name (Integritetskyddsmyndigheten) and will have a slightly different role in the future (this change will be phased in during 2018). If you want to know more about what you should know and do in relation to GDPR you can start here: https://www.eugdpr.org

Processing of personal data

The new law addresses how “personal data” should be “processed”, and these are two important terms to understand. Personal data can be explained as any information relating to an identified or identifiable natural person (‘data subject’), whereby an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Processing of such personal data means that you perform an operation or combination of operations on personal data or sets of personal data, whether or not by automated means. Examples of such processing include collection, structuring, storage, use, dissemination or erasure.

Sensitive personal data

There is a special category of personal data which is addressed by the new law and about which you as a controller need to be particularly aware, namely sensitive personal data. Examples of sensitive personal data include data which reveals ethnic origin, political opinions, religious or philosophical beliefs, or data about a person’s health and sex life. The basic principle is that it is forbidden to process such sensitive personal data, although there are a number of exceptions. In Sweden an investigation is currently underway regarding such sensitive personal data, with a view to producing a piece of supplementary Swedish legislation.

Controller and processor

In the processing of personal data there are above all else two roles with which you should be familiar, and these two roles entail different areas of responsibility. The controller is the person who, according to the law, has the ultimate responsibility for the processing, and for determining the purpose and means of the processing. The controller shall ensure that the law is followed, shall inform the persons whose personal data is being processed, and shall ensure compliance on the part of the processor. The processor processes personal data on behalf of the controller and is responsible for the technical and organisational security measures.

Controller and processor in relation to personal data in TellusTalk’s services

You as the customer are the controller in relation to all processing of personal data in TellusTalk’s services. TellusTalk is the processor and undertakes technical and organisational security measures in order that you shall feel secure in the knowledge that your collected personal data will be processed securely and in accordance with the law. TellusTalk’s technical and organisational measures are described under Security.

TellusTalk as controller

We are the controller in relation to all processing of personal data about you as a customer or user when you order TellusTalk’s services or contact us in some other way. In our Integrity Policy we have described what we do, and don’t do, with your personal data.

Fundamental principles in GDPR

The law is based on 7 fundamental principles:

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

You can read more about what these fundamental principles entail on https://www.eugdpr.org.

Lawfulness of processing

In fulfilment of the principle of lawfulness, fairness and transparency you need to have support in the data protection regulation in order for the processing of personal data to be permitted. Requirements on lawfulness of processing mean that you need to have consent, a contract, a legal obligation, fundamental interests, public interest, exercise of official authority or legitimate interest in order for the processing of personal data to be lawful.

Lawfulness of processing of personal data in TellusTalk’s services

As controller, it is your responsibility to identify and document the basis for the lawfulness of processing of personal data in TellusTalk’s services. This might vary from case to case, depending on the type of business activity, which laws you need to follow, and whether you collect data which is necessary or which could be good to have.

Unstructured materials

In the Swedish Personal Data Act here in Sweden we have had an exemption, known as the “misuse rule”, thanks to which we have not had to think about how personal data is processed. This has meant that we have been able to have personal data in “unstructured materials”, such as running text and free text in e.g. documents, email, websites or fields for notes in systems. This “misuse rule” will now disappear when GDPR comes into effect, which means that you need to map the personal data which exists in all unstructured materials and start to manage such data in the same way as for structured materials.

TellusTalk as processor is responsible for the technical and organisational security measures in and regarding TellusTalk’s services. This means that we ensure the existence of the security which is needed, for example encrypted storage, permission control, and the possibility of being able to obtain a register excerpt and erase personal data. When functions do not exist in the administrator’s login for the management of personal data, we have internal procedures for this. The measures undertaken by TellusTalk are described in more detail below

Authentication and encryption

All data communication takes place with Transport Layer Security (TLS). In order to gain access to the Services it is necessary to log in with a username and password.

• TellusTalk uses encrypted communication in the form of TLS. All data communication to and from the User’s computers is encrypted with TLS, the latest approved Internet standard for encrypted communication.
• TellusTalk applies password protection in the form of a login procedure which is completely encrypted, which means that no information is sent as unencrypted text. The User’s password is stored in one-way encrypted format (with a standardised one-way cipher).
• In order to avoid the risk of unauthorised persons gaining access to information if a computer is left unsupervised, the system automatically logs the User out after a period of inactivity. The Customer always owns the risk in relation to unauthorised use of the Services as a result of the User having left a logged-in computer unsupervised.
• Continual verification of users takes place. Every hit or request to TellusTalk’s servers means that a verification check is carried out in relation to the permission(s) possessed by the logged-in user.

Storage and backups

TellusTalk’s Services are operated entirely within the EU on Google’s cloud service (App Engine) as well as virtual mail servers hosted in Sweden and within EU.

• Only approved personnel have access to the platform.
• TellusTalk’s Services are based on a modern platform with redundancy and scalability on several levels.
• Backups are taken automatically at pre-determined intervals.

Protection of knowledge and information

• Only a few key persons know how the security system is structured.
• All personnel are bound by a confidentiality agreement which prohibits the dissemination of data, information, or the customer’s or user’s personal data. Only authorised personnel have access to the data, and access permission is managed by TellusTalk’s IT department.

Receiving notification of the status of the services

At TellusTalk we work hard to ensure that our systems shall be available at all hours around the clock and on all days of the week, so that you as the customer are able to work at any time. At http://www.tellustalk.com you can sign up for an email service whereby you automatically receive notification of any problems with our services.

In GDPR there is a new requirement regarding personal data breaches, namely that such breaches need to be reported to the relevant competent supervisory authority (which in Sweden is the Swedish Data Protection Authority) within 72 hours. In order to be able to comply with the new obligations imposed by GDPR, it is important to have sufficient procedures in place to enable detection, reporting and investigation of personal data breaches.

Incidents

If a program-related incident occurs, it could entail a personal data breach. A problem in TellusTalk’s services which generates incorrect data or loss of data is categorised as a service-related incident. If the data in question contains personal data, the incident is also classified as a personal data breach. A personal data breach may also occur if a security incident leads to unauthorised disclosure of, or unauthorised access to, the processed personal data.

Incident process

TellusTalk has an incident team which manages the necessary coordination and communication and is responsible for assessing, reacting to and learning from incidents, with the aim of reducing the risk of such incidents occurring again. Depending on the nature and impact of the incident in question, the persons required in order to be able to deal with the incident are assigned to the task. The process for managing incidents is the basis for the flow which, along with supplementary procedures, clarifies who does what and how the situation is to be managed. The process is divided up into the following sub-processes: Identification of Incident, Impact Analysis, Corrective Measure Process, Communication and Root Cause Analysis (RCA).

On identification of an incident, identification is also carried out as to what type of incident it is. In the sub-process Impact Analysis an analysis is performed of the scope of the incident, the customers and users who are affected by the incident, and the consequences (impact) of the incident. In the Corrective Measure Process an assessment is performed of the problem in order to ensure the production of an appropriate action plan and the implementation of the requisite corrective measures. If the incident is also classified as a personal data breach, an additional activity is undertaken in the form of the production of a report, in which case we base our report on the Swedish Data Protection Authority’s template, which describes that we should include information about:

• The type of incident concerned
• The categories of persons who could be affected
• The number of persons who are or could be affected
• The consequences to which the incident could give rise
• The measures which have been undertaken in order to mitigate any adverse consequences

Incidents (and the measures taken) are communicated to those affected. If the incident is also classified as a personal data breach, the submission of a report to the Swedish Data Protection Authority is included as an activity in this sub-process. Once all measures have been implemented and all affected persons have been informed, a Root Cause Analysis is carried out with the aim of preventing such an incident from occurring again.

At http://www.tellustalk.com you can sign up for an email service whereby you automatically receive notification of any problems with our services.

This text describes TellusTalk’s processing of personal data and is intended to help you make a well-grounded decision regarding your relationship to us. The following three important issues are dealt with here:

1. We want to provide clarification on the responsibility involved in order to protect your rights and your integrity.
2. We explain how we use the personal data you share with us, in order to be able to offer you TellusTalk’s services and provide you with the best possible experience of the services, the website and when you have contact with us.
3. This document is intended to help you to understand the type and nature of the data we collect, as well as what we do – and don’t do – with that data.

Parties and responsibilities in relation to the processing of your personal data

TellusTalk AB, corporate ID no. 556429-8213, Kungsgatan 37, 8th floor, 111 56 Stockholm, is a service provider of electronic messaging services, hereinafter referred to as “the Services”. TellusTalk is the processor for the processing of your personal data in the Service, and as such is responsible for the organisational and technical security measures which are described further down under ”Things you need to consider”. The controller in relation to the processing of your personal data in the Service is “the Customer” i.e. the organisation which is registered with TellusTalk, which could be a government agency, an authority, a private company or an association. You who are a user and have your own login details to the Service are hereinafter referred to as “the User”. In the Service there is the role of “System administrator” i.e. representative for the Customer in the Service, with responsibility for setting up users and other system administrators, allocating rights and providing instructions to TellusTalk regarding the processing of data, including personal data, in the Service.

TellusTalk is the controller in relation to the processing of the personal data you share with us when:

• you order the Service
• you obtain login details and become a user of the Service
• you have a question or contact us for some other reason
• you visit our website and accept the use of cookies

 

What personal data do we process about you?

The personal data which is processed varies depending on the form of incorporation you have. Business details can be personal data for a Customer who operates as a sole trader. When you order the Service, we obtain your contact details and company/business details. All users have their contact details and login details registered with us in order to be able to use the Service. When you use TellusTalk’s services you may upload images in the Service, in which case such images will be processed by us. If you have a question or contact us about some other matter, the quantity and nature of the personal data processed may vary depending on the communication channel used. The most common categories of personal data are contact details, company/business details and the case itself as unstructured material, which contains the personal data you have chosen to share with us. Appendix 1 contains a detailed list of the personal data which arises within the various categories, on which occasions, and the basis for the lawfulness of the processing. Information about what cookies are and how we use cookies is provided below under Cookies.

Why do we process your personal data?

TellusTalk collects personal data about you as a user and customer in order to be able to provide the Service, fulfil the undertakings to you according to agreement, and provide you with the best possible experience of both the Service and our website. This is necessary in order that we shall be able to identify you and administer your account, as well as for statistical purposes and for direct marketing (from which you can opt out if you so wish). The personal data which is collected in conjunction with your order is needed in order to be able to process the order, invoice you and send login details to you. All of a user’s personal data is needed in order to be able to provide you with access to the Service, in order for you to be able to use the Service, in order to be able to create a processing history for you as a customer, in order to be able to identify you, and in order to know which users and customers are using the Service. When you contact us via one of TellusTalk’s communication channels, the information about you is used in order to be able to manage the case, contact you and contribute to the improvement of our service by saving the case for reference in the event of recurring questions. If you visit TellusTalk’s website you approve our use of cookies for the processing of your data.

With whom do we share personal data?

In conjunction with the use of certain services we may share personal data with suppliers to TellusTalk, both within and outside the EU/EEA. A complete overview of the recipients and locations for each processing of personal data in the Service is available below, under “Things you need to consider”. Suppliers have obligations regarding the processing of personal data equivalent to the obligations which you as the customer have agreed with us. This is set out in the Personal Data Processor Agreement. We may need to share personal data with other companies within the group in order to be able to provide the Service and fulfil our undertakings to you. We share personal data about users and customers between the companies within the group when you contact us with a question etc. which then becomes a case, if the information needs to be shared in order for us to be able to help you with the matter at hand.

How long do we save your personal data?

TellusTalk saves personal data about you as a customer as long as there is a customer relationship or it is necessary to do so in order to achieve the purposes which are described in this policy. On termination of the agreement, TellusTalk will erase or anonymise your data within a reasonable period of time after the termination, unless something to the contrary is stipulated by Swedish or European law, a judgement/order by a court or a decision by an authority. Your data may be saved on the basis of legitimate interest if legitimate security or financial reasons exist. The length of time your personal data as a user is saved by us will vary depending on the purpose for which the data was collected. Data in the Service is erased by the system administrator, however, if there is no technical function for erasure then your system administrator will need to contact us. Data which is collected when you contact us is stored as long as you are our customer, in order to be able to fulfil our undertakings to you as a customer. On termination of the customer relationship we may store data on the basis of legitimate interest, for use as evidence if a problem should arise. In such case the storage is limited to one system with verified permission control.

What rights do you have?

You who are registered with TellusTalk have a number of rights of which you should be aware. You have the right, once a year, at no cost to yourself, and provided you have appropriate reason to do so, to request a register excerpt containing details of the information which is registered about you. In certain cases you also have the right to data portability of the personal data. You have the right to rectification of your personal data if the data is incorrect, incomplete or misleading, as well as the right to restriction of processing of the personal data until rectification has been carried out. You have the right to be forgotten (also referred to as right to erasure), although erasure of personal data cannot take place if the data is required in order to comply with the agreement or if erasure is prevented on account of some other Swedish or European law, judgement by a court or decision by an authority, or on the basis of legitimate interest. If you do not feel that there are appropriate grounds to process the data, or if you feel that the claim of legitimate interest is incorrect, you have the right to object to the processing. You also have the right to withdraw your consent, lodge a complaint about the processing with the Swedish Data Protection Authority, and object to automated individual decision-making, profiling and direct marketing.

If you would like to know more

If you have any questions about this policy and the processing of your personal data, or if you wish to have incorrect information erased or rectified, please feel free to contact us via the contact details published on TellusTalk’s website.

 

---

 

Appendix 1

Categories of personal data

When	Category of data	Personal data	Basis of lawfulness
Order the Service	Company details	Corporate ID number, Company name Address Post code City/Town	Fulfil our contractual undertakings to you
	Contact details	First name, Last name Email Telephone	Fulfil our contractual undertakings to you
User of the Service	Contact details	First name, Last name Email	Fulfil our contractual undertakings to you
	Login details	Username	Fulfil our contractual undertakings to you

 

When	Category of data	Personal data	Basis of lawfulness
Contact via the website	Contact details	Contact details, Email Telephone number User ID	Fulfil our contractual undertakings to you and legitimate interest
	Company details	Corporate ID number	Fulfil our contractual undertakings to you and legitimate interest
	Case-related info	Message in running text*	Fulfil our contractual undertakings to you and legitimate interest

*Contains the personal data you have chosen to provide.

 

When	Category of data	Personal data	Basis of lawfulness
Contact via email	Contact details	Name, Email User ID Telephone number (possibly)	Fulfil our contractual undertakings to you and legitimate interest
	Company details (possibly)	Company name, Corporate ID number	Fulfil our contractual undertakings to you and legitimate interest
	Case-related info	Message in running text*	Fulfil our contractual undertakings to you and legitimate interest
Contact via telephone	Contact details	Name, Email User ID Telephone number	Fulfil our contractual undertakings to you and legitimate interest
	Company details (possibly)	Company name, Corporate ID number	Fulfil our contractual undertakings to you and legitimate interest
	Case-related info	Notes in running text	Fulfil our contractual undertakings to you and legitimate interest

*Contains the personal data you have chosen to provide.

 

 

TellusTalk’s websites, tellustalk.com and elektronisksignering.se, as well as the service pages, contain Cookies. A Cookie is a small text file which is placed on the computer of a web server and acts like an ID card. Cookies make it possible for the website to remember important information which makes your visit to the website more convenient and enjoyable. As with most other websites, TellusTalk uses cookies to improve your internet experience in the following ways:

• You have logged into the service and shall thus not have to log in again for each new page you visit within the service.
• Adapt our services in accordance with the user preferences you have provided.
• Count the number of users and traffic. By better understanding how the website is used, we can develop and improve it.
• Adapt our services so that you receive information which is relevant to you.
• Collect and analyse behavioural data based on use of the website and services, with the aim of improving the user experience and even facilitating individually adapted communication and messages to the user.

On TellusTalk’s service pages, which are completely separate from the website pages, only Session Cookies are used. During the time a visitor is visiting a website, a Session Cookie is temporarily stored in the memory of the visitor’s computer. Session Cookies disappear when you close your web browser.

On TellusTalk’s websites both Session Cookies and third-party cookies are used, for Google Analytics and Remarketing, among other things. The aim is to understand how our sites are used and how we might be able to improve them, as well as to be able to carry out targeted advertising.

If you do not wish to accept and receive cookies, you can change the settings regarding cookies in your web browser, and you can even block cookies. Please note that if you block cookies you will not be able to use all functions on TellusTalk’s website.

As a customer there are a number of things you need to consider in relation to the processing of personal data in TellusTalk’s services, where you are the controller and shall determine the purpose and means of the processing.

Processing of personal data in TellusTalk’s services

TellusTalk is a service provider and processor for the processing of personal data in TellusTalk’s services. As the controller it is you who needs to know what data you are collecting and why, and for how long such data should remain in the service. Only you know what personal data will be processed by you in TellusTalk’s services. Only you know if the data concerns a private person or a sole trader and is thus personal data, or if it concerns a limited company.

Sensitive personal data in TellusTalk’s services

Only you know what sensitive personal data will be processed by you in TellusTalk’s services. If, as a result of the business activity conducted by you or your customers or suppliers, you will be processing sensitive personal data, you are obligated, prior to the commencement of such processing, to find out which security measures may be needed in conjunction with such processing.