GDPR stands for General Data Protection Regulation and is a data protection regulation in the EU. GDPR replaces the Personal Data Act (PUL). The law exists to protect the privacy of individuals and intends to modernize, harmonize and strengthen the protection of personal privacy within the EU.

Within each EU member state there is a supervisory authority that will control this. In Sweden, this authority is called The Swedish Data Protection Authority.

 

Processing of Personal Data

The law prescribes how you must process personal data. Personal data can be defined as any information relating to an identified or identifiable individual (also referred to as a data subject), whereby an identifiable natural person is a person who can be directly or indirectly identified, in particular by reference to, for example, a name, an identification number, a location data or online identifiers . Processing this data means that you carry out an action or combination of actions regarding personal data or sets of personal data, regardless of whether they are performed automatically or not. Examples of such processing are collection, structuring, storage, processing, dissemination or deletion.

 

Sensitive Personal Data

There is a special category of personal data that the law covers and that you as a data controller need to pay extra attention to, that is sensitive personal data. Examples of sensitive personal data are information that reveals ethnic origin, political opinions or religious beliefs or information about health and sex life. The starting point is that it is prohibited to process this personal data, but there are a number of exceptions.

 

Personal data Controller and Personal Data Assistant

In the processing of personal data, there are mainly two roles that you should be aware of, and depending on which role you have, there are different areas of responsibility. The person responsible for personal data (PuA) is the person who, according to the law, has the ultimate responsibility for the processing and determines the purposes and means. The personal data controller must ensure that the law is followed, must inform the persons whose personal data is processed and must ensure compliance by the personal data processor. The personal data assistant (PuB) processes the personal data on behalf of the personal data controller and is responsible for the technical and organizational security measures.

 

Responsible and Assistant for Tasks in Avista

As a customer, you are the personal data controller for all processing of personal data in the programs. Avista is a personal data processor and takes technical and organizational security measures so that you can feel secure that your collected personal data will be processed securely and in accordance with the law. Avista's technical and organizational measures are described under Security.

​

Avista as Personal Data Controller

We are responsible for all processing of personal data about you as a customer, user or participant in our courses when you order our services, contact us or register for one of our courses. We have described what we do, or do not do, with your personal data in our Privacy Policy.

 

Basic Principles of the GDPR

The Data Protection Regulation is based on seven basic principles:

1. Legality, correctness and transparency

2. Purpose limitation

3. Task minimization

4. Correctness

5. Storage minimization

6. Privacy and Confidentiality

7. Accountability

You can read about what the basic principles mean at the Swedish Data Protection Authority's website.

 

Legal Grounds

In fulfillment of the principle of legality, correctness and openness, you need support in the data protection regulation for the processing of personal data to be permitted. These legal bases are about the fact that you need to have a consent, agreement, legal obligation, fundamental interests, public interest, exercise of authority or balance of interests in order to be allowed to process personal data.

 

Legal Basis for Data in Avista

As the person in charge of personal data, you must find out and document what legal grounds there are for the processing of personal data in Avista. It can vary from case to case depending on the business, which laws you need to follow, whether you collect information that is required or that might be good to have.