GDPR Certification

GDPR Certification

Personal Data Subscription Agreement          GERT STRAND A / B
We are responsible for your personal information
It is   GERT STRAND AB   (  who is responsible for your personal information
("Data Responsible") and contact information to us at the bottom of the policy.

Personal Data Responsible and Personal Data Counselor

Personal Data Responsibility is the person who determines the purposes and means of personal data management.
Personal Data Coordinator is the person who processes personal data for the personal data controller, ie in many cases a supplier of IT services. It may also be, for example, an accounting agency that manages, for example, accounting and payroll management.
The person responsible for personal data can not delegate his or her responsibility and is always ultimately responsible for processing according to the requirements of the Data Protection Ordinance (also known as the GDPR). A personal data counselor may become liable if this has violated the provisions specifically directed to the assistant or has processed data in violation of the personal data officer's instructions. The Personal Data Administrator may, in the same way as personal data administrators, be subject to sanctions if it fails to fulfill the obligations contained in the GDPR.


Written agreement
When the Personal Data Administrator hires a Personal Data Coordinator, there must be a written agreement, a so-called Personal Data Access Agreement. It is the personally responsible person responsible for establishing an agreement.


Content of the agreement
Basically, the agreement specifies why and how long the personal data are processed, the purpose of the processing, the type of personal data and the categories of registered personally identifiable information.
According to GDPR, the Personal Data Commissioner in the agreement undertakes to:
Only process personal data according to documented instructions from the person responsible.

Ensure that persons authorized to process personal data with the assistant are obliged to observe confidentiality or are subject to statutory confidentiality.

Take all technical and organizational measures necessary to ensure an appropriate level of safety in relation to the risks of treatment.

Respect the requirements for prior authorization and agreement upon the use of
another assistant (a substitute).

Take appropriate technical and organizational measures so that the person responsible can respond to an individual's request for access to his / her personal data. The same applies to correction, erasure, data portability and more.

Assist the person responsible for ensuring that the obligations are fulfilled with regard to security measures, notification of personal data incidents and information about incidents to the data subjects as well as impact assessment and prior consultation.

Delete or return all personal data to the person responsible (depending on what the person responsible person selects) when the assignment ends and also delete all copies.

Provide the personally responsible access to all information required to demonstrate compliance with all duties as a counselor, and to enable and contribute to inspections and other audits that the personal data controller wishes to implement.



Agreements points
Here is a review of the items that are included in the Personal Disclosure Agreement. Keep in mind that each agreement is unique and that this agreement is only an example. You may need to adapt the agreement to your particular situation. However, the agreement will cover most cases under normal circumstances.


It is customary to enter the name of the parties at the beginning of the agreement and preferably the organization number. The full names of the parties need not be repeated in the other contractual clauses. It is sufficient to use the names of personal data administrators and personal data counselors.

The GDPR and Personal Data License Agreement contain several difficult terms and it may be appropriate to explain difficult terms and terms at the beginning of the agreement. This facilitates reading and interpretation of the agreement.
It is good that at the beginning of the contract write a little about the background, content and purpose of the agreement. If it is a complex agreement, it can give a good overview of the agreement. This makes it easier to read and understand the contractual content.



The Personal Data Administrator may only process personal data in accordance with the instructions and for the purposes specified by the Personal Data Administrator in the Personal Data Access Agreement. The instructions can be defined in an annex to the agreement, on the personal data officer's website or in the service agreement between the parties. In our example of Personal Data Submission Agreement, we assume that the instructions are included in an appendix to the agreement. However, we have not developed any template for this appendix because it can differ materially from case to case.

The instructions should be so clear that the Personal Data Counselor can meet GDPR's requirements for processing. The instructions should include the purpose and purpose of the treatment, categories of personal data, treatment activities, etc. When you download the template, a template is also included for the instructions. Note that the yellow-highlighted text is sample text that you are replacing with your text.
According to GDPR, the bidding agreement also stipulates that the assistant must immediately inform the person responsible in case the assistant considers that an instruction given to him by the person responsible for data protection violates GDPR or other data protection provisions.
Note that if the Personal Data Administrator begins to process the personal data received from the person responsible for other purposes as the assistant himself determines, the assistant will instead be personally responsible for these, with all responsibility as it implies.


For the transfer of personal data to countries outside the EU and EEA (transfer to third countries), special rules apply. GDPR means that EU and EEA countries have equivalent protection for personal data and personal integrity. Therefore, personal data may be transferred freely within this area without limitation. As there are no general rules providing equivalent guarantees outside the EU and EEA, transfers to such countries can only be made under special conditions. For example, transfer may only be made to third countries that have an adequate level of protection (as the EU Commission decides) or after a special permission from the Privacy Authority (formerly Data Inspectorate).
In order for the personal data controller to have complete control over transfers to third countries, the personal data grant agreement may stipulate that this requires the consent of the personal data controller.


A personal data officer has the sole responsibility to take appropriate technical and organizational measures to ensure that the security level of his personal data processing is sufficient.
The agreement shall contain a provision that the Data Protection Officer shall take the measures required by the GDPR to achieve a reasonable level of security. As an example of what may be appropriate safeguards that reduce the risk of processing, GDPR mentions pseudonymization, encryption, etc. It is common for these examples to be included in the bidding agreement, as they also do in this agreement.



According to the GDPR, the agreement shall contain provisions requiring the persons handling personal data with the Data Protection Officer to have confidentiality.



IN assistants
A Personal Data Coordinator can hire sub-contractors (subcontractors). It is especially common with sub-contractors when it comes to cloud services.
The personal data grant agreement stipulates that the assistant may not hire a subcontractor for processing personal data without first obtaining a prior authorization from the person responsible. The prior authorization must be in writing and can either be regulated on a case-by-case basis or through a general prior authorization in the Personal Data Entry Agreement. We recommend a general permit to facilitate the substitution of subcontractors. If the personal data commissioner has been granted a general permission to hire substitutes, the assistant must inform the personally responsible person of the plans to use a new subdivision so that the person concerned can object to this.
Existing subcontractors used by the Data Protection Authority to make use of at the conclusion of the agreement shall be specified, for example, on the assistant's website or in an attachment to the grant agreement.
When a personal data commissioner hires a subcontractor, an agreement (a sub-agreement) must be established between the parties. If the subcouncil does not fulfill its obligations, the Data Protection Officer under GDPR will be fully liable to the person responsible for performing these obligations.
Subsection under the Subsection Agreement shall be subject to the same obligations as the original assistant has against the personally responsible under their agreement.
The Personal Data Administrator shall take appropriate technical and organizational measures so that the person responsible can respond to an individual's request for access to his / her personal data. The same applies to the individual's ability to correct and delete personal data and data portability (the right to transfer personal data to another person responsible).
The bidding agreement shall furthermore contain a provision that the assistant has a general obligation to assist the personal data controller to fulfill the obligations of the GDPR. This means that the Data Protection Officer has a more general obligation to assist the Data Responsible in order to fulfill his obligations under the GDPR, for example, that the security of the treatment is sufficient. The Personal Data Counselor will also assist in assisting the Data Responsible in Data Protection Impact Assessments and being Personal Data Assistant in Advance Consultation with the Integrity Protection Authority. The obligation also includes notification and information about personal data incidents (see more below).
The personal data grant agreement shall include a commitment by the assistant to provide access to all data required to demonstrate that all obligations set by the GDPR have been fulfilled and to contribute to the carrying out of audits and inspections. For example, if the person responsible for personal data requests evidence that personal information as an assistant is required to delete has been permanently destroyed, the assistant shall provide information confirming that this has been done.



It is a requirement under DGPR that security incidents, for example, if the person responsible suspects that an unauthorized person has access to personal data, should be notified to the Security Authority within 72 hours. Depending on the incident, the person responsible may also need to inform those affected.
According to GDPR, the Data Protection Officer is obliged to inform the personally responsible person without unnecessary delay in the event of a personal data incident. The time at which the notification is to be made should be determined according to the nature, severity, consequences and adverse effects of the incident. It is difficult to specify an exact time frame in the agreement, but in practice some management may be taken from the situation when a personal data incident occurs with the person responsible. In this case, as mentioned, the personal data officer should make a notification to the Integrity Protection Authority within 72 hours. Therefore, the Data Protection Officer should be obliged to inform the Personnel Manager faster than that.
According to GDPR, the personal data controller's notification to the Privacy Authority should contain certain information. Among other things, the notification must contain information about the number of registered persons involved, how many and what information has been cleared, what likely consequences may arise, what actions the company plans to take. In order to facilitate the personal data controller, the personal data officer's notification to the person responsible should contain the same information. This information is specified in the agreement.


According to the GDPR, the Personal Disclosure Agreement will regulate that the Personal Data Counsel, when processing is terminated on behalf of the Personal Data Administrator, deletes or returns the personal data.
Exemption from the obligation can be made if there is a Union or national legal obligation to preserve personal data, for example for accounting purposes.
It is therefore important that batch agreements contain clear instructions on erasure and destruction of
personal data.
Additions and changes to the agreement must be made in agreement between the parties. No one can unilaterally change or make additions. Additions and changes are made by writing a new agreement or by adding to the old agreement. If the old agreement is supplemented with an addition, it is important that the content of the extension does not violate the content of the original agreement. Should certain provisions in the supplement apply instead of the provisions of the original agreement, it should be stated in the supplement. The risk is otherwise that you get parts of the agreements that conflict with each other.
Changes and additions should be made in writing to be valid. Otherwise, doubts and probabilities may arise.




If there has been a dispute between you and your counterparty, which you can not solve yourself, you must seek help from outside. The dispute can be resolved by a court or arbitrator. If there is no clause in the agreement on how and where the dispute should be tried, the dispute shall be resolved in court. Here you can refer to the service agreement if the issue is regulated there.
Concepts and definitions of this Agreement shall have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as the Data Protection Ordinance) and interpreted and applied in accordance with Applicable Data Protection Law. This includes the following:

refers to an action or combination of personal data or sets of personal data, whether performed automated or not, such as collection, registration, organization, structuring, storage, processing or modification, production, reading, use, transfer by transmission, dissemination or otherwise providing, adjustment or assembly, restriction, erasure or destruction.




data protection legislation refers to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46 / EC and the national laws stemming from this Regulation. "Applicable data protection legislation" also includes binding guidelines, statements, recommendations and decisions by regulatory authorities, courts or other authorities.
Personally responsible                

personally as well as with others, establishes purposes and means for processing personal data.
Personal Data Counsel                

refers to the person handling personal data on behalf of the Data Responsible
Personal data                              

Any information relating to an identified or identifiable natural person, an identifiable physical person being a person identified directly or indirectly, in particular with reference to an identifier such as a name, an identification number, a location or online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the physical person.

Personal Data Incident                    

refers to a security incident that leads to accidental or illegal destruction, loss or change or

to unauthorized disclosure or unauthorized access to the personal data transferred, stored or otherwise processed.




The Data Protection Officer and the Data Protection Officer have concluded an agreement (hereinafter referred to as "Service Agreement") regarding the services that the Data Protection Authority shall provide to the Personal Data Manager. Due to this Service Agreement, the Data Protection Officer will process personal data on behalf of the Data Protection Officer. This Agreement has been established to meet, among other things, the requirement in Article 28 of the Data Protection Ordinance that there should be a written agreement between a personal data controller and a personal data counselor for the processing of personal data.
The Personal Data Protection Officer ensures that this person is entitled to process personal data and that the processing is in accordance with applicable data protection legislation.
The Personal Data Commissioner undertakes to process personal data only in accordance with the Service Agreement and with the Personal Data Administrator's instructions as per Appendix 1 of this Agreement. The Personal Data Counselor shall, in the processing of personal data, comply with applicable data protection legislation.
The Personal Data Administrator shall immediately inform the Personal Data Administrator if the Personal Data Administrator lacks instructions on how to handle personal data in a specific situation or in an instruction under this Agreement or otherwise in violation of applicable data protection legislation.
The Data Protection Board may not, without injunction from the relevant authority or mandatory legislation:
· Collect or disclose personal data from or to any third party unless otherwise agreed in writing;
· Change method of treatment,
· Copy or recreate personal data or
· Treat in any other way personal data for purposes other than those specified in the Service Agreement.
The transfer of personal data to a state outside the EU and EEA requires the written consent of the Data Protection Officer in advance and may only be made if the conditions for transfer to third countries as set out in Applicable Data Protection Act have been met.





The Data Protection Officer shall take appropriate technical and organizational measures to protect the personal data being processed. The measures shall include a level of security that complies with Appropriate Data Protection Legislation and is appropriate considering:
· The technical possibilities that exist
· What would it cost to implement the measures
· The particular risks associated with the processing of personal data and
· How sensitive the processed personal data are
Agreed actions, which comply with this paragraph, shall provide a level of security that the Data Responsible considers appropriate.
Taking into account the latest developments, implementation costs and the scope, context and purpose of the treatment, and the risks to the rights and freedoms of natural persons, the Data Protection Officer shall take appropriate technical and organizational measures to ensure a level of safety appropriate to the risk, including when suitable
· Pseudonymization and encryption of personal data,
· The ability to continually ensure the confidentiality, integrity, availability and resilience of the systems and services dealing with personal data,
· The ability to restore availability and access to personal data in a reasonable time at a physical or technical incident; and
· A procedure for periodically testing, investigating and evaluating the effectiveness of the technical and organizational measures that will ensure the safety of the treatment.
The Data Protection Officer is required to ensure that only persons who have a direct need for access to Personal Data in order to be able to comply with the obligations of the Personal Data Act in accordance with the Service Agreement have access to such information. The Personal Data Counsel shall ensure that all employees, consultants and others involved in the processing are bound by confidentiality and are informed of the processing of personal data.





IN assistants
In order for the Data Protection Officer to be able to fulfill the obligations under the Service Agreement and this Agreement, the Data Protection Officer has the right to hire a substitute. The Personal Data Administrator agrees that the subservients listed on the Personal Data Board's website may be hired as a substitute. If the Personal Data Coordinator intends to change, delete or add a sub-item, the Personal Data Counsel will inform you so that the Personal Data Administrator has the opportunity to object to such changes.
If the Personal Data Counsel employs a subconsultation, the Personal Data Counsel shall enter into a specific person's task-related agreement with such sub-custody as regards the subcouncil's processing of personal data. In such an agreement, it must be stated that the sublicence has the corresponding obligations that the Personal Data Council has under this Agreement. The Personal Data Counsel shall, at the request of the Data Protection Officer, provide a copy of the parts of the Personal Data Submission Agreement with the substitute required to prove that the Personal Data Coordinator fulfilled its obligations under this Agreement.
The Personal Data Commissioner shall, taking into account the nature of the Treatment, assist the Personal Data Responsible through appropriate technical and organizational measures, to the extent that this is possible so that the Personal Data Responsible can fulfill its obligation to respond when the Registrar wishes to exercise his rights.
The Data Protection Officer shall assist Personal Data Responsibility by ensuring that the Personal Data Officer can fulfill his legal obligations as a Personal Data Responsible under Applicable Data Protection Law.
The Personal Data Administrator is entitled to carry out an audit in person or by third parties in respect of the Data Protection Authority or otherwise verify that the Personal Data Processor's processing of personal data complies with this Agreement. In such audit or verification, the Personal Data Coordinator shall provide the Personal Data Manager with the assistance required for the implementation.



In a personal data incident involving personal data processed on behalf of the Data Responsible, the Data Protection Officer shall immediately investigate the incident and take appropriate measures to mitigate its potential adverse effect and prevent repetition. The Personal Data Commissioner shall also immediately provide the Personnel Manager with a description of the incident. The description should at least
· Describe the nature of the personal data incident, including, if possible, the categories of and the approximate number of registered persons involved, as well as the categories of and the approximate number of personal data items concerned,
· Convey the name of the person who can provide more information or answer questions,
· Describe the likely consequences of the personal data incident, and
· Describe the actions taken by the Personal Data Assistance Board or proposed to resolve the Personal Data Incident, including, where appropriate, measures to mitigate its potential adverse effects.
The terms of this Agreement shall apply as long as the Personal Data Processing Board processes personal data on behalf of the Personal Data Administrator.
If this Agreement expires, the Personal Data Coordinator shall terminate the Processing of Personal Data and, after the Personal Data Controller's request, delete or redirect all Personal Data to the Personal Data Manager and delete existing copies, unless Applicable Data Protection Act or National Law requires that Personal Data be stored. The Data Protection Board shall ensure that Subscriptions take the same action.



Back to Top