Data protection/GDPR

As from 25 May 2018, all businesses, public authorities and organisations have to comply with the many requirements of the General Data Protection Regulation, GDPR. This applies to information about employees, customers and other types of personal data that are processed. With this regulation, very high fine levels have been introduced, which has frightened most people.

Our focus is to help businesses and organisations comply with GDPR and avoid these fines, without also destroying the business and making everyday work difficult.

Thus, our services are concentrated on businesses’ processing of personal data within the framework of GDPR, but in a way that still creates value for them.

Our data protection team

Compliance projects with data controllers and data processors

We have implemented GDPR compliance in a number of large, medium-sized and small Danish and international businesses, adjusted to the specific needs of each business.

We have developed the Integra ShareFile Solution, a tool to help customers set up clear compliance documentation, which both we and our customers can access and interact with. This means that the compliance work is carried out in close contact with the customer and the customer’s business.

Data processing agreements and inspections/audits

We are very experienced in drafting and negotiating data processing agreements and in the inspection of data processors and sub-processors.

Data protection in employment (HR)

The area of data protection law that is relevant to nearly all businesses, authorities and organisations is the HR area. The interface between the data protection rules and the labour and employment rules, including collective agreements etc., is something that everyone should keep in mind.

We assist businesses, authorities and organisations in their handling of information about applicants, employees and former employees.

Furthermore, we assist with the drafting of IT policies, internal education and compliance with the duty of disclosure in employment contracts.

The Danish Data Protection Agency has produced a guide related to employment matters that can be found here.

Handling of data breaches

We are very experienced with the handling of data breaches, including reporting and subsequent correspondence with the Danish Data Protection Agency. By virtue of our IT qualifications, we have drafted useful policies, e.g. for disaster recovery, and tools for keeping a security log and for risk evaluation in relation to security breaches.

Use of cookies

The use of cookies is governed by both the Cookie Order and GDPR.

The Cookie Order, which is based on the ePrivacy directive, is about to be replaced by the ePrivacy Regulation. The purpose of the ePrivacy Regulation is to protect natural persons’ right to privacy and confidentiality and especially relates to digital communication and the use of data, including among others profiling, data handling software etc.

One of the major points of debate in relation to the ePrivacy Regulation is whether active consent, given by way of a voluntary and positive act, must be obtained to use cookies.

Our team follows the development closely and is ready to assist and advise regarding any challenges you may face in this regard.

The Cookie Order can be found here.

The proposal for the ePrivacy Regulation can be found here.

Data protection and marketing

Marketing is often closely related to data protection and GDPR.

Our team has many years of experience with marketing and the interface with GDPR.

We advise businesses, authorities and other organisations about marketing, and we focus very much on online/data-driven marketing, the use of custom audience, data science, data management etc.

Assistance to data protection officers (DPOs)

We have developed the concept DPO BackOffice, which is a subscription-based telephone hotline for assistance regarding GDPR etc.

The concept is aimed at the internal advisors of businesses, authorities and other organisations, including data protection advisors (DPOs).

Rights of data subjects

The rights of data subjects and their handling are very much in focus with the European supervisory authorities.

The purpose of the rules regarding handling of the rights of data subjects is to make clear to the data subjects who processes their information, for which purposes, and what the information is used for. These rules furthermore grant the data subject certain rights. These rights are based on the principle of the personal data regulation regarding transparency in connection with the processing of personal data.

In this connection it is important that the data controller keeps in mind that some of the rights of the data subjects must be automatically observed by the data controller, while others must be observed upon request from the data subject.

We assist businesses, authorities and organisations with their handling of the rights of data subjects, including by drafting usable and clear procedures and solutions.

Processing of health data etc.

In addition to the general data protection rules, our data protection team has a thorough insight into the special legislation relating to GDPR, including in relation to health data.

Assistance in connection with inspection and/or correspondence with the Danish Data Protection Agency

We have assisted a large number of data controllers and data processors in connection with inquiries from the Danish Data Protection Agency, and our data protection team is very experienced with inspections and any matters related thereto.

Sufficient technical and organisational security measures

Integra Law Firm specialises in IT, tech and software, and our data protection team and the team in general have many years of experience with IT security. We assist businesses, authorities and organisations in establishing a sufficient security level and ensuring the relevant procedures for handling of security breaches, procedures for setting up a sufficient security level etc.

In addition, we provide assistance with risk and impact assessments.

Furthermore, the Danish Data Protection Agency has issued notes of guidance regarding:

Security of processing and data protection by design and by default

Notes of guidance regarding impact assessments

The Danish Data Protection Agency’s list specifying when an impact assessment MUST be made

Transfer of data to countries outside the EU/EEA (third countries), including intra-group transfers

When data controllers request to transfer information to countries outside the EU/EEA, so-called third countries, certain requirements must be complied with. The same applies when data processors use so-called sub-processors established outside the EU/EEA.

When information is transferred to third parties, it must be considered whether the four essential safeguards are present.

We assist businesses, authorities and other organisations to ensure that a sufficient basis for the transfer exists.

Brexit:
As a result of Brexit, Great Britain will become a third country.

We will assist you in determining whether it will have any impact on you, and we will help you with a contingency plan.

The notes of guidance regarding transfer of information to third countries of the Article 29 Group can be found here.

The Danish Data Protection Agency’s notes of guidance regarding transfer of information to third countries can be found here.

Tools

The six “W” questions

Data processing record template

Security log (no risk assessment)

Security log including risk assessment

Tools for Article 32 assessments

Template for an annual wheel

Procedure for handling the rights of data subjects

Deletion procedure

Analysis tool for HR

Stand-alone statement of confidentiality/NDA

Contact us for prices of our tools

Workshops

We offer different workshops, which we also use in connection with the implementation of our solutions. Contact us for more information.

Presentations and training

You will often meet our data protection team in connection with presentations and relevant events.

Our data protection team is often booked for internal training and presentations, and Integra Law Firm also offers after-work meetings etc.

DPO BackOffice

We act as DPO for businesses and we also provide hotline solutions for data protection officers and others who are responsible for data protection/GDPR at businesses, organisations and authorities.