{"id":17311,"date":"2018-06-05T10:33:54","date_gmt":"2018-06-05T08:33:54","guid":{"rendered":"https:\/\/coreit.se\/okategoriserad\/first-weeks-of-gdpr"},"modified":"2026-03-26T07:19:11","modified_gmt":"2026-03-26T06:19:11","slug":"first-weeks-of-gdpr","status":"publish","type":"post","link":"https:\/\/coreit.se\/en\/blog\/first-weeks-of-gdpr","title":{"rendered":"First weeks of GDPR!"},"content":{"rendered":"\n<strong>If you haven&#8217;t yet managed to get everything in place, don&#8217;t panic!<\/strong>\n\nOver the last few weeks, you have probably been email-bombed with lots of information about organizations&#8217; new personal data processing policies. Some have even added more threatening elements about needing consent to continue using their service; whether that is right or wrong can be difficult to determine, but it can be stressful for the person concerned. \n\nPerhaps you have started or completed your mapping exercise, but you have not yet put in place all the policy documents or trained all your staff. Perhaps you need to create an action plan and set up guidelines? \n\nMany are in the same situation and are now struggling to understand the rules and set up deletion procedures.\n\nA simple rule to follow is to start with the legal basis for processing personal data. No personal data can be processed without a legal basis, and processing also requires a purpose, which can support erasure. But what is a lawful basis?  \n\nThe law sets out 6 different legal bases that must exist for personal data processing:\n<ul>\n \t<li><strong>Consent &#8211; <\/strong>Personal data may be processed with the consent of the data subject. It must be freely given, in the form of a statement or unambiguous affirmative action, and it must be given after the data subject has been informed of the processing operation. 
If consent is withdrawn, data must be deleted (existing consents may be invalid after the new law comes into force)   <\/li>\n \t<li><strong>Contract &#8211; <\/strong>A contract may constitute a legal basis for processing personal data. It is then required that the processing is necessary for the performance of a contract with the data subject or to take steps at the request of the data subject prior to entering into such a contract, e.g. employment contract, salary calculation, invoicing, etc.  <\/li>\n \t<li><strong>Legal obligation &#8211; <\/strong>Personal data may be processed if it is necessary to comply with a national law, e.g. Patient Data Act, Accounting Act, Labor Law, etc. <\/li>\n \t<li><strong>Protection of vital interests &#8211; <\/strong>Personal data may be processed if this is for the purpose of protecting the vital interests of a data subject, e.g. in emergency care situations <\/li>\n \t<li><strong>Public interest and exercise of public authority &#8211; <\/strong>Processing of personal data is permitted if it is necessary for the performance of a task carried out in the public interest, e.g. statistical surveys or as part of the exercise of official authority, e.g. the activities of the Swedish Tax Agency, the Swedish Transport Agency, etc.  <\/li>\n \t<li><strong>Balancing of interests &#8211; <\/strong>If the processing of personal data is necessary for legitimate interests and the data subject&#8217;s interest in the protection of their personal data is not overridden, balancing of interests may be a legal basis. E.g. employer&#8217;s processing of family information of employees to be able to contact relatives in case of illness. 
This does not require the consent of the relative, but they must be informed that they are registered (balancing of interests cannot normally be used as a basis by authorities)    <\/li>\n<\/ul>\nIf you can clearly justify the personal data you process with a lawful basis, you don&#8217;t need to stress yourself out unnecessarily. That goes a long way, and with a privacy policy informing data subjects in place, plus an action plan for deletion procedures and guidelines, you can breathe easy for a while. \n\nIf you need support and help with training staff, creating policy documents or just setting up an action plan, please contact us and we will help you!\n","protected":false},"excerpt":{"rendered":"<p>If you haven&#8217;t yet managed to get everything in place, don&#8217;t panic! Over the last few weeks, you have probably been email-bombed with lots of information about organizations&#8217; new personal data processing policies. Some have even added more threatening elements about needing consent to continue using their service; whether that is right or wrong can be difficult to 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":17314,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[190],"tags":[205],"class_list":["post-17311","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-gdpr"],"acf":[],"_links":{"self":[{"href":"https:\/\/coreit.se\/en\/wp-json\/wp\/v2\/posts\/17311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/coreit.se\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/coreit.se\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/coreit.se\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/coreit.se\/en\/wp-json\/wp\/v2\/comments?post=17311"}],"version-history":[{"count":0,"href":"https:\/\/coreit.se\/en\/wp-json\/wp\/v2\/posts\/17311\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/coreit.se\/en\/wp-json\/wp\/v2\/media\/17314"}],"wp:attachment":[{"href":"https:\/\/coreit.se\/en\/wp-json\/wp\/v2\/media?parent=17311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/coreit.se\/en\/wp-json\/wp\/v2\/categories?post=17311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/coreit.se\/en\/wp-json\/wp\/v2\/tags?post=17311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}