Welcome to our blog
We write and publish articles about the latest GDPR news and informative posts about provisions in GDPR.
Consent as Lawful Basis for processing personal data
All processing of personal data must be based on a legal basis. Consent is one of the six lawful bases in GDPR. One of the most important aspects...
What do we need to know about Personal Data Breach Notification?
According to the GDPR, data controllers are required to notify their competent supervisory authority in case of a personal data breach....
Data processing agreements
Data processing agreements (DPA) are an essential part for organisations which transfer or collect personal data from other organisations,...
For how long can we keep personal data?
A common question we receive is “For how long can we store personal data?” The short answer is: “As long as you can motivate and justify your...
The right to erasure – some common misconceptions
It is a common misconception that data subjects have an absolute right to demand erasure of their personal data on request, according to article...
How to write a Privacy Policy
Transparency is one of the fundamental principles of the GDPR. All organisations need to ensure that...
Social media and the GDPR
Social media is often used for targeted marketing. This raises the question of who is responsible for the different processing operations and if it is...
Clarification regarding the concepts of controller and processor
An important part of the GDPR is to know whether your organisation is a controller or a processor for a certain processing. In some cases, your...
Can we collect personal data concerning our members’ relatives?
We receive many questions regarding relatives’ data. Data concerning relatives can be collected in different contexts. First and foremost, many...
How you can process personal data in accordance with the GDPR
In the GDPR, some of the articles only apply to certain categories of personal data. These specialised articles are important to understand in...
Personal data and covid-19
As we are in the middle of a global pandemic, we of course have to behave differently than we are used to. But what does it actually mean in...
Invalidation of Privacy Shield – New judgment regarding transfer of personal data to the US
On the 16th of July we finally got a long-awaited judgment of the Court of Justice in the interesting case C-311/18 Data Protection Commissioner...
When is the GDPR applicable?
Now that the GDPR has been in force for two years, many companies have started to deepen their knowledge in specific parts of the regulation. It...
Do we have to report all data breaches?
Data breach is a common word since the GDPR came into effect almost two years ago. It is important to have basic knowledge regarding personal...
Different ways to claim responsibility for wrongfully processing personal data
Personal integrity is considered worth protecting. It is difficult to define exactly what personal integrity is, but it involves personal...
The Swedish Supervisory Authority’s annual report
If your business operates in Sweden, you have probably noticed that Integritetsskyddsmyndigheten (in 2019 named Datainspektionen) is the Swedish...
Regarding C-311/18: update to the case with the AG opinion
In this interesting case, previously covered in this blog post, Advocate General (AG) Henrik Saugmandsgaard Øe gave his opinion on the 19th of...
When are we a data processor?
When is our organisation a data controller and when is it a data processor? These definitions can be hard to understand and get a grasp of, but it...
Are we allowed to handle personal identity numbers?
A personal identity number is considered to be personal data, thus it shall be dealt with in accordance with the GDPR and other complementary national...
Data Protection Officer’s liability
According to the GDPR, it is either the data controller or the data processor that can be held liable if the regulation is not followed. This is...
C-311/18 Facebook Ireland and Schrems – Preliminary ruling and what it entails
The ongoing case C-311/18 Facebook Ireland and Schrems is a very interesting one with regard to data privacy and mass surveillance when data is...
First step to process personal data in accordance with GDPR
We still get many questions regarding when it is legal to process personal data and if companies always have to collect consent to be able to...
Are you controlling your virtual identity?
Many companies (e.g. social media platforms and email providers) have as a large component of their business model to collect your personal data...
What is new in the field of GDPR – the first GDPR fine in Sweden
Many of us are free during the summer, but the development in the field of law never ceases. GDPR Hero have put together three of the most...
Standard contractual clauses and GDPR
In Chapter V of the GDPR you will find a special regulatory framework which regulates transfer of data to third countries. A third country is a...
Pseudonymization and anonymization of personal data
Many organizations want to retain information in order to keep statistics, which often requires information to be stored for a long time. By...
Guidance regarding e-mail and the GDPR
It is common in today's society that your work e-mail contains a lot of personal data and different types of processing. We receive many...
What is a legitimate interest and when can we rely on one?
Even if you have not entered into a contract with an individual or collected the individual's consent, there is sometimes an opportunity to process...
What is a Data Sharing Agreement, really?
In this blog post we will inform you about a kind of GDPR agreement, namely a Data Sharing Agreement. We will answer the questions: when it is...
Are we allowed to have a list of phone numbers of our employees' family members?
Many organisations have a list of contact information for at least one family member of their employees. The purpose of this list is to be able to...
Right of access – if someone requests their personal data
The GDPR entails a right for the person whose data is being processed by an organisation to request access to their data. This is the so-called...
Am I not allowed to note that an employee has reported sick!?
According to article 9.1 in the GDPR it is forbidden to process personal data about a data subject's health. Now you might think “oh, so we cannot...
10 important concepts within the GDPR!
The General Data Protection Regulation introduces a lot of new, and sometimes difficult, concepts that are of course not explaining...