Transkribering.nu Sweden AB follows the new Data Protection Regulation (GDPR). Here you can read about how we process personal data in our system.
What kind of data do we have?
This is a list of the registers that carry personal data and for which we act as data controllers.
We keep records of our clients in Teamwork.com.
When the client is a legal person, the client list contains data such as the name and email address of our contact person within the company. When the client is a physical person, the client list also contains the client's postal address. This data is necessary in order for us to communicate with our clients and make sure that, for example, invoices go to the right address.
Legal ground: legitimate interest.
We regularly send out newsletters to clients that have not unsubscribed, as well as to others who have shown interest. The record of our newsletter subscribers is kept in Teamwork.com.
Legal ground: grounds of legitimate interest, or consent.
Our records contain personal data on the invoices that we have sent out to our clients. This is the same personal data as in our client list.
Legal ground: compliance with a legal obligation.
Our mail conversations with clients contain unstructured personal data, mainly names and email addresses.
Legal ground: legitimate interest.
We save the application forms from everyone who applies for a job with us. This data contains information regarding the applicant’s name, telephone number, email as well as their previous experience with similar jobs. The applicant can also choose to add additional personal data about themselves.
Legal ground: legitimate interest.
How do we gather personal data?
We mainly gather the personal data through the form our clients fill in when they register as clients. When they register they are also informed about this integrity policy.
We may complement this personal data through email or by telephone with the client. In exceptional cases we may use a search engine on the internet to get the client’s address when the client is a physical person.
The ones who apply for jobs fill in a form with their personal data on the website.
What do we use the personal data for?
We use our client list and newsletter list to keep track of our clients, to know who we are communicating with as well as to have an overview of what agreements we have made with each client.
We are obligated to store and keep track of all of our transactions and verifications of accounts.
Legal ground: legitimate interest and compliance with a legal obligation.
The data subject can request access to their personal data and information. In order to ensure that it is the right person that is requesting the data, such a request must come from the same email address that the client has used previously in their communication with us. Normally we send the data to the data subject the following work day, or within the following days.
On demand of the data subject we can immediately delete all of their personal data, except for the personal data that we are obligated to store to comply with legal obligations.
Requesting personal data in our clients’ material
Note that our clients are the ones responsible for the personal data in the material they instruct us to work with. We are only data processors. Whoever wants to access the personal data in the stored material should therefore contact the data controller, which is our client.
If a data breach were to occur, if the personal data we are responsible for were to come into the wrong hands, we will immediately report this to the Swedish Data Protection Authority. We will decide from case to case whether or not we will notify the data subject.
For how long is the personal data stored?
When a registered client has not been an active client in two years we delete their personal data from Teamwork.com. The client also gets unsubscribed from our newsletter. The ones who want to remain a client, but unsubscribe from the newsletter, can notify us through email.
We forfeit all verifications of accounts in our records after seven years and delete the data file after ten years. This is according to existing legislation.
Whoever is registered as a job applicant is deleted after two years.
Transfer of personal data to a third country
Our coworkers mainly work in Sweden. But since we are a distance workplace, some coworkers may temporarily be located in other countries and work from there. The coworkers can choose to work temporarily from any country within the EEA. In the event that a coworker will work in a country outside the EEA, a so-called third country, we will determine in every separate case whether it can be done in a secure way without risking that the personal data gets processed in an improper manner. In the cases where we deem this to be possible, we establish a special agreement with the coworker which regulates how the personal data can be processed in a third country. The processing in a third country will only be executed by our Swedish staff on computers with Swedish operating systems which they bring from Sweden when they travel. We will never borrow, rent or buy computer equipment in a third country.
We use three cloud services that are established in a third country (USA). Since these companies participate in the EU-US Privacy Shield agreement they meet the requirements of the GDPR for processing personal data in a third country.
Who can access the personal data?
The personal data is available in its entirety to selected parts of our staff as well as partly to subcontractors who act as data processors for us. We do not give out personal data to anyone else.
The main part of our staff do not have access to client lists, newsletters, emails and record keeping.
Aktiebolaget Redovisningscentrum RECUM
Our record keeping is done by Aktiebolaget Redovisningscentrum RECUM. They act as data processors for us and have access to all personal data on our invoices. This is regulated by a data processor agreement between us and RECUM.
.jo solutions is our IT consultant who helps us develop our work in the system Teamwork.com. As IT consultant he has full access to the system, as well as the personal data therein. The scripts the consultant develops are, among other things, used to automatically register the personal data that the client fills in at registration, which makes it necessary for the consultant to have access to all personal data. This is regulated by a data processor agreement between us and .jo solutions.
We use the cloud service Teamwork.com to store the personal data. Teamwork.com participates in the EU-US Privacy Shield agreement which means that they meet the requirements of the GDPR for processing personal data in a third country.
We use Google to deliver our email. During the last year Google has put a lot of effort in trying to adapt their technology and their agreements to live up to the requirements of the GDPR.
Google participates in the EU-US Privacy Shield agreement which means that they meet the requirements of the GDPR for processing personal data in a third country.
When our clients upload audio files they are being temporarily stored at Amazon.com. Amazon.com shows the length of the audio file and automatically transfers this information to Teamwork.com to facilitate our administrative work. The personal data that may occur in the audio files is not processed in any way, it is only temporarily stored while the server returns the length of the audio file.
Amazon.com participates in the EU-US Privacy Shield agreement which means that they meet the requirements of the GDPR for processing personal data in a third country.
We use Space2u as our web hotel. The scripts that register, among other things, the personal data that our clients provide when they register as clients, are at Space2u. Space2u have all their servers in Sweden.
We have a data processor agreement with Space2u that regulates the division of responsibilities between us.
Our role as data processors
Some of our clients instruct us to work with material that contains personal data. We then act as data processors for these clients. Then we establish a data processor agreement with the client. Since we do not know beforehand whether the material from our clients contains any personal data or not, it is up to the client to inform us when the material contains personal data and when a data processor agreement has to be established. We always inform our clients of this to make sure that we do not work with any personal data without a data processor agreement having been established. We can use one of our own templates for the data processor agreement, or use one provided by the client.
It is the data controllers (our clients) that gather the personal data. We only process it according to the instructions we have been given from the data controllers.
We store the personal data that we process as data processors for our clients in the services listed above under the heading “Who can access the personal data?”. When it comes to personal data that the client is responsible for, our data processors act as sub-processors. As a client you consent to our use of these sub-processors as described under the heading “Who can access the personal data?”
The personal data is not released to anyone else than the sub-processors described above. We will never hire sub-processors to transcribe the material that our clients send to us.
Safety routines in our role as data processors
We are very keen on processing the personal data in our clients’ material in a safe way.
Our staff are tied to a confidentiality agreement in which they commit not to give out any information whatsoever from the material they work with, nor any information regarding which clients we work with or what subjects the material deals with. We only work on locations where no one can see the screen or hear the audio from the headphones.
When we are finished working with the material we delete it from our own computers as well as from Teamwork.com. Teamwork.com has a recycle bin in which the material is stored for 30 days, and after that only the client has access to the material.
If a data breach were to occur, meaning that the personal data stored in our clients’ material were to be processed in an improper manner, we will report it to the data controller, which is our client, who in turn will report this to the Swedish Data Protection Authority as well as inform the data subject. A data breach may be due to improper processing on our part, with any of our sub-processors or because of data hacking.