DraftInternalISO 27001

SW-ISMS-POL-004

Data Protection Policy

Version

1.0

Owner

CISO

Effective Date

[TBD]

Review Date

[TBD]

Data Protection Policy

1. Purpose

This Data Protection Policy establishes Swedwise AB's commitment to protecting personal data and demonstrates compliance with the EU General Data Protection Regulation (GDPR) and Swedish data protection laws. The policy:

Defines how Swedwise collects, processes, stores, and protects personal data
Establishes data classification and handling requirements
Ensures respect for data subject rights
Provides framework for privacy by design and default
Supports compliance with legal and contractual obligations

This policy applies to all personal data processed by Swedwise, whether relating to employees, customers, partners, or other individuals.

2. Scope

This policy applies to:

People:

All Swedwise employees, contractors, consultants, and temporary staff
Third parties processing personal data on behalf of Swedwise
Anyone accessing or handling personal data in their work for Swedwise

Data Types:

All personal data as defined by GDPR (any information relating to an identified or identifiable natural person)
Special categories of personal data (sensitive personal data)
Employee personal data
Customer and customer employee personal data
Supplier and partner personal data
Website visitor and marketing contact data

Processing Activities:

Manual and automated processing
Collection, recording, organization, storage, alteration, retrieval, use, disclosure, erasure
Processing at all locations (offices, remote work, customer sites, cloud systems)
Processing by Swedwise as controller and as processor

Systems:

All IT systems processing personal data (HR systems, CRM, email, file storage, SaaS platforms)
Paper records containing personal data
CCTV and access control systems (if applicable)

3. Legal Basis and Compliance

3.1 Applicable Legislation

Swedwise complies with:

EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
Swedish Data Protection Act - Dataskyddslagen (2018:218)
Swedish Electronic Communications Act - Lagen om elektronisk kommunikation (2022:482)
Sector-specific regulations applicable to our customers and services

3.2 Accountability

Swedwise is accountable for compliance and demonstrates this through:

Documented policies, procedures, and processing activities
Data protection impact assessments for high-risk processing
Regular compliance reviews and audits
Staff training and awareness programs
Appropriate technical and organizational measures
Records of processing activities maintained and current

3.3 Regulatory Authority

Swedish Authority for Privacy Protection (IMY) - Integritetsskyddsmyndigheten

Supervisory authority for GDPR compliance in Sweden
Contact for data protection concerns and breach notifications
Authority to investigate and enforce compliance

4. Data Protection Principles

Swedwise adheres to the GDPR data protection principles:

4.1 Lawfulness, Fairness, and Transparency

Personal data is processed lawfully, fairly, and transparently:

Valid legal basis identified for each processing activity
Individuals informed about data processing (privacy notices)
No deceptive or unfair data collection practices
Transparent about data use, retention, and sharing

Legal Bases for Processing:

Consent: Freely given, specific, informed, and unambiguous
Contract: Necessary for contract performance or pre-contractual steps
Legal Obligation: Required by law
Vital Interests: Necessary to protect life
Public Task: Public interest or official authority
Legitimate Interests: Swedwise or third party interests (when not overridden by individual rights)

Most Swedwise processing relies on:

Contract (customer and employee relationships)
Legitimate interests (marketing, IT security, business operations)
Legal obligation (employment law, tax, accounting)

4.2 Purpose Limitation

Personal data is collected for specified, explicit, and legitimate purposes:

Purpose defined before or at time of collection
Data not used for incompatible purposes without new legal basis
Processing activities documented with purposes
Staff understand and respect purpose limitations

4.3 Data Minimization

Only personal data necessary for the purpose is collected and processed:

Don't collect data "just in case"
Review data fields in forms and systems - collect only what's needed
Regular review of processing to identify unnecessary data
Remove or anonymize data when no longer needed for original purpose

4.4 Accuracy

Personal data is accurate and kept up to date:

Reasonable steps taken to ensure accuracy at collection
Individuals can review and correct their data
Inaccurate data corrected or erased without delay
Regular data quality reviews for critical data sets
Processes to update changed information (e.g., employee role changes)

4.5 Storage Limitation

Personal data is kept only as long as necessary:

Retention periods defined for each data category
Data deleted or anonymized when retention period expires
Regular review and purging of old data
Retention requirements balanced with legal obligations (e.g., accounting records)
Documented retention schedule [TBD - reference to retention schedule]

4.6 Integrity and Confidentiality (Security)

Personal data is processed securely with appropriate protection:

Technical and organizational measures to protect against unauthorized access, loss, destruction, or damage
Access controls based on need-to-know
Encryption for sensitive data and data in transit
Regular security testing and monitoring
Incident response procedures for data breaches
Staff training on data security

4.7 Accountability

Swedwise is responsible for and can demonstrate compliance:

This policy and supporting procedures
Records of processing activities
Data protection impact assessments
Contracts with processors
Training records
Audit trails and compliance evidence

5. Data Classification

Swedwise classifies data to determine appropriate handling and protection measures:

5.1 Classification Levels

Level	Definition	Examples	Protection Requirements
Public	Intended for public disclosure	Marketing materials, public website content, press releases	Basic integrity protection
Internal	For Swedwise internal use	Internal memos, non-sensitive business information, policies	Access control, not for external sharing
Confidential	Restricted access, business impact if disclosed	Customer contracts, financial data, business plans, employee personal data	Encryption in transit, access logging, confidentiality agreements
Restricted	Very limited access, serious impact if disclosed	Customer personal data (as processor), authentication credentials, trade secrets	Strong encryption at rest and in transit, MFA, audit logging, strict access control

5.2 Personal Data Classification

Standard Personal Data:

Name, contact information, job title
IP address, device identifiers
Classified minimum as Confidential

Special Categories (Sensitive Personal Data):

Racial or ethnic origin
Political opinions, religious beliefs
Trade union membership
Genetic or biometric data
Health data
Sex life or sexual orientation
Classified as Restricted with additional safeguards

Criminal Conviction Data:

Limited processing, specific legal basis required
Classified as Restricted

Swedwise avoids processing special category and criminal data unless absolutely necessary with appropriate legal basis and safeguards.

5.3 Data Labeling

Sensitive documents containing personal data should be labeled:

Document headers/footers with classification level
Email subject lines for confidential/restricted content
File naming conventions indicating sensitivity
Metadata tags in document management systems

6. Roles and Responsibilities

6.1 Data Controller

Swedwise AB as Controller:

When processing personal data for our own purposes (employees, marketing, customer relationship management):

Determine purposes and means of processing
Ensure legal basis and compliance with GDPR
Provide privacy notices to data subjects
Handle data subject rights requests
Conduct data protection impact assessments
Report breaches to supervisory authority and data subjects
Maintain records of processing activities

6.2 Data Processor

Swedwise AB as Processor:

When processing personal data on behalf of customers (SaaS platform operations):

Process only on documented instructions from customer (controller)
Ensure confidentiality of personnel processing data
Implement appropriate security measures
Engage sub-processors only with customer authorization
Assist customer with data subject requests
Notify customer of data breaches without undue delay
Return or delete data at end of service contract
Maintain records of processing activities

6.3 Chief Information Security Officer (CISO)

Assigned to: [TBD - Name]

The CISO serves as Data Protection Officer (DPO) function:

Inform and advise on data protection obligations
Monitor compliance with GDPR and this policy
Provide advice on data protection impact assessments
Cooperate with supervisory authority (IMY)
Act as contact point for IMY and data subjects
Coordinate data breach response and notifications
Maintain records of processing activities
Oversee data protection training

Note: Formal DPO designation required if processing meets GDPR criteria. [TBD - assess if formal DPO appointment needed]

6.4 Management Team

Ensure adequate resources for data protection
Approve data protection policies and assessments
Support data protection culture
Review data protection performance in management reviews
Accountability for processing within their areas

6.5 Department Heads / Managers

Implement data protection requirements in their areas
Maintain records of processing activities for their departments
Ensure staff training and awareness
Conduct data protection impact assessments for new processing
Report data breaches and incidents
Respond to data subject rights requests in their area

6.6 All Staff

Understand and comply with data protection requirements
Handle personal data only for legitimate business purposes
Protect personal data according to classification
Report data breaches and incidents immediately
Complete required data protection training
Respect data subject rights

7. Privacy Notices and Transparency

7.1 Privacy Notice Requirements

Privacy notices inform individuals about data processing and must include:

Identity and contact details of controller (Swedwise)
Contact details of DPO/CISO
Purposes and legal basis for processing
Categories of personal data processed
Recipients or categories of recipients
Data retention periods or criteria
Data subject rights
Right to withdraw consent (if applicable)
Right to lodge complaint with IMY
Data transfer information (if outside EEA)
Automated decision-making information (if applicable)

7.2 Privacy Notices by Context

Employee Privacy Notice:

Provided during recruitment and onboarding
Covers HR data processing throughout employment
Updated when processing purposes change

Customer and Partner Privacy Notice:

Available at point of data collection (website, contracts)
Explains business relationship data processing
Separate notices for different processing purposes if needed

Website Privacy Notice:

Published on Swedwise website
Covers website visitor data, cookies, analytics
Cookie consent mechanism where required

SaaS Customer (Processor) Notice:

Data processing agreement with customers
Explains how Swedwise processes customer data as processor
Security measures and sub-processors

7.3 Notice Accessibility

Privacy notices are:

Written in clear, plain language
Easily accessible and visible
Available in Swedish and English as appropriate
Reviewed annually and updated as needed
Communicated when processing changes

8. Data Subject Rights

Swedwise respects and facilitates data subject rights under GDPR:

8.1 Right of Access (Article 15)

Individuals can request:

Confirmation that their data is being processed
Copy of their personal data
Information about processing (purpose, categories, retention, etc.)

Response:

Verify identity of requestor
Respond within 1 month (extendable to 3 months if complex)
Provide data in commonly used electronic format
First copy free; reasonable fee for additional copies

8.2 Right to Rectification (Article 16)

Individuals can request correction of inaccurate personal data.

Response:

Correct data without undue delay
Notify recipients if data was shared
Implement processes for ongoing accuracy

8.3 Right to Erasure / "Right to be Forgotten" (Article 17)

Individuals can request deletion when:

Data no longer necessary for original purpose
Consent withdrawn and no other legal basis
Objection to processing (and no overriding grounds)
Data processed unlawfully
Legal obligation requires erasure

Response:

Assess if exception applies (legal obligation, public interest, legal claims)
Delete data and confirm to individual
Notify recipients if data was shared

8.4 Right to Restriction (Article 18)

Individuals can request processing be limited when:

Accuracy is contested
Processing unlawful but individual opposes erasure
Data no longer needed but individual needs it for legal claims
Objection pending verification

Response:

Restrict processing (store only, no further use)
Mark data as restricted in systems
Inform individual before lifting restriction

8.5 Right to Data Portability (Article 20)

Individuals can request:

Personal data in structured, commonly used, machine-readable format
Direct transmission to another controller if feasible

Applies when:

Processing based on consent or contract
Processing carried out by automated means

Response:

Provide data in portable format (e.g., JSON, CSV, XML)
Transmit directly if technically feasible
Does not apply to manual/paper processing

8.6 Right to Object (Article 21)

Individuals can object to processing based on:

Legitimate interests (including profiling)
Direct marketing (always honored)

Response:

Cease processing unless compelling legitimate grounds override individual rights
Always stop direct marketing when objection received
Document objections and actions taken

Individuals have right not to be subject to solely automated decisions with legal or significant effects.

Swedwise Position:

Currently minimal automated decision-making
If implemented, ensure human involvement in significant decisions
Provide information about logic involved
Allow individuals to challenge decisions

8.8 Rights Request Procedure

Request Receipt:

Accept requests via email, letter, or in-person
Request email: [TBD - privacy@swedwise.se or similar]
Log all requests with date received and type

Identity Verification:

Verify identity before disclosing data or making changes
Request additional information if necessary to confirm identity
Balance verification with not requesting excessive data

Response Timeline:

1 month from receipt (extendable to 3 months if complex)
Inform individual of extension within 1 month
Explain reason for extension

Response Format:

Written response (email acceptable if request received by email)
Clear explanation of action taken
Information about right to complain to IMY

Fees:

Generally free
Reasonable fee for manifestly unfounded or excessive requests
Fee for additional copies beyond first

Refusal:

May refuse manifestly unfounded or excessive requests
Must explain reason and inform of right to complain to IMY

Documentation:

Record all requests, actions taken, and responses
Retain for audit and compliance demonstration

9. Data Processing Activities

9.1 Records of Processing Activities (ROPA)

Swedwise maintains records of processing activities including:

For each processing activity:

Name and contact details of controller
Purposes of processing
Categories of data subjects and personal data
Categories of recipients
Data transfers outside EEA (if applicable)
Retention periods
Security measures

Responsibility:

CISO maintains central ROPA
Department heads provide input for their areas
Reviewed and updated at least annually
Available to supervisory authority on request

9.2 Data Protection Impact Assessment (DPIA)

DPIA required for processing likely to result in high risk to individuals:

When Required:

Systematic and extensive profiling
Large-scale processing of special category data
Systematic monitoring of public areas (e.g., CCTV)
New technologies with privacy implications
Processing that could prevent individuals from exercising rights

DPIA Process:

Describe processing and purposes
Assess necessity and proportionality
Identify and assess risks to individuals
Identify measures to mitigate risks
Document assessment and decisions
Consult IMY if high risk remains

Responsibility:

Department proposing new processing initiates
CISO reviews and provides guidance
Management approves before proceeding
DPIA reviewed if processing changes significantly

9.3 Contracts with Processors

When Swedwise uses third-party processors (cloud providers, SaaS tools):

Contract Requirements (Article 28):

Process only on documented instructions
Confidentiality obligations
Appropriate security measures
Sub-processor restrictions and approvals
Assistance with data subject rights
Assistance with security and DPIAs
Data deletion or return at end of contract
Audit rights
Notification of data breaches

Processor Management:

Maintain list of processors and sub-processors
Security assessment before engagement
Annual review of processor compliance
Monitor for security incidents
Include data protection terms in procurement

9.4 International Data Transfers

Personal data transferred outside EEA requires adequate protection:

Transfer Mechanisms:

Adequacy Decision: EU has determined country ensures adequate protection
Standard Contractual Clauses (SCCs): EU-approved contract terms
Binding Corporate Rules: For intra-group transfers
Certification Mechanisms: Approved certification schemes

Current Position:

Swedwise processes data primarily within EEA (Swedish data centers)
Some processors may be outside EEA (e.g., cloud services)
Standard Contractual Clauses used where applicable
Document and monitor all international transfers

Responsibility:

CISO approves international transfers
Legal/procurement ensures appropriate safeguards in contracts
Monitor changes in adequacy decisions and transfer mechanisms

10. Data Security Measures

10.1 Technical Measures

Encryption: Data encrypted in transit (TLS) and at rest where appropriate
Access Control: Role-based access, least privilege, MFA
Network Security: Firewalls, intrusion detection, network segmentation
Endpoint Protection: Antivirus, endpoint detection and response
Backup: Regular backups with encryption and tested recovery
Logging: Security event logging and monitoring

10.2 Organizational Measures

Policies and Procedures: This policy and supporting procedures
Training: Regular data protection awareness training
Access Management: Joiners/movers/leavers process
Incident Response: Data breach response plan
Vendor Management: Processor contracts and assessments
Physical Security: Controlled access to facilities and servers

10.3 Privacy by Design and Default

New systems and processes incorporate privacy from the outset:

Privacy by Design:

Data protection integrated into system design
Security controls built in, not bolted on
Data minimization in design (don't collect unnecessary data)
Transparency in processing
User-centric design

Privacy by Default:

Strictest privacy settings by default
Users opt-in to additional data uses
Data not shared without user action
Automatic data deletion when retention period expires

11. Data Breach Management

11.1 Data Breach Definition

A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.

Examples:

Ransomware encrypting personal data
Email sent to wrong recipient
Lost laptop or USB drive
Hacking incident
Unauthorized access by employee
Accidental public exposure of data

11.2 Breach Detection and Reporting

All Staff Responsibility:

Report suspected breaches immediately
Don't delay reporting while investigating
Report to: [TBD - CISO contact, security email, phone]

Initial Assessment:

CISO assesses severity and risk to individuals
Determine if breach is reportable
Initiate containment and investigation

11.3 Notification to Supervisory Authority

Requirement:

Report to IMY within 72 hours if breach likely to result in risk to individuals' rights and freedoms
Initial report may be followed by additional information

Report Contents:

Nature of breach (categories and approximate numbers affected)
Contact point (DPO/CISO)
Likely consequences
Measures taken or proposed to address breach

Exemption:

No notification required if unlikely to result in risk (e.g., encrypted data, very limited scope)
Document rationale for not reporting

11.4 Notification to Data Subjects

Requirement:

Notify affected individuals without undue delay if breach likely to result in high risk to their rights and freedoms

Notification Contents:

Nature of breach in clear and plain language
Contact point for more information
Likely consequences
Measures taken or proposed to mitigate

Exemption:

Appropriate technical/organizational protection applied (e.g., encryption)
Subsequent measures ensure high risk no longer likely
Notification would involve disproportionate effort (public communication may substitute)

11.5 Breach Documentation

All breaches documented including:

Facts of breach
Effects and impact
Remedial action taken
Notification decisions and communications

Breach register maintained by CISO for audit and review.

12. Data Retention and Disposal

12.1 Retention Principles

Personal data retained only as long as necessary for purpose
Retention periods defined for each data category
Legal and regulatory requirements considered
Data deleted or anonymized when retention period expires

12.2 Retention Schedule

[TBD - Develop detailed retention schedule. Examples:]

Data Type	Retention Period	Legal Basis
Employee HR records	2 years after employment end	Swedish labor law
Accounting records	7 years	Swedish Accounting Act
Customer contracts	3 years after contract end	Limitation periods
Marketing consent records	Until consent withdrawn + 1 year	GDPR accountability
Access logs	12 months	Security and audit
CCTV footage (if applicable)	30 days	Proportionality

12.3 Secure Disposal

Electronic Data:

Secure deletion using approved tools
Overwriting for highly sensitive data
Physical destruction of storage media when decommissioning
Certificate of destruction for regulated data

Paper Records:

Shredding using cross-cut shredder or professional service
Locked bins before shredding
Certificate of destruction for large volumes

Verification:

Periodic audits of disposal processes
Documentation of disposal for audit trail

13. Training and Awareness

13.1 Mandatory Training

All staff complete data protection training:

During onboarding (before accessing personal data)
Annual refresher training
Role-specific training for data-intensive roles
Training on policy updates

Training Content:

GDPR principles and Swedwise obligations
Data classification and handling
Data subject rights
Breach reporting
Acceptable use of systems
Role-specific responsibilities

13.2 Awareness Activities

Ongoing awareness through:

Regular communications and updates
Awareness campaigns (e.g., Data Privacy Day)
Posters and reminders in offices
Intranet resources and FAQs
Examples and case studies

13.3 Training Records

Track training completion
Evidence of compliance for audits
Follow-up for non-completion

14. Monitoring and Review

14.1 Compliance Monitoring

Regular monitoring through:

Internal audits of data processing activities
Access log reviews
Processor compliance reviews
Data subject rights request metrics
Breach incident analysis

14.2 Policy Review

This policy reviewed:

At least annually
After significant data breaches
When legislation or guidance changes
After internal/external audits
When business activities change significantly

14.3 Management Review

Data protection performance reviewed in management reviews:

Data subject rights requests received and response times
Data breaches and incidents
Training completion rates
Audit findings and remediation
Processor compliance issues
Regulatory developments

Policies:

SW-IMS-POL-001: Integrated Management System Policy
SW-ISMS-POL-001: Information Security Policy
SW-ISMS-POL-002: Access Control Policy
SW-ISMS-POL-003: Acceptable Use Policy

Procedures:

[TBD - SW-ISMS-PRO-002: Incident Management Procedure]
[TBD - SW-ISMS-PRO-007: Data Subject Rights Procedure]
[TBD - SW-ISMS-PRO-008: Data Breach Response Procedure]
[TBD - SW-HR-PRO-003: Data Retention and Disposal Procedure]

Guidelines:

[TBD - SW-ISMS-GUI-001: Information Classification Guideline]
[TBD - SW-ISMS-GUI-007: Privacy by Design Guideline]

Supporting Documents:

[TBD - Records of Processing Activities (ROPA)]
[TBD - Data Retention Schedule]
[TBD - Data Protection Impact Assessment Template]
[TBD - Data Processing Agreement Template (Processor)]
[TBD - Employee Privacy Notice]
[TBD - Customer Privacy Notice]
[TBD - Website Privacy Notice]

16. Contact Information

Data Protection Queries:

CISO / Data Protection Officer: [TBD - email and phone]

Data Subject Rights Requests:

Email: [TBD - privacy@swedwise.se]
Mail: Swedwise AB, [TBD - address]

Data Breach Reporting (Internal):

Email: [TBD - security@swedwise.se]
Phone: [TBD - emergency contact]

Supervisory Authority:

Swedish Authority for Privacy Protection (IMY)
Website: www.imy.se
Email: imy@imy.se
Phone: +46 (0)8-657 61 00

17. Document Control

Version	Date	Author	Changes	Approved By
1.0	[TBD]	[TBD - CISO name]	Initial policy creation	[TBD - CEO name]

Next Review Date: [TBD - typically 12 months from effective date]

Document Classification: Internal

Document Owner: CISO

This policy is approved by Swedwise AB management and is effective from the date specified above. All staff are required to read, understand, and comply with this policy.

Swedwise AB is committed to protecting personal data and respecting the privacy rights of individuals. Questions or concerns about data protection should be directed to the CISO.