Data Privacy Policy
1 Introduction
The Board of Directors works to ensure that Sciigo has good governance and internal control. The Board is responsible for ensuring that Sciigo follows laws and relevant national and European regulations that govern its business. The Board shall establish internal rules and policies on an annual basis and ensure that these are followed and are regularly monitored and evaluated within the business. The Board is ultimately responsible for ensuring that Sciigo has an appropriate and efficient business, as well as a well-developed system for risk management and compliance.
2 Applicability
This policy covers the Board, management, all employees, consultants, partners, agents and contractors involved in Sciigo’s activities. The policy applies to all parts of the business and includes operations and areas outsourced to another party.
The requirement levels set out in this policy can be in the form of obligatory requirements that use the words “must” or “shall” or of strongly recommended requirements that use the word “should”.
All employees at Sciigo who process or may process personal data must have undergone basic training in the processing of personal data.
Employees who have regular contact with data subjects must have an extended understanding of the data subject’s rights and their opportunity to exercise these.
Employees who work with systems or services that share personal data must have an understanding of how Sciigo manages data processors and the transfer of personal data.
Employees who process special categories of personal data, such as data on union membership or health (which also includes data on sick leave), must have knowledge of the additional requirements imposed on such processing.
Employees who work with development, set requirements or procure systems and/or solutions must have an understanding of privacy by design and privacy by default.
3 Responsibility
The Board is responsible for the drafting of this policy. It falls to the CEO to ensure that the policy is made available to all concerned.
The CEO is responsible for informing all concerned of the provisions of this policy. This means ensuring that the employees, consultants, partners, agents and contractors affected by this policy are familiar with and comply with its content. The CEO or person designated by the CEO is also responsible for issuing the detailed rules needed to facilitate the application of this policy.
Each business within Sciigo must ensure that the necessary procedures are in place in relation to the processing of personal data. It is important that methods and processes are consistently used that safeguard privacy and protect personal data. It is also important that these are followed up.
Procedures, methods and processes should be documented in the form of process descriptions and/or instructions.
The CEO is the contact for questions regarding this policy and is responsible for the production of more detailed guidelines, procedures and templates pursuant to this policy.
4 Entry into force and amendments
This policy shall be revised on an ongoing basis and amended as necessary following the decisions of the Board.
The CEO is responsible for assessing and updating the content of this policy on an annual basis and for submitting it to the Board with any proposed amendments. The policy must be adopted by the Board at least every year, even if there are no amendments to be decided on.
5 Background
Laws and regulations regarding the processing of personal data are intended to protect the privacy of those whose personal data is being processed. Sciigo processes many different types of data, such as personal data in the form of contact details linked to employees and clients. To ensure that Sciigo protects the privacy of individuals to the greatest extent possible, Sciigo must work continuously to protect privacy in relation to the processing of personal data, which concerns everyone working at Sciigo who processes or may process personal data.
The Sciigo platform collects data about the client and the client’s organization, and certain assets and properties belonging to the client’s organization, both by manual entry from the client and automated import from public and private data sources. All data collection is initiated by the client, either by setting up an account on the platform or by specific actions taken by the client’s employees (platform users) on the platform. The client retains ownership of data entered, and data is by default shared only with users on the client’s account.
The platform enables the client to share their data with other Sciigo users through explicit actions. In this process, the platform makes a copy of the selected data records and transfers the copy to the recipient’s Sciigo platform account. Ownership of the copy of the records is transferred to the recipient.
With the client’s consent, Sciigo also collects aggregated anonymized data based on the client’s own data and uses it for analysis. The analysis may be shared with other Sciigo users. However, this data constitutes an aggregate from a large group of clients, and any connection with the client’s data is removed.
All data processing and storage is performed on data centers within the European Economic Area.
Any collection of user data not part of the description above is forbidden.
6 Purpose
The purpose of this policy is to specify the requirements imposed on Sciigo, its suppliers and others who may process personal data on Sciigo’s behalf.
7 Definitions
“Processing of personal data” is any operation or set of operations performed on personal data or sets of personal data, whether automated or not, such as: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Personal data” is any information that could directly or indirectly identify an individual. Examples include a name, e-mail address or photograph.
“Data controller” is a legal entity that singly or together with another data controller governs the purpose and means of the processing of personal data.
“Data processor” is a legal entity that processes personal data on behalf of a data controller.
“Data subject” is the individual to whom the personal data relates.
“Special categories of personal data” is personal data containing information on health, race or ethnic origin, political, religious or philosophical views, union membership or data on sexual orientation. The starting point is that this data, by its very nature, is sensitive and requires extra consideration in its processing and when evaluating the protection of personal data.
8 Risk-based approach
In its work with the processing of personal data, Sciigo must have a risk-based approach. This means, for example, that:
- All inventory and analysis of processing of personal data must seek to identify where the greatest risks to privacy lie in the processing of the data. This requires a holistic perspective that includes:
  - how privacy-sensitive the types of data to be processed are;
  - the volume of data processed;
  - how privacy-sensitive the forms of processing to be carried out are;
  - how large a circle of people have access to the data; and
  - whether the data is shared, even if on a read-only basis, with external parties (and in particular with parties outside the EU).
- All measures, both organizational and technical, must prioritize the greatest risks to privacy. This means that in its processing of personal data, Sciigo must always:
  - maintain an overview of the risks in its work with personal data;
  - have a plan for addressing existing risks; and
  - conduct regular follow-ups.
Measures to manage privacy risks must be taken as appropriate in view of the degree of risk, as well as of the costs, resources, and inconvenience that the measures would entail.
9 Responsibility for the processing of personal data
Sciigo must ensure that all processing of personal data is accurate and legal. Sciigo is also responsible for being able to demonstrate compliance with the following fundamental principles:
Legality: Every business within Sciigo must ensure compliance with current legislation and these guidelines for all processing linked to processes for which the business is responsible. Each person responsible for an activity/process must ensure that the processing of personal data is accurate all the way from its collection through to the point that the data is no longer being processed, regardless of whether the processing is carried out by Sciigo itself or by a data processor.
Responsibility: The processing of personal data must always have a specified data controller (i.e. the company or other legal entity responsible for determining the purpose and means for processing; see the definition above). Processing performed by a data processor must be regulated by way of a data processing agreement. When an agreement is signed that means that Sciigo is acting as the data controller, the employee responsible for the agreement on Sciigo’s behalf must ensure that a data processing agreement is drawn up or included in the assignment agreement as an annex.
Documentation: All processing of personal data must be documented in a record of processing activities.
Instructions: Persons or data processors (i.e. suppliers or other companies/organizations) who process personal data on Sciigo’s behalf must process personal data only according to the instructions provided by Sciigo. Correspondingly, when acting as a data processor, Sciigo must ensure that it obtains such instructions. Instructions regarding the processing of personal data must be documented in the data processing agreement.
10 Fundamental principles for the processing of personal data
Legal, accurate and transparent:
Sciigo must process personal data only in a manner which is lawful, accurate, and transparent in relation to the data subject. The personal data processed shall be correct and, where necessary, kept up to date.
Personal data must be collected only for specific, explicit and justified purposes. Personal data must not subsequently be processed for any other purpose or in a way that is inconsistent with the stated purposes. If processing for a new purpose is nevertheless intended, the data subject must be informed beforehand. If the law requires consent for the new processing, this must be obtained. In addition, it must be ensured that the new processing is permitted under applicable legislation and these guidelines.
Purpose limitation:
Sciigo must process personal data only for commercial and explicit purposes. Before starting to collect personal data, the part of the business responsible for the processing must determine the purpose of the processing and document this in the record of processing activities.
Data minimization:
Sciigo must use only the personal data that is necessary for it to fulfil the purpose of the processing. Sensitive data should be anonymized wherever possible.
Should a client, partner or the like have a method, file format etc. that requires the transfer of more data to Sciigo than is necessary for the fulfilment of the assignment, Sciigo should take the initiative to minimize the data in the first instance. Secondly, it should endeavor to find organizational or technical solutions that eliminate or reduce the risks to privacy. If a client is unable to remove the data in question from the material sent, Sciigo can take measures such as:
- minimizing the circle of employees who can come into contact with the data;
- creating procedures upon receipt of the material to mask or otherwise remove the data that is not required for Sciigo to fulfil its assignment; and
- creating methods that encrypt sensitive personal data in order to reduce the risk of unauthorized access.
This includes sorting incoming e-mail containing such data into a separate folder which is then thinned out as quickly as possible. It may also be appropriate to name such a folder so that it clearly states that the content is confidential/privacy sensitive.
Storage minimization:
Sciigo must not store personal data for longer than is necessary for it to fulfil the purpose of processing or to comply with legal requirements. The client retains ownership of their data; Sciigo must not share client data with a third party without the client’s initiative and explicit permission. On termination of the client’s relationship with Sciigo, all identifiable client data pertaining to that relationship will be deleted within one month. Data that has been transferred to a third party within Sciigo’s platform is considered to be the property of said third party and will remain in the platform’s database for the duration of Sciigo’s relationship with the third party in question.
Privacy and confidentiality:
Based on the risks to privacy from processing, Sciigo must implement appropriate technical and organizational measures to protect personal data against illegal or unnecessary access to the data. The same applies to accidental or illegal deletion, loss, alteration, dissemination or other unauthorized processing.
The pseudonymization of data (e.g. by way of a customer number or employment number) is generally recommended, provided that it does not require an unreasonably large amount of effort or resources. Personal identity numbers as identifiers should be avoided as much as possible.
11 Legal basis for the processing of personal data
The processing of personal data must always have a legal basis (i.e. one of the conditions stipulated in applicable legislation must be met). The legal basis invoked for processing is documented through the audit trail built into the platform. For every record of data that is stored in the platform, the client action to store the record is also recorded alongside the data. This client action is taken to constitute the agreement necessary for a legal basis.
There are a total of six legal grounds; two of which are in scope for Sciigo’s data storage needs:
- Agreement: Processing is necessary for Sciigo to fulfil (or conclude) an agreement with the data subject.
- Consent: The data subject has consented to the processing of their personal data for one or more specific purposes. In Sciigo the client can consent to three types of processing:
  - Explicitly sharing a certain data record or limited collection of data records with a third party on the Sciigo platform. This action requires a preexisting relationship between the client and the third party on the platform, as well as an explicit initiation of the data sharing on the part of the client. Consent is given by the client in the act of initiating the sharing.
  - Sharing data with Sciigo for internal analysis and platform improvement. All data will be anonymized and all references to the client will be removed from the data by Sciigo. Consent is given by the client through a separate check box/accept button during onboarding.
  - Sharing data with Sciigo for the purpose of providing aggregated analysis to other Sciigo clients. All data will be anonymized and all references to the client will be removed from the data by Sciigo. Consent is given by the client through a separate check box/accept button during onboarding.
The client can withdraw consent at any time by closing their account on the platform.
Automated decisions, including the profiling of the data subject, are permitted only if the data subject gives their consent for this, if they are needed in order to fulfil an agreement with the data subject, or pursuant to any other exception provided by law.
12 Consequence assessment
If the processing of personal data is likely to result in a high risk to the data subject’s privacy, rights and freedoms, an impact assessment must be carried out before processing commences. Examples of high-risk processing include the processing of special categories of personal data or processing that uses new technology. The aim of an impact assessment is to identify risks linked to the processing and to assess the likelihood and impact of a risk scenario occurring. This enables risk-mitigating measures to be taken and considerations regarding the processing to be documented. Sciigo must have impact assessment procedures.
The impact assessment must be regularly evaluated to ensure that the assessment is up to date and that measures taken over time provide adequate protection. Should processing that has previously been subject to an impact assessment be changed, such as by way of a change in technology, a new impact assessment must be carried out.
13 The subject’s right to information
In order for the data subject to be able to exercise their rights, they need to be informed about the processing that is taking place or will take place. Sciigo must ensure that complete information on how client data is processed and managed is available throughout the platform so that it fulfills the following criteria:
- Easy to find in association with the relevant activity on the platform
- Clear and simple to understand
- Compliant with regulatory requirements
It must be easy for the client to find information on how data processing and storing is affected by a client action before, in direct association with, and after the action is taken by the client.
14 The subject’s right to certain measures
The data subject must have the right to the following measures:
Correction and deletion: The platform must enable the data subject (client) to correct incorrect data. The client is responsible for the correctness of their data.
Data portability: The data subject must have the right to receive (export) all the data that the data subject has provided to Sciigo in an electronic format.
“The right to be forgotten”: This does not refer to an unconditional right to have data deleted. The data subject must have the right to an assessment as to whether their data is to be deleted. For example, deletion cannot take place if there are rules requiring the retention of the data, or if the data subject wishes to remain a client. (In the case of the latter, some data is of course necessary in order to manage the client relationship.) In general, data is deleted when the data subject (client) terminates their account on the platform (within no longer than one month’s time), unless the client explicitly requests data to remain on the platform.
The right to forgo profiling: The data subject must have the right to refuse future processing of personal data for marketing purposes, including profiling, by way of opting out. Sciigo does not process personal data for profiling.
In addition, the data subject may have the right to limit the processing of their personal data pending an investigation into its processing.
15 Right to register extract
Where Sciigo is the data controller, the data subject has a statutory right to receive confirmation as to whether Sciigo processes personal data relating to them. In this case, the data subject must have the right to information about the processing and to a list of the personal data - a register extract.
Sciigo must provide the possibility to request this information through the platform. The functionality must be easy to find and easy to use for the data subject (client).
16 Transfer of personal data to third parties
Sciigo may provide personal data to a third party only provided that the transfer has a legal basis and follows the principles and requirements stated in this policy and those which otherwise follow from applicable regulations. Before transferring personal data, Sciigo must consider the risks linked to the transfer. In cases where personal data is transferred to be processed by another party on Sciigo’s behalf, the liability relationship between the parties must be documented by way of a data processing agreement. The data processing agreement must stipulate that the data is guaranteed to reside within the European Economic Area at all times (storage, transit, error investigation, etc.).
17 Data processor
Sciigo may only appoint data processors that offer sufficient guarantees as to their appropriate technical and organizational measures that enable them to meet the requirements of current legislation and ensure the protection of the data subjects’ rights.
The data processor may process data only in accordance with instructions from Sciigo.
Sciigo may instruct a data processor to carry out only such processing as Sciigo itself has a legal basis to carry out.
A written data processing agreement must be in place between Sciigo and each data processor processing personal data on Sciigo’s behalf. The agreement must, for example, stipulate that the data processor must protect the personal data from dissemination and that the data processor may process personal data only in accordance with instructions. Furthermore, the agreement will obligate the data processor to implement appropriate technical and organizational security measures to protect the personal data, and to establish procedures for personal data incidents.
The data processor must report personal data incidents or suspected incidents to Sciigo immediately.
The data processor may engage a sub-processor for processing only if the data processor has received written approval from Sciigo and takes responsibility for the performance of the sub-processor as if it were its own.
When transferring data to a data processor, Sciigo must ensure that the data is guaranteed to reside within the European Economic Area at all times (storage, transit, error investigation, etc.).
18 Development of services, products and processes
The protection of personal data within Sciigo must be a key aspect in the development or procurement of new services, products or processes. Whenever possible, options that strengthen privacy protection should be chosen.
Privacy by design: Products and services must be developed in accordance with design principles that take privacy protection into account. This means that the protection of personal data must form part of every phase of the process, from the gathering of requirements and design of work methods or IT interfaces through to phasing out.
Privacy by default: Systems and services within Sciigo where personal data is processed must, as standard, be set up to ensure that personal data is not made available to users beyond what is necessary for the specific purpose of the processing. This includes limiting access to personal data based on the purpose of the processing that takes place within the system/service.
Sciigo must strive to ensure that all IT systems that process personal data meet the following requirements:
- The ability to automatically or manually delete and/or anonymize personal data based on a time-based search to adhere to thinning requirements. Each system must have a documented thinning plan.
- The ability to automatically or manually delete and/or anonymize personal data based on an individual-based search to adhere to the right of individuals to be forgotten. This must include the ability to send information regarding the removal to other systems where the information was previously shared as required by law.
- If processing is based on consent, there must be the technical ability to prevent further processing if consent is withdrawn by the data subject.
- Personal data that is processed must be up to date and correct. There must be the ability to correct incorrect personal data.
- Data subjects must be able to obtain an extract of their personal data in an easily readable format. The purpose of each instance of processing must be stated, and any abbreviations must be explained in such an extract.
- If processing takes place automatically in a system and on the condition of the consent of or agreement with the data subject, the system must have the ability to export the personal data in a commonly used digital format in order to fulfil the data subject’s right to data portability.
- The ability to temporarily halt the processing of a data subject’s personal data pending further investigation.
- The ability to exclude a data subject from profiling or automated decision making, if the system has the ability to perform profiling or automated decision making.
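As an added illustration (hypothetical code, not Sciigo’s implementation; class and method names are assumptions), the following Python models the record-level audit trail described in section 11 together with several of the system requirements listed above: a documented thinning plan applied by time-based deletion, individual-based erasure that reports which recipients of shared copies must be notified, halting analysis when consent is withdrawn or processing is restricted pending investigation, and export in a commonly used format.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Record:
    record_id: int
    owner: str          # account owning the record; a shared copy is owned by the recipient
    category: str       # key into the thinning plan
    data: dict
    audit: list = field(default_factory=list)  # client actions recorded alongside the data


class Platform:
    """Toy platform store; `thinning_plan` maps a data category to its retention period."""

    def __init__(self, thinning_plan):
        self.thinning_plan = thinning_plan
        self.records = {}
        self.consent = {}        # account -> consent to internal analysis (True/False)
        self.restricted = set()  # accounts whose processing is halted pending investigation
        self.shared_to = {}      # original record_id -> [(recipient account, copy record_id)]
        self._next_id = 1

    def _log(self, rec, account, action, basis, now):
        # Every stored record carries the client action and the legal basis it rests on.
        rec.audit.append({"at": now.isoformat(), "account": account,
                          "action": action, "legal_basis": basis})

    def store(self, account, category, data, now, basis="agreement"):
        rec = Record(self._next_id, account, category, dict(data))
        self._next_id += 1
        self._log(rec, account, "store", basis, now)
        self.records[rec.record_id] = rec
        return rec.record_id

    def share(self, record_id, recipient, now):
        """Explicit sharing: copy the record to the recipient, who becomes its owner."""
        src = self.records[record_id]
        copy_id = self.store(recipient, src.category, src.data, now, basis="consent")
        self._log(src, src.owner, f"share->{recipient}", "consent", now)
        self.shared_to.setdefault(record_id, []).append((recipient, copy_id))
        return copy_id

    def thin(self, now):
        """Time-based deletion according to the thinning plan; returns number removed."""
        expired = [r.record_id for r in self.records.values()
                   if now - datetime.fromisoformat(r.audit[0]["at"])
                   > self.thinning_plan[r.category]]
        for rid in expired:
            del self.records[rid]
        return len(expired)

    def erase_subject(self, account):
        """Individual-based erasure; returns recipients to notify of the removal."""
        mine = [r.record_id for r in self.records.values() if r.owner == account]
        notify = sorted({rcpt for rid in mine for rcpt, _ in self.shared_to.get(rid, [])})
        for rid in mine:
            del self.records[rid]
            self.shared_to.pop(rid, None)
        return notify

    def set_consent(self, account, analysis):
        self.consent[account] = analysis

    def restrict(self, account, halted=True):
        (self.restricted.add if halted else self.restricted.discard)(account)

    def analysis_input(self):
        """Records eligible for internal analysis: consent present and owner not restricted."""
        return [r for r in self.records.values()
                if self.consent.get(r.owner, False) and r.owner not in self.restricted]

    def export(self, account):
        """Register extract / portability export in JSON for everything the account owns."""
        return json.dumps([{"category": r.category, "data": r.data, "audit": r.audit}
                           for r in self.records.values() if r.owner == account], indent=2)
```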
19 Security measures and incident reporting
When processing personal data, Sciigo must ensure that sufficient and appropriate measures have been taken to protect this data, including both technical and organizational measures. The basis for these measures is identified by way of a risk analysis. The assessment must also take into account business processes and relevant IT systems. This is to ensure that personal data is protected from accidental or unauthorized deletion, destruction, alteration, dissemination, access or other form of unlawful processing. Security must also form part of both organizational projects and technical development.
IT systems that process personal data must have security measures that can be deemed appropriate in relation to the risks of the processing, such as in relation to the types of data being processed, the type of processing being carried out, whether the data is shared with third parties, whether the data is at risk of intrusion etc. Examples of such measures are as follows:
- Encryption (in connection with transfer and storage)
- Pseudonymization
- Access management
- Logging and log follow-up
- Thinning
- Privacy by design and privacy by default
- Resilience
- Ability to restore availability and access
- Security testing
Sciigo should endeavor to use appropriate codes of conduct and certification mechanisms issued by the competent regulatory authority or national accreditation body pursuant to the applicable legislation in order to demonstrate compliance with current requirements related to the processing of personal data.
A personal data incident may include the leak or other unintentional loss of personal data. When a personal data incident is discovered or reported Sciigo will take the following steps:
- CEO and CTO must be informed immediately
- CEO will appoint a person to be responsible for addressing the incident and communicating with data subjects and other potential parties
- All affected data subjects must be informed of the incident, the actions being taken in response to the incident and the results of said actions
- Data subjects should be informed no later than 72 hours after the discovery of the incident
- If it is likely that the incident poses a risk of affecting the data subject’s rights and freedoms, the relevant authority must be informed of the incident within 72 hours