ACCREDITATION AND THE EU GENERAL DATA PROTECTION REGULATION

One of the main principles of the GDPR (EU General Data Protection Regulation 679:2016) is that companies may only collect personal data when it is necessary.
 
DANAK has deemed it unnecessary to collect and process personal data as documentation of the accredited company's compliance with the requirements for accreditation.
 
DANAK must be able to review a representative number of staff members in order to assess the applicant's competence within the field of accreditation applied for. This assessment mainly takes place during visits to the company's premises.
 
During visits to the customer, DANAK reviews and records the customer's ordinary personal data in the form of descriptions of competence and qualifications.
 
DANAK does not take these data away from the customer. Records made by DANAK in notes, non-conformities and assessment reports must be unambiguous, but they must be written so that they refer to no personal data other than name or other identification, job function, and DANAK's assessment of compliance with the required elements.
 
If the company, in connection with applications or documentation of corrective actions, submits documentation of staff members' competence, this documentation does not need to contain civil registration numbers (CPR) or special categories of personal data such as union affiliation or health information. DANAK deletes submitted documentation containing personal data once the assessment is complete.
 
Where the company uses an electronic management system, DANAK must have access to all relevant parts of the management system, or to a copy of it, with functionality that allows a sufficient assessment. DANAK does not need general access to the company's records, including recorded personal data, and such access should be denied. DANAK will not extract personal data from the company's records.
 
When an agreement is signed with a customer, the personal data of the company's contact person is collected. This data consists of name, work e-mail address and work telephone number. These are published on DANAK's website; the customer is informed of this in the contract. The information is removed when the contract terminates.
 
Reports, correspondence, processing of non-conformities and other information about customers are kept on DANAK's server, to which only internal staff members have access. The processing of non-conformities, reports and communication with the customer is also placed on the customer portal, to which internal and external staff members associated with the case and the customer have access.
 
DANAK does not keep data on external servers and does not transfer personal data to others, including third countries or international organisations, beyond what is described above.
 
DANAK's data drive is placed on separate servers and is protected by firewalls, so that under normal circumstances the drive cannot be reached from the servers that are connected to the Internet.
 
Backups of mailboxes and shared drives are taken. The backup is handled confidentially by DANAK's head of IT and is only used if data is lost in the main systems or if misuse is suspected.
 
DANAK reports personal data breaches to the supervisory authority (the Danish Data Protection Agency) without undue delay and, where possible, within 72 hours of DANAK becoming aware of the breach, unless the breach is unlikely to result in a risk to natural persons' rights and freedoms.
 
DANAK notifies the data subjects of a personal data breach if the breach is likely to result in a high risk to natural persons' rights and freedoms.
 
DANAK carries out a data protection impact assessment if a type of processing is likely to result in a high risk to natural persons' rights and freedoms, and consults the supervisory authority (the Danish Data Protection Agency) before the processing if the impact assessment shows that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.