Inexchange & GDPR

Questions and answers

What does the GDPR mean?

GDPR stands for General Data Protection Regulation. It is an EU-adapted data protection directive that aims to protect our personal integrity when personal data is processed. In Sweden, the GDPR replaces the old Personal Data Act (PUL).

What is meant by personal data?

Personal data means any information that can be directly or indirectly attributed to a living natural person. Images and sound recordings of individuals processed in a computer can also be personal data, even if no names are mentioned. Encrypted data and various types of electronic identities, such as IP numbers, are considered personal data if they can be linked to natural persons.

What is the purpose of the GDPR?

The purpose of the law is to strengthen the protection of natural persons when processing personal data. Personal data can be information about employees as well as customers or potential customers. The EU hopes that the GDPR will bring about a consensus among EU Member States on this type of regulation. Previously, it was up to each country to interpret the Data Protection Directive, but as of May 25, 2018, the same legal text applies in all EU countries.

What changes does the GDPR mean for me as an Inexchange customer?

There are no major changes except that Inexchange and the customer must sign a so-called data processing agreement. We send this to customers, or customers can approve the agreement via Inexchange Network.

My invoices contain personal information about my customers. How do you handle it?

Under the Data Processing Agreement, Inexchange processes personal data in accordance with the law.

Is my "retention period" on Inexchange Network affected by the GDPR and what happens to my invoices if I decide to stop being a customer of Inexchange?

Your retention period is not affected by the GDPR as the customer has the right under the balance of interests to retain invoices containing personal data.

Where is the information created by the customer at our disposal physically stored?

In the European Union.

Do you or any other party use the information created by customers for purposes other than those intended? If it is used by another party: who is it?


What are your monitoring and incident management practices?

The monitoring of hardware, as well as OS, is done around the clock via our hosting partner. Internal components of the platform are monitored and managed by Inexchange technicians.

Does the GDPR only apply to private individuals or does it also apply to sole traders?

Yes, sole traders are also living natural persons and are therefore subject to the data protection rules of the GDPR.

Does the Accounting Act, which states that I must retain accounting records on paper and digitally for seven years, take precedence over GDPR regulations?

No, GDPR is an EU regulation and takes precedence over Swedish national law. However, GDPR allows for the storage of data required by Union law or national law, such as the Swedish Accounting Act.

What does the "Right to be Forgotten" mean?

Each individual has the right to contact a company or authority that processes personal data and request that the data concerning them be deleted. If data is deleted at the individual's request, the company or authority must also inform those to whom the data has been disclosed about the deletion.

An external person who wishes to have their data deleted from Inexchange must contact their own organization. We cannot execute a deletion until the individual's organization provides a confirmation verifying that the correct person is to be removed. Therefore, the process must be handled by the person's organization.

After I have requested that my data be removed, by when must this data be deleted?

The personal data is placed in a deletion selection process and is then either deleted or anonymized after three months.

The Swedish Data Protection Authority’s questions and answers on the EU’s data protection reform: