InExchange & GDPR
GDPR—Questions and answers
What does GDPR mean?
GDPR stands for General Data Protection Regulation. It is an EU-adapted data protection regulation that will protect our personal integrity when personal data is processed. In Sweden, GDPR will replace the old Swedish Personal Data Act (PUL).
What does “personal data” refer to?
Personal data refers to all kinds of information that can directly or indirectly be attributed to a physical living person. Images and sound recordings of individuals processed by computers may also be personal data, even if no names are mentioned. Encrypted data and various kinds of electronic identities, such as IP addresses, are considered to be personal data if they can be linked to physical persons.
What is the purpose of GDPR?
The purpose of the regulation is to strengthen the protection of physical persons when personal data is processed. Personal data can consist of information about employees as well as customers or potential customers. With GDPR, the EU hopes to achieve consistency among the EU member states in this type of regulation. Previously it was up to each country to interpret the Data Protection Directive, but from May 25, 2018, the same legal text began to apply in all EU states.
What changes does GDPR entail for me as a customer of InExchange?
It does not entail any major changes apart from the fact that InExchange and the customer must sign a so-called personal data-processing agreement.
We send this to customers or, alternatively, customers may approve the agreement via the InExchange Network.
My invoices contain sensitive personal data about my customers. How will they be handled by you?
As a consequence of the personal data-processing agreement, InExchange processes personal data according to the law.
Is my “storage time” in the InExchange Network affected by GDPR, and what happens to my invoices if I choose to stop being a customer of InExchange?
Your storage time is not affected by GDPR, as the customer, in the balance of interests, has the right to retain invoices that contain personal data.
Where is the data that the customer creates for our disposal physically stored?
Do you or any other party use the information that the customers create in any way other than for the intended purpose? If it is used by another party: who are they?
What does your monitoring and incident management look like?
Monitoring of hardware and OS takes place daily all year round via our hosting partner. Internal components in the platform are monitored and handled by technicians at InExchange.
Does GDPR apply only to private individuals or do the rules also apply to persons who are sole proprietors?
Yes, persons who are sole proprietors are physical living persons and are therefore also covered by the GDPR personal data protection regulations.
Does the Swedish Bookkeeping Act, which states that I must keep copies of accounts on paper and digitally for seven years, take precedence over the GDPR provisions?
No, GDPR is an EU regulation and takes precedence over Swedish national law.
However, GDPR gives you the option to store data that is required by EU or national laws such as the Swedish Bookkeeping Act.
What does the “right to be forgotten” mean?
Every person has the right to approach a company or authority that processes personal data and ask that the data that refers to him or her be deleted.
If the data is deleted at the request of the individual, the company or authority must also inform those who submitted the data about the deletion.
An external person who wants their InExchange data deleted must approach their own organization. We cannot perform a deletion until the individual’s organization submits confirmation verifying that the correct person will be deleted. The process must therefore be handled by the person’s organization.
After I request that my data be deleted, what is the latest date by which the data is deleted?
Personal data is screened and is then deleted or anonymized after three months.
The Swedish Data Protection Authority’s frequently asked questions about the EU’s data protection reform: