Musskema.dk are continuously receiving a number of questions from customers and users. This is the reason why we make this FAQ, Frequently asked questions

 

FAQ, Frequently asked questions

- concerning GDPR (General Data Protection Regulation)

 

We are continuously receiving a number of questions from customers and users.

We have decided that as soon as we have met the same type of questions several times, we'll put it in FAQ.

 

So far, there are the following:

  1. Notification of breach of personal data protection to the supervisory authority
  2. Research collaboration with Aarhus University - With 100% anonymous data made available?
  3. Warranties for security breaches
  4. Approval of the Data Processing Agreement
  5. Instructions from Data Managers for Data Processors - should it be described in separate attachments?
  6. Staff papers on resigned employees - how long should data be available here?
  7. Risk assessment - as a basis for the security level
  8. Delivery and deletion of data if Musskema.dk no longer exists?
  9. Issue of fines - Limitation of liability?
  10. Sub Data Processors agreements:  can the customer gain insight into them?
  11. Signature of the Data Processing Agreement - Should it be signed physically?

 

 

Notification of breach of personal data protection to the supervisory authority

 

The customer asks:

Some have asked us if we could not set a deadline, so we, as a Data Processor, report personal data breach out of max. 24 hours. Currently there is "no undue delay".

 

We answer:

No, we neither can nor will. This is because of a misreading of Article 33 of the Personal Data Regulation itself (see below). The data processor must report without undue delay. And Data Managers must report within 72 hours, but the two time frames are not inclusive, but each has its own sphere. Data administrators have 72 hours from the moment the Data Processor has informed!

 

The case is:

  • If there is a breach of personal data protection, we have the following responsibilities as data administrators:
  • "Without undue delay informs the data controller after being aware that there has been a violation of personal data protection" (citation Article 33)
  • "Without undue delay" really means as soon as possible! But also, in a way, the data processor ensures that you do not unnecessarily disturb the unnecessary number of customers, so the data processor must make things clear. It will take place as soon as possible! And without undue delay.
  • And then, when the customer = data manager is notified from the data processor, the customer has 72 hours to fullfill his obligation.
  • It is, of course, in everyone's interest that it is done as soon as possible! Or: Without undue delay, as Article 33 says!

 

Here is the text: The EU's Personal Data Regulation, Article 33

Notification of breach of personal data protection to the supervisory authority.

  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
  2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
  3. The notification referred to in paragraph 1 shall at least:
    1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
    3. describe the likely consequences of the personal data breach;
    4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

 

 

Research collaboration with Aarhus University - With 100% anonymous data made available?

 

The customer asks:

Is it a shared data responsibility with Musskema.dk, since Musskema.dk itself processes data by, for example, sending anonymous data for research at Aarhus University?

 

We answer:

No, not at all.

The Subscription Terms and Conditions of Business state the following:

Musskema.dk reserves the right, in conjunction with university researchers, to use statistical data in 100% anonymized form for scientific purposes. This is an option that we have always included in our terms of business and it follows the following principles:

Musskema.dk makes a data extract that is 100% anonymous and can not identify a particular customer or group, as data extracts are selected only on the following parameters:

  1. The gender of the leader
  2. Employee gender
  3. Leader's span of control (number of employees directly leading you)
  4. Public or private company
  5. Geographical main categories
  6. And in some overall branch segments when there is security for a critical mass of customers, so anonymity can be maintained.

If a customer does not wish to be included in such a benchmark, one can be exempted by contacting Musskema.dk. Then, the customer will neither participate nor be able to make use of this benchmark.

The short answer is then:

  • No, there is no talk of shared responsibility here
  • The customer is responsible for what you enter - and what you want to use the statistics that can be extracted from the system, graphs and reports - and how
  • Musskema.dk is responsible for how data is stored and made available to the customer - including in statistics and reports and that it complies with the legislation
  • And in relation to 100% anonymous data for research purposes at Aarhus University - we do not offer anything for those who can not extract statistics and reports, just 100% anonymous! However, we have just expanded with some geography and overall industry + male / female leader, and here we use a single research program that "guesses" on gender in terms of first name with the risk that "Inge" is a boy's name in Norway , while it is a maiden name in Denmark!
  • And finally, any customer may, upon request, opt out of participating in and making use of such benchmark data.

 

 

Warranties - in case of security breach

The customer asks:

Missing something, especially in the "Reporting of security breaches" section. Musskema.dk does not provide any contractual assurances that we are able to lift the 72-hour requirement relative to a data burst from them, as Musskema.dk does not guarantee the information kind. 33 and 34 require.

 

We answer:

No, nothing is missing. Both parts are clearly contained. And Musskema.dk provides the necessary and necessary guarantees.

Please be aware that the data controller's deadline for the max. 72 hours will first count from the notification received from the data processor. Since the data processor must notify without undue delay, and since the data processor merely finds that there has been a violation, this will in practice provide very limited options for staying from the data processor to be aware of the violation for notification to be given.

In Musskema.dk's data processing agreement, it follows that the data processor is required to assist the data controller in fulfilling its obligations under Articles 33 and 34.

Therefore, there are necessary guarantees that Muskema assists in lifting the data controller's obligations.

 

Additional documentation:

Report on page 496 states that:

As stated in the wording of the provision, the data controller's obligation to report personal data breach to the supervisory authority is activated after the data controller has become aware of a breach of personal data security. A simple presumption that a breach of personal data security has occurred or a simple detection of an incident is not considered sufficient to regard a breach of personal data security as being "done" within the meaning of the regulation. Such a simple presumption may, however, cause the data controller to consider processing security, cf. Article 32 of the Regulation.

In assessing whether a breach has occurred, it must be assumed that particular attention should be paid to the information referred to in Article 33 (1) of the Regulation. 3, is available to the provider.

And on page 497:

As regards the cases where the data controller has left the processing of personal data to a data processor, reference is made to Article 33 (1) of the Regulation. 2, which is discussed in more detail below.

The Ministry of Justice's Executive Order does not, therefore, link the data controller's deadline and a data processor's deadline together.

These sections are repeated in the manual issued by the Data Inspectorate regarding violations of personal data security.

Article 29 group has stated in their WP250 breach of personal data security on page 13:

Article 33(2) makes it clear that if a processor is used by a controller and the processor becomes aware of a breach of the personal data it is processing on behalf of the controller, it must notify the controller “without undue delay”. It should be noted that the processor does not need to first assess the likelihood of risk arising from a breach before notifying the controller; it is the controller that must make this assessment on becoming aware of the breach. The processor just needs to establish whether a breach has occurred and then notify the controller. The controller uses the processor to achieve its purposes; therefore, in principle, the controller should be considered as “aware” once the processor has informed it of the breach. The obligation on the processor to notify its controller allows the controller to address the breach and to determine whether or not it is required to notify the supervisory authority in accordance with Article 33(1) and the affected individuals in accordance with Article 34(1). The controller might also want to investigate the breach, as the processor might not be in a position to know all the relevant facts relating to the matter, for example, if a copy or backup of personal data destroyed or lost by the processor is still held by the controller. This may affect whether the controller would then need to notify.

Regardless of what the Data Inspectorate states in their presentation on a data processor agreement, the data controller's deadline is counted only after the notification has been received from the data processor. Since the data processor must notify without undue delay, and since the data processor merely finds that there has been a violation, this will in practice provide very limited options for staying from the data processor to be aware of the violation for notification to be given.

It follows that the data processor is required to assist the data controller in fulfilling its obligations under Articles 33 and 34.

It is therefore clearly contained the necessary guarantees that Muskema assists in lifting the data controller's obligations.

 

 

Approval of the Data Processing Agreement

 

The customer asks:

Where and how do you approve the Data Processing Agreement?

 

We answer:

  • As soon as you as a leader in an organization - or delegated at the top level - log in to Musskema.dk, the Data Processing Agreement picks up and you can not move on until one of you has approved it!
  • If you have not had the necessary time to read the Data Processing Agreement, please accept, and then you have until May 14, 2018 to sign up for the Data Terms of Service. Unless we have heard from the customer in writing by 14 May 2018, the approval is valid!
  • Within a few seconds of approval, an email in your mailbox will be attached with a PDF file attached to the entire Data Processing Agreement, where your company name is entered - and where Musskema.dk's director's signatures are stamped down with date.

 

 

Instructions from Data Managers for Data Processors - should it be described in separate attachments?

 

The customer asks:

The Article 28 (1) of the Regulation, 3a states that the data processor may only process personal data after documented instructions from the data controller, what does that mean? Should there be a special document for that?

 

We answer:

No, it is not necessary because we can not predict all conceivable situations, but when it happens, it must be documented / documentable.

Specific: If a manager or employee has a technical issue in the dialogue questionnaire and contacting Support for help and Support can not solve this task for the customer without having access to the questionnaire, Support can only do this,  if that manager / employee enters his / her profile and gives Support this access at a check mark that can be removed immediately after the problem is resolved. However, this instruction is "documented" in the system.

The instructions are contained in the terms of the "Scope of processing Activities" section, where is stated that upon Customer's acceptance of the Data Terms of Service, the Customer instructs the Musskema to process Customer's personal information for the delivery of the Musskema.dk cloud service on the terms set forth in the Subscription Agreement and these Data Processing Terms.

In the data processing conditions itself, there is a section about the nature and purpose of the treatment, including states: In addition, it may be agreed between the parties that the nature of the treatments also includes the provision of services that entail processing of Customer's information. It points to the possibility that the customer can give Musskema.dk instructions to take care of, for example, an anonymous well being survey for the customer. Then the Data Processor acts on clear instructions from Data Controller in the given situation.

That's how it should be considered.

 

 

Personnel Folders

- On resigned employees, how long should data be available here?

 

The customer asks:

It is stated in Musskema.dk's Data Processor Agreement that when an employee is deleted by the customer's system, the employee is deleted after 14 days while entered data, appointments and scores are stored in the manager's archive for 5 years. Is it legal with the 5 years?

 

We answer:

Yes, it is legal to store staff records for +5 years according to the Data Inspectorate's practice, and the manager's archive is an archive that only the leader in question has access to, and it is to be regarded as an "extended feature" of the Employee Folder.

 

 

Risk assessment - as a basis for the security level

The customer asks:

What risk assessment is based on the security level in the system? And is it taken into account that the system may potentially contain health information?

 

We answer:

The risk assessment has included an assessment of the sources of risk, the vulnerabilities that may exist in the system and how this threat picture can lead to an event that can be characterized as a violation of personal data protection, in accordance with the Data Protection Regulation nature. 4 (12). The probability and severity of a break is then assessed to determine the overall risk image.

There are clear instructions from Musskema.dk to the users that there is no need to enter health information into our system. Musskema.dk is not just something similar to a medical journal system - but it can be used for a very good dialogue about what creates and reduces absenteeism. It is a dialogue system.

 

 

Delivery and deletion of data if Musskema.dk no longer exists?

The customer asks:

How is data delivered / deleted if Musskema.dk goes bankrupt? Who is the beneficiary?

 

We answer:

If Musskema.dk goes bankrupt, a curator will be appointed to handle the estate. The curator / bankruptcy estate replaces Musskema.dk and has an inherent interest in delivering or deleting data.

 

 

Issue of fines - Limitation of liability?

The customer asks:

If the penalty issuing authority determines a division of responsibility, is that what is followed or is it an internal decision of the same? Limitation of Liability is not entirely clear.

 

We answer:

As a starting point, the division of responsibility contained in the fine settlement is followed by nature. 83 - which would be consistent with the principles by nature. 82 also. To the extent a party with reference to the guarantees, etc. What is contained in the agreement means that the final distribution of responsibilities must be different, this may be pursued, but in that case it will ultimately be a court decision.

 

 

Sub Data Processors - Can the customer get access to read the agreements with them?

The customer asks:

Is it possible to get access to read the sub data processors agreements?

 

We answer:

There is, as a rule, no access to read the sub data processors agreements. In connection with the execution of supervision of Musskema.dk, Musskema.dk may choose to display those parts of the sub data processors agreements that do not contain commercial terms or such technical specifications that may compromise total security. In addition, Musskema.dk will issue the Executive Board statements and, to a certain extent, statements of assurance regarding the sub-processing agreements that are integrated into the annual statement of assurance (From Deloitte).

 

 

Signature of the Data Processing Agreement: Should it be signed physically?

The customer asks:

Should there be a physical signature of the Data Processing Agreement?

 

We answer:

  • No, it is not necessary.
  • We can document who in the company has accepted - and when.
  • It is enough.
  • However, at the same time a customer has Accepted Data Processing Agreement in our system, you will receive an email with a PDF file with the entire agreement, and with the company's name and a date and signature stamped down with the Executive Board at Musskema.dk.
  • See also: Approval of the Data Processing Agreement

 

Statement of Assurance - Why ISAE 3000?

The customer asks:

Why ISAE 3000?

 

We answer:

Together with Deloitte, Musskema.dk has chosen ISAE 3000 as the best and most comprehensive European standard for our area. And individual customers can see the latest update on their profile. It will be updated annually.

The overall difference between ISAE 3000 and other similar ones eg ISAE 3402 lies in the fact that ISAE 3402 applies when the statement and the controls included in the statement deal with financial reporting. If Musskema.dk's product was ex. to supply Axapta, then the statement would have to be used by our client's accountants to use for the accounting of our clients. In that case, it should be an ISAE 3402.

But that's not how our product works.

ISAE 3000 can be used for anything other than financial reporting, including for example reporting on checks on personal data that Deloitte has made with us. But generally, it can be used for anything that does not process financial information, ex. service desk systems, portals etc.

That said, there are overlaps in the controls. Area B of our statement addresses general IT controls, which will often also be covered by an ISAE 3402 statement. However, the ISAE 3402 declaration will often have even more IT controls, but it will not contain any personal data.

The extent to which one or the other type of declaration must be provided depends on the service provided. If our customers want to report on whether Musskema.dk complies with the data processing agreement and protects the customers' personal data, then ISAE 3000 is the right one. If we were now a data center, or otherwise run the customer's IT systems, ISAE 3402 might be better.

That is why we have chosen ISAE 3000.

 

Consent to withdraw anonymous graphic data

The customer asks:

Should employees give consent for anonymous graphical data to be drawn?

 

We answer:

No, the employee should not. And the employee can't demand it either.

Legally, there is no legal basis to make that claim.

Because anonymization can occur, statistical information can also be extracted as long as it is not possible to identify the person from the information.

“To the extent that […] employee development interviews are held in the private labor market, ordinary information may be processed with the consent or on the basis of Article 6 (2). In the case of sensitive information, only the express consent of the employee may, in principle, be processed. However, it may also be a matter of processing information for other purposes, e.g. Article 9 (2) of the Regulation 2 (f) (determination etc. of legal requirements). "

The company can therefore process personal data in connection with EDP based on a balance of interests.

Therefore, it will not in principle be a consent-based treatment or treatment that can only be done based on consent.

Lawyers discuss making statistical information based on personal data. First, the lawyers conclude that the anonymization of personal data is not at all a processing, as it lacks meaning in relation to the basic principle of the nature of the Regulation 5 on storage restriction. The regulation directly states in the preamble that processing of anonymized data falls outside the scope of the regulation. (Peter Blume has argued that viewpoint).

Other lawyers state that anonymization is always within the scope of the original treatment, since it in turn supports the principle of retention of storage.

Finally, other lawyers find that anonymization is always compatible with the original purpose and that treatment can therefore be done.

Musskema.dk has usually recommended the two first mentioned angles on the case.

Let us have a talk about your options Let us call you. We will quickly find a solution that fits your organization!