On 25 May 2018, the General Data Protection Regulation (GDPR) will take effect. This new regulation might be a bit confusing, or difficult to understand. That’s why Mynewsdesk is determined to improve, update and adapt our product to comply with GDPR seamlessly. We take anonymization and integrity policies very seriously and welcome this development.

On this page, you will find information on how Mynewsdesk is preparing for the new EU regulation.

In which way is the Data Controller responsibility split between the client and Mynewsdesk?
As our client, you assume responsibility as Data Controller for a certain part of the data that you upload onto Mynewsdesk’s platform. Nevertheless, in the future, the definition of responsibility will largely depend on which specific objectives and usages are intended.
When uploading, downloading, storing or updating contact information within the Contact feature of an account, the responsibility as Data Controller lies with the client. At the same time, Mynewsdesk holds an overall Data Controller role in this context, due to its responsibility for the infrastructure and, in some cases, also as an administrator. All this will be elaborated in detail in our new Terms & Conditions, which are currently under review by our legal representatives.

Does our contract with Mynewsdesk comply with GDPR?
At present we are revising our Terms & Conditions and a new version is set to be rolled out during spring 2018. The updated Terms & Conditions will account for how the Data Controller responsibility is split between the client and Mynewsdesk, and will in this regard fulfill its function as a Data Processing Agreement. In this context, we are also updating our privacy policy.

Who is responsible for the data that I upload in Contacts?
As our client, you are responsible for ensuring that the data you upload in Contacts is handled legitimately according to GDPR. You need to define routines covering, for example, why and how you store and handle contact lists.
We therefore recommend that you always keep your lists up to date, so that they do not include any contacts you are not using. All emails that you send from Mynewsdesk include a link which the recipients can use to unsubscribe.
The responsibility for data uploaded in Contacts will be described more clearly in our new Terms & Conditions, which are going to be rolled out during spring 2018.

Are notices provided when information is directly collected from an individual?
Upon signing up and entering personal data, the user accepts our Terms & Conditions. In connection with our GDPR preparations, we will also make sure that specific information about the data processing and its purpose is given to the user when creating an account.

Do you have a documented privacy policy?
Yes, there is a documented privacy policy and we are defining our routines for processing the personal data of clients and users. Our current privacy policy will be updated with regard to GDPR.

Are controls in place to ensure that collection of personal information is limited to the minimum necessary?
Yes. We have internal routines ensuring that processing of personal data is limited to specific purposes. Furthermore, we have defined routines to ensure that our subcontractors fulfill the GDPR requirements.

What is your policy on data transfer to external data controllers?
Routines for transferring personal data are established and documented. As a general rule, no personal data can be transferred to external data controllers (not even between companies in the same corporate group) without notifying the corporate group’s Data Controller and/or the Data Protection Officer.
Transferring personal data abroad is only permitted to EU/EEC countries and to the US (given that the data processing subcontractor is Privacy Shield certified). For any other transfer, the corporate group’s Data Protection Officer would have to be notified, with decisions to be made on a case-by-case basis.

Which are your main data processing subcontractors?
Our principal subcontractors, which administer our hosting and store data from Mynewsdesk on their servers, are Amazon Web Services and Heroku. These subcontractors process data within the EU (in Ireland).

In which countries are you processing personal data?
We are processing data within the EU (Sweden, Norway, Germany and Ireland) and in some cases in the USA. Regarding data processing in the USA, our policy is to collaborate with Privacy Shield certified suppliers. The term data processing covers all kinds of data handling, such as storage, transmission and calculation.

Can you supply information on the specific addresses at which your data is stored?
For security reasons, most hosting providers do not hand out detailed information on this. Mynewsdesk does not consider it to be necessary to give specific street addresses of server locations to comply with GDPR.

Is there physical and electronic protection for stored personal data? Do you use data encryption, and what intrusion protection do you have?
Protection of our data is administered by our hosting partner Heroku (via Amazon). For more information, please see https://www.heroku.com/policy/security

Is there a process for data erasure?
We have defined a process to ensure that data is deleted when its further storage is no longer required, or in case it has to be deleted for legal reasons.

Do you support removal of personal data upon request by the person concerned?
We do support this and we are currently defining processes and routines for removal requests.

Are there backup copies of stored personal data, and which are the routines for deletion of those copies?
We are storing backup copies of our production database via our hosting partner Heroku. These copies are being stored for three years before deletion. We are currently revising the routine for erasure of personal data from the backup copies in connection with deletion of pieces of data on the original database. The new routines will be implemented before GDPR takes effect.

Are there identified security risks about your data processing?
We continuously identify, evaluate and follow up on security risks in order to fix any that might be found.

Is there a process for detecting and reporting security incidents?
We have a partly automated process for identification of security risks and incidents in our database. Moreover, we have defined a routine for reporting to all persons concerned and the Swedish Data Protection Authority (Datainspektionen) within 72 hours.

Can I have our Data Processing Agreement signed by Mynewsdesk?
We do not sign individual agreements since we are currently elaborating a Data Processing Agreement that will be linked to our Terms & Conditions, whose publication will take place during spring 2018.

Who has responsibility as Data Controller and Data Protection Officer?
Data Controller for NHST Media Group is chairperson Anette Olsen while Petter Irgens Gustafson is appointed as Data Protection Officer for the corporate group and all affiliates. In addition, all businesses within the corporate group have their own Data Controller with delegated responsibility for their respective business. Data Controller for Mynewsdesk is CEO Mattias Malmström.

Which personal data is being processed by Mynewsdesk?
Mynewsdesk processes the following personal data:
– with regard to user accounts:
Name, username/ID, email, user password, Skype, Google account, role, API token, newsroom name, tool usage data
– with regard to Contacts:
Email, country, first name, last name, organization, job title, interests, work phone, mobile phone, address, fax, postcode, city, state, website, email events (received, opened, clicked)