On 25 May 2018, the General Data Protection Regulation (GDPR) has taken effect. This new regulation might be a bit confusing, or difficult to understand. That’s why Mynewsdesk has improved, updated and adapted our product to comply with GDPR seamlessly. We take anonymization and integrity policies very seriously and welcome this development.

On this page, you will find answers to the most frequently asked questions on how Mynewsdesk is handling the new EU regulation. For more information, please also see our Data Protection Terms (DTP) which include Mynewsdesk’s Data Processing Agreement (DPA), and our updated General Terms and Conditions.

In which way is the Data Controller responsibility split between the client and Mynewsdesk?
As our client, you attain responsibility as Data Controller for a certain part of the data that you upload onto Mynewsdesk’s platform. Nevertheless, the definition of responsibility largely depends on which specific objectives and usages are intended.
When uploading, downloading, storing or updating contact information within the Contact feature of an account, the responsibility as Data Controller lies with the client. While at the same time Mynewsdesk in this context obtains an overall Data Controller role due to its responsibility for the infrastructure, and in some cases also as an administrator.

Does our contract with Mynewsdesk comply with GDPR?
Yes. Prior to the launch of GDPR, we rolled out a revised version of our General Terms and Conditions that are now related to our Data Protection Terms (DTP), which in their turn include Mynewsdesk’s Data Processing Agreement (DPA). This way our General Terms and Conditions also fulfill the function of a  Data Processing Agreement (DPA). In this context, we also updated our Privacy Policy and Security Policy.

Who is responsible for the data that I upload in Contacts?
As our client, you are responsible that the data you upload in Contacts is handled legitimately according to GDPR. You need to define routines with regard to e.g. why and how you store and handle contact lists.
Therefore we recommend you to always have your lists updated, so that they do not include any contacts you are not using. All emails that you send from Mynewsdesk include a link which the recipients can use to unsubscribe.
Please see our Data Protection Terms (DTP) for more detailed information on the processing of personal data in the Contacts feature.

Are notices provided when information is directly collected from an individual?
Upon signing up and entering personal data, the user accepts our Terms & Conditions. Specific information about the data processing and its purpose is given to the user when creating an account.

Are controls in place to ensure that collection of personal information is limited to the minimum necessary?
Yes. We have internal routines ensuring that processing of personal data is limited to specific purposes. Furthermore, we have defined routines to ensure that our subcontractors fulfill the GDPR requirements.

What is your policy on data transfer to external data controllers?
Routines for transferring personal data are established and documented. As a general rule, no personal data can be transferred to external data controllers (not even between companies in the same corporate group) without notifying the corporate group’s Data Controller and/or the Data Protection Officer.
Transferring personal data abroad is only permitted to EU/EEA countries and to the US (given that the data processing subcontractor is Privacy Shield certified). For any other transfer, the corporate group’s Data Protection Officer would have to be notified, with decisions to be made on a case by case basis.

Which are your main data processing subcontractors?
Our principal subcontractors, administering our hosting and storing data from Mynewsdesk on their servers, are Amazon Webservices and Heroku. These subcontractors are processing data within the EU (in Ireland).

In which countries are you processing personal data?
We are processing data within the EU/EEA (Sweden, Norway, Germany and Ireland) and in some cases in the USA. Regarding data processing in the USA, our policy is to collaborate with Privacy Shield certificated suppliers. The term data processing denominates all kinds of data handling such as for example storage, transmission, calculation.

Can you supply information on which specific addresses your data is stored?
For security reasons, most hosting providers do not hand out detailed information on this. Mynewsdesk does not consider it to be necessary to give specific street addresses of server locations to comply with GDPR.

Is there physical and electronic protection for stored personal data? Do you use data encryption and how is your intrusion protection?
Protection of our data is administered by our hosting partner Heroku (via Amazon). For more information, please see https://www.heroku.com/policy/security

Is there a process for data erasure?
We have defined a process to ensure that data is deleted when its further storage is not required anymore, or in case it has to be deleted for juristic reasons.

Do you support removal of personal data upon request by the person concerned?
We do support this and we have defined processes and routines for removal requests.

Are there backup copies of stored personal data, and do you have in place routines for deletion of those copies?
We are storing backup copies of our production database via our hosting partner Heroku. These copies are being stored for three years before deletion. Revised routines for erasure of personal data from the backup copies in connection with deletion of pieces of data on the original database were implemented before GDPR took effect.

Are there identified security risks about your data processing?
We are conducting a continuous identification, evaluation and follow-up in order to fix any security risks that might be found.

Is there a process for detecting and reporting security incidents?
We have a partly automated process for identification of security risks and incidents in our database. Moreover, we have defined a routine for reporting to all persons concerned and The Swedish Data Protection Authority (Datainspektionen) within 72 hours.

Can I have our Data Processing Agreement signed by Mynewsdesk?
Mynewsdesk does not sign individual agreements since we, being a SaaS Company, have elaborated a DPA (Data Processing Agreement) that is adjusted to our specific services.
Our Data Processing Agreement (DPA) forms part of our Data Protection Terms (DTP) which in their turn are related to our General Terms and Conditions that were agreed upon original contract signature.

Who has responsibility as Data Controller and Data Protection Officer?
Data Controller is NHST Media Group with chairperson Anette Olsen while Petter Irgens Gustafson is appointed as Data Protection Officer for the corporate group and all affiliates. In addition, all businesses within the corporate group have their own Data Controller with delegated responsibility for their respective business. Data Controller for Mynewsdesk is CEO Mattias Malmström.

Which personal data is being processed by Mynewsdesk?
Mynewsdesk processes the following personal data
– with regard to user accounts:
Name, username/id, email, user password, skype, google account, role, api token, newsroom name, tool usage data
– with regard to Contacts:
Email, country, first name, last name, organization, job title, interests, work phone, mobile phone, address, fax, postcode, city, state, website, email events (received, opened, clicked)