On 25 May 2018, the General Data Protection Regulation (GDPR) took effect. This new regulation might be a bit confusing, or difficult to understand. That’s why Mynewsdesk has improved, updated and adapted our product to comply with GDPR seamlessly. We take anonymization and integrity policies very seriously and welcome this development.
On this page, you will find answers to the most frequently asked questions on how Mynewsdesk is handling the new EU regulation. For more information, please also see our Data Protection Terms (DTP) which include Mynewsdesk’s Data Processing Agreement (DPA), and our updated General Terms and Conditions.
1) In which way is the Data Controller responsibility split between the client and Mynewsdesk?
When uploading, downloading, storing or updating contact information within the Contact feature of an account, the responsibility as Data Controller lies with the client.
2) Does our contract with Mynewsdesk comply with GDPR?
3) Who is responsible for the data that I upload in Contacts?
As our client, you are responsible for ensuring that the data you upload in Contacts is handled legitimately according to GDPR. You need to determine yourself which legal ground you apply, and define routines with regard to e.g. why and how you store and handle contact lists.
Please see our Data Protection Terms (DTP) for more detailed information on the processing of personal data in the Contacts feature.
4) Who is responsible for contacts that are followers of my newsroom?
5) Are notices provided when information is directly collected from an individual?
Upon signing up and entering personal data, the user accepts our Terms & Conditions. Specific information about the data processing and its purpose is given to the user when creating an account.
6) Are controls in place to ensure that collection of personal information is limited to the minimum necessary?
Yes. We have internal routines ensuring that processing of personal data is limited to specific purposes. Furthermore, we have defined routines to ensure that our subcontractors fulfill the GDPR requirements.
7) What is your policy on data transfer to external data controllers?
Routines for transferring personal data are established and documented. As a general rule, no personal data can be transferred to external data controllers (not even between companies in the same corporate group) without notifying the corporate group’s Data Controller and/or the Data Protection Officer. All our subcontractors have conducted a TIA (Transfer Impact Assessment) with Mynewsdesk.
Transferring personal data abroad is only permitted to EU/EEA countries and to the USA. For transfer of personal data to the USA we are using EU Standard Contractual Clauses (SCC) and other supplementary measures of an organizational or technical kind.
For any other transfer, the corporate group’s Data Protection Officer would have to be notified, with decisions to be made on a case-by-case basis.
8) Which are your main data processing subcontractors?
Our principal subcontractors, administering our hosting and storing data from Mynewsdesk on their servers, are Amazon Web Services and Heroku. These subcontractors are processing data within the EU (in Ireland).
9) In which countries are you processing personal data?
We are processing data within the EU/EEA (Sweden, Norway, Germany and Ireland) and in some cases in the USA. For transfer of personal data to the USA we are using EU Standard Contractual Clauses (SCC) and other supplementary measures of an organizational or technical kind. The term data processing covers all kinds of data handling, for example storage, transmission and calculation.
10) Can you supply information on the specific addresses at which your data is stored?
For security reasons, most hosting providers do not hand out detailed information on this. Mynewsdesk does not consider it to be necessary to give specific street addresses of server locations to comply with GDPR.
11) Is there physical and electronic protection for stored personal data? Do you use data encryption and how is your intrusion protection?
Protection of our data is administered by our hosting partner Heroku (via Amazon). For more information, please see https://www.heroku.com/policy/security
12) Is there a process for data erasure?
We have defined a process to ensure that data is deleted when its further storage is no longer required, or in case it has to be deleted for legal reasons.
13) Do you support removal of personal data upon request by the person concerned?
We do support this and we have defined processes and routines for removal requests.
14) Are there backup copies of stored personal data, and do you have in place routines for deletion of those copies?
We are storing backup copies of our production database via our hosting partner Heroku. These copies are being stored for three years before deletion. Revised routines for erasure of personal data from the backup copies in connection with deletion of pieces of data on the original database were implemented before GDPR took effect.
15) Are there identified security risks about your data processing?
We continuously identify, evaluate and follow up on security risks in order to fix any that might be found.
16) Is there a process for detecting and reporting security incidents?
We have a partly automated process for identification of security risks and incidents in our database. Moreover, we have defined a routine for reporting to all persons concerned and the Swedish Data Protection Authority (Datainspektionen) within 72 hours.
17) Can I have our Data Processing Agreement signed by Mynewsdesk?
Mynewsdesk does not sign individual agreements since we, being a SaaS company, have drawn up a DPA (Data Processing Agreement) that is adjusted to our specific services.
Our Data Processing Agreement (DPA) forms part of our Data Protection Terms (DTP), which in turn are related to our General Terms and Conditions that were agreed upon at original contract signature.
18) Who has responsibility as Data Controller and Data Protection Officer?
The Data Controller is the chairperson of NHST Media Group, while Petter Irgens Gustafson is appointed as Data Protection Officer for the corporate group and all affiliates. In addition, all businesses within the corporate group have their own Data Controller with delegated responsibility for their respective business. The Data Controller for Mynewsdesk is the Mynewsdesk CEO.
19) Which personal data is being processed by Mynewsdesk?
Mynewsdesk processes the following personal data
– with regard to user accounts:
Name, username/id, email, user password, skype, google, role, api token, newsroom name, tool usage data, title, country, city, phone number, image, Google Talk user name, Skype, ICQ, AIM, Yahoo! Messenger, biography, interests, positions/assignments
– with regard to Contacts:
Email, country, first name, last name, organization, job title, work phone, mobile phone, address, postcode, city, country, website, email events (received, opened, clicked)