On 25 May 2018, the General Data Protection Regulation (GDPR) has taken effect. This new regulation might be a bit confusing, or difficult to understand. That’s why Mynewsdesk has improved, updated and adapted our product to comply with GDPR seamlessly. We take anonymization and integrity policies very seriously and welcome this development.

On this page, you will find answers to the most frequently asked questions on how Mynewsdesk is handling the new EU regulation. For more information, please also see our Data Protection Terms (DTP) which include Mynewsdesk’s Data Processing Agreement (DPA), and our updated General Terms and Conditions.

1) In which way is the Data Controller responsibility split between the client and Mynewsdesk?
When uploading, downloading, storing or updating contact information within the Contact feature of an account, the responsibility as Data Controller lies with the client.

2) Does our contract with Mynewsdesk comply with GDPR?
Yes. Prior to the launch of GDPR, we rolled out a revised version of our General Terms and Conditions that are now related to our Data Protection Terms (DTP), which in their turn include Mynewsdesk’s Data Processing Agreement (DPA). This way our General Terms and Conditions also fulfill the function of a  Data Processing Agreement (DPA). In this context, we also updated our Privacy Policy and Security Policy.

3) Who is responsible for the data that I upload in Contacts?
As our client, you are responsible that the data you upload in Contacts is handled legitimately according to GDPR. You need to determine yourself which legal ground you apply, and define routines with regard to e.g. why and how you store and handle contact lists.
Therefore we recommend you to always have your lists updated, so that they do not include any contacts you are not using. All emails that are sent from Mynewsdesk to any of your contacts will include a link to our Privacy Policy for Contacts, and there is also always a link for the contact to opt out from receiving emails from your newsroom.
Please see our Data Protection Terms (DTP) for more detailed information on the processing of personal data in the Contacts feature.

4) Who is responsible for contacts that are followers of my newsroom?
Mynewsdesk ensures that followers are being handled according to GDPR. Those who follow a newsroom always need to create a user account on Mynewsdesk, which means that they accept our Terms of Use, including the  Mynewsdesk Privacy Policy and our Privacy Policy for Contacts.

5) Are notices provided when information is directly collected from an individual?
Upon signing up and entering personal data, the user accepts our Terms & Conditions. Specific information about the data processing and its purpose is given to the user when creating an account.

6) Are controls in place to ensure that collection of personal information is limited to the minimum necessary?
Yes. We have internal routines ensuring that processing of personal data is limited to specific purposes. Furthermore, we have defined routines to ensure that our subcontractors fulfill the GDPR requirements.

7) What is your policy on data transfer to external data controllers?
Routines for transferring personal data are established and documented. As a general rule, no personal data can be transferred to external data controllers (not even between companies in the same corporate group) without notifying the corporate group’s Data Controller and/or the Data Protection Officer. All our subcontractors have conducted a TIA (Transfer Impact Assessment) with Mynewsdesk.
Transferring personal data abroad is only permitted to EU/EEA countries and to the USA. For transfer of personal data to the USA we are using EU Standard Contractual Clauses (SCC) and other supplementary measures of organizational or technical kind.
For any other transfer, the corporate group’s Data Protection Officer would have to be notified, with decisions to be made on a case by case basis.

8) Which are your main data processing subcontractors?
Our principal subcontractors, administering our hosting and storing data from Mynewsdesk on their servers, are Hetzner Online GmbH and Amazon Webservices ´. These subcontractors are processing data within the EU.

9) In which countries are you processing personal data?
We are processing data within the EU/EEA (Sweden, Norway, Germany and Ireland) and in some cases in the USA. For transfer of personal data to the USA we are using EU Standard Contractual Clauses (SCC) and other supplementary measures of organizational or technical kind. The term data processing denominates all kinds of data handling such as for example storage, transmission, calculation.

10) Can you supply information on which specific addresses your data is stored?
For security reasons, most hosting providers do not hand out detailed information on this. Mynewsdesk does not consider it to be necessary to give specific street addresses of server locations to comply with GDPR.

11) Is there physical and electronic protection for stored personal data? Do you use data encryption and how is your intrusion protection?
Protection of our data is administered by our hosting partner Hetzner Online GmbH.

12) Is there a process for data erasure?
We have defined a process to ensure that data is deleted when its further storage is not required anymore, or in case it has to be deleted for juristic reasons.

13) Do you support removal of personal data upon request by the person concerned?
We do support this and we have defined processes and routines for removal requests.

14) Are there backup copies of stored personal data, and do you have in place routines for deletion of those copies?
We are storing backup copies of our production database via our hosting partner. These copies are being stored for three years before deletion. Revised routines for erasure of personal data from the backup copies in connection with deletion of pieces of data on the original database were implemented before GDPR took effect.

15) Are there identified security risks about your data processing?
We are conducting a continuous identification, evaluation and follow-up in order to fix any security risks that might be found.

16) Is there a process for detecting and reporting security incidents?
We have a partly automated process for identification of security risks and incidents in our database. Moreover, we have defined a routine for reporting to all persons concerned and The Swedish Data Protection Authority (Datainspektionen) within 72 hours.

17) Can I have our Data Processing Agreement signed by Mynewsdesk?
Mynewsdesk does not sign individual agreements since we, being a SaaS Company, have elaborated a DPA (Data Processing Agreement) that is adjusted to our specific services.
Our Data Processing Agreement (DPA) forms part of our Data Protection Terms (DTP) which in their turn are related to our General Terms and Conditions that were agreed upon original contract signature.

18) Who has responsibility as Data Controller and Data Protection Officer?
Data Controller is the chairperson of NHST Media Group, while Petter Irgens Gustafson is appointed as Data Protection Officer for the corporate group and all affiliates. In addition, all businesses within the corporate group have their own Data Controller with delegated responsibility for their respective business. Data Controller for Mynewsdesk is the Mynewsdesk CEO.

19) Which personal data is being processed by Mynewsdesk?
Mynewsdesk processes the following personal data
– with regard to user accounts:
Name, username/id, email, user password, skype, google, role, api token, newsroom name, tool usage data, title, country, city, phone number, image, Google Talk user name, Skype; ICQ, AIM, Yahoo!Messenger, biography, interests, positions/assignments
– with regard to Contacts:
Email, country, first name, last name, organization, job title, work phone, mobile phone, address, postcode, city, country, website, email events (received, opened, clicked)