GDPR Frequently Asked Questions

The upcoming introduction of the new General Data Protection Regulation ("GDPR") on 25th May 2018 has naturally raised a number of questions. Below we have collected and answered the most urgent questions from our corporate customers.

Is it possible to get help with GDPR?

With our new service, Privacy Assistant, we will handle most of the privacy dialogue with your employees, so you can focus on running a profitable business. The Privacy Assistant will:

  • Ensure your company is using ABAX products and services in a way that keeps you GDPR compliant
  • Handle employee requests, so you can focus on running your business
  • Inform your employees in an easy and compliant way with customised documents specific to your business

Order ABAX Privacy Assistant here. 

 

How are ABAX preparing for GDPR? 

We are in the process of handling and adapting our policy and systems to meet GDPR regulations. Terms, conditions and an updated data processing agreement for our services were sent to our Customers on April 25th 2018 (one month before the new regulations are enforced).

 

Will we receive an updated data processor agreement from ABAX?
As a result of GDPR, we have updated our data processor agreement and our terms and conditions for our services. These updates were sent to our Customers on April 25th 2018, with the changes coming into effect on May 25th 2018.  
 

Can I, as a Customer, send ABAX our own "standard" data processor agreement for ABAX to sign? 
Some Customers have sent us their data processor agreements to cover our services, but as these agreements are standardised, they rarely cover our services and do not adequately regulate the processing of personal information.

The terms and conditions for our updated data processor agreement will be in accordance with the GDPR. Since there is a close relationship between our services, the terms governing our services and the data processor agreement, it is important that these terms and conditions are specific.

As a consequence, no data processing agreement we receive can be signed, and instead our data processing agreement should be used.  

 

What changes are ABAX making to the agreement to adjust to the new regulations? 
We are reviewing our terms, conditions and data processing agreement to make the necessary adjustments to meet the new regulatory framework and ensure all required changes are incorporated. 

 

Do ABAX have access control that secures our personal information?
We have access control that meets normal industry requirements and is certified according to ISO 27001 Information Security Management, where access control is one of many elements. Nonetheless, access control will be reviewed to ensure that all requirements in the new regulations are met.   
 

Will ABAX provide a privacy declaration for the Customer's employees?
We will issue a privacy statement for handling of data in cases where we are the data controller. In addition, we aim to make a privacy policy proposal that our Customers can use as a foundation when preparing their own privacy statement in relation to our services (because our Customers are the data controller).  

 

Has ABAX planned further steps to reinforce data security? 
Data security reinforcement is ongoing and will continue in the future. It will be in accordance with the new regulatory framework and follow technological developments. 

 

Does ABAX have subcontractors that will access our information? 
ABAX AS (Norway) uses subcontractors in some operational and development related tasks and these providers have access to personal information. Data processing agreements between subcontractors and ABAX AS will be in accordance with GDPR.

For ABAX AS subsidiaries (if you as a Customer have an agreement with an ABAX AS subsidiary), ABAX AS will be a subcontractor for the relevant subsidiary and have a data processing agreement with the subsidiaries in accordance with GDPR.

ABAX AS' subsidiaries in Europe are:

  • ABAX Sweden AB
  • ABAX Danmark A/S
  • ABAX Finland Oy
  • ABAX UK Ltd.
  • ABAX Nederland B.V.
  • ABAX Poland sp. z o.o.
  • ABAX Deutschland GMBH
  • ABAX Performance AS
  • ABAX Technology AS

 

Does ABAX transfer our personal data to countries outside the EU / EEA and approved third countries? 
Data is processed in the EU / EEA area except when ABAX AS uses its subsidiary in China (ABAX China Ltd.) as a supplier of certain services. This means that some employees in ABAX China Ltd have access to personal information through ABAX AS' systems. ABAX AS will ensure appropriate agreements are in place before GDPR takes effect.     

 

Does ABAX handle sensitive personal information for their Customers? 
We do not ask for sensitive personal information on behalf of the Customer. Sensitive information can be added by the Customer or other users that have access on behalf of the Customer, but this is not controlled by us. 

 

What actions do ABAX take to ensure that the duty of notification to us as Customers is met?
We have already established alert routines for information security as a part of our ISO 27001 certification. These alert routines are continually reviewed to ensure that all requirements in new regulatory frameworks are met. 

 

What other conditions affecting us as a Customer of ABAX do we have to pay attention to regarding GDPR? 
Our new terms, conditions and data processing agreement will be delivered to our Customers by April 25th 2018.

The updates must be approved by the Customer. For most customers, the approval will be conducted by the administrator directly after system login. 

 

Where does ABAX store their data? 
All data is currently stored on our servers located in a professional operating environment in Karlstad, Sweden. Our servers are located within the EU / EEA area.

 

What personal information is stored? 
The personal information stored is dependent on which service the Customer uses and what personal information the Customer has entered into our systems. 

 

Has a user added personal information into an ABAX system? 
The Customer (as a data controller), and not ABAX (as a data processor), has this overview and control.

 

Is a user informed about the collection / registration of the personal information? 
ABAX (as a data processor) has no control over whether a user is informed about the collection or registration of information. This is the Customer's responsibility (as a data controller).

 

Is a user aware of where personal information is stored? 
The Customer (as a data controller), and not ABAX (as a data processor), has this overview and control.

 

Are there any procedures for deleting personal information? Does documentation exist? Where is the documentation stored? 
New procedures and processes in accordance with the new regulations are being prepared. The routines will be stored in our internal Quality Management System. 
As a data processor for our services, we act according to instructions from our Customer (as a data controller) when data is deleted. 
 

Are privacy implications considered? Is a risk and vulnerability analysis performed? Where is the documentation stored? 
Assessment of privacy implications, as well as risk and vulnerability analysis in accordance with the new regulations, is included as a key part of the work we have initiated to prepare for the new regulatory framework.

The routines will be stored in our internal Quality Management System.  

 

Do ABAX log files contain an overview of user logins and user actions (what users do)? 
In order to provide support to our Customers and in accordance with our agreements, we log when a user is created, who created the user, and user login details including time and IP address. There is no log of user actions, but we do log administrator actions.

 

What information is being sent from you to us in connection with GDPR and when can we expect it? 
We will update our data processor agreement and our terms and conditions for our services. These updates will be delivered to our Customers by April 25th 2018.