One of the major changes the EU General Data Protection Regulation (GDPR) will bring about it is companies’ accountability. It is no longer enough that a company’s operations are lawful: with the new regulation, they will also have to prove it. Risk management is an integral part of meeting the accountability requirement, and it also concerns situations where the company’s personal data processing has been outsourced.
Varma takes care of data protection also in outsourced functions
The controller is responsible for the processing of personal data also when it has outsourced its personal data processing to a personal data processor as referred to in the GDPR. The GDPR requires that an agreement be concluded in writing on the outsourcing of personal data. Varma is responsible, as a controller, for its outsourced functions through data processing agreements. The form and scope of the agreements vary according to the outsourced personal data to be processed and its scope.
The controller manages personal data based on a specific purpose and on rules related thereto and commits the processor to operate according to the same rules.
Roles not always clear
Our client companies have repeatedly provided Varma with agreements on data processing, because Varma has been considered a processor of personal data. However, Varma is a controller, because, as an earnings-related pension institution, it performs a statutory task. It also makes things easier for the customer when processing agreements are not required. We have addressed this matter previously in Varma’s news release.
Varma strives for transparency in personal data processing
A controller’s tasks include clearly communicating the rights of the data subjects and the processing of personal data. A key tool for transparency is the record of processing activities required by the GDPR.
On Varma’s website, we describe how we process personal data, our grounds for processing data, which data we process, how long the data will be stored, to whom we disclose the data and how data-processing security has been arranged. Read Varma’s description of processing activities.
Data protection promotes the development of important customer services
Here at Varma, we do not build data protection for our private customers for the purpose of avoiding fines and other consequences, but instead to maintain the trust of our insured clients and companies.
Our intention is also to transform data protection from a risk factor into a business driver and enabler. Regulation-compliant data protection solutions support the development of Varma’s services.