Corporate Privacy Policy
Important
This is not a GDPR-compliant Privacy Policy. This is a public copy of an internal policy. Some information was redacted. Please find GDPR Privacy Policies linked at the bottom.
Goals
- Comply with EU GDPR
- Comply with EU ePrivacy Directive
- Comply with EU Digital Services Act
- Act as a frontrunner in privacy and data protection
Guidelines
- The Data Protection Officer (DPO) has overall responsibility for compliance with data protection regulations.
- Elastisys acts as:
  - A Data Processor, when processing Customer Data ("data of customers") as part of our offerings.
  - A Data Controller, when processing prospect lists ("data on customers") and employees' personal data.
  - A Joint Data Controller in relation to the company's LinkedIn, Instagram, Twitter and YouTube Pages.
- As a Data Processor, Elastisys processes all Customer Data (including personal data) under the Data Protection Agreement at ToS A1.
- As a Joint Data Controller:
  - with LinkedIn, Elastisys processes data according to the LinkedIn Privacy Policy and the LinkedIn Page Insights Joint Controller Addendum.
  - with Instagram, Elastisys processes data according to the Instagram Privacy Policy and the Meta Page Controller Addendum.
  - with YouTube, Elastisys processes data according to the Google Privacy Policy and the Google Controller-Controller Data Protection Terms.
  - with Twitter, Elastisys processes data according to the Twitter Privacy Policy and the Twitter Controller-to-Controller Data Protection Addendum.
- Where to put privacy policies?
  - Always have a privacy policy available to data subjects at the closest point of entrance to Elastisys digital properties (e.g., on elastisys.com, on forms, etc.).
  - Clearly mark when the data subject exits Elastisys digital properties.
  - Email signatures of employees in Elastisys' commercial function must have the following footer: "All communication between you and Elastisys is subject to our privacy policy, and you may also be interested in our data processing agreement. If you don't want to hear from me again, please let me know."
  - Job ads must contain the following text: "By responding to an Elastisys job ad, you consent to process your personal data as laid out in our Privacy Policy for Recruitment."
- What about cookies?
  - Only use strictly necessary cookies and similar technologies.
- What data to process?
  - Minimise personal data collection. Use anonymisation and pseudonymisation where appropriate, e.g., IP addresses can be trimmed to their /24 subnet.
- How to safeguard personal data?
  - Minimise access to collected personal data.
  - Minimise retention of personal data.
  - Always use encryption-in-transit.
  - Use encryption-at-rest as much as possible.
- How to choose suppliers?
  - Use Swedish and EU suppliers as much as feasible.
  - The DPO has final sign-off authority on any changes in personal data flows.
- What about continuous improvement?
  - The DPO performs regular privacy audits.
  - The DPO regularly trains people on our privacy policy.
- What if something doesn't look right?
  - Report deviations from these guidelines to our DPO or via our deviation management process.
  - Report any suspected breaches to our DPO.
Privacy Policies
When acting as a Data Controller, Elastisys processes several categories of personal data. Each is covered by a separate privacy policy as listed below:
- Category: Website visitors and Free Trial Customers
- Category: Authorized Users
- Category: Recruitment
Processing of personal data of employees is described in detail in an internal document.
IT Systems Outside this Privacy Policy
The following IT systems are outside the scope of this Privacy Policy and are governed by their own Privacy Policies. Employees, contractors, customers, etc. are data subjects and the providers of these IT systems are data controllers. We strongly recommend reviewing their privacy policies before entering any personal data. In case of doubt, we advise against entering personal data when interacting with these systems: