Corporate Privacy Plan

Corporate Privacy Policy


This is not a GDPR-compliant Privacy Policy. This is a public copy of an internal policy. Some information was redacted. Please find GDPR Privacy Policies linked at the bottom.



  • The Data Protection Officer (DPO) is overall responsible for compliance with data protection regulations.
  • Elastisys acts as:
    • A Data Processor, when processing Customer Data ("data of customers") as part of our offerings.
    • A Data Controller, when processing prospect lists ("data on customers") and employees' personal data.
    • A Joint Data Controller in relation to the company's LinkedIn, Instagram, Twitter and YouTube pages.
  • As a Data Processor, Elastisys processes all Customer Data (including personal data) under the Data Protection Agreement at ToS A1.
  • As a Joint Data Controller:
  • Where to put privacy policies?
    • Always have a privacy policy available to data subjects at the closest point of entrance to Elastisys digital properties (e.g., on, on forms, etc.).
    • Clearly mark when the data subject exits Elastisys digital properties.
    • Email signatures from employees in Elastisys commercial function must have the following footer: "All communication between you and Elastisys is subject to our privacy policy, and you may also be interested in our data processing agreement. If you don't want to hear from me again, please let me know."
    • Job ads must contain the following text: "By responding to an Elastisys job ad, you consent to process your personal data as laid out in our Privacy Policy for Recruitment."
  • What about cookies?
  • What data to process?
    • Minimise personal data collection. Use anonymisation and pseudonymisation where appropriate, e.g., IP addresses can be trimmed to their /24 subnet.
  • How to safeguard personal data?
    • Minimise access to collected personal data.
    • Minimise retention of personal data.
    • Always use encryption-in-transit.
    • Use encryption-at-rest as much as possible.
  • How to choose suppliers?
    • Use Swedish and EU suppliers as much as feasible.
    • The DPO has final sign-off authority on any changes in personal data flows.
  • What about continuous improvement?
    • The DPO performs regular privacy audits.
    • The DPO regularly trains people on our privacy policy.
  • What if something doesn't look right?
    • Report deviations from these guidelines to our DPO or via our deviation management process.
    • Report any suspected breaches to our DPO.

Privacy Policies

When acting as a Data Controller, Elastisys processes several categories of personal data. Each is covered by a separate privacy policy as listed below:

Processing of personal data of employees is described in detail in an internal document.

IT Systems Outside this Privacy Policy

The following IT systems are outside the scope of this Privacy Policy and are governed by their own privacy policies. Employees, contractors, customers, etc. are data subjects and the providers of these IT systems are data controllers. We strongly recommend reviewing their privacy policies before entering any personal data. In case of doubt, we advise against entering personal data when interacting with these systems: