Privacy Plan

Not a GDPR privacy policy per se, but our internal guidelines for how we work with data processing in a privacy-respecting way.

Elastisys Privacy Plan

  • Date: 2024-02-09
  • Author: DPO
  • Reviewed by: Management Team
  • Approved by: CEO
  • Information owner: CEO

Important

This is not a GDPR-compliant Privacy Policy. This is a document describing how Elastisys works with privacy and personal data. Please find GDPR Privacy Policies linked at the bottom.

Goals

Guidelines

  • The Data Protection Officer (DPO) is overall responsible for compliance with data protection regulations.
  • Elastisys acts as:
    • A Data Processor, when processing Customer Data (“data of customers”) as part of our offerings.
    • A Data Controller, when processing prospect lists (“data on customers”) and employees' personal data.
    • A Joint Data Controller in relation to the company's LinkedIn, Instagram, Twitter and YouTube pages.
  • As a Data Processor, Elastisys processes all Customer Data (including personal data) under the Data Protection Agreement at ToS A1.
  • As a Joint Data Controller:
  • Where to put privacy policies?

    • Always have a privacy policy available to data subjects at the closest point of entrance to Elastisys digital properties (e.g., on elastisys.com, on forms, etc.).
    • Clearly mark when the data subject exits Elastisys digital properties.
    • Email signatures from employees in Elastisys commercial function must have the following footer: "All communication between you and Elastisys is subject to our privacy policy, and you may also be interested in our data processing agreement. If you don't want to hear from me again, please let me know."
    • Job ads must contain the following text: “By responding to an Elastisys job ad, you consent to the processing of your personal data as laid out in our Privacy Policy for Recruitment.”
    • Social media appearance: For people who are not regularly present on social media, or who might not expect to appear on social media, please proceed as follows:

      • Ask the following question via email, with marketing@elastisys.com in CC:

        We're planning to share a picture on our social media, and you're in the image. We want to make sure we have your consent before posting it. The choice is entirely yours. Could you kindly reply with a simple "yes" or "no"? Your response is much appreciated. Thank you!

      • The Commercial function keeps consents received via email in a special folder.

  • What about cookies?

  • What data to process?
    • Minimise personal data collection. Use anonymisation and pseudonymisation where appropriate, e.g., IP addresses can be trimmed to their subnet (/24 for IPv4, i.e., the last octet is dropped) before they are stored.
  • How to safeguard personal data?
    • Minimise access to collected personal data.
    • Minimise retention of personal data.
    • Always use encryption-in-transit.
    • Use encryption-at-rest as much as possible.
  • How to choose suppliers?
    • Use Swedish and EU suppliers as much as feasible.
    • The DPO has final sign-off authority on any changes in personal data flows.
  • What about continuous improvement?
    • The DPO performs regular privacy audits.
    • The DPO regularly trains people on our privacy policy.
  • What if something doesn’t look right?
    • Report deviations from these guidelines to our DPO or via our deviation management process.
    • Report any suspected breaches to our DPO.
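The IP-address trimming mentioned under "What data to process?" is the one guideline above that maps directly onto code. The following is an added example, not code from Elastisys or from this plan, showing how the trimming can be applied to a constructed access-log sample: IPv4 addresses are cut to their /24, IPv6 addresses to a /48 (the /48 is an assumption made for this example, since the plan only names /24, which is far too coarse for a 128-bit address), IPv4-mapped IPv6 addresses are treated as IPv4, and tokens that only look like addresses are left untouched rather than mangled. Trimming to a subnet is pseudonymisation in the general case (a /24 still narrows a visitor down to a block of 256 hosts), so the retention and access rules above still apply to the trimmed values.

```python
import ipaddress
import re
from typing import List, Optional

# Prefix lengths retained after trimming. /24 for IPv4 is the value named in
# the plan; /48 for IPv6 is an assumption chosen for this example.
IPV4_PREFIX = 24
IPV6_PREFIX = 48


def trim_ip(addr: str) -> Optional[str]:
    """Return addr with its host part zeroed, or None if addr is not an IP.

    203.0.113.77          -> 203.0.113.0
    2001:db8:abcd:1234::1 -> 2001:db8:abcd::
    ::ffff:192.0.2.130    -> 192.0.2.0   (IPv4-mapped, handled as IPv4)
    """
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None
    # An IPv4 address embedded in IPv6 (::ffff:a.b.c.d) is really IPv4 traffic;
    # trimming it as IPv6 /48 would collapse it to "::" and lose the subnet.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = IPV4_PREFIX if ip.version == 4 else IPV6_PREFIX
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


# Candidate tokens: runs of hex digits, dots and colons. Many such runs are not
# addresses at all (timestamps, "HTTP/1.1", the word "Feb"); trim_ip decides.
_CANDIDATE_RE = re.compile(r"[0-9A-Fa-f:.]+")


def scrub_line(line: str) -> str:
    """Replace every IP literal in a free-text log line with its trimmed form."""
    def _replace(match: "re.Match[str]") -> str:
        token = match.group(0)
        core = token.rstrip(".")          # keep a sentence-ending dot intact
        trimmed = trim_ip(core)
        if trimmed is None:
            return token                  # not an address: leave as-is
        return trimmed + token[len(core):]
    return _CANDIDATE_RE.sub(_replace, line)


def scrub_log(lines: List[str]) -> List[str]:
    return [scrub_line(line) for line in lines]


# Constructed sample in Apache combined-log style; not real traffic.
SAMPLE_LOG = [
    '203.0.113.77 - - [09/Feb/2024:10:15:32 +0000] "GET /pricing HTTP/1.1" 200',
    '2001:db8:abcd:1234::5678 - - [09/Feb/2024:10:15:33 +0000] "POST /contact HTTP/1.1" 302',
    '::ffff:192.0.2.130 - - [09/Feb/2024:10:15:34 +0000] "GET /careers HTTP/1.1" 200',
]

if __name__ == "__main__":
    for original, scrubbed in zip(SAMPLE_LOG, scrub_log(SAMPLE_LOG)):
        print(scrubbed)
```

Run the trimming at the point where logs are written or first collected, not on a copy made later, so the untrimmed address never reaches storage in the first place; that is what makes the retention and access guidelines above hold for the full lifetime of the data.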

Privacy Policies

When acting as a Data Controller, Elastisys processes several categories of personal data. Personal data of non-employees is only processed according to our public privacy policy.

Processing of personal data of employees is described in detail in an internal document entitled "Privacy Policy for Elastisys Employees".

IT Systems Outside this Privacy Plan

The following IT systems are outside the scope of this Privacy Plan and are governed by their own Privacy Policies. Employees, contractors, customers, etc. are data subjects, and the providers of these IT systems are data controllers. We strongly recommend reviewing their privacy policy before entering any personal data. In case of doubt, we advise against entering personal data when interacting with these systems: