The following policy has been established by Gignation Sverige AB, hereinafter referred to as "the company".

Introduction

At the company, we work in a structured way to ensure that personal data is processed correctly and lawfully. This policy describes our overall procedures for handling personal data.

Roles and responsibilities

The CEO of Gignation has overall responsibility for following up the data protection issues addressed in this policy. Each manager is responsible for compliance within their own part of the organization.

Principles for our personal data processing

We shall be responsible in our handling of personal data, regardless of whether it concerns employees, customers, suppliers or other partners. Questions concerning the processing of personal data arise in all parts of our business, and we therefore encourage all meeting agendas to include personal data processing as a standing item.

Personal data must be processed in a lawful, fair and transparent manner in relation to the data subject. We will be transparent about what data we handle and ensure that the people registered with us in various ways can exercise their rights effectively.

Personal data may only be collected for specific, explicit and legitimate purposes, and we shall only collect the data needed for those purposes. We work actively to limit storage by deleting data in accordance with our retention policy and, where appropriate, through automatic deletion. We shall take reasonable measures to ensure that the data is accurate.

In order to ensure, and be able to demonstrate, that we meet the requirements of the legislation, we will keep all documentation regarding our data protection work in one place: the platform Gignation.se.

Procurement of IT services

When we procure IT services, such as software, hosting, operations or support, we must first carry out a risk and vulnerability analysis and then choose a solution or supplier based on its outcome.

When engaging data processors, we shall only use processors that provide sufficient guarantees that they will implement appropriate technical and organizational measures so that the processing meets the requirements of the law and the data subject's rights are protected. The assessments made, including documentation of the required security level, must be recorded. Furthermore, a data processing agreement (DPA) must be signed before any processing begins.

We will not transfer personal data of any kind to third countries (countries outside the EU/EEA).

IT security

Risk assessment

We will continuously assess the risks of the processing of personal data that we carry out. We must take technical and organizational measures to achieve a level of security that is appropriate in relation to the risk. The risk analysis and the decisions on measures must be documented.

Permissions

There must be written access control instructions for all IT systems that contain personal data. The basic principle is that access rights must be allocated so that only those persons who need access to the personal data in order to perform their duties have it. Depending on the sensitivity of the data, the access rights may be narrower or wider.

Incident management

Security incidents must be documented in an incident management log with information about the circumstances of the personal data incident, its effects and the corrective measures taken. A security incident means an event that leads to the accidental or unlawful destruction, loss or alteration of, or unauthorized disclosure of or access to, personal data that is transmitted, stored or otherwise processed.

When the law so prescribes, incidents must also be reported to the Swedish Data Protection Authority and to the affected data subjects, respectively.

IT policy and IT security policy

We have adopted an IT policy and an IT security policy where our employees’ approach to the IT environment is regulated in more detail.

Register of personal data

We will keep a record of our processing of personal data in the platform Gignation.se. The respective system owner is responsible for keeping the record up to date when changes occur.

Impact assessment

If a processing of personal data, in particular one using new technology, is likely to lead to a high risk to the rights and freedoms of natural persons, taking into account its nature, scope, context and purposes, we must, before the processing begins, carry out an assessment of the planned processing's consequences for the protection of personal data: an impact assessment, or DPIA (Data Protection Impact Assessment).

Even when the threshold for an impact assessment is not reached, we shall, where appropriate, carry out a simplified risk analysis. The analysis forms the basis for the choice of technical and organizational security measures.

Data protection by design and by default

We will proactively evaluate the possibilities of implementing data protection by design and data protection by default.

We will proactively evaluate the possibilities of implementing technical measures, such as pseudonymisation and data minimisation, in order to effectively meet the requirements of the GDPR and protect the data subject's rights.

We shall also implement appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for each specific purpose of the processing is processed.

Training

Our employees shall receive relevant information and training on the processing of personal data in accordance with a separate annual training plan. Where necessary, in-depth or targeted training is given to those who handle sensitive data or tasks. Participation in training must be documented.

Follow-up and internal audit

Compliance with this policy shall be checked through spot checks and internal audits. We must continuously evaluate whether our data protection work meets the requirements of the legislation and implement changes where necessary.

This policy was adopted by the Board of Gignation Sverige AB on 2023-04-02.