General Data Protection Regulation Privacy Policy, Tuff Leadership Training

Tuff Leadership Training is a Swedish management institute. Our focus on leadership coaching explains our success: we train managers so that change really happens in their organisations and groups. Over the years our popularity has increased, and we now have the privilege of training managers all over the world in global organisations based in Sweden. The results achieved are the reason why we are now establishing our business at the very centre of Europe, in Amsterdam. Among our clients are companies such as Karolinska Institutet, AMF, King, Tacton, Folksam, Tetra Pak and many others.

  1. Purpose of the policy

Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), entered into force on 24 May 2016 and applies from 25 May 2018 to the processing of personal data of natural persons in the EU.

The purpose of this Policy is to describe how Tuff Leadership Training collects, processes, uses, shares and secures the personal information provided to it. It also describes the Data Subject’s choices and rights regarding use, access and correction of that personal information. In detail, it covers:

  • What information is being collected?
  • How did Tuff Leadership Training obtain it?
  • Who is collecting it?
  • How secure is it, both in terms of encryption and accessibility?
  • Why was it originally gathered?
  • Why are we holding it?
  • How will it be used?
  • Who will it be shared with?
  • How long will we retain it?
  • The Data Subject’s Rights
  • The right of the Data Subject to be informed

According to this Policy, personal information is any information relating to an identified or identifiable natural person.

This Policy applies only to information we collect, process and use through the platform. This Policy does not apply to information that we collect through other channels, such as information that we collect offline, from other websites or from emails you send us.

  1. Data Collection

To run our business and to provide our customers with the courses, Tuff Leadership Training processes information relating to individuals (referred to as “Personal Information”). This typically includes: name and surname, company, e-mail address, postal address, telephone number, a record of our contact and/or customer history, notes and comments relating to the trainings, e-mail conversations and meeting notes, billing history, billing address, and testimonials and reviews about the trainings. Our records derive from information collected directly from the Data Subject.

  1. Data Storage

The information is maintained on the Tuff Leadership Training systems, which are secure and accessible only to the Tuff Leadership Training employees and consultants. The data are stored in the following software:

  1. Atatiki (CRM Filemaker)
  2. Fortnox
  3. Mailchimp
  4. Learnifier
  5. Dialect

All of the above are licensed services. All data stored in these systems is protected by passwords that we change periodically.

  1. Data Usage

We use Personal Information to contact the Data Subject in connection with the trainings and for business purposes with our contacts. The information was originally gathered because the Data Subject participated in one or more of our events or training programs, or showed interest by subscribing to our newsletter. We hold the information because our course participants very often choose to take part in the regular training opportunities and seminars that Tuff Leadership Training provides; on-going training benefits from updates on scheduled events and dates for new trainings. One effect of our training is the realisation that one is never “done” when it comes to leadership skills, so the large majority of our customers commit to continuous training and wish to receive updates on all opportunities for follow-up training. We use the information solely to serve the Data Subject’s future training ambitions and retain it as long as that purpose remains relevant. If the Data Subject disagrees, he or she can unsubscribe at any time and we will erase the information.

  1. Transfer of Personal Information

Personal Information is hosted in the cloud on systems managed by Dialect and Atatiki. They are committed to protecting the information and take appropriate technical, organisational and legal measures to secure Personal Data. Neither they nor we sell the Data Subject’s information to third parties or use the information for purposes incompatible with those described in this Policy. Personal Information is transferred internally among our different systems: CRM Filemaker, Fortnox, Mailchimp, Learnifier and Dialect.

  1. Breach notification

Under the GDPR (Article 33), a personal data breach must be notified to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the controller first becoming aware of it, unless the breach is unlikely to “result in a risk to the rights and freedoms of natural persons”. Data processors are required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach. Where the breach is likely to result in a high risk to individuals, the affected Data Subjects must also be informed (Article 34).

  1. The Data subject Rights

The Data Subject has the right to withdraw consent at any time, and to access the record or request that we rectify or remove it from our system(s). When asked to remove a record from our database, Tuff Leadership Training will retain minimal Personal Information in order to prevent future contact, to keep a record of the information disclosed to our clients and to preserve Tuff Leadership Training’s interests in accordance with any applicable legal requirements. The Data Subject may exercise these rights by contacting the Privacy Officer. Tuff Leadership Training will comply with any request as required by law.

  1. Right to Access

Part of the expanded rights of Data Subjects under the GDPR is the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed and, if so, where and for what purpose. Further, the controller shall provide a copy of the personal data free of charge and, where the request is made electronically, in a commonly used electronic format. This change is a dramatic shift towards data transparency and the empowerment of Data Subjects.

  1. Right to be forgotten

Also known as Data Erasure, the right to be forgotten entitles the Data Subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being necessary for the original purposes of processing, or the Data Subject withdrawing consent.

  1. Data Portability

The GDPR introduces data portability: the right for a Data Subject to receive the personal data concerning them which they have previously provided, in a “structured, commonly used and machine-readable format”, and the right to transmit that data to another controller.

  1. Right to object to processing personal data

The Data Subject has the right to object to certain types of processing of his/her personal data where this processing is carried out in connection with tasks in the public interest, or under official authority, or in the legitimate interests of others. The Data Subject has a stronger right to object where the processing relates to direct marketing. Where a data controller is using personal data to market something directly to the Data Subject, or is profiling the Data Subject for direct marketing purposes, the Data Subject can object at any time, and the data controller must stop that processing as soon as it receives the objection. The Data Subject may also object to processing of personal data for research purposes, unless the processing is necessary for the performance of a task carried out in the public interest.

  1. Privacy by Design

The controller shall implement appropriate technical and organisational measures in an effective way in order to meet the requirements of the Regulation and protect the rights of Data Subjects. Article 25 (data protection by design and by default), together with the data minimisation principle in Article 5, calls for controllers to hold and process only the data necessary for each specific purpose, and to limit access to personal data to those who need it in order to carry out the processing.

  1. Review of this Policy

We keep this Policy under regular review. This Policy was last updated in May 2018.

  1. GDPR Terminology
  • Data subject: A data subject is a natural person. Examples of a data subject can be an individual, a customer, a prospect, an employee, a contact person, etc.
  • Personal data: Any information relating to an identified/identifiable individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, photo, email address, bank details and posts on social networking sites, IP address, or a combination of the data that directly or indirectly identifies the person.
  • Sensitive personal data: The GDPR refers to sensitive personal data as “special categories of personal data.” The special categories include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, health data, and genetic and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences is not included, but similar extra safeguards apply to its processing.
  • Data controller: Any organization, person, or body that determines the purposes and means of processing personal data, controls the data and is responsible for it, alone or jointly.
  • Data processor: A data processor processes the data on behalf of the data controller.
  • DPA: DPAs are independent public authorities that monitor and supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints that may have breached the law.
  • Accountability: Accountability is the ability to demonstrate compliance with the GDPR. The Regulation explicitly states that this is the organization’s responsibility. In order to demonstrate compliance, appropriate technical and organizational measures have to be implemented.
  • Processing: Processing is any operation performed on personal data (sets), such as creation, collection, storage, view, transport, use, modification, transfer, deletion, etc., whether or not by automated means.
  • Consent: Under the GDPR, consent to processing must be freely given, specific and informed. The Data Subject cannot be forced to give consent, must be told what purpose(s) the data will be used for, and must indicate consent through a “statement or a clear affirmative action” (e.g. ticking a box). Consent is not the only lawful basis on which personal data can be processed.

  • Privacy Impact Assessment (PIA): The GDPR imposes an obligation on data controllers to conduct a Data Protection Impact Assessment (also known as a privacy impact assessment, or PIA) before undertaking any processing that is likely to result in a high risk to the rights and freedoms of individuals by virtue of its nature, scope, context or purposes.
  • Profiling: Profiling is any form of automated processing of personal data intended to evaluate certain personal aspects relating to an individual, or to analyse or predict in particular that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour.
  • Territorial scope: The GDPR applies throughout the European Economic Area (EEA), that is, the 28 EU member states (as of 2018) plus Iceland, Liechtenstein and Norway; it does not apply in Switzerland. Under Article 3 it also applies to controllers and processors established outside the EEA where they offer goods or services to, or monitor the behaviour of, data subjects in the EEA.
  • Third party: A third party is any natural or legal person, public authority, agency, or any other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.

For further questions regarding the data Tuff Leadership Training collects, or how we use it, please feel free to contact us by email at info@tuffledarskapstraning.se, by telephone at +46 (0) 8-446 16 20, or in writing at: Tuff Leadership Training – Östgötagatan 16 – Stockholm, SE-116 25.

  1. External Links
  • Regulation (EU) 2016/679 – General Data Protection Regulation
  • European Commission – Data Protection
  • EU GDPR Portal
  • European Commission – Rights for citizens
  • Data Protection Commissioner – individuals
  • European Commission – Rules for business and organisations
  • Data Protection Commissioner – organisations
  • National Data Protection Authorities
  • Data Protection Authority Sweden