This policy describes Diplomat Communications’ routines for handling personal information and has been in force since the 25th of May 2018.
The purpose of this policy is to let you know, in a clear and transparent way, what types of personal information we manage, how we manage them and how you can exercise your rights. The policy follows the framework of the EU’s General Data Protection Regulation (GDPR) and our trade organization PRECIS’s guidelines for the application of GDPR. Furthermore, it is supplemented by our internal guidelines for managing personal information.
2. What personal information do we handle?
Collection and handling of personal information is not a part of the core operations at Diplomat Communications. However, like almost every other company, we handle some personal information in our internal administration and for marketing purposes. In most cases we take the role of being responsible for personal information, including in assignments on behalf of our clients.
Personal information which is handled on behalf of our clients
We perform a broad variety of services within the fields of Public Affairs, Corporate Communications, PR and financial communication on behalf of our clients. These include market analysis and intelligence, networking strategies within the political arena, advocacy tasks, crisis management, media relations and PR, formulating communication strategies, transactional advisory, financial reporting and sustainability reporting.
In almost any type of client assignment it may become necessary to handle personal information. Typically, it is information about external parties, such as journalists, key opinion makers, politicians, political officials, company leaders, scientists, experts and partners. A large part of this information is already publicly available through its connection to the individual’s position. Examples of personal information we handle within the framework of client assignments are contact information, resumes, photos, films, audio recordings, quotes and statements of various types.
Additional management of personal information within client assignments may concern developing, operating and monitoring platforms for social media or other platforms for advocacy, as well as tools for monitoring attendance and activities on such platforms. Where applicable, the integrity policy of each platform or tool applies. In general, we are responsible for the content in the channel, including personal information.
On behalf of our clients, we use a variety of tools for web publishing, distribution, analysis, dispatching, mapping, media production and so on. Where applicable, we are responsible for handling personal information connected to these tools as well, unless the integrity policy of the respective tool applies.
Personal information handled in our internal administration and in our own channels
We are responsible for the content, including personal information, published on social media channels which are run in the name of Diplomat Communications. This means that we, in the social media channels where we have an opportunity to control the content, are responsible for maintaining a regular watch on publications and moderating content in order to ensure that the channel does not include e.g. offensive personal information. Beyond this, the integrity policy of each platform applies.
For our own PR work, we use tools for dispatching press releases beyond just our own channels in social media. The tools give us access to contact information for editorial staff and individual journalists. The integrity policy of each tool applies when using these.
Marketing and dispatchment
We store contact information for our clients, previous clients, potential clients and other relevant parties we maintain contact with, in order to market our business. This is primarily done by dispatching emails with marketing information about our services, invitations to events etc. These emails always contain an opt-out option for those who no longer want to receive such information from us.
Media production and photographing
We also perform media production (auditory and visual recordings) and photography for our own use. This is generally done to document events conducted in our own name and to market and document our own operations.
We handle personal information included in the contracts we sign. These can e.g. be contracts with clients, suppliers, cooperative partners and employees. The information mostly consists of basic contact information necessary to enforce the contract.
We also handle personal information for recruitment purposes. Typically, we receive the information from the registered person in question, through resumes and other documentation. If you apply for employment with us, we will store your information for two years before it is deleted.
We use Google Analytics and Hotjar to monitor the flow of visitors to our own webpage. For this purpose, the integrity policy of each tool applies.
We handle personal information present in the email conversations we maintain, partly with our clients but also with our employees, suppliers, cooperative partners and external parties.
3. How is your personal information handled?
The legality of the handling
Our handling of personal information, regardless of whether it is performed on behalf of our clients or for our internal administration or marketing, is based on the fundamental principles of GDPR. We only handle personal information after we have ensured that we have legal grounds in accordance with GDPR for doing so.
In regard to handling personal information within the scope of client assignments, the handling is generally motivated by the so-called balance of interest as legal ground. One of our core purposes is to understand and describe societal development, analyzing market changes, political actions and consumer behaviors as well as describing and advising on advocacy and influencing. Collection of personal information belonging to registered persons who are active within these fields, in public as well as private enterprises, is a tool in this work. Against this background we normally make the judgment that we have legal grounds for handling personal information which constitutes a basis for fulfilling our assignments, and that our and our client’s interest thus outweighs that of the registered, assuming that the registration does not constitute a threat to the integrity of the registered.
Furthermore, we have the right to handle personal information if necessary in enforcing an agreement, for example with a client, a cooperative partner, a supplier or an employee, as well as in fulfilling legal duties, for example to public authorities. This may involve handling and storing information if required by laws and regulations.
In certain cases, the consent of the registered makes the handling of personal information legal. Consent is also required if the information is to be considered sensitive in accordance with GDPR. In cases where required by law or where situational circumstances make it suitable, we obtain personal consent for our handling from the registered.
Information to the registered
In our handling of personal information, we also ensure that we fulfil the responsibility of informing the registered as described by GDPR, and of informing the registered that their personal information is handled by us. This assumes that the personal information in question has not already been publicly announced, such as being openly accessible (for example on the internet or in the media), or has not already been publicized or announced by the registered.
Limitation of access
We have routines in place for handling personal information in a secure way. The basic principle is that only those employees and, if applicable, the client for whom we perform the assignment, who need the information to perform their tasks shall have access to the information.
Personal information that is no longer used, e.g. because the relevant client assignment is finished, the information has for other reasons become irrelevant for the assignment, or an assignment or partnership has ended or similar, is regularly sorted out.
An exception to the above applies if the personal information needs to be saved for a certain time in order to, for example, enable a reclaim period, if there is reason to believe that the finished assignment, agreement or cooperation will continue with a new party, or if it is in our interest to retroactively be able to present how the assignment was executed.
Transfer of personal information
In certain cases, we transfer personal information to other parties. This can e.g. be personal information we have previously handled on behalf of a client and where it is part of our assignment to present the information to the client, or personal information handled within the framework of a tool or digital platform where their integrity policy, and not ours, applies.
Furthermore, transfer of personal information within firms in the Diplomat Group and possible partners is done when required by assignments. We typically do not transfer personal information to third parties outside the EU/EEA.
We follow the requirements for data security measures set out in the GDPR. This includes encryption of our networks and limitation of access to data in order to avoid so-called personal information incidents. We have internal policies and routines for IT security as well as for handling personal information incidents, which comply with legal requirements.
4. Your rights
The GDPR gives you the right to:
- Request information regarding what personal information we handle regarding you.
- Request to have faulty personal information corrected and in certain cases ask us to completely erase your personal information.
- Object to certain personal information about you being handled, as well as request that the handling of your personal information be limited.
- Have the personal information you have provided to us transferred to another handler (the right to data portability).
- Withdraw your consent if the handling is based on consent, and
- File a complaint with Datainspektionen, which is the responsible public authority, if you are dissatisfied with how we handle your personal information.
5. Contact information
For questions regarding our integrity policy, please contact integritet(a)diplomatcom.com.