Data con­troller and data processor

Sydbank is the data con­troller when the Bank processes personal data about its customers and employees. To carry out the pro­cess­ing Sydbank can draw on external as­sis­tance from a data processer, eg a hosting supplier.

Using a data processor is con­di­tion­al upon Sydbank entering into a written agreement with the party concerned and Sydbank ensuring that the data processor can comply with the in­struc­tions in the data pro­cess­ing agreement and leg­is­la­tion before signing the agreement. Sydbank has es­tab­lished pro­ce­dures for using data proces­sors and checks in the ongoing con­trac­tu­al re­la­tion­ship that the data processor lives up to its oblig­a­tions to ensure re­spon­si­ble and secure pro­cess­ing of personal data.

Similarly, when Sydbank is the data processor on behalf of others, the Bank must ensure that it only processes personal data subject to the in­struc­tions of the data con­troller and in com­pli­ance with the General Data Pro­tec­tion Reg­u­la­tion and the existing data pro­cess­ing agreement.

If – in ex­cep­tion­al cases – Sydbank acts as a data con­troller together with another or­gan­i­sa­tion, the Bank will ensure that it has defined the shared re­spon­si­bil­ity in relation to com­pli­ance with the current rules in this area.

Personal data breach

No­ti­fi­ca­tion to the Danish Data Pro­tec­tion Agency

If a personal data breach has occurred, Sydbank will notify the Danish Data Pro­tec­tion Agency in ac­cor­dance with the re­quire­men­ts of the General Data Pro­tec­tion Reg­u­la­tion and Sydbank’s internal pro­ce­dures without undue delay and not later than 72 hours after the Bank has become aware of it.

If it is unlikely that the breach will result in a risk to the rights or freedoms of data subjects, Sydbank is not obliged to notify the Danish Data Pro­tec­tion Agency.

Com­mu­ni­ca­tion to data subjects

If the breach is likely to result in a high risk to the rights or freedoms of data subjects, Sydbank is obliged to notify the data subjects of the breach without undue delay and inform them of the con­se­quences for them.

Personal data policy – follow-up

The Board of Directors prepares and updates the Bank’s personal data policy. The Board of Directors assesses on an ongoing basis and at least once a year whether the policy should be updated.

Read our Privacy policy