Data controller and data processor
Sydbank is the data controller when the Bank processes personal data about its customers and employees. To carry out the processing, Sydbank can draw on external assistance from a data processor, eg a hosting supplier.
Using a data processor is conditional upon Sydbank entering into a written agreement with the party concerned and Sydbank ensuring that the data processor can comply with the instructions in the data processing agreement and legislation before signing the agreement. Sydbank has established procedures for using data processors and checks in the ongoing contractual relationship that the data processor lives up to its obligations to ensure responsible and secure processing of personal data.
Similarly, when Sydbank is the data processor on behalf of others, the Bank must ensure that it only processes personal data subject to the instructions of the data controller and in compliance with the General Data Protection Regulation and the existing data processing agreement.
If – in exceptional cases – Sydbank acts as a data controller together with another organisation, the Bank will ensure that it has defined the shared responsibility in relation to compliance with the current rules in this area.
Personal data breach
Notification to the Danish Data Protection Agency
If a personal data breach has occurred, Sydbank will notify the Danish Data Protection Agency in accordance with the requirements of the General Data Protection Regulation and Sydbank’s internal procedures without undue delay and not later than 72 hours after the Bank has become aware of it.
If it is unlikely that the breach will result in a risk to the rights or freedoms of data subjects, Sydbank is not obliged to notify the Danish Data Protection Agency.
Communication to data subjects
If the breach is likely to result in a high risk to the rights or freedoms of data subjects, Sydbank is obliged to notify the data subjects of the breach without undue delay and inform them of the consequences for them.
Personal data policy – follow-up
The Board of Directors prepares and updates the Bank’s personal data policy. The Board of Directors assesses on an ongoing basis and at least once a year whether the policy should be updated.