Omega 365 Privacy Statement

Omega 365 processes personal data in a legal and secure manner in accordance with General Data Protection Regulation (GDPR), and which is necessary to achieve the purpose of the processing.

Published: 20. July 2023

Omega 365 processes personal data in a legal and secure manner in accordance with General Data Protection Regulation (GDPR), and which is necessary to achieve the purpose of the processing.

The purpose of the processing

Processing of personal data in Omega 365 has the following purposes:

• Ensuring the execution of work: Omega 365 shall take care of, facilitate and ensure business management, project implementation and project management.
• Logging: Omega 365 shall help ensure documentation, validity and traceability of plans, approvals and decisions in the business and projects.
• Contract management: Omega 356 must facilitate clarity and verifiability during the contract management phase to reduce the risk of conflict and disputes.
• Training and experience archive: Omega 356 will act as a training and experience archive for future projects.

The legal basis for the processing

The processing basis for processing the personal data is the Personal Data Protection Regulation Article 6 No. 1 f) legitimate interest.

The business has carried out a step-by-step balancing of interests to determine whether the individual's privacy outweighs the business's legitimate interest. The business has concluded that there is a legitimate interest in processing specified personal data to achieve the above-mentioned purpose.

There is a clear interest for the company's customers in using a project management, business management and implementation tool, and in reducing the amount of unresolved questions and points of dispute in the business, contract and in projects. A documentation log that ensures traceability, validity and verifiability will help facilitate clarity and cooperation between the business and the suppliers, and reduce the risk of disagreements and disputes as plans, changes, approvals and decisions are documented. A system that ensures documentation directly in the system also reduces the risk of human failure in internal archiving routines.

There are a number of different legal requirements relating to documentation obligations in various subject areas, e.g. in accounting and security. The system can help to document compliance with these. Industry practice for documentation requirements in various relevant subject areas has already been established.

There is also a clear interest in establishing an experience log that is independent of the specialist resources from previous projects and independent of internal archiving systems on various projects. The experience log will be able to contribute major savings, professional development and reduction of risk.

What personal data is processed

For all modules in Omega 365, personal information is collected through the creation of user accounts and job descriptions. The information categories are explained in more detail below, and apply to general contact and usage information, as well as statistics on the use of the service. The personal information that is registered will be linked to the registered person's employment, including the employee's telephone number and email address issued by the employer.

The following information is collected in connection with user accounts in Omega 365:

• Name
• E-mail address
• Employer
• Employer's organization number
• Work location
• User activity linked to user account

In addition, it is possible to supplement with who has access to the personal data, as well as date of birth, telephone number, professional areas and functional roles/job description.

Authentication and user access

In order to interact in Omega 365, a user must be created. Users create their own passwords, or are authenticated via Office365 / Azure AD. When a user is created, the user's name, telephone number, e-mail address, employer and any title are registered.

Users are created and exist in the system without being associated with a unit, project or role in the system. This means that users can see other users and the above-mentioned personal data, across roles, units and projects. Omega365 refers to this as a partially open register, and considers this necessary to achieve its objectives. The data subjects' rights are safeguarded in the form of minimizing measures, as described below.

It is an information technology necessity that users can exist in the system independently of access to roles or units in the business, such as e.g. one project. After the creation of a user, that person can be assigned one or more roles, units or projects. Furthermore, the user can be moved between units, projects and roles, access can be changed, or the user can exist in the system without assignments if the person concerned is not engaged in a unit or a project at the relevant time. This makes the system efficient and user-friendly, while at the same time achieving the purposes of the treatment.

If the user had to be associated with specific units in the business, projects or roles, the user would have to be created several times corresponding to the number of units, projects and roles the person was involved in. This would be impractical and time-consuming, as well as opening up a large degree of human error as there would be multiple users for the same person. It would be particularly problematic in resource management, where the customer would be dependent on having an overview of what resources exist, what availability they have, and what roles, units or projects they are engaged in or can be engaged in. Furthermore, it would be problematic if a user was deleted when a unit, project or role was deleted or changed, or that a user could not be moved between units or projects.

The system thus ensures that individuals do not have to be created manually, and possibly repeatedly, when specific needs arise. The availability to other users also creates the opportunity to act effectively, ask questions, document, make clarifications, obtain approvals etc., among other things in connection with case management, progress plans and interfaces.

The minimizing measures that have been taken to safeguard the rights of the registered in the partly open register are presented below.

One of the minimizing measures is that the personal information that is available to other users is limited to the name, telephone number and e-mail address issued by the employer, the employer, and any title. This information is normally already publicly available. The system does not ask for the employees' private e-mail address or telephone number. Another minimizing measure is that users can be created with an expiry date, so that the customer ensures limited access and deletion in accordance with the allocated unit or the life of the project.

A third minimizing measure is that user administration can be assigned at different levels in the solution, so that the user is assigned roles where they have a service need. The system has a hierarchical organizational structure which means that only certain users can see which units, projects and roles another user has been assigned to, as well as which actions the person takes in the system. The person who is assigned such an administrator role will have access to data about roles, units, projects and actions down the structure in relation to where the person is given access in the organizational structure, but not laterally or upwards in the structure. The customer will organize their own access to the solution for their employees and suppliers.

With this, various unit owners, project owners, project participants and roles only have access to limited personal data about other users. Users cannot see what other users are doing if they belong to another business, or if they belong to the same business, but have not been given specific permission for this.

The right to access and correction

All registered users have the right to access their own personal data. If information in Omega 365 is incorrect, it will be possible to notify about this in order to have it corrected or deleted. All users can correct their own information about name, e-mail and telephone number. Other changes can be made via the system administrator.

Information security and storage

Omega 365 has established routines, processes, procedures and audits in accordance with ISO 27001. These include how security breaches are detected and dealt with, including security breaches affecting personal data. The Omega 365 solution is security tested at least once a year by an external security provider, and a report is made available to the customer. In the event of significant changes or the introduction of new functionality, a new security test is agreed.

Omega 365 has set up the "vulnerability analysis" service, which monitors the infrastructure and alerts relevant personnel. All possible findings are recorded and followed up in Omega 356's ISMS solution. The following security measures have been established:

• Secure authentication with the option of two-factor or via a third party (e.g. Microsoft Azure AD)
• All information exchange takes place with strong encryption and over HTTPS (SSL/TLS)
• Application process for extended access
• Logging of changes to infrastructure
• Change procedure that takes care of evaluation of privacy in the solution
• Risk framework that includes evaluation of privacy in the solution

Omega 365 delivers the service in collaboration with Microsoft Azure at data centers located only in the EU/EEA. Infrastructure and data location is located in a secure operations center that safeguards personal data security and the Personal Data Act, and the General Data Protection Regulation (GDPR).

Omega 365 shall not disclose the personal data of the registered persons without the person requesting access having a legal order or authority in law for the disclosure. The person requesting access must send the legal ruling or a written description of the legal authority to Omega 365. The assessment of access must be carried out by the day-to-day manager, head of department, group manager or legal person.

Deletion

The personal information is stored for as long as is necessary to achieve the purposes for which the personal information was collected. It is the business's legitimate interest in processing the personal data that determines the storage period. The purpose of ensuring the performance of work dictates that the personal data must be stored as long as the work on the primary contract object is ongoing.

The purpose of logging and contract management dictates that the personal data should be stored as long as the primary contract object is in operation, e.g. a building or facility. The reason is that the system must document the plans, inspections, decisions, approvals, etc. that have been made, and which decision-making authority the person had. The need applies as long as disagreements and disputes can arise, including during the entire lifetime of the contractual object.

The purpose cannot be achieved if the personal data is anonymised or pseudonymised. In the case of pseudonymisation, it will be so difficult to identify the relevant person and their decision-making authority that the purpose of log keeping and contract management cannot be achieved.

After the lifetime of the contract object, the purpose of the system is only to form a training and experience archive. The purpose can then be achieved without storing personal data, and at this point personal data will be deleted.

Sub-processors