Hudya’s principle of “YOYOD”, You Own Your Data, is a promise to our customers. To make it something more than an empty statement, it must also extend to Hudya employees and partners: in servicing our customers, each person is responsible for using and managing the customer’s data with this principle in mind. Furthermore, Hudya IT systems need to support customers, employees, and partners in this task.
This is no small undertaking! We want to be transparent, so this Code of Conduct for Hudya employees and partners is publicly available. This way you, as a customer, can hold us responsible and help us improve.
Code of Conduct
- What, who, why
The customer promise “You Own Your Data” means that as a Hudya representative you need to make sure that:
- the customer knows what you do with his or her information
- who you share it with, and
- that you from the customer’s perspective have a valid reason to do what you do
- No limit
There is no limit to what the customer owns. If it can be associated with a named person, that person owns that data, and this Code of Conduct applies
- Only YOU!
Hudya is really many different types of businesses in one. Most employees and partners DON’T have a valid reason to access a customer’s information. You and only you, with your role and your officially assigned tasks, can have a valid reason to access a customer’s information
You have the responsibility to protect the customer’s YOYOD right. This also means that you need to act when it is violated
What This Means From A Practical Point of View
- What, who, why
- Customers give us some consent to use their information through our terms and conditions (Hudya account and for each service) and Hudya data privacy terms
- In addition, you can and should ask the customer explicitly for anything outside these consents or if you are not sure
- The proof that we asked is on Hudya’s side; we are thus continuously working on simplifying, through MyHudya, how customers can actively manage how we use their information without making it a burden for everyone
- Customers can always withdraw their consent to how we use their data, even if that means we have to terminate their service (if we cannot offer the service without that particular use of data)
- You cannot share personal information in Hudya email (as it is not protected well enough); you must use Cisco Webex Teams (Spark) for messages or Tresorit (for file sharing). You also need to make sure that you ONLY share in rooms set up with members who, on their own, have a valid reason to access that information, just like you
- If you need personal information from a customer, the chat is secure for sharing personal information, while email is not
- If you are uncertain about whether a certain use or sharing of a customer’s information is approved, ask your manager or reach out to Greger, who is the Data Protection Officer (DPO), a role mandated by EU GDPR laws and ultimately the person responsible for how Hudya handles customers’ data
- All ways we handle and process data on a regular basis should be available publicly on this site. Any ad-hoc use of personal data, like campaigns, email or SMS messages, data analysis, etc., is recorded continuously internally (and can be requested by authorities)
- Any new ways of processing or handling customer data must be approved by the Data Protection Officer (Greger)
- No limit
- In Hudya we protect all information that can be associated with a named person as sensitive. The reason is that seemingly innocent information can quickly become sensitive
- At Hudya we want to simplify people’s lives. To do this we need to process data about the customer and the customer’s services. But we don’t want to surprise customers and spook them because we know things about them that they didn’t know we knew. We thus want to make sure that our customers expect things before we do them. It boils down to respect for our customers and the YOYOD principle, a respect YOU as a Hudya representative must show
- Only YOU!
- If a customer has revealed a life-threatening illness as part of insurance services and then requests a house mortgage, Hudya has a valid business reason for saying no. BUT we don’t have a valid MORAL reason, and we are legally not allowed to use that information across services, even if it’s about the same person
- We have three ways of ensuring that this does not happen: IT systems don’t allow access, different Hudya representatives handle different requests, and YOU respect the boundaries. To the extent possible, Hudya IT systems are continuously improved to “sandbox” and protect information so that the information is not even accessible
- However, there will always be situations where you as a Hudya representative have to make a decision that should respect the individual, the laws, and the YOYOD principle
- As a Hudya individual you are ultimately legally and morally responsible for making sure that Hudya as a company actually does what we say we are doing
- Nobody’s perfect and mistakes happen. It is then your responsibility to correct it AND report it. We are morally and legally responsible for alerting the customer to any mistakes, leaks, or other incidents that affect them. If the incident covers many customers, we may be obligated to report the incident to authorities WITHIN 72 HOURS! Immediately reach out to Greger if you suspect an incident of such scope
Any questions, comments, breaches, or improvement suggestions can be sent to Hudya Data Protection Officer, our CTO, Greger Teigre Wedel, at firstname.lastname@example.org.