Description of Processing Activities

Controller
Customer

Processor
Talenom Redovisning AB

Purpose of the processing of personal data

Personal data is processed and stored to produce the services provided by the Processor in a contractual relationship between the Processor and the Controller. Personal data is processed and stored to fulfil statutory requirements and obligations related to the processing of personal data,

  • to produce and develop services that the Controller orders from the Processor
  • Controller’s employees: payroll and personnel administration
  • Controller’s private customers: follow-up of receivables
  • Partner in a joint-stock company: management of the joint-stock company
  • Members of an association: management of the association and invoicing

What personal data do we process?

Categories of data subjects and categories of personal data:

Controller’s employees: payroll and personnel administration (payroll administration)

Follow-up of receivables from the Controller’s private customers (accounting)

Partner of a limited liability company: management of the joint-stock company (joint-stock company)

Member register associations: management of associations and invoicing (associations and organizations)

Personal data processed are:

  • name, personal identity number (payroll administration, accounting, limited companies, associations and organizations)
  • address, e-invoice address, telephone number, e-mail address, data used by the online service (payroll administration, accounting, limited companies, associations and organisations)
  • personal identity number, language (payroll administration, limited companies, associations and organizations)
  • bank account details (payroll administration, accounting, limited companies, associations and organizations)
  • data on foreclosure (payroll administration, accounting, limited companies, associations and organizations)
  • dividends, shareholder loans (accounting, limited liability companies)
  • tax amount, employment contract (payroll administration, joint-stock company)
  • absences, holidays, medical certificates (payroll administration, limited liability company)
  • employment data (payroll administration)
  • payroll information and benefits (payroll administration)
  • data on trade union membership fees (payroll administration)
  • registrations of working hours, hourly wages (payroll administration)

Regular sources of information

In addition to their own data, the Controller adds the personal data of their personnel and customers to the Processor’s electronic services. Personal data may be added based on electronic and/or physical material provided by the Controller.

In addition, personal data is collected from public authorities, insurance companies, trade union membership fee associations, credit granting services and from other parties whose data is to be processed in services provided by the Processor, such as salary calculations.

Users’ data is automatically collected to develop the services and products provided by the Processor and to develop customer service, for example by using cookies from browsers in the Processor’s electronic products and online services.

Recipients of personal data incl. in third countries and international organisations

The Processor may disclose the Controller’s personal data within the framework of the applicable legislation and in accordance with the terms between the Processor and the Controller. Register data may be disclosed to public authorities, insurance companies, trade unions, or unemployment insurance funds. The Processor has a statutory obligation to disclose personal data to authorities that on a legal basis submit a written request for it. Personal data will not be transferred outside the European Union (“EU”) or the European Economic Area (“EEA”) unless the Controller has given their prior written consent. Data transfers requested by the Controller to be made to areas outside the EU or EEA are carried out in accordance with the requirements of the standard contractual clauses regarding data transfer in the EU General Data Protection Regulation.

Disclosure procedures for personal data

Data is disclosed to the Client’s auditor without a separate power of attorney for the execution of the agreement between the Controller and the auditor. In the case of other partners of the Controller, such as lawyers and consultants, a separate written consent is requested from the Controller for the disclosure of data. In connection with the release of written material, a certificate of disclosure of the data is drawn up, which contains basic information on the material disclosed, to whom it has been disclosed and when. The certificate is saved in the Controller specific folders for possible proof later. In connection with the release of digital material, personal user IDs are created for the Controller company’s partners in the Processor’s information system. The Controller’s partner will have access to the material with these codes. The Controller’s request to obtain login credentials to the System and to provide access to the Controller’s Data also includes the Controller’s consent to share the Controller’s Data with the respective partners. Information is disclosed to public authorities, insurance companies, trade unions or unemployment insurance funds without the Controller’s authorization or consent, if it has been stipulated by law on the disclosure of the information. The processing of digital material is monitored with the help of transaction data in information systems, i.e. log data that is saved and monitored automatically or manually. In addition, log data can be used for evidence of events if necessary.

Technical and organizational security measures

Register data processed electronically is protected by technical firewalls, passwords, the possibility of two-step identification of the Controller’s employees when logging in to the Processor’s financial administration system and other generally adopted technical means in the information security industry. The data transfer between the Controller and the Data Processor is encrypted with TLS (Transport Layer Security) technology in the software and applications currently used by the Processor or provided to its customers. The data is backed up regularly, and the backups are stored in a different location from the original data.

The Processor protects the Controller’s information against unauthorized access and disclosure. Only appointed employees of the Processor and employees of companies working on behalf of the Processor have access to the data contained in the register, based on separately granted user rights. User rights are monitored, and dangerous combinations of rights have been prohibited in the user rights management policy. Whether such combinations arise is monitored as part of user rights management. In particular, the user rights of the main users of the different systems are regularly checked and removed when the user no longer needs the rights. The user rights of employees who have left the Processor are removed from all systems when the employment ends.

The Controller’s data is only processed by the Processor’s employees whose job description requires the processing of the data in question. Processing of personal data on other grounds is prohibited for the Processor’s employees, even if the Processor’s employees have technical access to the Controller data due to their duties and for business reasons. The Processor’s entire staff and external persons who work on behalf of the Processor are bound by confidentiality regarding all information and personal data regarding the Controller’s financial administration. The non-disclosure agreement is written into the employment contracts of the Processor’s employees, including the sanctions caused by breaches of the duty of confidentiality. The non-disclosure agreement, including sanctions caused by breaches of professional secrecy, has been written into agreements concluded with third parties.

Employees who process the Controller’s data are regularly trained. The legal grounds for processing data at work are an essential part of the training. The data protection and information security knowledge of the Processor’s personnel is regularly maintained in various ways, for example by arranging regular information meetings for the entire personnel of the company regarding data protection and information security. In addition, mandatory training in data protection and information security is organized annually for employees. Employees must pass a test in the subject area with a passing grade. The Processor has designed a data protection policy that every new employee of the Processor gets to know when they start their service. The regular information security training sessions provide information about the information security policy and where it can be read. Workers are reminded that they are bound by the policy. The information security policy describes the general rules on information security and data protection that oblige employees, whether they are technical rules, information security processes or procedures and instructions to be applied in daily work.

The Controller’s data is processed in information systems located in server halls in Finland or in cloud services within the EU. In the server halls in Finland, the most important production systems have been duplicated into two (2) physically separated server halls to ensure the security, data storage and continuity of the service under both normal and exceptional conditions. These server halls are operated under security procedures, access control and monitoring certified by the service provider. Manually maintained materials are located in premises to which access control prevents unauthorised persons from gaining entry. Video surveillance is used in the most important premises for the purpose of investigating and detecting possible breaches of physical security.

The Processor carries out internal evaluations and allows third parties to carry out evaluations that cover both the technical security of critical information systems and the processes and instructions related to the administrative aspect of information security and data protection.

The Controller is responsible for ensuring that adequate technical and organizational data protection measures are implemented and maintained.

Planned times for deletion of data

The Processor removes the Controller’s personal data to the extent required by law when the Controller leaves the Processor. The data is deleted when five (5) years have passed from the end of the customer relationship. After deletion in the operational information systems, the data will be automatically deleted from the backup copies within six (6) months.

Rights of data subjects

The Controller describes in a separate documentation which matters the data subjects must be informed about. In accordance with sections 15–22 of the EU General Data Protection Regulation, the data subject has the right to:

  1. control personal data;
  2. request correction of data;
  3. request the deletion of data;
  4. limit the processing of data;
  5. request the transfer of data from one system to another;
  6. object to the processing of their personal data; and
  7. lodge a complaint with the supervisory authority;

access such personal data that has been registered about him or her in the Processor’s system. The exercise of certain of the data subject’s rights is limited by other mandatory legislation, according to which the Processor has the right and obligation to justifiably refuse to rectify, delete, restrict the processing of the data or transfer them from one system to another. An example of such legislation is the Accounting Act, which stipulates that supporting documents related to the payroll calculation must be stored, regardless of the rights that the data subject has under the General Data Protection Regulation. In situations where the data subject wishes to check or change data in a personal data file belonging to the Controller, the data subject must submit a request for verification or change of the data to the Controller. The Controller then completes the implementation of the verification or change request together with the Processor for the personal data. In such a situation, the Controller must submit the written request for verification to the e-mail address mentioned below. The request for verification and amendment must state which personal data is to be checked and the name of the register to which the request relates. The request should be sent by e-mail to: dataskydd@talenom.se. Data subjects may exercise their right of access under the Personal Data Act free of charge only once a year.

Instructions for the controller

The Controller may, in a separate documentation, provide more detailed instructions to the Processor on the processing of the data. The Processor stores the instructions in a customer-specific file folder, as part of the Controller’s instructions.

Notification of personal data breaches

To the controller

The notification must be made to the Controller without undue delay after a personal data breach has been discovered. The notification must describe the nature of the personal data breach and the measures taken in the manner required by legislation.

To the data subject

The Controller will notify the data subject if the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject. The notification must describe the nature of the personal data breach and the measures taken in the manner required by law.

To the supervisory authority

The Controller’s obligation is to submit a notification to the relevant public authority within 72 hours of discovery if it is likely that the personal data breach will result in a high risk to the rights and freedoms of a natural person. The Processor assists the Controller in drawing up a notification upon separate request. The notification is made in accordance with the instructions of the Data Protection Ombudsman.

Processor (service provider) and contact details

Name of the Processor: Talenom Redovisning AB

Data Protection Officer: Jimmy Dahmén
Tel. 08 505 736 75
E-mail: jimmy.dahmen@talenom.se
Address:
Holländargatan 13, 111 36 Stockholm or Box 842, 101 36 Stockholm
Tel. 08 505 736 10 (switchboard)

Subcontractors

The Controller has given their general consent to the use of subcontractors. A list of subcontractors is provided on request.