Privacy compliance with Aditro

The decisions you make with respect to the processing of your data are critical for ensuring compliance with your obligations under the General Data Protection Regulation (GDPR). But how will you comply with these obligations while also meeting your legal requirements under national legislation and your specific business needs?

Classify your data with our classification program in line with data protection principles to simplify compliance. Meet your legal requirements with ease thanks to our minimum retention times. Do you need to add special purpose categories or set different retention times than those proposed? No problem. Simply tailor these policies to your business needs with our fully customizable solutions.

A processor should merely process your data according to your instructions. We see ourselves as more than just your processor – as your business partner, we are committed to sharing our expertise by building smart features to make your data decisions easier.

To make full use of the privacy features in our products, we recommend following the four simple steps below. You can either follow our standard for data classification and retention or modify the settings to suit your business needs.

Don’t hesitate to get in touch if you have any questions.

IMPLEMENTATION

Summary
First, you will need to define the lawful basis for the processing of your data. We need to know this before we can proceed to the following steps, and it may affect the removal process. Separating personal data into privacy categories is a prerequisite for the data report and data export functions, which are important for safeguarding data subject rights. Purpose categories and retention times need to be defined to ensure that statutory requirements and your specific business needs are met, and this will in turn result in your own records of processing. We need you to analyze your data flows so that we can help you set up secure transfer methods and you can establish clearly defined access rights settings.

1. Mark lawful basis of processing

Contract

Personal data required for performance of employment contract.

Consent

Personal data not necessary for the performance of the employment contract.

A lawful basis is required for processing personal data. Contract, consent, legitimate interest and statutory law are among the lawfulness categories available. You can use our Records of Processing as a template if you do not process personal data on the basis of consent or legitimate interest.

contract and consent

If any data is collected on the basis of legitimate interest or consent, such data may be eligible for removal at the request of the data subject. To simplify removal, mark such data in advance.

2. Classify data for proper management

Indirect
Personal data relating indirectly to a person because the chance that it will apply to others is high and the distinctive nature is low.

Direct
Personal data that is unique or highly unique to only one individual.

Sensitive
Data that is sensitive due to its nature.

All personal data that is part of our standard configuration is divided into the three categories mentioned above. The sensitive data category is in line with the limitative special categories of processing in the GDPR. Directly identifying personal data and sensitive data will be compiled with your records of processing in a data report to notify your employees of the typical type of data processed, and the data export (portability) function will deliver all data in a machine-readable format.

Intelligent data

Our standard has indexed data in several classes to ensure data is managed appropriately down the line. Sensitive data is earmarked according to GDPR requirements, and personal information relating directly to an individual is separated from other personal data.

3. Perform data life-cycle settings

Product
Data is required for the product to fulfill its purpose.

Legal
Data is required for compliance with a statutory obligation.

Customer
Data that we process but do not need.

Each lawfulness category may have one or more purposes of processing. We have added several predefined purposes as a recommendation, but you are welcome to adapt them to your business and responsibilities as a controller. The purposes are grouped by purpose classification. You will then need to set retention times based on the purposes of processing. We also provide recommended retention times tailored to your national statutory requirements in our Records of Processing for use at your discretion. Once you have set your purposes of processing and retention times, you will have what you need to prepare your records of processing.

Data is grouped in a number of classes to ensure end of life is followed by removal or anonymization. Please check the Records of Processing to see our standard for data retention.

4. Set up access rights and control data flow

Direct transmission
Fewer processing operations on data reduce stress on integrity and accuracy.

Email
Sensitive or highly unique directly identifying personal data should be encrypted.

Access
Data should not be accessible to anyone who does not need it or should not have access to it.

Controlling who has access to data and how it is transferred is essential for maintaining accuracy, integrity and security. Start by analyzing your data flows, especially at the end of the data life cycle. Based on your analysis, we can help you set up email encryption, a direct connection between your company and ours, and/or direct integrations with third parties such as unions, banks and employee benefit providers.

GDPR - flow and access

This step is mandatory to reduce the likelihood of personal data breaches.

DOCUMENTATION

1 Data Processing Agreement

The Data Processing Agreement governs the formal relationship and obligations between Aditro as a processor and you as a controller.
ENGLISH
NORWEGIAN
SWEDISH
FINNISH

2 Data protection policy – Processor

The Data Protection Policy describes the organizational and technical safeguards Aditro has implemented to protect personal data.
ENGLISH
NORWEGIAN
SWEDISH
FINNISH

3 Records of Processing

The Records of Processing disclose the contact details of our data protection officer, the purposes of processing, a description of the categories of personal data, the categories of recipients, and technical and organizational security measures.
ENGLISH
FINNISH

4 Data Governance Framework 

This document aims to provide a framework for stronger data governance utilizing classification on the basis of the data protection principles and goals.
ENGLISH

5 Compliance matrix

The Compliance Matrix gives an overview of the GDPR requirements and how they are reflected in Aditro’s processes and solutions.
ENGLISH

CONTACT

Data Protection Officer
Ian van de Walle
Email

CONSULTANTS
Sweden
Kundsidor

Norway
Kundesider

Finland
Asiakassivut

ADDITIONAL INFORMATION

Webinars
GDPR Road to Compliance (click to watch recording)

GDPR Road to compliance for outsourcing customers (click to watch recording)

Outsourcing Road to Compliance (slides from webinar)

Videos 
Aditro Summit Recording (Swedish)
Aditro Summit Q&A Session (English)

CONSULTING SERVICES
Norwegian consulting package form