Road to Compliance

The decisions you make with respect to the processing of your data are critical for ensuring compliance with your obligations under the General Data Protection Regulation (GDPR). But how will you comply with these obligations while also meeting your legal requirements under national legislation and your specific business needs?

Classify your data with our classification program in line with data protection principles to simplify compliance. Meet your legal requirements with ease thanks to our minimum retention times. Do you need to add special purpose categories or set different retention times than those proposed? No problem. Simply tailor these policies to your business needs with our fully customizable solutions.

A processor should merely process your data according to your instructions. We see ourselves as more than just your processor – as your business partner, we are committed to sharing our expertise and building smart features to make your data decisions easier.

Our Road to Compliance Action Plan outlines four simple steps with a brief description and a clear overview of when deliveries are due and who should take action. Each step also includes links to relevant documentation from our Road to Compliance Package for more information. Follow these steps with the support of our resources and consultants and you will be well on your way to compliance. Don’t hesitate to get in touch if you have any questions.

Action Plan

First, you will need to define the lawful basis for the processing of your data as we need to know this before we can proceed to the following steps and it may affect the removal process. Separating personal data into privacy categories is a prerequisite for the data report and data export functions, which are important for safeguarding data subject rights. Purpose categories and retention times need to be defined to ensure that statutory requirements and your specific business needs are met, and this will in turn result in your own records of processing. We need you to analyze your data flows so that we can help you set up secure transfer methods and you can establish clearly defined access rights settings. If all of these steps are completed according to our proposed timeline, your policies will be implemented in our products and processes by 25th May.

1. Define lawful basis


Personal data required for performance of employment contract.


Personal data not necessary for the performance of the employment contract.

  • Free choice
  • Please read our statement

A lawful basis is required for processing personal data. Contract, consent, legitimate interest and statutory law are among the lawfulness categories available. You can use our Records of Processing as a template if you do not process personal data on the basis of consent or legitimate interest.

contract and consent

lawfulness definition

2. Make data intelligent

Personal data relating indirectly to a person because the chance that it will apply to others is high and the distinctive nature is low.

Personal data that is unique or highly unique to only on individual.

Data that is sensitive due to its nature.

All personal data that is part of our standard configuration is divided into the three categories mentioned above. The sensitive data category is in line with the limitative special categories of processing in the GDPR. Directly identifying personal data and sensitive data will be compiled with your records of processing in a data report to notify your employees of the typical type of data processed and the data export (portability) function will deliver all data in a machine-readable format.

Intelligent data

3. Differentiate purposes

Data is required for the product to fulfill its purpose.

Data is required for compliance with a statutory obligation.

Data that we process but do not need.

Each lawfulness category may have one or more purposes of processing. We have added several predefined purposes as a recommendation, but you are welcome to adapt them to your business and responsibilities as a controller. The purposes are grouped by purpose classification. You will then need to set retention times based on the purposes of processing. We also provide recommended retention times tailored to your national statutory requirements in our Records of Processing for use at your discretion. Once you have set your purposes of processing and retention times, you will have what you need to prepare your records of processing.

differentiate purpose

4. Control flows & access

Direct transmission
Fewer processing operations on data reduces stress on integrity and accuracy.

Sensitive or highly unique directly identifying personal data should be encrypted.

Data should not be accessible to anyone who does not need it or should not have access to it.

Controlling who has access to data and how it is transferred is essential for maintaining accuracy, integrity and security. Start by analyzing your data flows, especially at the end of the data lifecycle. Based on your analysis, we can help you set up email encryption, a direct connection between your company and ours, and/or direct integrations with third parties such as unions, banks and employee benefit providers. We also need you to tell us who should have access to what data in order to safeguard data subject rights and ensure security.

GDPR- flow and access
Flow and access



1 Data processing agreement

The Data Processing Agreement governs the formal relationship and obligations between Aditro as a processor and you as a controller.

2 Data protection policy – Processor

The Data Protection Policy describes the organizational and technical safeguards Aditro has implemented to protect personal data.

3 Records of processing

The Records of Processing disclose the contact details of our data protection officer, the purposes of processing, a description of the categories of personal data, the categories of recipients, and technical and organizational security measures.

4 Data governance framework 

This document aims to provide a framework for stronger data governance utilizing classification on the basis of the data protection principles and goals.

5 Compliance matrix

The Compliance Matrix gives an overview of the GDPR requirements and how they are reflected in Aditro’s processes and solutions.


 Can our company complete the steps above on its own?

Step 1: This step is your responsibility but this step will influence any adjustments that have to be made in step 3, Contact us if you require assistance from our consultants.

Steps 2 & 3: We aim to provide extensive resources to enable self-service but we recommend that you work with our consultants for best results.

Step 4: We strongly recommend that you contact our consultants for this step.

How do I engage Aditro consultants?

We will launch specific GDPR implementation consulting packages in late March, but you are welcome to contact our consulting team sooner.

How do I find what I need for self-service?

The product-specific information you need for self-service will be made available in late March via guidebooks on the customer pages and a product webinar in beginning of April. You can also find information in our package of documentation. See the resources section of the action plan to learn which documents are relevant to each step.


Data Protection Officer
Ian van de Walle

Click on link below

Click on link below

Click on link below


GDPR Road to Compliance (click to watch recording)

GDPR Road to compliance for outsourcing customers (click to watch recording)

Outsourcing Road to Compliance (slides from webinar)

Aditro Summit Recording (Swedish)
Aditro Summit Q&A Session (English)

Norwegian consulting package form