Privacy compliance with Aditro

The decisions you make with respect to the processing of your data are critical for ensuring compliance with your obligations under the General Data Protection Regulation (GDPR). But how will you comply with these obligations while also meeting your legal requirements under national legislation and your specific business needs?

Classify your data with our classification program in line with data protection principles to simplify compliance. Meet your legal requirements with ease thanks to our minimum retention times. Do you need to add special purpose categories or set different retention times than those proposed? No problem. Simply tailor these policies to your business needs with our fully customizable solutions.

A processor should merely process your data according to your instructions. We see ourselves as more than just your processor – as your business partner, we are committed to sharing our expertise by building smart features to make your data decisions easier.

To fully use Privacy features in our products we recommend to follow the four simple steps below, choose to follow our standard for data classification and retention or modify settings to suit your business needs.

Don’t hesitate to get in touch if you have any questions.


First, you will need to define the lawful basis for the processing of your data as we need to know this before we can proceed to the following steps and it may affect the removal process. Separating personal data into privacy categories is a prerequisite for the data report and data export functions, which are important for safeguarding data subject rights. Purpose categories and retention times need to be defined to ensure that statutory requirements and your specific business needs are met, and this will in turn result in your own records of processing. We need you to analyze your data flows so that we can help you set up secure transfer methods and you can establish clearly defined access rights settings.

1. Mark lawful basis of processing


Personal data required for performance of employment contract.


Personal data not necessary for the performance of the employment contract.

A lawful basis is required for processing personal data. Contract, consent, legitimate interest and statutory law are among the lawfulness categories available. You can use our Records of Processing as a template if you do not process personal data on the basis of consent or legitimate interest.

contract and consent

If any data is collected on the basis of legitimate interest or consent such data may be eligible for removal on request of the data subject, in order to simplify removal mark such data in advance.

2. Classify data for proper management

Personal data relating indirectly to a person because the chance that it will apply to others is high and the distinctive nature is low.

Personal data that is unique or highly unique to only on individual.

Data that is sensitive due to its nature.

All personal data that is part of our standard configuration is divided into the three categories mentioned above. The sensitive data category is in line with the limitative special categories of processing in the GDPR. Directly identifying personal data and sensitive data will be compiled with your records of processing in a data report to notify your employees of the typical type of data processed and the data export (portability) function will deliver all data in a machine-readable format.

Intelligent data

Our standard has indexed data in several classes to ensure data is managed appropriately down the line. Sensitive data is earmarked according to GDPR requirements and personal information relating directly to an individual is seperated from other personal data.

3. Perform data life-cycle settings

Data is required for the product to fulfill its purpose.

Data is required for compliance with a statutory obligation.

Data that we process but do not need.

Each lawfulness category may have one or more purposes of processing. We have added several predefined purposes as a recommendation, but you are welcome to adapt them to your business and responsibilities as a controller. The purposes are grouped by purpose classification. You will then need to set retention times based on the purposes of processing. We also provide recommended retention times tailored to your national statutory requirements in our Records of Processing for use at your discretion. Once you have set your purposes of processing and retention times, you will have what you need to prepare your records of processing.

Data is grouped in a number of classes to ensure end of life is followed by removal or anonymization. Please check the Records of Processing to see our standard for data retention.

4. Set up access rights and control data flow

Direct transmission
Fewer processing operations on data reduces stress on integrity and accuracy.

Sensitive or highly unique directly identifying personal data should be encrypted.

Data should not be accessible to anyone who does not need it or should not have access to it.

Controlling who has access to data and how it is transferred is essential for maintaining accuracy, integrity and security. Start by analyzing your data flows, especially at the end of the data life cycle. Based on your analysis, we can help you set up email encryption, a direct connection between your company and ours, and/or direct integrations with third parties such as unions, banks and employee benefit providers.

GDPR- flow and access

This step is mandatory to reduce the likelihood of personal data breaches.


1 Data protection policy – Processor

The Data Protection Policy describes the organizational and technical safeguards Aditro has implemented to protect personal data.

2 Records of Processing

The Records of Processing disclose the contact details of our data protection officer, the purposes of processing, a description of the categories of personal data, the categories of recipients, and technical and organizational security measures.

3 Data Governance Framework 

This document aims to provide a framework for stronger data governance utilizing classification on the basis of the data protection principles and goals.

4 Compliance matrix

The Compliance Matrix gives an overview of the GDPR requirements and how they are reflected in Aditro’s processes and solutions.


Data Protection Officer
Frida Stenbäck, Group Privacy Officer & DPO

Click on link below

Click on link below

Click on link below