Entities involved in the processing of data

We share personal data with other legal entities within Aditro group and with other legal entities for the purpose of delivering the agreed services, we thereby distinguish all processing activities by delivery method. Any public legal entities that we share data with are excluded in this overview but can be inferred from the overview under “data processed as part of legal obligations”, we are then either instructed by law to share data or we have expressly agreed the sharing of data with the customer such as there where the law instructs our customers to do so. Data may in this case be shared with foremost governmental agencies such as in the area of taxation, social healthcare, pensions, etc but also private firms such as banks and insurers.
We are thus distinguishing four different groups of entities with whom we share data.
1. Aditro group subsidiaries as sub-processors
2. External entities as sub processors
3. Entities assigned by law
4. Entities in the data lifecycle chain providing ancillary services for the customer

Aditro group subsidiaries as sub-processors

Data Protection and Information Security are central functions within the Aditro Group and all essential policies and controls are effectuated equally throughout all companies that form part of Aditro Group. We therefore hold that data delivered for the purposes of our fulfilment of a contractual obligation to one of the subsidiaries of Aditro Group is to be considered as data delivered to all subsidiaries of Aditro Group. The data exchanged between subsidiaries may however be limited based on the delivery model chosen and the country of operations.

On premise (OP)

During a normal on-premise delivery, the customer has the database containing personal data in-house and we are therefore unable to access the data without permission from the customer. All requirements relating to GDPR compliance mentioned on www.aditro.com/gdpr are applicable to all our products but as the market has shifted towards a cloud service based model we do have more of our newer products available for this model which may mean that functionalities are delivered through an onsite custom installation. Please contact our consulting team for more information.

Outside of onsite installations and maintenance of our products we may be able to access personal data in the normal course of business such as when providing support. In this case you as a customer will be taking initial contact and need to be aware of privacy best practice and operating standards.

Support Services. Any data delivered to us that may contain personal data is not identified as such there where it concerns the normal day-to-day business activities. E-mail and support tickets send to us are send over a trusted network but are left unencrypted. Such E-mails may contain personal data send to us and the sender should be aware that no large amounts of data are send in the text body of the E-mail. In this case think before you send applies and customers will be made aware and our staff will be trained to avoid unnecessary sharing of data.

Technical support services. Customer data for testing or for resolving errors in software or in the handling of software is only used upon consent from customer and preferably within customer environment. The data delivered to us in form of any attachment is removed within two years. We are sending files that may likely contain larger records of personal data such as CSV (excel) or XML files only encrypted and reduce where possible unique identifiers such as personal identification numbers. Of any files delivered to us that may likely contain sensitive data please ensure to:

1. Send files encrypted;
2. Filter personal data and alter by for example anonymizing where possible.

Cloud (CL)

The information under “support services” and “technical support services” applies also to our cloud customers. Otherwise our software as a service will not entail the transfer of large data files as we already are in possession of the database. It is therefore also that we have a special responsibility towards your data. Your data is handled by our centralized Cloud Team with offices in Espoo, Finland. Here delivery management, change management, information security management are working close together to ensure both availability and integrity of your data. Under technical and organisational security measures you will be able to find more information on how your data is safeguarded and respected.

Business Process outsourcing (BPO)

Business Process Outsourcing is foremost done through the entities marked with “BPO” in the company name and data received in the execution of tasks is normally not shared outside the country of operations.

Entity nameCountryBusiness IDAddressMain processing activitiesApplicable for Delivery Model
OPCLPO
Aditro Enterprise OyFinland2644026-6PO Box 201, 02631 Espoo, FinlandMain processor for customers within private sector in Finland (excl. BPO customers) ; software support, maintenance and consultancy services for all customers in the private and public sectorsXXX
Aditro Shared Services OyFinland2644030-3PO Box 201, 02631 Espoo, FinlandCloud hosting, development, support and maintenance; IT security; technical consultancy; software support, maintenance and consultancy for all Cloud and BPO Customers of Aditro in the NordicsXX
Aditro BPO OyFinland2644031-1PO Box 201, 02631 Espoo, FinlandMain processor for BPO customers in Finland. Business process outsourcing services in Finland; payroll, travel management and super user servicesX
Aditro Estonia OÜEstonia11180790Mäealuse 2/2
EE-12918 Tallinn, Estonia
Business process outsourcing services from Estonia, if and as agreed with the customer in the master agreementX
Aditro Enterprise ABSweden556985-9829Box 1102, 172 22 Sundbyberg, SwedenMain processor for customers within private sector in Sweden (excl. BPO customers); software support, maintenance and consultancy services for all customersXXX
Aditro Shared Services ABSweden556985-9811Box 1102, 172 22 Sundbyberg, SwedenCloud development, support and maintenance; IT security; technical consultancy; software support, maintenance and consultancyXX
Aditro BPO ABSweden556601-8080Box 1102, 172 22 Sundbyberg, SwedenMain processor for BPO customers in Sweden; Business process outsourcing services, payroll, travel management and super user services.X
Aditro Enterprise ASNorway913 143 663Trelastgata 3, 0191 OsloMain processor for customers within private sector in Norway (excl. BPO customers); software support, maintenance and consultancy services for customers

Cloud development, support and maintenance; IT security; technical consultancy; software support, maintenance and consultancy
XXX
Aditro BPO ASNorway813 285 762
Trelastgata 3, 0191 Oslo
Business process outsourcing services in Norway; payroll, travel management and super user servicesX

External entities as sub-processors

As part of our service delivery we may use external parties, in the case where such external parties have access to personal data these are listed here. Based on the access to personal data these sub-processors have received a criticality status critical or major. There where the sub-processor is listed as critical the sub-processor is subject to an on-site audit according to our audit policy.

On-Premises (OP)

Technical Support Services, customer data only used upon consent from customer and preferably within customer environment. There are limited entities that may be involved in sub processing and this is only due access to support incidents or through additional products purchased.

Cloud

For cloud service management we have strategical partners for the provision of hosting services and back-ups management. Please find more information below.

Business Process Outsourcing (BPO)

As part of the business process outsourcing delivery model we have partnerships with companies foremost for the provision of ancillary services such as printing and postage of payslips, such ancillary services are always agreed on in the master agreement. Please find more information below.

General InformationSelection criteria
Entity nameCountry¹Business IDAddressMain processing activitiesDelivery Model²CountryᶾCustomer Scope⁴
OPCLOUDBPO
Microsoft Sweden 556533-4804 Box 27, 164 93 Kista Access to information from Aditro support incodents for internal applications that may contain personal data. X X X Nordic ALL (EU14)
Elisa Appelsiini OyFinland1539836-5Kaarlenkatu 11, 00530 HelsinkiHosting of all Private sector cloud delivered applicationsXXNORDICALL
ProACT Finland OyjFinland1084241-2Aku Korhosen tie 8-10, 00440 HelsinkiBack-up services provider for Aditro internal applications (not including Aditro cloud environments).XXNORDICALL
CGI Suomi OyFinland0357502-9PL 38, 00381 HelsinkiAccess to information from support incidentsXXXFIONE CUSTOMER
Tom Sønderup I/SDenmark31824559Jyllandsgade 9, 4100 RingstedPartner for BPO Delivery in DenmarkXDKALL
Microsoft AzureSweden556533-4804Box 27, 164 93 KistaAccess to information from support incidents for Aditro Pay and hosting platform for Aditro Pay and Aditro AnalyticsXXSEBASED ON PURCHASED PRODUCT
Rely I Mälardalen ABSweden556744-5589Gånstavägen 4, 749 43 EnköpingPartner for HR (Personec HR) and TEIS and XAIS supportXXXSEBASED ON PURCHASED PRODUCT
Opus Capita Group OyFinland1465570-2Postintaival 7, 00230 HelsinkiPrinting services, delivery services, transferring services to home addresses of pay slip or employment related informationXFIBASED ON AGREEMENT
Opus Capita ASNorway966565772Postboks 500, 8601 Mo i RanaPrinting services, delivery services, transferring services to home addresses of pay slip or employment related informationXNOBASED ON AGREEMENT
Taavi Tarkvara OÜEstonia10265337Turu plats 5-17, Tallinn 11611, EestiPayroll and HR software provider in Estonia.XEEBASED ON AGREEMENT
Evry Norge ASNorway933 012 867Postboks 4, 1330 FornebuHosting of Payroll solution dedicated for customerXNOONE CUSTOMER
Visma Software ASNorway933646920Postboks 733 Skøyen, 0214 OsloSoftware provider, payroll system. SaaS service (storage, system admin, support) of payroll platform.XXNOONE CUSTOMER
EG A/SDenmark84667811Industrivej Syd 13 C, 7400 HerningHosting of Payroll solution dedicated for customerXXDKONE CUSTOMER
MinuitFinland2695592-1Yliskalliontie 3 J 2, 02210 EspooDelivery of customer specific subscriptions and reports for customers of Aditro’s Trip & Expense serviceXXXNORDICRESELLER, BASED ON PURCHASED SERVICE/PRODUCT
ReachMee ABSweden556675-7810Rosenlundsgatan 52, 118 63 StockholmRecruitment software as SaaS service (storage, system admin, support )XXNORDICRESELLER, BASED ON PURCHASED PRODUCT
DGC One ABSweden556624-1732Sveavägen 143, 113 46 StockholmProvision of hosting services for above mentioned ReachMee recruitment software.XXNORDICRESELLER, BASED ON PURCHASED PRODUCT
NorlicFinland0592518-4Koulukatu 23, 68600 PietarsaariSupport services for Aditro solutions, cloud hosting and support services relating to Norlic OntimeXXFIRESELLER, BASED ON PURCHASED SERVICE/PRODUCT
Visma Enterprise ABSweden556329-3280Lindhagensgatan 94, 112 18 StockholmVisma Recruit 3rd level support.XXFIRESELLER, BASED ON PURCHASED PRODUCT
Visma Labs ABSweden556515-6196Lindhagensgatan 94, 112 18 StockholmThose customers that have purchased the Visma Recruit solution through Aditro.XXFIRESELLER, BASED ON PURCHASED PRODUCT
Lessor A/SDenmark2420010Gydevang 46, 3450 AllerødSaaS delivery of Lessor payroll solution in DenmarkXXDKBASED ON AGREEMENT
PostNord Strålfors ABSweden556102-9843Helsingborgsvägen 20, 341 33 LjungbyPrint and envelopingXXSEBASED ON AGREEMENT

Country The country from where personal data may be accessed
Relevant selection criteria:
Applicable for Delivery Model Choose the delivery model that is applicable to you as a customer to see which sub-processors may be involved in the processing of
personal data.
Country Here you see whether the sub processor is country specific or whether it applies to the Nordic region as a whole.
CUSTOMER SCOPE Here we have included several definitions to be able to determine if this sub processor is applicable to you.

ALL
This sub processor is applicable to all customers provided that the delivery model and country selection criteria are fulfilled.
ONE CUSTOMER
This sub processor is only applicable to one customer only, if in doubt please contact privacy@aditro.com
BASED ON AGREEMENT
This sub processors fulfil additional services on top of our products, these services are if applicable to you found in the Master
Agreement.
BASED ON PURCHASED PRODUCT
This sub processor is only applicable when you have purchased the product named in the main processing activities column.
RESELLER, BASED ON PURCHASED PRODUCT
This sub processor is only applicable when you have purchased the product named in the main processing activities, the product is
purchased through us and we perform our audit and controls relating to privacy and security towards this sub processor.

Data transferred outside EU/EEA

We have as part of our commitment to enrol equal requirements to our subcontractors and sub processors checked whether data will once within their domain be transferred to countries outside the EU/EEA. As of yet we are not and neither our processors transferring any data outside the EU/EEA. Any exclusions to this rule are always customer specific and expressly included in the data processing agreement with the customer.

As stated above, Aditro Analytics and Aditro Pay will be hosted by a third-party vendor, Microsoft Azure. Data hosted in the Microsoft Azure environment will be stored within the EU/EEA, but may in limited cases be accessed by Microsoft support resources located outside the EU/EEA as part of Microsoft’s support services, all such transfer will then be subject to the EU Standard Contractual Clauses and Microsoft’s adherence to the EU-US Privacy Shield, as set out in Microsoft’s Online Services Terms applicable from time to time (https://www.microsoft.com/en-us/trustcenter/Privacy/).

Entities assigned by law

Please see the overview of relevant laws that are observed under data processed as part of relevant legal obligations. Accounting laws may for example require us to store some source data that has been used for calculating relevant pay. Other laws may require us to share data directly with Tax Agencies.

Entities providing ancillary services

Entities that we may share data with are entities that provide ancillary services for our products. Payroll applications may transfer data towards Banks though our integration services. Please consult the master agreement you have with us as such sharing of data is expressly agreed.