Entities involved in the processing of data
We share personal data with other legal entities within Aditro group and with other legal entities for the purpose of delivering the agreed services, we thereby distinguish all processing activities by delivery method. Any public legal entities that we share data with are excluded in this overview but can be inferred from the overview under “data processed as part of legal obligations”, we are then either instructed by law to share data or we have expressly agreed the sharing of data with the customer such as there where the law instructs our customers to do so. Data may in this case be shared with foremost governmental agencies such as in the area of taxation, social healthcare, pensions, etc but also private firms such as banks and insurers.
We are thus distinguishing four different groups of entities with whom we share data.
1. Aditro group subsidiaries as sub-processors
2. External entities as sub processors
3. Entities assigned by law
4. Entities in the data lifecycle chain providing ancillary services for the customer
Aditro group subsidiaries as sub-processors
Data Protection and Information Security are central functions within the Aditro Group and all essential policies and controls are effectuated equally throughout all companies that form part of Aditro Group. We therefore hold that data delivered for the purposes of our fulfilment of a contractual obligation to one of the subsidiaries of Aditro Group is to be considered as data delivered to all subsidiaries of Aditro Group. The data exchanged between subsidiaries may however be limited based on the delivery model chosen and the country of operations.
On premise (OP)
During a normal on-premise delivery, the customer has the database containing personal data in-house and we are therefore unable to access the data without permission from the customer. All requirements relating to GDPR compliance mentioned on www.aditro.com/gdpr are applicable to all our products but as the market has shifted towards a cloud service based model we do have more of our newer products available for this model which may mean that functionalities are delivered through an onsite custom installation. Please contact our consulting team for more information.
Outside of onsite installations and maintenance of our products we may be able to access personal data in the normal course of business such as when providing support. In this case you as a customer will be taking initial contact and need to be aware of privacy best practice and operating standards.
Support Services. Any data delivered to us that may contain personal data is not identified as such there where it concerns the normal day-to-day business activities. E-mail and support tickets send to us are send over a trusted network but are left unencrypted. Such E-mails may contain personal data send to us and the sender should be aware that no large amounts of data are send in the text body of the E-mail. In this case think before you send applies and customers will be made aware and our staff will be trained to avoid unnecessary sharing of data.
Technical support services. Customer data for testing or for resolving errors in software or in the handling of software is only used upon consent from customer and preferably within customer environment. The data delivered to us in form of any attachment is removed within two years. We are sending files that may likely contain larger records of personal data such as CSV (excel) or XML files only encrypted and reduce where possible unique identifiers such as personal identification numbers. Of any files delivered to us that may likely contain sensitive data please ensure to:
1. Send files encrypted;
2. Filter personal data and alter by for example anonymizing where possible.
The information under “support services” and “technical support services” applies also to our cloud customers. Otherwise our software as a service will not entail the transfer of large data files as we already are in possession of the database. It is therefore also that we have a special responsibility towards your data. Your data is handled by our centralized Cloud Team with offices in Espoo, Finland. Here delivery management, change management, information security management are working close together to ensure both availability and integrity of your data. Under technical and organisational security measures you will be able to find more information on how your data is safeguarded and respected.
Business Process outsourcing (BPO)
Business Process Outsourcing is foremost done through the entities marked with “BPO” in the company name and data received in the execution of tasks is normally not shared outside the country of operations.
|Entity name||Country||Business ID||Address||Main processing activities||Applicable for Delivery Model|
|Aditro Enterprise Oy||Finland||2644026-6||PO Box 201, 02631 Espoo, Finland||Main processor for customers within ||X||X||X|
|Aditro Shared Services Oy||Finland||2644030-3||PO Box 201, 02631 Espoo, Finland||Cloud hosting, development, support and maintenance; IT security; technical consultancy; software support, maintenance and consultancy for all Cloud and BPO Customers of Aditro in the Nordics||X||X|
|Aditro BPO Oy||Finland||2644031-1||PO Box 201, 02631 Espoo, Finland||Main processor for BPO customers in Finland. Business process outsourcing services in Finland; payroll, travel management and super user services||x|
|Aditro Estonia OÜ||Estonia||11180790||Mäealuse 2/2|
EE-12918 Tallinn, Estonia
|Business process outsourcing services from Estonia, if and as agreed with the customer in the master agreement||X|
|Aditro Enterprise AB||Sweden||556985-9829||Box 1102, 172 22 Sundbyberg, Sweden||Main processor for customers within ||X||X||X|
|Aditro Shared Services AB||Sweden||556985-9811||Box 1102, 172 22 Sundbyberg, Sweden||Cloud development, support and maintenance; IT security; technical consultancy; software support, maintenance and consultancy||X||X|
|Aditro BPO AB||Sweden||556601-8080||Box 1102, 172 22 Sundbyberg, Sweden||Main processor for BPO customers in Sweden; Business process outsourcing services in Sweden, payroll, travel management and ||X|
|Aditro Enterprise AS||Norway||913 143 663||Trelastgata 3, 0191 Oslo||Main processor for customers within |
Cloud development, support and maintenance; IT security; technical consultancy; software support, maintenance and consultancy
|Aditro BPO AS||Norway||813 285 762|| |
Trelastgata 3, 0191 Oslo
|Main processor for BPO customers in Norway. Business process outsourcing services in Norway; payroll, travel management and super user services||X|
External entities as sub-processors
As part of our service delivery we may use external parties, in the case where such external parties have access to personal data these are listed here. Based on the access to personal data these sub-processors have received a criticality status critical or major. There where the sub-processor is listed as critical the sub-processor is subject to an on-site audit according to our audit policy.
Technical Support Services, customer data only used upon consent from customer and preferably within customer environment. There are limited entities that may be involved in sub processing and this is only due access to support incidents or through additional products purchased.
For cloud service management we have strategical partners for the provision of hosting services and back-ups management. Please find more information below.
Business Process Outsourcing (BPO)
As part of the business process outsourcing delivery model we have partnerships with companies foremost for the provision of ancillary services such as printing and postage of payslips, such ancillary services are always agreed on in the master agreement. Please find more information below.
|General Information||Selection criteria|
|Entity name||Country¹||Business ID||Address||Main processing activities||Delivery Model²||Countryᶾ||Customer Scope|
|Microsoft||Sweden||556533-4804||Box 27, 164 93 Kista||Access to information from Aditro support incodents for internal applications that may contain personal data.||X||X||X||NORDIC||ALL|
|Elisa Oyj*||Finland||0116510-6||Kaarlenkatu 11, 00530 Helsinki||Hosting of all Private sector cloud delivered applications||X||X||NORDIC||ALL|
|ProACT Finland Oyj||Finland||1084241-2||Aku Korhosen tie 8-10, 00440 Helsinki||Back-up services provider for Aditro internal applications (not including Aditro cloud environments).||X||X||NORDIC||ALL|
|CGI Suomi Oy||Finland||0357502-9||PL 38, 00381 Helsinki||Access to information from support incidents||X||X||X||FI||ONE CUSTOMER|
|Tom Sønderup I/S||Denmark||31824559||Jyllandsgade 9, 4100 Ringsted||Partner for BPO Delivery in Denmark||X||DK||ALL|
|Microsoft Azure||Sweden||556533-4804||Box 27, 164 93 Kista||Access to information from support incidents for Aditro Pay and hosting platform for Aditro Pay and Aditro Analytics||X||X||SE||BASED ON PURCHASED PRODUCT|
|Rely I Mälardalen AB||Sweden||556744-5589||Gånstavägen 4, 749 43 Enköping||Partner for HR (Personec HR) and TEIS and XAIS support||X||X||X||SE||BASED ON PURCHASED PRODUCT|
|Opus Capita Group Oy||Finland||1465570-2||Postintaival 7, 00230 Helsinki||Printing services, delivery services, transferring services to home addresses of pay slip or employment related information||X||FI||BASED ON AGREEMENT|
|Opus Capita AS||Norway||966565772||Postboks 500, 8601 Mo i Rana||Printing services, delivery services, transferring services to home addresses of pay slip or employment related information||X||NO||BASED ON AGREEMENT|
|Taavi Tarkvara OÜ||Estonia||10265337||Turu plats 5-17, Tallinn 11611, Eesti||Payroll and HR software provider in Estonia.||X||EE||BASED ON AGREEMENT|
|Evry Norge AS||Norway||933 012 867||Postboks 4, 1330 Fornebu||Hosting of Payroll solution dedicated for customer||X||NO||ONE CUSTOMER|
|Visma Software AS||Norway||933646920||Postboks 733 Skøyen, 0214 Oslo||Software provider, payroll system. SaaS service (storage, system admin, support) of payroll platform.||X||X||NO||ONE CUSTOMER|
|EG A/S||Denmark||84667811||Industrivej Syd 13 C, 7400 Herning||Hosting of Payroll solution dedicated for customer||X||X||DK||ONE CUSTOMER|
|Minuit||Finland||2695592-1||Yliskalliontie 3 J 2, 02210 Espoo||Delivery of customer specific subscriptions and reports for customers of Aditro’s Trip & Expense service||X||X||X||NORDIC||RESELLER, BASED ON PURCHASED PRODUCT|
|ReachMee AB||Sweden||556675-7810||Rosenlundsgatan 52, 118 63 Stockholm||Recruitment software as SaaS service (storage, system admin, support )||X||X||NORDIC||RESELLER, BASED ON PURCHASED PRODUCT|
|DGC One AB||Sweden||556624-1732||Sveavägen 143, 113 46 Stockholm||Provision of hosting services for above mentioned ReachMee recruitment software.||X||X||NORDIC||RESELLER, BASED ON PURCHASED PRODUCT|
|Norlic||Finland||0592518-4||Koulukatu 23, 68600 Pietarsaari||Support services for Aditro solutions, cloud hosting and support services relating to Norlic Ontime||X||X||FI||RESELLER, BASED ON PURCHASED SERVICE/PRODUCT|
|Visma Enterprise AB||Sweden||556329-3280||Lindhagensgatan 94, 112 18 Stockholm||Visma Recruit 3rd level support.||X||X||FI||RESELLER, BASED ON PURCHASED PRODUCT|
|Visma Labs AB||Sweden||556515-6196||Lindhagensgatan 94, 112 18 Stockholm||Those customers that have purchased the Visma Recruit solution through Aditro.||X||X||FI||RESELLER, BASED ON PURCHASED PRODUCT|
|Lessor A/S||Denmark||2420010||Gydevang 46, 3450 Allerød||SaaS delivery of Lessor payroll solution in Denmark||X||X||DK||BASED ON AGREEMENT|
|PostNord Strålfors AB||Sweden||556102-9843||Helsingborgsvägen 20, 341 33 Ljungby||Print and enveloping||X||X||SE||BASED ON AGREEMENT|
*Elisa Appelsiini Oy (1539836-5) was merged with its parent company Elisa Oyj 0116510-6, as per 31 December 2018.
Country The country from where personal data may be accessed
Relevant selection criteria:
Applicable for Delivery Model Choose the delivery model that is applicable to you as a customer to see which sub-processors may be involved in the processing of
Country Here you see whether the sub processor is country specific or whether it applies to the Nordic region as a whole.
CUSTOMER SCOPE Here we have included several definitions to be able to determine if this sub processor is applicable to you.
This sub processor is applicable to all customers provided that the delivery model and country selection criteria are fulfilled.
This sub processor is only applicable to one customer only, if in doubt please contact firstname.lastname@example.org
BASED ON AGREEMENT
This sub processors fulfil additional services on top of our products, these services are if applicable to you found in the Master
BASED ON PURCHASED PRODUCT
This sub processor is only applicable when you have purchased the product named in the main processing activities column.
RESELLER, BASED ON PURCHASED PRODUCT
This sub processor is only applicable when you have purchased the product named in the main processing activities, the product is
purchased through us and we perform our audit and controls relating to privacy and security towards this sub processor.
Data transferred outside EU/EEA
We have as part of our commitment to enrol equal requirements to our subcontractors and sub processors checked whether data will once within their domain be transferred to countries outside the EU/EEA. As of yet we are not and neither our processors transferring any data outside the EU/EEA. Any exclusions to this rule are always customer specific and expressly included in the data processing agreement with the customer.
As stated above, Aditro Analytics and Aditro Pay will be hosted by a third-party vendor, Microsoft Azure. Data hosted in the Microsoft Azure environment will be stored within the EU/EEA, but may in limited cases be accessed by Microsoft support resources located outside the EU/EEA as part of Microsoft’s support services, all such transfer will then be subject to the EU Standard Contractual Clauses and Microsoft’s adherence to the EU-US Privacy Shield, as set out in Microsoft’s Online Services Terms applicable from time to time (https://www.microsoft.com/en-us/trustcenter/Privacy/).
Entities assigned by law
Please see the overview of relevant laws that are observed under data processed as part of relevant legal obligations. Accounting laws may for example require us to store some source data that has been used for calculating relevant pay. Other laws may require us to share data directly with Tax Agencies.
Entities providing ancillary services
Entities that we may share data with are entities that provide ancillary services for our products. Payroll applications may transfer data towards Banks though our integration services. Please consult the master agreement you have with us as such sharing of data is expressly agreed.