
GDPR questions and answers

Subcontractors

Simployer engages subcontractors mainly for operations and maintenance of technical infrastructure. There are excellent companies with this as their expertise, and they help Simployer to deliver even better stability, scalability and security than we would manage on our own. That way Simployer can concentrate on being the best HRM solution provider. No one can be experts on everything.

The list of subcontractors is stated in the latest version of the Data Processing Agreement. Also, see the page "Sub processors".

Yes, the Data Processing Agreement gives the Customer the opportunity to refuse any new subcontractor by terminating the agreement with Simployer with 30 days' written notice. If the Customer would like to keep using Simployer, new subcontractors must be accepted. Simployer will never engage subcontractors that we do not consider to be GDPR compliant.

All subcontractors are Simployer's responsibility. The Customer only relates to Simployer and the agreements made with Simployer. Simployer signs DPAs with all of its subcontractors.

No. Simployer has signed agreements with all subcontractors stating that no personnel at the subcontractor may access customer data without a legitimate reason; that is, only if the personnel is authorized by us or by you, the Customer, to handle such data. Simployer has technical measures in place to prevent such access, and will only grant access when needed (when you, the Customer, grant access to assist in support or any other specified assignment/instruction, or in the event of a security-related incident).

Data will primarily be stored in data centers within the EU/EEA. See the entire list in the article "Sub processors".

Service-specific subcontractors may also process data outside of the EU/EEA, but the categories of personal data and the retention time are limited, and we do regular evaluations to make sure that all use of subprocessors is compliant with GDPR and safe to use.

No. According to the existing DPA, Simployer shall notify the Customer about any new subcontractors. If the Customer does not reject the new subcontractor, in writing, within 30 days from the notice, the new subcontractor is accepted under the existing DPA.

Processing of personal data in Simployer

No one in Simployer has access to the customer's data unless the customer requests support and grants Simployer access to the system. In such a support scenario, an identifiable employee in Simployer will have access to the system for a limited period of time.

For the Time & Plan modules, a routine is established where the customer gives written permission to access the system for each support case or request for assistance. This is done via a standardized method in the support system, and by default the permission is valid for the current day. If other needs arise, a different period can be specified.

The bulk of the personal data in Simployer HRM is stored in Norway at Embriq's data center. Database data (information that is manually entered or populated into data fields in Simployer HRM) is stored at Embriq in Norway, while documents (uploaded Word files, PDF files, etc.) are stored in Microsoft Azure. The Microsoft Azure data center is located in Ireland, with backup in the Netherlands.

GDPR does not require data to be stored specifically in Norway or even within the EU, but more complex assessments are required in such cases. We regularly assess our subprocessors and storage partners, and will always use partners that are GDPR compliant and secure for us and our customers.

Yes, and it is the Customer who performs deletion of data in Simployer.

All communications where customer data flows over the internet are encrypted with SSL/TLS (HTTPS).

All our customers have access to our security and privacy documentation.

No, Simployer offers no such functionality, but an administrator at the Customer can reset passwords for users in Simployer. Simployer also offers authentication through Active Directory, allowing users to use their work account to log in to Simployer.

No, there is no such requirement. However, it may be an advantage for the employee to have self-service for such data, as the employee is the one who has the most up-to-date and correct data.

There are no specific answers to this in the legislation. The concept of "purpose" is decisive. However, it will not be allowed to store data forever (no purpose).

It is the customer who is the controller and who selects which personal data may be deleted from Simployer, based on a risk assessment and the legal needs for the data. Disabling users in Simployer removes access to personal data about the person, but the data is still stored.

Personal data related to the company (such as sick leave, holidays, documents, etc.) can be deleted separately in Simployer. Disabled users who do not have such data associated with their profile can also be physically deleted from the system. Simployer strives to make the deletion/anonymization procedures as flexible and user-friendly as possible for our customers.

By default, each user has access (and editing rights) to all personal data in Simployer. Simployer also has a report that the user can run, which shows which persons have access to the user's personal data and which persons can edit the user's personal data.

The Data Processing Agreement for Simployer complies with applicable national law and the GDPR.

General rules on handling of personal data

As a general rule, the employee has access to all personal data the employer has stored about the employee, with the following exceptions:

  • Content subject to confidentiality, e.g. whistleblowing cases
  • Content that is used for statistical purposes only

Only employees with a legal need have cause to see personal data, in addition to the employee himself or herself. Other categories of people with access can, for example, be the employee's managers or payroll staff in the business.

Personal data is all information that can be linked to an individual. This may for example be:

  • Name
  • Address
  • Phone
  • Date of birth
  • Pictures
  • Fingerprint
  • Etc.

Sensitive personal data is information about:

  • racial or ethnic background, or political, philosophical or religious opinion
  • that a person has been suspected, sentenced, charged or convicted of a criminal offense
  • health conditions
  • sexual preferences
  • membership of trade unions
  • genetic and biometric information

This means that you must have a specific legal purpose for processing personal data. This may, for example, be consent from the person whose information is being processed, the need to fulfil a contract, or requirements in relevant national law.

In case of serious breaches of privacy, fines may be issued of up to 4% of global annual turnover or 20 million euros, whichever is higher.

Responsibilities and roles related to privacy

The controller is the one who determines the purpose of processing personal data and the tools to be used. In a customer relationship with Simployer, it is the customer who is the controller.

A data processor is the party who processes personal data on behalf of the controller. In a customer relationship with Simployer, Simployer AS is a data processor.

All public entities must have a data protection officer. Private businesses need a data protection officer if:

  • The main line of business requires regular and systematic monitoring of physical persons on a large scale
  • The main line of business consists in large-scale handling of special categories of personal data or information on convictions or criminal offenses.

We have created an interactive wizard to help you decide if your business needs a data protection officer. The tool is available as part of the subscription to the legal aid product, Privacy in Work Conditions.

Privacy in administration and follow-up of employment

Yes, a new manager may be given access to all minutes that are necessary for his or her management duties. The minutes and accompanying documents belong to the employer, not the individual manager. The new manager can therefore have access.

The employer can post photos and information on the intranet. For external publishing, for example on the internet, the employer must consider whether the employee has reason to expect the information to be published. This must be assessed in relation to the employee's position and function. Managers and employees in outward-facing functions will have to accept this, while it may be different for someone employed in, for example, production or a call center.