    Below you will find answers to some of the questions we often get about Simployer and GDPR. If you have any further questions, feel free to contact us by phone at 07505.

    Processing of personal data in Simployer

    Is there anyone at Infotjenester that has access to our data?

    No one in Infotjenester has access to the customer's data unless the customer requests support and provides Infotjenester access to the system. In such a support scenario, the named employee in Infotjenester will have access to the system for a limited period of time.

    Is there anyone at Capitech that has access to our data?

    For Capitech modules, a routine is established where the customer gives written permission to access the system for each support case or request for assistance. This is done via a standardized method in the support system, and by default the permission is valid for the current day. If needed, a different period can be specified.

    Are customer data stored on servers in Norway?

    Yes, all data in Simployer is stored on servers in Norway. We use Embriq as a partner for Simployer and Smart IT for Capitech modules. For customers with Capitech software on premise, the data is stored on the customer's servers.

    However, GDPR does not require data to be stored in Norway.

    Does anyone outside EU / EEA have access to our customer data?

    No, only selected support staff at Infotjenester group may be granted access by the Customer to provide support.

    What are the security practices (encryption, etc.) in connection with the transfer of personal data?

    All communications where customer data flows over the internet are encrypted with SSL (HTTPS).

    Do you have a feature to delete all passwords at once in Simployer?

    No, Simployer offers no such functionality, but an administrator at the Customer can reset passwords for users in Simployer. Simployer also offers authentication through Active Directory, allowing users to use their work account to log in to Simployer.

    Will Simployer be compliant with new GDPR by 25.05.2018?

    There is no certification scheme towards today's privacy legislation, and there will probably not be any such scheme in place before the GDPR enters into force. Simployer complies with Norwegian law today, and will continue to do so after the new GDPR has entered into force. Simployer is built according to the Data Protection Authority's privacy policy, and we will continuously implement new guidelines issued by the Data Inspectorate.

    Must all employees have access to edit personal data in a HR / Payroll system?

    No, there is no such requirement. However, it may be an advantage that the employee has self-service for such data, as the employee is the one who has the most up-to-date data.

    How many years can you keep information about employees who have left?

    There is no specific answer to this in the legislation. The concept of "purpose" is the deciding factor. However, it will not be allowed to store data forever (no purpose).

    For small businesses, with few employees, what should one start with and what is the minimum effort for small businesses?

    One must start with a survey to identify which personal data has been stored in which systems, who has access and how the data is used (purpose). The company (the controller) is responsible for the processing of personal data.

    Deletion of Personal Data in Simployer - What is the best procedure to comply with GDPR?

    It is the customer who is the controller and who selects which personal data may be deleted from Simployer based on its risk assessment and the legal needs for data. Disabling users in Simployer removes access to personal data about the person, but the data is retained. Personal data related to the company (such as sick leave, holidays, documents, etc.) can be deleted separately in Simployer. Disabled users who do not have such data associated with their profile can also be physically deleted from the system. Infotjenester is currently working to make the deletion / anonymization procedures as flexible and user-friendly as possible for our customers.

    How is the right of access for the registered person safeguarded?

    By default, each user has access (and editing rights) to all personal data in Simployer. Infotjenester will also develop a report that the user can run, which shows which persons have access to the user's personal data and which persons can edit the user's personal data.

    Is the Simployer DPA compliant with GDPR?

    The Data Processing Agreement for Simployer complies with Norwegian law. Infotjenester will offer all existing and new customers a revised data processing agreement that complies with GDPR, and follows new Norwegian law in good time before the GDPR enters into force.

    General rules on handling of personal data

    What access rights does the employee have?

    As a general rule, the employee has access to all personal data the employer has stored about the employee, with the following exceptions:

    • Content subject to confidentiality, e.g. whistleblowing cases
    • Content that is used for statistical purposes only and which does not matter to the employee

    Who can access personal information?

    Only employees with a legal need have reasonable cause to see personal data, in addition to the employee himself or herself. This can, for example, be his or her manager or payroll staff in the business.

    What is personal data?

    Personal data is all information that can be linked to an individual. This may for example be:

    • Name
    • Address
    • Phone
    • Date of birth
    • Pictures
    • Fingerprint
    • Etc.

    What is sensitive personal data?

    Sensitive personal data is information about:

    • racial or ethnic background, or political, philosophical or religious opinion
    • that a person has been suspected, sentenced, charged or convicted of a criminal offense
    • health conditions
    • sexual preferences
    • membership of trade unions
    • genetic and biometric information

    What does it mean that a legal purpose is needed for processing personal data?

    This means that you must have a specific legal purpose for processing personal data. This may, for example, be consent or a basis in law.

    What are the fines for breach of GDPR?

    In case of serious breaches of privacy, fines of up to 4% of turnover, limited to 20,000,000 euros, may be imposed.

    Responsibilities and roles related to privacy

    Who is the controller?

    The controller is the one who determines the purpose of processing personal data and the tools to be used. In a customer relationship with Simployer, it is the customer who is the controller.

    What is a data processor?

    A data processor is the person who processes personal information on behalf of the controller. In a customer relationship with Simployer, Infotjenester AS is a data processor.

    Which businesses need a privacy officer?

    All public entities must have a privacy officer. Private businesses need a privacy officer if:

    • The main line of business requires regular and systematic monitoring of physical persons on a large scale
    • The main line of business consists in large-scale handling of special categories of personal data or information on convictions or criminal offenses.

    We have created an interactive wizard to help you decide if your business needs a privacy officer. The tool is available as part of the subscription to the legal aid product, Privacy in Work Conditions.

    Privacy in administration and follow-up of employment

    Can minutes from employee conversations be transferred to a new leader?

    Yes, access to all minutes that will be necessary for his / her management may be transferred to a new leader. The minutes and accompanying documents belong to the employer, not the individual leader. The new leader can therefore have access.

    Can the employer publish photos and information about the employee on the intranet and the internet?

    The employer can post photos and information on the intranet. For external publishing, for example on the internet, the employer must consider whether the employee has reason to expect the information to be published. This must be assessed in relation to the employee's position and function. Leaders and employees in outward-facing functions will have to accept this, while it may be different if you are employed in, for example, production or a call center.

    Can the employer deny employee access to the employee folder?

    As a main rule, no. The only reason to deny access is when permitted by law.

    In the proposal for the new Personal Information Act § 13, some exceptions to the right of access are proposed, such as information that:

    • is required to be kept secret for the purpose of prevention, investigation, disclosure and legal prosecution of criminal offenses
    • it must be considered unwarranted that the person acquainted becomes aware of his / her health or the relationship with persons who are close to him
    • by law or in accordance with law is subject to confidentiality
    • it would be contrary to obvious and fundamental private or public interests to inform about, including consideration for the registered person himself / herself.
