Below you will find answers to some of the questions we often get about Simployer and GDPR. If you have any further questions, feel free to contact us by phone on 07505.
Processing of personal data in Simployer
No one in Infotjenester has access to the customer's data unless the customer requests support and grants Infotjenester access to the system. In such a support scenario, the named Infotjenester employee has access to the system for a limited period of time.
For Capitech modules, a routine is established whereby the customer gives written permission to access the system for each support case or request for assistance. This is done via a standardized method in the support system, and by default the permission is valid for the current day. If other needs arise, a different period can be specified.
Yes, all data in Simployer is stored on servers in Norway. We use Embriq as a partner for Simployer and Smart IT for Capitech modules. For customers running Capitech software on premise, the data is stored on the customer's own servers.
However, GDPR does not require data to be stored in Norway.
No, only selected support staff in the Infotjenester group may be granted access by the Customer in order to provide support.
Yes, it is the Customer who performs deletion of data in Simployer.
All communication in which customer data flows over the internet is encrypted with SSL (HTTPS).
All our customers have access to our security and privacy documentation.
No, Simployer offers no such functionality, but an administrator at the Customer can reset passwords for users in Simployer. Simployer also offers authentication through Active Directory, allowing users to use their work account to log in to Simployer.
No, there is no such requirement. However, it may be an advantage for the employee to have self-service for such data, as the employee is the one who has the most up-to-date data.
There are no specific answers to this in the legislation. The concept of "purpose" is decisive. However, it is not permitted to store data forever (without a purpose).
One must start with a survey to identify which personal data is stored in which systems, who has access, and how the data is used (the purpose). The responsibility for the processing of personal data lies with the company (the controller).
It is the customer who is the controller and who selects which personal data may be deleted from Simployer, based on its own risk assessment and the legal requirements for retaining data. Disabling a user in Simployer removes access to personal data about that person, but the data is retained. Personal data related to the company (such as sick leave, holidays, documents, etc.) can be deleted separately in Simployer. Disabled users who have no such data associated with their profile can also be physically deleted from the system. Infotjenester is currently working to make the deletion / anonymization procedures as flexible and user-friendly as possible for our customers.
By default, each user has access (and editing rights) to all personal data in Simployer. Infotjenester will also develop a report that the user can run, showing which persons have access to the user's personal data and which persons can edit it.
The Data Processing Agreement for Simployer complies with Norwegian law. Infotjenester will offer all existing and new customers a revised data processing agreement that complies with GDPR and the new Norwegian law, in good time before the GDPR enters into force.
General rules on handling of personal data
As a general rule, the employee has access to all personal data the employer has stored about the employee, with the following exceptions:
- Content subject to confidentiality, e.g. whistleblowing cases
- Content that is used for statistical purposes only and which has no bearing on the employee
Apart from the employee himself or herself, only employees with a legitimate need have reasonable cause to see personal data. These can, for example, be the employee's manager or payroll staff in the business.
Personal data is all information that can be linked to an individual. This may for example be:
- Date of birth
Sensitive personal data is information about:
- racial or ethnic background, or political, philosophical or religious opinions
- that a person has been suspected, sentenced, charged or convicted of a criminal offense
- health conditions
- sexual preferences
- membership of trade unions
- genetic and biometric information
This means that you must have a specific legal basis for processing personal data. This may, for example, be consent or a basis in law.
In case of serious breaches of privacy, fines of up to 4% of turnover, limited to 20,000,000 euros, may be imposed.
Responsibilities and roles related to privacy
The controller is the one who determines the purpose of processing personal data and the tools to be used. In a customer relationship with Simployer, it is the customer who is the controller.
A data processor is the party that processes personal data on behalf of the controller. In a customer relationship with Simployer, Infotjenester AS is a data processor.
All public entities must have a privacy officer. Private businesses need a privacy officer if:
- The main line of business requires regular and systematic monitoring of natural persons on a large scale
- The main line of business consists of large-scale handling of special categories of personal data, or of information on convictions or criminal offenses.
We have created an interactive wizard to help you decide whether your business needs a privacy officer. The tool is available as part of the subscription to the legal aid product, Privacy in Work Conditions.
Privacy in administration and follow-up of employment
Yes, a new manager may be given access to all minutes that are necessary for his or her management. The minutes and accompanying documents belong to the employer, not to the individual manager. The new manager can therefore be given access.
The employer can post photos and information on the intranet. For external publishing, for example on the internet, the employer must consider whether the employee has reason to expect the information to be published. This must be assessed in relation to the employee's position and function. Managers and employees in outward-facing functions will have to accept this, while it may be different for someone employed in, for example, production or a call center.
As a general rule, no. Access can only be denied where the law permits it.
In the proposal for the new Personal Data Act, § 13, some exceptions to the right of access are proposed, such as when:
- it is necessary to keep the information secret for the purpose of the prevention, investigation, disclosure and legal prosecution of criminal offenses
- it is considered inadvisable for the data subject to become aware of his or her own health or of the relationship with persons close to him or her
- the information is subject to confidentiality by law or in accordance with law
- it would be contrary to obvious and fundamental private or public interests to provide the information, including out of consideration for the data subject.