Bookkeeping & Invoicing
The GDPR and Data Act in Bookkeeping & Invoicing
Here you will find information about EU data protection legislation when you use Bookkeeping & Invoicing. If you use other solutions or integrations, you will also need to check how the legislation affects them.
Read more on spiris.se about our Privacy Statement for Bookkeeping & Invoicing.
All companies that handle personal data and operate within the EU must comply with GDPR (General Data Protection Regulation). This means that you are responsible for ensuring that the personal data of your customers, employees and suppliers is handled securely.
The basic GDPR regulations:
- You may only manage personal data if you comply with all the requirements of the regulation.
- You may only collect personal data for specified purposes.
- You may only collect personal data that is necessary in order for you to fulfil the specified purposes.
- If you are in possession of personal data, the data must be continuously updated and correct.
- When the specified purposes have been fulfilled, the data should be deleted.
- Personal data must be stored securely to prevent them from being altered or stolen.
- You must be able to prove that your processing of personal data complies with the GDPR regulations.
You can find more general information on GDPR on spiris.se.
Here you can read about what you need to do to fulfill the GDPR requirements for personal data management when working in Bookkeeping & Invoicing.
Consent can be given in different ways: verbally, in writing, or in some cases by receiving the data directly from the person you are collecting data about. This could be the case if, for instance, your customer has given you their email address and other personal data in order to subscribe to your company's newsletter. If you run a webshop, there is often a step at checkout where the customer approves the purchase terms and conditions and gives you their consent to store personal data about them.
Keep in mind that it is your responsibility to inform the person whose personal data you are collecting about the collection and its purpose. When verbally informing and collecting consent, we recommend that you also let the customer know where they can find more information about how your company manages personal data.
According to the law, you are obligated to inform the people whose personal data you collect that you are collecting data and of the purpose of the data collection. The person you have collected data about has the right to request access to the data you have recorded.
How to compile such personal data is described below.
One way of compiling the information you have recorded about an individual customer is to go to Sales - Customers and open the customer in editing mode. Take a picture of what is shown on the screen. Send the picture to your customer.
Alternatively, you can make an export of the customer records under Settings - Import and export. Open the file, copy the first row with headers and the row containing information about the customer, paste the rows into a separate spreadsheet which you then save and send to the customer.
If you mostly conduct sales with other companies, and not private individuals, you may still have recorded information that is classed as personal data. One such example could be notes about contact persons. Those who run sole proprietorships also count as natural persons, meaning that the GDPR requirements regarding the recording of personal data apply here too.
One way of compiling the information you have recorded about an individual supplier is to go to Purchasing - Suppliers and open the supplier in editing mode. Take a picture of what is shown on the screen. Send the picture to your supplier.
Alternatively, you can make an export of the supplier records under Settings - Import and export. Open the file, copy the first row with headers and the row containing information about the supplier, paste the rows into a separate spreadsheet which you then save and send to the supplier.
Suppliers who run sole proprietorships also count as natural persons, meaning that the GDPR requirements regarding the recording of personal data apply here too. Keep in mind that you may still have recorded information about suppliers with other company types in the Notes and Contact person fields.
You are only allowed to store personal data for as long as they are needed to fulfill the purpose you stated when collecting the data. The data should be removed after it has served its purpose. You should therefore regularly go over and verify that the personal data you have stored are up-to-date and used according to their original purpose.
Any person you have stored personal data about may also request that the data you have stored be removed. Please note that local accounting legislation takes precedence over GDPR, and that accounting documents which contain personal data should therefore be stored for
Delete or pseudonymise
In Bookkeeping & Invoicing it is not possible to delete
To pseudonymise the data for a
If you want to delete an employee you have to contact our customer support agents.
Payroll: For more information, check out the online help for Payroll.
Own salary: For more information, check out the online help for Own salary.
Personal data include any information which, directly or indirectly, may identify a natural person. Please note that a sole proprietorship is also classed as a natural person. According to GDPR you may only collect personal data for specified purposes. These purposes may differ between companies, depending on what business they conduct. One purpose could, for example, be storing address information in order to invoice a customer.
Examples of personal data include information such as name, address, telephone number and personal identity numbers. However, since the law states that personal data can be any information that directly or indirectly can be linked to a natural person, such data may also include photos or a description of the distinguishable features of a person.
According to GDPR, the person whom you have collected personal data about has the right to access the following information:
- who you are
- the purpose of the data collection
- what legal grounds support it
- whether the information is shared with others
- how long the data will be stored
The person whom you have collected personal data about has the right to request access to the data.
Personal data appear in fields that have a predetermined purpose, such as name, telephone number and address fields. These data are easy to compile if someone contacts you and asks for them. In addition to fields that have a specific purpose, personal data may also be stored in other places, such as in free text fields and comments. We recommend that you avoid entering personal data in these fields since it is difficult to locate, analyse and compile this kind of information.
Your personal data is securely stored on servers at our infrastructure provider and on servers at Visma Spcs AB. More information about data storage in Visma Spcs AB's cloud-based solutions can be found at www.visma.com/trust-centre.
Personal data entered is stored on Spiris servers and by our infrastructure provider. For more information on how we handle personal data, you can find everything on the Information on our terms and conditions - Data Protection and Privacy page.
If you have exported records from Bookkeeping & Invoicing, you may also have data stored locally on your computer or any other location where you may have saved these files.
Please note that you are always responsible for the data you have collected, and that GDPR applies no matter how data has been stored or distributed. If you consult a third party supplier, you must therefore establish a data processing agreement between your company and the company you are consulting. Read more about this below.
As a business owner you sometimes transfer personal data to others, often without even thinking about it. Data could for example be transferred to credit reference companies, webshops as well as invoicing and payment solutions. When a so-called third party supplier receives your personal data they become a processor.
As a business owner you are also a controller, meaning that you are always responsible for the data you receive. You are also responsible for any data that is transferred to third party suppliers. In such cases, a data processing agreement between yourself and your third party suppliers is required.
You work entirely cloud-based, which means that the personal data you register is stored with us. Because we process personal data on your behalf, we are a third party supplier. As such, a data processing agreement is needed between Spiris and us. The agreement that you authorise before access is granted includes such an assistance agreement.
The EU’s Data Act has been designed to give you, the customer, greater control over your data. The aim is to make it easier to share information, switch between different cloud services and ensure that you retain ownership of your own business data. At Spiris, we see this as an opportunity to make your daily life even easier. We want you to use our financial platform because it offers you the best value, not because your data is locked in.
What does the Data Act mean for you?
The law grants you, as a user of our services, several important rights:
- Right to data portability: You can easily download your data if you wish to switch providers or transfer the information to your own.
- Seamless switching: It should be free of charge and technically straightforward to cancel a subscription and switch providers.
- Transparency: You have the right to know exactly what data can be exported and in what format.
- Deletion: You can request that your data be permanently deleted when you stop using a feature.
What data is included in an export?
We aim to ensure that you can access all relevant information in a format that is easy to import into other systems (such as CSV, Excel or SIE). Examples of what can be exported include customer and supplier registers, items, journal entries, invoices, reports, payslips, employment details, supporting documents for employer declarations, tax return forms, annual reports, customer lists and time records. See Exportable data in Bookkeeping & Invoicing below for details and a link to the instructions.
Is there any data that cannot be exported?
Yes, there are some exceptions. We cannot export information relating to intellectual property rights of Spiris or trade secrets, such as our internal program code or business logic. Nor do we export technical metadata (logs) required for the platform’s security and operation.
What about programs that are installed locally on my computer?
For locally installed applications (OnPrem), such as local versions of payroll software or accounting software, all data is stored on your own computer or server. As we do not have access to your local storage, we cannot carry out the export for you, but we provide clear guides on how to do it yourself within the programme.
What happens to my data if I decide to cancel my subscription?
When you cancel your subscription, you have the right to request that your data be deleted. Please bear in mind, however, that there are legal requirements, such as the Accounting Act, which stipulate that certain information must be retained for a specific period of time. It is your responsibility to do this.
Is there a charge for exporting my data?
We do not charge for the export of your data. If your subscription has a minimum contract period and is cancelled early in accordance with the Data Act, any fees already paid will not be refunded, and you will be required to pay the outstanding amount as if the minimum contract period had been completed.
Exportable data in Bookkeeping & Invoicing
| Exportable data | Format | Instructions |
|---|---|---|
| Fixed assets list, detailed | PDF, CSV | Reports |
| Period allocation report | PDF, CSV | Reports |
| Project list | PDF, CSV | Reports |
| Supplier ledger | PDF, CSV | Reports |
| Export of customer register | CSV | Importing or exporting customer records |
| Export of article register | CSV | Importing or exporting article records |
| Export of supplier register | CSV | Importing or exporting supplier records |
| Export of cost centres | CSV | Importing or exporting cost centre records |