GDPR in Payroll
Here you can find information about the GDPR (General Data Protection Regulation) when using Payroll. If you have other solutions or links, you need to check how the GDPR affects them too.

All companies that handle personal data and operate within the EU must comply with GDPR (General Data Protection Regulation). This means that you are responsible for ensuring that the personal data of your customers, employees and suppliers is handled securely.
The basic GDPR regulations:
- You may only manage personal data if you comply with all the requirements of the regulation.
- You may only collect personal data for specified purposes.
- You may only collect personal data that is necessary in order for you to fulfil the specified purposes.
- If you are in possession of personal data, the data must be continuously updated and correct.
- When the specified purposes have been fulfilled, the data should be deleted.
- Personal data must be stored securely to prevent them from being altered or stolen.
- You must be able to prove that your processing of personal data complies with the GDPR regulations.
You can find more general information on GDPR on spiris.se.

Below you see what you can do to meet the GDPR requirements in Payroll.

An employee has the right to ask you whether you have any of their personal data registered in the payroll program. In such cases you must be able to share this data with the employee. Take a screenshot of what is shown on the screen and send it to your customer.

According to GDPR, personal data may be stored for as long as the employer needs the data to fulfil legal obligations, laws and regulations. Personal data handled in the payroll process is regarded as supporting documentation that may be needed in audits, disputes and controls to prove that the legal requirements have been followed. When personal data is registered and linked to transactions in the payroll process, the employee cannot claim the right to have such personal data removed.
However, when an employee leaves the company, you should delete information that is not necessary to save. Below you see our recommendation on what data should be deleted.
Delete or pseudonymise data
In Payroll it is not possible to delete the data of an employee for whom you have created payslips.
If you have employees that you cannot delete, but for whom you no longer need to store personal data, you can delete that data from the employee's record. Read more under Data to delete as soon as the final pay has been paid.
If you terminate your Payroll subscription, you will not be able to make changes to your company. You will only be able to view the information. In such cases you can pseudonymise the employees' sensitive data. To do this, go to each employee under Employees and click on Pseudonymise employee. Data such as address, email address and bank account number will then be removed.
Data to delete as soon as the final pay has been paid
The information in the following fields under Payroll - Employees should be deleted when the final pay has been paid.
- Payment to should be changed to Cash so that the settings under Clearing number and Account number are deleted (on the Pay tab).
- Notes (on the Basic information tab), such as next of kin contact details
Remove access to functions. Read more in the topics Remove an employee's access to Employee and Remove access to Payslip. Then remove the login to spiris.se.
When access to the solutions is removed, the history is removed as well, since GDPR does not permit storing data that no longer has a purpose.
Data to delete one year after an employee has ended their employment
Contact and postal information should be saved for a year after an employee has ended their employment at the company. The information in the following fields under Payroll - Employees, on the Basic information tab, should then be deleted:
- Address
- Postcode
- City
- Country
- Phone
- Mobile phone
We recommend that you set up a yearly routine to go through and delete data for any employees who have left the company during the previous year.
Please note that some information must be stored for longer, for example details about employees' pension insurances.

Personal data includes any information which, directly or indirectly, may identify a natural person. Please note that a sole proprietorship also classes as a natural person. According to GDPR you may only collect personal data for specified purposes. These purposes may differ between companies, depending on what business they conduct. One purpose could for example be storing address information in order to invoice a customer.
Examples of personal data include information such as name, address, telephone number and personal identity numbers. However, since the law states that personal data can be any information that directly or indirectly can be linked to a natural person, such data may also include photos or a description of the distinguishable features of a person. For more information we recommend further reading at
According to GDPR, the person whom you have collected personal data about has the right to access the following information:
- who you are
- the purpose of the data collection
- the legal grounds that support it
- whether the information is shared with others
- how long the data will be stored
The person whom you have collected personal data about has the right to request access to the data.
Personal data appear in fields that have a predetermined purpose, such as name, telephone number and address fields. These data are easy to compile if someone contacts you and asks for them. In addition to fields that have a specific purpose, personal data may also be stored in other places, such as in free text fields and comments. We recommend that you avoid entering personal data in these fields since it is difficult to locate, analyse and compile this kind of information.

Payroll is cloud-based, which means that the personal data you register is stored on the servers of our infrastructure provider as well as on Spiris servers. More information on how data is stored in Spiris can be found at Visma Trust Centre.
If you have exported accounting data, you may also have data stored locally on your computer or any other location where you may have saved these files.
Please note that you are always responsible for the data you have collected, and that GDPR applies no matter how data has been stored or distributed. If you consult a third party supplier, you must therefore establish a data processing agreement between your company and the company you are consulting. Read more about this below.

As a business owner you sometimes transfer personal data to others, often without even thinking about it. Data could for example be transferred to credit reference companies, webshops as well as invoicing and payment solutions. When a so-called third party supplier receives your personal data they become a processor.
As a business owner you are also a controller, meaning that you are always responsible for the data you receive. You are also responsible for any data that is transferred to third party suppliers. In such cases, a data processing agreement between yourself and your third party suppliers is required.

You work entirely cloud-based, which means that the personal data you register is stored with us. Because we process personal data on your behalf, this makes us a third party supplier. As such, a data processing agreement is needed between you and Spiris. The agreement that you authorise before access is granted includes such a data processing agreement.