The GDPR and Data Act in Payroll
Here you will find information about EU data protection legislation when you use Payroll. If you use other solutions or integrations, you will also need to check how the legislation affects them.
All companies that handle personal data and operate within the EU must comply with GDPR (General Data Protection Regulation). This means that you are responsible for ensuring that the personal data of your customers, employees and suppliers is handled securely.
The basic GDPR regulations:
- You may only manage personal data if you comply with all the requirements of the regulation.
- You may only collect personal data for specified purposes.
- You may only collect personal data that is necessary in order for you to fulfil the specified purposes.
- If you are in possession of personal data, the data must be continuously updated and correct.
- When the specified purposes have been fulfilled, the data should be deleted.
- Personal data must be stored securely to prevent them from being altered or stolen.
- You must be able to prove that your processing of personal data complies with the GDPR regulations.
You can find more general information on GDPR on spiris.se.
Below, you can read more about what you can do to meet the demands for managing personal data according to GDPR.
An employee has the right to ask you whether you have any of their personal data registered in the payroll program. In such cases you must be able to share this data with the employee, for example by taking a screenshot of what is shown on the screen and sending it to the employee.
According to GDPR, personal data may be stored for as long as the employer needs it to meet legal obligations, laws and regulations. Personal data handled in the payroll process is regarded as supporting documentation that may be needed in audits, disputes and controls to prove that the legal requirements have been met. When personal data is registered and linked to transactions in the payroll process, the employee cannot demand that such personal data be removed.
However, when an employee leaves the company, you should delete information that is not necessary to save. Below you see our recommendation on what data should be deleted.
Delete or pseudonymise data
It is not possible to delete an employee for whom you have created payslips.
For such employees, you can still delete the personal data fields that you no longer need to store. Read more under Data to delete as soon as the final pay has been paid.
If you terminate your Payroll subscription, you will not be able to make changes to your company. You will only be able to view the information. In such cases you can pseudonymise the employees' sensitive data. To do this, go to each employee under Employees and click on Pseudonymise employee. Data such as address, email address and bank account number will then be removed.
Data to delete as soon as the final pay has been paid
The information in the following fields under Payroll - Employees should be deleted when the final pay has been paid.
- Payment to should be changed to Cash so that the Clearing number and Account number fields are cleared (on the Pay tab).
- Notes (on the Basic information tab), such as next of kin contact details
Remove access to functions. Read more in the topics Remove an employee's access to Employee and Remove access to Payslip. Then remove the login to spiris.se.
When access to the solutions is removed, the history will also disappear, since data without a purpose cannot be stored under GDPR.
Data to delete one year after an employee has ended their employment
Contact and postal information should be kept for one year after an employee has ended their employment at the company. The information in the following fields under Payroll - Employees, on the Basic information tab, should then be deleted:
- Address
- Postcode
- City
- Country
- Phone
- Mobile phone
We recommend that you set up a yearly routine to go through and delete data for any employees who have left the company during the previous year.
Please note that some information must be stored for longer, for example details about employees' pension insurances.
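The retention schedule above, as an added example that is not part of the Spiris documentation or product. It assumes an employee list exported to CSV with the column names shown in the constructed sample (not the product's actual export layout), and applies the two deletion points described above plus the field set the Pseudonymise employee action removes. Employee number and name are deliberately kept, since payroll transactions must remain traceable; the sweep returns a per-employee list of cleared fields so you can keep a record of what was deleted and when.

```python
import csv
import io
from datetime import date

# Fields cleared as soon as the final pay has been paid (first list on the page).
FINAL_PAY_FIELDS = ("Clearing number", "Account number", "Notes")
# Fields cleared one year after the employment ended (second list on the page).
ONE_YEAR_FIELDS = ("Address", "Postcode", "City", "Country", "Phone", "Mobile phone")
# Fields the Pseudonymise employee action removes, per the page (address, email, bank account).
PSEUDONYMISE_FIELDS = ("Address", "Email", "Clearing number", "Account number")

# Constructed sample export. Column names are an assumption for this example only.
SAMPLE_EXPORT = """\
Employee number,Name,End date,Address,Postcode,City,Country,Phone,Mobile phone,Email,Payment to,Clearing number,Account number,Notes
1001,Anna Example,,Storgatan 1,11122,Stockholm,SE,08-1234567,070-1111111,anna@example.invalid,Bank account,1234,5678901,Next of kin: Bo 070-2222222
1002,Bertil Example,2024-03-15,Lillgatan 2,41101,Goteborg,SE,031-7654321,070-3333333,bertil@example.invalid,Bank account,2345,6789012,
1003,Cecilia Example,2025-09-30,Mellanvagen 3,21122,Malmo,SE,,070-4444444,cecilia@example.invalid,Bank account,3456,7890123,Allergic to nuts
"""


def one_year_after(d):
    """Anniversary of the end date; 29 February rolls to 28 February."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def fields_to_clear(row, today):
    """Fields the retention schedule says to clear for this row, in schedule order."""
    if not row.get("End date"):
        return []                       # still employed: nothing to delete
    end = date.fromisoformat(row["End date"])
    if end > today:
        return []                       # employment has not ended yet
    due = list(FINAL_PAY_FIELDS)
    if today >= one_year_after(end):
        due.extend(ONE_YEAR_FIELDS)
    return [f for f in due if row.get(f)]   # report only fields that still hold data


def apply_retention(rows, today):
    """Clear due fields in place; return {employee number: [cleared fields]} as a deletion record."""
    log = {}
    for row in rows:
        cleared = fields_to_clear(row, today)
        for f in cleared:
            row[f] = ""
        if "Account number" in cleared:
            row["Payment to"] = "Cash"  # mirrors the page's advice for the Pay tab
        if cleared:
            log[row["Employee number"]] = cleared
    return log


def pseudonymise(row):
    """Blank contact and bank fields, as the Pseudonymise employee action does; keeps name and number."""
    for f in PSEUDONYMISE_FIELDS:
        row[f] = ""
    row["Payment to"] = "Cash"
    return row


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def dump(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def sweep(text, today_iso):
    """Run the yearly routine over a CSV export as of the given date; returns (log, rows)."""
    rows = load(text)
    return apply_retention(rows, date.fromisoformat(today_iso)), rows


if __name__ == "__main__":
    log, rows = sweep(SAMPLE_EXPORT, "2025-10-31")
    for emp, fields in log.items():
        print(emp, "cleared:", ", ".join(fields))
    print(dump(rows))
```

Run it once a year against a fresh export: the returned log is what you keep as evidence that the deletion was carried out, while the rewritten CSV is only a guide to which fields to clear in Payroll itself. Fields the page says must be kept longer (for example pension insurance details) are not in either list and are therefore untouched.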
Personal data includes any information which, directly or indirectly, can identify a natural person. Please note that a sole proprietorship also counts as a natural person. According to GDPR you may only collect personal data for specified purposes. These purposes may differ between companies, depending on what business they conduct. One purpose could for example be storing address information in order to invoice a customer.
Examples of personal data include information such as name, address, telephone number and personal identity numbers. However, since the law states that personal data can be any information that directly or indirectly can be linked to a natural person, such data may also include photos or a description of the distinguishable features of a person. For more information we recommend further reading at
According to GDPR, the person whom you have collected personal data about has the right to access to the following information:
- who you are
- the purpose of the data collection
- the legal basis for the processing
- whether the information is shared with others
- how long the data will be stored
The person whom you have collected personal data about has the right to request access to the data.
Personal data appear in fields that have a predetermined purpose, such as name, telephone number and address fields. These data are easy to compile if someone contacts you and asks for them. In addition to fields that have a specific purpose, personal data may also be stored in other places, such as in free text fields and comments. We recommend that you avoid entering personal data in these fields since it is difficult to locate, analyse and compile this kind of information.
Payroll is cloud-based, which means that the personal data you register is stored on the servers of our infrastructure provider as well as on Spiris servers. More information on how data is stored in Spiris can be found at Visma Trust Centre.
If you have exported accounting data, you may also have data stored locally on your computer or any other location where you may have saved these files.
Please note that you are always responsible for the data you have collected, and that GDPR applies no matter how data has been stored or distributed. If you consult a third party supplier, you must therefore establish a data processing agreement between your company and the company you are consulting. Read more about this below.
As a business owner you sometimes transfer personal data to others, often without even thinking about it. Data could for example be transferred to credit reference companies, webshops as well as invoicing and payment solutions. When a so-called third party supplier receives your personal data they become a processor.
As a business owner you are also a controller, meaning that you are always responsible for the data you receive. You are also responsible for any data that is transferred to third party suppliers. In such cases, a data processing agreement between yourself and your third party suppliers is required.
You work entirely cloud-based, which means that the personal data you register is stored with Spiris. Because Spiris processes personal data on your behalf, Spiris is a processor (a third party supplier). As such, a data processing agreement is needed between you and Spiris. The agreement that you accept before access is granted includes such a data processing agreement.
The EU’s Data Act has been designed to give you, the customer, greater control over your data. The aim is to make it easier to share information, switch between different cloud services and ensure that you retain ownership of your own business data. At Spiris, we see this as an opportunity to make your daily life even easier. We want you to use our financial platform because it offers you the best value, not because your data is locked in.
What does the Data Act mean for you?
The law grants you, as a user of our services, several important rights:
- Right to data portability: You can easily download your data if you wish to switch providers or transfer the information to your own systems.
- Seamless switching: It should be free of charge and technically straightforward to cancel a subscription and switch providers.
- Transparency: You have the right to know exactly what data can be exported and in what format.
- Deletion: You can request that your data be permanently deleted when you stop using a feature.
What data is included in an export?
We aim to ensure that you can access all relevant information in a format that is easy to import into other systems (such as CSV, Excel or SIE). Examples of what can be exported include customer and supplier registers, items, journal entries, invoices, reports, payslips, employment details, supporting documents for employer declarations, tax return forms, annual reports, customer lists and time records. See Exportable data in Payroll below for details and a link to the instructions.
Is there any data that cannot be exported?
Yes, there are some exceptions. We cannot export information relating to intellectual property rights of Spiris or trade secrets, such as our internal program code or business logic. Nor do we export technical metadata (logs) required for the platform’s security and operation.
What about programs that are installed locally on my computer?
For locally installed applications (OnPrem), such as local versions of payroll software or accounting software, all data is stored on your own computer or server. As we do not have access to your local storage, we cannot carry out the export for you, but we provide clear guides on how to do it yourself within the program.
What happens to my data if I decide to cancel my subscription?
When you cancel your subscription, you have the right to request that your data be deleted. Please bear in mind, however, that there are legal requirements, such as the Accounting Act, which stipulate that certain information must be retained for a specific period of time. It is your responsibility to retain that information.
Is there a charge for exporting my data?
We do not charge for the export of your data. If your subscription has a minimum contract period and is cancelled early in accordance with the Data Act, any fees already paid will not be refunded, and you will be required to pay the outstanding amount as if the minimum contract period had been completed.
Exportable data in Payroll
Under Payroll – Reports, you can generate these reports. They can be exported to PDF and CSV. Read more in the topic Reports.
Reports
- Accounting records
- Pay history, pay codes
- Pay for a selected period
- Absence list
- Pay history
- Overtime list
- Accumulator list
- Holiday pay liability list
- Payroll tax report
- Basis for holiday calculation
- Payment list
- Basis to Fora (manual reporting)
- Basis for reduction in working hours/working time account
Company information
- Accounting records
- Payslips
- Holiday pay liability list
- Overtime list
- Absence list
- Payroll tax report
Reports from the solution Employee
If you use Employee, you can generate the following reports there:
| Exportable data | Format | Instructions |
|---|---|---|
| Time reports | | |
| Time registrations | | |
| Employee ledger | | |
| Employee details (schedule, agreements, balances, etc.) | | |
| Balance report | | |
Related topics
Work smarter
Video tutorials
Payroll management
Get help with your questions about payroll management in our forum