GDPR - General Data Protection Regulation in Accountor

You can be confident that your personal data is appropriately processed and protected when you do business with us.

Introduction

The GDPR is one of the most discussed topics at the moment, and vigorous rumours are spreading. For example, there are claims that data portability always applies or that personal data may not be processed outside the EU or EEA. It comes as no surprise that companies are unsure how to operate internally or with their service providers.

There is nothing to worry about when you do business with us or when Accountor processes personal data. Please have a look at our preparations for the GDPR and at how it will affect relevant stakeholders such as enterprise customers, their representatives and employees, Accountor’s own personnel and other individuals.

The GDPR – What Is It About

The General Data Protection Regulation (commonly referred to as the GDPR) is EU legislation that applies to the use of personal data. The GDPR entered into force in May 2018.

What Is the Purpose of the GDPR?

The GDPR is a step forward in ensuring transparency in the handling of data. The regulation applies to any business that processes the data of EU citizens, whether or not it is based in an EU country. It is primarily about protecting individuals’ personal details: the aim of the GDPR is to give EU citizens control over their personal data and to change the approach of organizations across the world towards data privacy. To this end, the GDPR enshrines a wide range of existing and new rights for individuals in respect of their personal data, which strengthens individuals’ control over how their personal data are used.

Which Information Is Personal Data?

Personal data refers to any information from which a natural person can be directly or indirectly identified. It does not matter whether the information relates to an individual in their private life or in the context of their professional or public life.

Examples of Personal Data:

  • a name
  • a photo
  • an email address
  • voice or bank details

The GDPR’s Different Requirements to Various Stakeholders

For organizations such as companies, public entities and communities, the GDPR means increasing and tightening obligations and requirements when they process personal data. Organizations have to assess their ability to provide data in compliance with the GDPR’s format obligations. For example, it may be necessary to develop formatting capabilities in order to meet access requests.

What Do Organizations Have to Do in Practice?

  • Take a more proactive approach towards the management of personal data
  • Determine what data their business possesses
  • Ascertain how and where the data are retained
  • Set legally defensible policies for how the data will be collected, managed and destroyed
  • Include data protection considerations in the core of their business activities
  • Protect any personal data in their possession
  • Implement appropriate protection measures, taking into account the level of risk the processing may cause for individuals, etc.

Accountor’s Roles

Accountor plays different roles in the processing of personal data depending on the context of processing.

Accountor As a Service Provider

A data processor is a party that processes personal data on behalf of another entity. As a service provider, we usually process personal data on behalf of our customers in the role of a data processor, e.g. when providing

  • payroll services
  • accounting services
  • hosted IT services

We also provide software services to our customers which are used for the processing of data, yet the customers install and operate the software themselves. In such cases, Accountor is not a processor, since it has no access to the personal data processed in the software.

In both cases, Accountor has no independent rights in regard to the personal data and must follow the instructions agreed with our customers. The customers have the decision-making power over the means and purposes of the processing and are therefore in the role of a data controller. Consequently, the customers are responsible for the lawfulness of the processing.

However, when providing services, Accountor acts not only as a data processor but also as a data controller. In such cases we

  • manage and control our relationship with customers
  • administer services provided
  • process personal data of our customer’s representatives, decision makers and other contact persons

Thus, we are responsible for the processing conducted in our role as a data controller.

Accountor As an Employer

Naturally, we process the personal data of our employees in the context of the employment relationship. In such cases, Accountor is a data controller and is responsible for the lawfulness of the processing, regardless of whether the processing is carried out internally or externally by a data processor. The same applies to leased employees.

In addition, Accountor may acquire certain services for its employees that are closely related to the employment relationship and in which personal data are processed.

A practical example of such a situation:

Accountor may acquire occupational health care services. In regard to the personal data processed in that context, Accountor is neither a data controller nor a data processor. The company only covers the expenses as part of the employment relationship and has no right to control or decide on the personal data.

Consequently, the health care provider is the data controller.

How Has Accountor Prepared for the GDPR?

We acknowledged and identified at an early stage that the GDPR would have a material impact on our services and processes. We have initiatives in place to ensure that we are taking the right actions and that we have sufficient resources to achieve GDPR compliance. Accordingly, we initiated a group-wide GDPR project in 2016 to implement the applicable requirements in our daily operations.

We have cultivated our privacy culture by building a comprehensive privacy framework, starting from a Privacy Policy approved by our Board of Directors, and by drafting relevant instructions and guidelines and implementing them in our daily operations. Accountor’s top management closely follows all initiatives for strengthening our responsible business practices, including the implementation of the GDPR. Each of our business units is responsible for implementing data protection in its own operations, taking into account the applicable data protection requirements and the nature of our business. This also includes documentation, personnel awareness and training, as well as process and system changes in existing operations. Existing agreements will be reviewed and the required updates concluded where necessary.

Data Protection Officer and Other People Responsible for Data Protection

We have nominated a person in each of our units and companies who is responsible for data protection in their respective business. Moreover, we have appointed a Data Protection Officer for the group, who has strengthened our data protection resources and the project by supporting and advising the units in their data protection activities. A data protection officer

  • develops and secures the implementation of data protection
  • informs and instructs the management of their obligations
  • monitors compliance with the applicable legislation

Together with other dedicated resources, all our units are implementing the GDPR requirements where necessary in connection with their own projects and initiatives. The progress of the GDPR project is reported to our Chief Operating Officer.

Privacy Framework, Documentation and Internal Training

We have built a group-wide privacy framework, starting from the Privacy Policy and moving gradually into detailed guidance and interpretations on, inter alia,

  • individual’s rights,
  • data protection impact assessment and
  • a valid consent.

Group-level tools and methods are available to the units for ensuring their vendors’ GDPR compliance and for conducting a data protection impact assessment. New agreement templates have also been prepared for use in sales and in procurement.

Additionally, we have documented our processing activities in the different organizations in accordance with the requirements. For example, the gaps between existing processing operations and the requirements have been identified, and a detailed roadmap for closing them has been prepared for each unit.

In addition, we continuously train the relevant stakeholders in each unit so that they understand the GDPR and their respective obligations better. Specific GDPR training material has been prepared for all Accountor employees in accordance with their respective duties.

Units Implementing the GDPR

Accountor Group consists of very different units and companies. Since each unit is responsible for its own implementation activities, the units are at different stages of implementation depending on, among other things, their maturity and organizational structure. For example, some units are currently updating their customer agreements while others are still in the planning phase. Further, some units are conducting data protection impact assessments for their existing processing operations while others are still defining their internal process for that purpose.

Even though some activities are still required, we are proceeding at full speed. We are also improving our transparency policy. Our aim is to describe the implementation of data protection in

  • our Privacy Statements and notices, and
  • our product documentation,

in order to ensure that transparent information on the processing of personal data is always available to both our enterprise customers and individuals.

Further, the units are working on system development in order to implement individuals’ rights in each system. The implementation activities are followed up regularly and reported to our top management.

Information Security

Since security attacks are continuously growing stronger, our security must be constantly monitored in order to stay protected and insulated from evolving threats. As regards information security, a process to strengthen our group-level information security resources is ongoing. The impact and risks of personal data processing are assessed before the processing starts and thereafter as needed, so that data protection is embedded into and maintained in all operations.

Furthermore, we plan to build data protection safeguards into our products and services from the earliest stages of development. We are currently building a Group-level Information Security Governance framework to cover all business operations and units. A group-wide incident management process is under preparation, and a candidate tool for this purpose is being piloted.

Data protection activities are documented appropriately and reviewed on a regular basis. Our aim is, without doubt, to be GDPR compliant

  • in all identified activities in our systems, processes and necessary documentation
  • in existing instructions and guidelines
  • in a timely manner before the regulation enters into force in May 2018

GDPR Commercial Consultation

MyGDPR

We also provide various services to our customers to address the requirements arising from data protection and the GDPR. These are directed especially towards small and medium-sized companies.

With the help of our Accountor myGDPR tool, we can help you map your current status in data protection matters and, after the mapping, advise you on how your processes, agreements and practices should be updated in order to be GDPR compliant. Accountor myGDPR consists of a tool-assisted mapping service, a supporting advisory service based on the mapping (a GDPR compliance roadmap), and an easy-to-use Software-as-a-Service tool for do-it-yourself assessment of the required tasks and a platform for documentation.

Accountor myGDPR supports you in conducting a self-assessment of how well you meet the GDPR requirements, interpreting the current-state analysis and prioritizing the identified GDPR compliance tasks into an action plan. In addition, the Accountor myGDPR DIY Tool enables you to evaluate and document the GDPR compliance of your operations and processes, as well as the related documentation, and to identify the tasks needed to improve your GDPR compliance in the areas where gaps are detected.

Just let your contact person at Accountor know if you would like to hear more about our GDPR services and we will be in touch with you.

Contact Us

We appreciate you contacting us. If you have any questions or concerns on data protection or the GDPR, please do not hesitate to contact us. Your request will be forwarded to the appropriate person and we will contact you as soon as possible.

As regards general compliance and Group level activities please contact privacy@accountorgroup.com

As regards local implementation activities or the status of implementation, please contact the unit or company you are dealing with: pavel.antonov@accountor.ru

As regards commercial services concerning the GDPR and provided by us, please contact: timo.sivonen@accountor.ru or givi.enukidze@accountor.ru

General

We strive to be trustworthy, responsible and ethical towards our clients, partners, employees, directors and other stakeholders in all of our operations. Accountor is a professional service provider that takes its responsibility to comply with the laws and regulations applicable at the given time, as well as with any rules and decisions imposed by the relevant authorities. Therefore, we adhere to national and EU-level data protection regulations, official recommendations and guidelines, and decisions imposed by the relevant authorities, and all of our processes and policies are based on the applicable legislation. This also applies to the processing of personal data, regardless of how the processing is carried out.

FAQ

Who does the GDPR affect?

The GDPR does not only apply to organizations located within the EU, but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while a processor is an entity that processes personal data on behalf of the controller.

What are the common terms and definitions used in relation to the GDPR?

  • Data controller: the entity that determines the purposes, conditions and means of the processing of personal data
  • Data Protection Impact Assessment: a tool used to identify and reduce the privacy risks of entities by analyzing the personal data that are processed and the policies in place to protect the data
  • Data processor: the entity that processes data on behalf of the data controller
  • Data subject: a natural person whose personal data are processed by a controller or a processor
  • Personal data breach: a breach of security leading to the accidental or unlawful access, destruction, misuse, etc. of personal data
  • Personal data: any information related to a natural person that can be used to identify the person directly or indirectly
  • Processing: any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.

When does a Data Protection Impact Assessment (DPIA) need to be carried out?

A DPIA is an assessment that evaluates the necessity and proportionality of data processing in order to manage the risk to data subjects and to ensure that their rights are adequately protected. The GDPR requires a DPIA only for high-risk data processing activities.