Privacy Compliance
Accountor is trustworthy, responsible, and ethical towards our clients, partners, employees, directors, and other stakeholders in all our operations. As a professional service provider, we take responsibility to comply with applicable laws as well as authorities’ decisions. We are also committed to follow best industry practices in our processing operations. We handle all personal data responsibly and confidentially. This is essential to fulfill our mission which is to be the leading partner for companies of all sizes and to enhance employee experience.
Accountor's Roles
Accountor may have different obligations regarding data protection based on its role in the processing activities.
Accountor as a service provider is a data processor
As a data processor Accountor is processing personal data on behalf of our customers as part of service delivery. In this role, Accountor will only process personal data for the purpose of fulfilling contractual obligations towards customers. Accountor is the processor e.g., when providing
- payroll services
- accounting services
- hosted IT-services
In the given case, Accountor’s customers are data controllers responsible for the lawfulness of the processing. Accountor and customers agree on details of the personal data processing through a data processing agreement. Our standardized agreement contains necessary clauses to ensure compliance with privacy laws while also enabling provision of high-class services.
When Accountor licenses software to customers who operate it independently on their own, Accountor is a processor to the extent it has access to customer’s environment, for example when providing remote IT-support.
Accountor as a data controller
Accountor is a data controller when it processes personal data for its own benefit and decides how and for what purposes data is processed. In such cases, we typically process personal data of our customer’s representatives, decision makers, and other contact persons. Further, the same applies when we provide purely consulting services e.g., legal or tax consultation. As a controller Accountor is responsible for the lawfulness of the processing.
In these cases, data may be processed e.g., for
- developing new services
- managing our relationship with the customer
- marketing our services
Accountor is also a controller when it is processing personal data of its employees or leased employees in the employment relation.
You may find more information how Accountor processes personal data here.
How Accountor is complying with the Data Protection Laws
Governance
Accountor has a governance framework to ensure compliance with privacy laws, internal policies, and industry best practices. We have established dedicated privacy roles across our organization. In our governance model Risk and Compliance Committee, consisting of selected leaderment team members, governs and monitors privacy compliance and related risks
Each business unit is responsible for the implementation of data protection requirements in their operations. Operational privacy support for units is provided by data protection managers, other local privacy experts or local legal team. We have a data protection policy approved by Risk and Compliance Committee as a basis of more detailed instructions on specific areas of data protection. Such instructions often include also methods for implementation in practice e.g., risk assessment or supplier compliance verification templates.
Training and awareness
Our personnel has received mandatory trainings on data protection. In addition, we have more advanced training for selected stakeholders in e.g., service development, HR, and marketing.
We carry out awareness initiatives and communicate on topical data protection topics through intranet and other communication channels.
Privacy processes
We have defined and implemented relevant privacy processes. For example, we have a process to handle personal data breaches wherein the breach is appropriately addressed, possible risks mitigated, and notified to relevant stakeholders. Further, to the extent applicable, we assess privacy risk before starting new processing activities through a standardized method in order to ensure individual’s rights.
Processors
We use trustworthy (sub-)processors as our suppliers and have a method to verify their compliance with applicable privacy requirements. We conclude appropriate data processing agreements with the processors including clauses necessary to protect rights of individuals.
Accountability
Accountor pursues to demonstrate its compliance with help of methods and tools which are selected on the case-by-case basis. Methods may include e.g. privacy year clock, reviews, or audits. Compliance maturity and development activities are reported to the top management in appropriate manner for example through monthly business reviews.
Information Security
Accountor has information security framework that is aligned with industry best practices and applicable laws. Information Security policy is approved by Risk and Compliance Committee and reviewed yearly. Policy is implemented through more detailed instructions derived therefrom as well as with daily practices. ISO27001 has been the guiding framework for policy, instructions and practices.
Information security is managed by information security team. Team is led by Chief Information Security Officer, who in turn reports to top management. Information Security operations include performing risk assessments and audits, creating work plans to reduce risks, and implementing those work plans. Implementation of security activities are documented and regularly reviewed.
Accountor has yearly trainings on information security reflecting the policy and instructions to ensure compliance with applicable requirements.
Contact us
We appreciate you contacting us. If you have any questions or concerns on data protection or would like to exercise your rights as an individual, please do not hesitate to contact us at privacy@accountor.com.
Useful links: Accountor Privacy Statements