Accountor is trustworthy, responsible, and ethical towards our clients, partners, employees, directors, and other stakeholders in all of our operations. As a professional service provider, we take responsibility for complying with applicable laws as well as authorities’ decisions. We are also committed to following the best industry practices in our processing operations. We handle all personal data responsibly and confidentially. This is essential to fulfill our mission, which is to be the leading partner for companies of all sizes and to enhance employee experience.
Accountor may have different obligations regarding data protection. They depend on its role in the data processing activities.
Accountor as a service provider is a data processor
As a data processor, Accountor processes personal data on behalf of our customers as part of service delivery. In this role, Accountor will only process personal data for the purpose of fulfilling contractual obligations towards our customers. Accountor is the processor, for example, when providing
- payroll services;
- accounting services; or
- related IT-services.
In such cases, Accountor’s customers are defined as data controllers. They are responsible for the lawfulness of the processing. Accountor and the customers agree on the details of the personal data processing through a data processing agreement. Our standardized agreement contains necessary clauses to ensure compliance with privacy laws while also enabling provision of high-quality services.
When Accountor licenses software to customers who operate it independently, Accountor is a data processor. This, however, is limited to the extent that it has access to the customer’s environment, for example when providing remote IT support.
Accountor as a data controller
Accountor is a data controller when it processes personal data for its own benefit and decides how and for what purposes the data is processed. In such cases, we typically process personal data of our customers’ representatives, decision makers, and other contact persons. Further, the same applies when we provide purely consulting services e.g., legal or tax consultation. As a controller, Accountor is responsible for the lawfulness of the processing.
In these cases, data may be processed e.g., for
- developing new services;
- managing our relationship with the customer; or
- marketing our services.
Accountor is also a data controller when it processes personal data of its employees or leased employees in an employment relation.
You may find more information on how Accountor processes personal data here.
How Accountor is complying with the Data Protection Laws
Accountor has a governance framework to ensure compliance with privacy laws, internal policies, and industry best practices. We have established dedicated privacy roles across our organization. In our governance model, the Risk and Compliance Committee, consisting of selected leadership team members, governs and monitors privacy compliance and related risks at the group level with the help of the Data Protection Officer (DPO). The DPO reports to the Chief Information Officer (CIO), who is a member of the Accountor Leadership Team.
Each business unit is responsible for the implementation of data protection requirements in its operations. The data protection managers provide operational privacy support for the units. The data protection managers are part of the group privacy team led by the DPO.
We have a data protection policy approved by the Risk and Compliance Committee. The policy is the basis for more detailed instructions on specific areas of data protection. Such instructions often also include methods for implementation in practice, e.g., risk assessment or supplier compliance verification templates.
Training and awareness
Our personnel have completed regular mandatory training on data protection. In addition, we have more advanced training for selected stakeholders in, e.g., service development, HR, and marketing. We carry out awareness initiatives and communicate on topical data protection matters through the intranet and other communication channels.
We have defined and implemented relevant privacy processes. For example, we have a process to handle personal data breaches in which the breach is appropriately addressed, possible risks are mitigated, and relevant stakeholders are notified. Further, to the extent applicable, we assess all privacy risks before starting new processing activities through a standardized method in order to ensure individuals’ rights.
We use trustworthy (sub-)processors as our suppliers and have a method to verify their compliance with applicable privacy requirements. We conclude appropriate data processing agreements with the processors including clauses necessary to protect the rights of individuals.
Accountor seeks to demonstrate its compliance with the help of methods and tools that are selected on a case-by-case basis. The methods may include, e.g., a privacy annual clock, reviews, or audits. Compliance maturity and development activities are reported to top management in an appropriate manner, for example through monthly business reviews.
Accountor has an information security framework that is aligned with industry best practices and applicable laws. Our Information Security policy is approved by the Risk and Compliance Committee and reviewed yearly. The policy is implemented through more detailed instructions derived from it as well as through daily practices. ISO27001 has been the guiding framework for the policy, instructions and practices.
Information security is managed by the group information security team. The team is led by the Group Information Security Officer, who reports to the CIO, who in turn reports to Accountor’s CEO. Information Security operations include performing risk assessments and audits, creating work plans to reduce risks, and implementing those work plans. Implementation of security activities is documented and regularly reviewed. Accountor carries out yearly training for its employees on information security. The training reflects the policy and instructions to ensure compliance with applicable requirements.
We appreciate you contacting us. If you have any questions or concerns about data protection or would like to exercise your rights as an individual, please do not hesitate to contact us at firstname.lastname@example.org.
Useful links: Accountor Privacy Statements