2020-01-21

För information på svenska - klicka här!

Information about our processing of personal data in connection with customer assignments.

In connection with customer assignments, Aspia AB (corporate reg. no. 559137-8350) (below ”Aspia”, ”us” and/or ”we”) will process certain personal data in capacity as a data controller. We inform you as a Client representative herein of how we, as a data controller, process your personal data.

The purpose of this notice is to inform you as a representative, authorized signatory, owner or similar (“representative”) of our Client of how we process your personal data and your rights connected to the processing. We process your personal data in accordance with applicable data protection law, including the General Data Protection Regulation (the “GDPR”), and have taken technical and organizational measures necessary to protect the personal data. For information on how we process personal data for marketing purposes, or within the scope of our sales process, please see the privacy notice on our website.

The Client undertakes to share this notice to all its representatives which personal data Aspia processes in accordance with this notice.

What personal data do we process?

Registration of contact persons in client register and administration of the assignment

Prior to and during the assignment, Aspia processes contact information (e.g. name, personal ID no., address, phone no. and email) and details about the engagement contract (e.g. signature of the engagement contract or information provided to us in correspondence) of the Client’s representatives in Aspia’s client register. The processing is necessary to administer the assignment and to invoice for work performed. The legal basis for this processing is our legitimate interest and to be able to perform the engagement contract. We keep this information for as long as necessary to fulfil the engagement contract, or as long as necessary in accordance with mandatory archiving and accounting rules (a minimum period of seven years).

Know-your-customer and anti-money laundering measures according to anti-money laundering laws

Personal data concerning representatives is processed in connection with the Client and/or assignment acceptance process, and continuously during the assignment, to fulfil and maintain necessary know-your-customer (“KYC”) measures, as well as to undertake and document measures pursuant to the Swedish act on measures against anti-money laundering and financing of terrorism (the “anti-money laundering law”). Such processing is necessary to fulfil applicable legal obligations. We process your contact information (e.g. name, personal ID no., address, phone no. and email) and in some cases copies of personal identification documents. If you are in a leading position/owner, we also perform background checks (to confirm the beneficial owner), and may also process information about criminal convictions and offences. Personal data processed for anti-money laundering purposes will be retained for a minimum of five years after the engagement contract has been terminated, but may in certain cases be retained for up to ten years.

Risk and client due diligence assessments according to industry standards

We process your personal data (e.g. name, personal ID no., address, phone no. and email) and certain publicly available information to perform risk assessments of assignments and clients, in accordance with industry standards (e.g. FAR, the Swedish institute for auditors, accounting consultants, tax advisers, payroll consultants, and specialists, and Reko, the Swedish standard for accounting and payroll services). We also perform financial background checks for this purpose. Our legal basis for the risk assessments is a balancing of interests test, where we have a legitimate interest to manage risks in our organization as well as a professional obligation to comply with FAR’s standards. Personal data processed for risk assessments and client due diligence are retained for ten years after the engagement contract has been terminated.

Business monitoring and statistics 

After termination of an assignment, Aspia may process contact details of representatives (e.g. name, personal ID no., address, phone no. and email) to carry out business monitoring and statistics. This processing is based on a balancing of interests test to satisfy our legitimate interest to perform business monitoring and to prepare general statistics, e.g. to evaluate client satisfaction or to conduct internal reporting to owners and stakeholders (e.g. banks). The processing will be carried out during the term of the engagement contract and to fulfil the purpose of these processing activities. We will retain the information for three years after the engagement contract has been terminated. We will thereafter retain statistics of aggregated information (information which may not identify you as a data subject).

FAR’s industry standards and quality controls 

Aspia is a member of the industry standard organization FAR and operates in accordance with the Swedish standard on accounting and payroll services, Reko. Reko is a well-known quality standard and thereby normative for the practice and performance of accounting and payroll services. As a FAR member, Aspia is subject to quality controls on a regular basis. Within the scope of such controls, personal data processed previously in the scope of assignments may be processed again, for the purpose of conducting quality controls of performed work within the assignment, in accordance with Aspia’s legitimate interest to fulfil the requirements set out by FAR as the legal basis. Personal data processed for this purpose is the personal data included in our working papers (e.g. contact details, documentation for acceptance/re-assessment of the assignment, engagement contracts, assignment planning, information about performed tasks, notes, provided advice and reports, routine, descriptions, etc. in accordance with Reko’s requirements). Personal data included in our working papers, which is necessary in order to comply with FAR’s requirements and to conduct quality controls, will be retained for ten years after the contract has been terminated.

The establishment, exercise or defence of legal claims 

We will retain working papers based on a balancing of interests test to satisfy our legitimate interest to document the assignment. Personal data necessary to fulfil this purpose will therefore also be retained. In the event of a legal claim,  personal data retained and included in working papers (e.g. name, address, phone no., email and personal data used for background and risk assessments, see above) will be processed in order to establish, exercise or defend Aspia from legal claims. Personal data will be retained for ten years after the assignment has been terminated to fulfil this purpose.

Where is the personal data from?

Personal data processed for the above purposes are provided by the representative, the Client, the Client’s group companies, the Swedish Tax Authority, the Swedish Companies Registration Office or other public sources and databases. 

Transfer and disclosure of personal data

We are required to ensure that the information processed within the scope of the assignment is not accessible for unauthorized persons, implying that the personal data will be treated confidentially. In certain cases, we need to transfer personal data, which will be done in accordance with the GDPR, please see below.

Data processors 

In order to fulfil our purposes with the personal data processing, we engage service providers of IT, archiving services, email services, pre-systems in relation to our assignments (e.g. for our payroll, accounting, tax and advisory services), service providers of public databases and monitoring systems, document management systems and others processing personal on Aspia’s behalf (in capacity as data processors). Aspia’s data processors are only permitted to process personal data in accordance with Aspia’s instructions. Data processors are also required by law to take appropriate technical and organizational security measures to protect the personal data.

Companies within the Aspia group

We may also transfer personal data to other companies within the Aspia group for administrative purposes, internal reporting, and to fulfil the processing purposes described in this privacy notice.

Other data controllers and authorities

We may also disclose personal data to other recipients, e.g. to perform quality controls, conduct risk assessments, comply with applicable law or a request/order from a competent court or authority (e.g. the competent county administration in terms of KYC and anti-money laundering measures), financial reporting to owners and banks, reporting to FAR, and to satisfy Aspia’s legitimate interest to establish, exercise or defend Aspia from legal claims (e.g. debt settlement companies and/or authorities, such as debt collectors and bankruptcy trustees). We may also disclose personal data to insurance companies or advisors in conjunction with legal proceedings to the extent necessary to satisfy our legitimate interests.

Transfer to third countries outside the EU/EEA

Our aim is to process all personal data within the EU/EEA, but we may in certain cases transfer personal data to recipients in countries outside the EU/EEA, which may not have the same level of protection of the personal data as in the EU. Necessary measures will be taken to ensure that the personal data is adequately protected, e.g. by entering into the EU Commission’s standard contractual clauses (available here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en) or ensure that other appropriate security measures are in place.

Protection of personal data 

We are responsible for protecting the personal data processed through necessary technical and organizational security measures, taking into account what is appropriate considering the character and sensitivity of the personal data. Our systems and our organization are arranged to avoid access by unauthorized persons to the personal data processed in relation to the assignment. The processing of the personal data is not conducted beyond the necessary purposes and timeframes.

Your rights 

You have certain rights in relation to how we process your personal data:

  • Right of access (copy of your personal data) - you have the right to request information about what personal data we process about you, e.g. by requesting a copy of your personal data.

  • Right to rectification - you have the right to request rectification or completion of your personal data, if you believe that personal data about you is inaccurate or incomplete.

  • Right to object to processing for direct marketing purposes - you may at any time unsubscribe to send-outs by notifying us, e.g. by clicking on the unsubscription link in the email. 

  • Right to object to processing based on Aspia’s legitimate interest - you have, in certain instances, right to object to our processing, and we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests.

  • Right to restriction of the processing - you may request that we restrict the processing, e.g. if you consider that the personal data is inaccurate or if the personal data is no longer necessary for the purpose.

  • Right to erasure - you may in certain instances request us to erase your personal data, e.g. if the personal data is no longer necessary for the purpose of the processing, or if you consider that the processing is unlawful in accordance to applicable data protection law.

  • Right to data portability - in certain cases, you have the right to request access to the personal data about you in a structured, commonly used and machine-readable format (data portability) and transfer the personal data to another data controller.

Please note that we are required to retain personal data processed for the acceptance or re-assessment of an assignment for at least ten years. This implies that we are not permitted to erase personal data included in such documentation within this time period, and in certain instances it is not permitted to rectify the personal data. Due to the said reasons, it is not possible to fulfil a data subject request relating to restriction or limitation of the processing.

Contact details 

If you have any questions, you may contact us through personuppgiftsombudet@aspia.se or at; Data Protection Responsible, Aspia AB, Box 6350, 102 35 Stockholm. You also have the right to turn to the competent data protection supervisory authority, (Integritetsskyddsmyndigheten, IMY: www.imy.se) if you have a complaint.