{"id":4688,"date":"2023-01-03T10:31:53","date_gmt":"2023-01-03T10:31:53","guid":{"rendered":"https:\/\/backoffice.as\/?page_id=4688"},"modified":"2023-03-08T05:10:49","modified_gmt":"2023-03-08T05:10:49","slug":"gdpr","status":"publish","type":"page","link":"http:\/\/backoffice.as\/en\/gdpr\/","title":{"rendered":"GDPR"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t
<\/div>\n\t\t\t\t\t\t
\n\t\t\t\n\t\n\t\n\t\n<\/svg>\t\t<\/div>\n\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

General Data Protection Regulation (GDPR)<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Let's start with the simple:<\/h2>
  1. Remote access by a company outside the EEA to data in a Norwegian company is considered a transfer.<\/li>
  2. It is not illegal to transfer accounting data without personal data.<\/li>
  3. In order for you to legally transfer personal data out of the EEA, you must, among other things, have the right routines and agreements in place that ensure a sufficient level of protection on the same lines as in the EEA.<\/li>
  4. For the transfer of sensitive personal data, additional and extended measures must be considered.<\/li><\/ol>

    1. What is a transfer?<\/h2>

    It is not a transfer when you are on holiday outside the EEA and remotely connect to the accounting program to make payroll for a customer. The reason is that the employee (you) is not another data controller, joint data controller or data processor.
    If there is an employee of a company outside the EEA who has the same remote access and makes the payroll run for your customer, this is considered a transfer, even if no data is downloaded. You must then ensure that the personal data is adequately secured.<\/p>

    2. What is a personal data?<\/h2>

    Directly from the Norwegian Data Protection Authority: Personal data | The Norwegian Data Protection Authority<\/a>
    Personal information is all information and assessments that can be linked to you as an individual. Typical personal data are name, address, telephone number, e-mail and social security number. An image is considered personal data if people can be recognised, and audio recordings can be personal data even if no names are mentioned in the recording. Biometrics such as fingerprints, iris patterns, head shape (for facial recognition) are also personal data. etc.<\/p>

    3. Transfer personal data out of the EEA<\/h2>

    The Norwegian Data Protection Authority's websites and the helpline provide very good information. We have been in constant contact with them to find the right agreements and how to fill them out. See about the businesses' duties: Transfer of personal data outside the EEA | The Norwegian Data Protection Authority. <\/a>Before data is transferred, a separate agreement must be drawn up that secures the personal data. We use the version of the Standard Contractual Clauses with annexes that the Norwegian Data Protection Authority has recommended to us. The contract, routines around security and our transparency towards our customers ensure proper processing of personal data outside the EEA.<\/p>

    Our agreements regarding personal data have been reviewed and quality assured by the law firm PricewaterhouseCoopers AS.<\/p>

    4. What is Sensitive personal data (called special categories in the law)?<\/h2>

    The Act defines a number of categories of information that require more processing than other information:<\/p>