General Data Protection Regulation (GDPR)

Let's start with the simple points:

  1. Remote access by a company outside the EEA to data in a Norwegian company is considered a transfer.
  2. It is not illegal to transfer accounting data without personal data.
  3. In order for you to legally transfer personal data out of the EEA, you must, among other things, have the right routines and agreements in place that ensure a sufficient level of protection along the same lines as in the EEA.
  4. For the transfer of sensitive personal data, additional and extended measures must be considered.

1. What is a transfer?

It is not a transfer when you are on holiday outside the EEA and remotely connect to the accounting program to run payroll for a customer. The reason is that the employee (you) is not another data controller, joint data controller or data processor.
If an employee of a company outside the EEA has the same remote access and runs the payroll for your customer, this is considered a transfer, even if no data is downloaded. You must then ensure that the personal data is adequately secured.

2. What is personal data?

Directly from the Norwegian Data Protection Authority's page "Personal data":
Personal information is all information and assessments that can be linked to you as an individual. Typical personal data are name, address, telephone number, e-mail and social security number. An image is considered personal data if people can be recognised, and audio recordings can be personal data even if no names are mentioned in the recording. Biometrics such as fingerprints, iris patterns, head shape (for facial recognition) are also personal data, etc.

3. Transfer personal data out of the EEA

The Norwegian Data Protection Authority's websites and helpline provide very good information. We have been in constant contact with them to find the right agreements and how to fill them out. For the businesses' duties, see "Transfer of personal data outside the EEA" on the Norwegian Data Protection Authority's website. Before data is transferred, a separate agreement must be drawn up that secures the personal data. We use the version of the Standard Contractual Clauses with annexes that the Norwegian Data Protection Authority has recommended to us. The contract, routines around security and our transparency towards our customers ensure proper processing of personal data outside the EEA.

Our agreements regarding personal data have been reviewed and quality assured by the law firm PricewaterhouseCoopers AS.

4. What is sensitive personal data (called special categories in the law)?

The Act defines a number of categories of information that require more processing than other information:

  • information on ethnic origin
  • information about political opinion
  • information about religion
  • information about philosophical beliefs
  • information about trade union membership
  • genetic information
  • biometric information for the purpose of uniquely identifying someone
  • health information
  • information about sexual relationships
  • information about sexual orientation

We have also created routines for work tasks so that sensitive information can be legally processed outside the EEA.

How does the Back Office ensure that personal data is processed in a legal manner outside the EEA?

We use the Norwegian Data Protection Authority's Data Processing Agreement (see "How to create a data processor agreement?" on the Norwegian Data Protection Authority's website), which is approved by the European Data Protection Board (EDPB).

In addition, we use Standard Contractual Clauses (SCC), which contain the European Commission's standard privacy regulations (see "Transfer of personal data outside the EEA" on the Norwegian Data Protection Authority's website).

These two agreements, with attachments, provide a detailed description of responsibility, security and how the personal data must be processed to ensure that Europeans' personal data is as well protected after the "transfer" to a third country as it is in the EEA.
