ERATIO – Privacy Statement
Personal privacy and security are of utmost importance and supersede any other requirements.
Use outside ERATIO of data that is either entered by the Customer or collected on behalf of the Customer requires the Customer’s explicit consent. The same applies to Customers’ Employees.
Scope and Acceptance
This Privacy Statement applies to all business processes in ERATIO and to all websites, domains, mobile solutions, cloud services and communities as well as ERATIO-branded websites and third party social networks (e.g. Facebook).
The Statement provides information about data processing carried out by ERATIO.
Personal data is information that can identify you as a person, such as an email address, street address or phone number. Processing your personal data is necessary for us to serve you. By providing us with your personal data, you accept the practices and terms described in this Privacy Statement. Please do not use ERATIO’s sites or services, or provide your personal data if you do not agree.
Data Processing Agreement (DPA)
We are utilising Visma online services and Norlønn online services, ensuring all data is properly managed according to GDPR. These services support collecting personnel data via apps, meaning you don’t send personal and sensitive data via insecure channels such as email. Email is stored on many non-secured devices (laptop, mobile phone, mobile pads etc.), and there is a high potential risk of sensitive data being stored without proper consent. For this reason, ERATIO automatically deletes non-managed emails after 6 months.
The 24SO DPA, Visma Trust Center and Norlønn DPA provide information related to GDPR and security. These DPAs are applicable to all ERATIO’s customers, and we neither store nor process sensitive, personal data in any other systems.
The DPA related to ERATIO’s processing of personal data is incorporated in our agreement (Oppdragsavtale for Regnskapstjenester).
We do not offer customer-specific DPAs.
Whose Data we Process
We process data about Customers, and our Customers’ employees, as provided by the Customer and Customers’ employees.
In this Statement, data subjects may also be referred to as persons or you.
What Data we Process
We process data as required by law and as per agreement with Customer.
- Financial company data for bookkeeping and reporting to the government
- Contact information for customer contact person(s):
  - First name, last name, email address, phone number
  - Tags such as “Customer”, “Payroll”, “Newsletter” for information via email
  - Confirmation of emails opened, and links clicked in emails
- Employee data:
  - First name, last name, address – For payroll services
  - Social security number – For payroll services
  - Email address – For payroll services (sending digital payslips)
  - Tax information – For payroll services
  - Bank account number – For payroll services
  - Job title and salary – For payroll services
  - Union membership – For payroll services
- What we don’t process or store:
  - Political or philosophical affiliation
  - Health information
  - Sexual orientation
  - Genetic or biometric data
Data Security and Retention
How we keep your personal data secure
ERATIO takes the trust you place in us seriously. We are committed to preventing unauthorized access, disclosure or other deviant processing of your data. Furthermore, we are committed to ensuring proper use of the information, maintaining data integrity and securing data availability. As part of our commitment, we utilize reasonable and appropriate physical, technical, and administrative procedures and measures to safeguard the information we collect and process. ERATIO has implemented a number of security measures, including:
- Secure operating environments – ERATIO stores your data in secure operating cloud environments that are only accessible to ERATIO employees and subcontractors on a need-to-know basis. We also follow generally accepted industry standards in this respect and ensure subcontractors do the same.
- Encryption of personal data and payment information – ERATIO uses industry-standard encryption to provide protection for sensitive information, such as personal data and credit card information, sent over the Internet.
- Prior authentication for account access – ERATIO requires its registered users to verify their identity (e.g. login ID and password) before they can access or make changes to their account in order to prevent unauthorized access.
- Multi Factor Authentication (MFA) – ERATIO employees are required and forced to use 2-factor authentication to log in to systems holding sensitive personal data.
Please note that these protections do not apply to the personal data that you choose to share in public areas such as social media.
How long we store your personal data
ERATIO will only retain your personal data for as long as necessary for the stated purpose and as required by law, while also taking into account our need to answer queries or resolve problems and to comply with legal requirements under applicable laws, e.g. Bokføringsloven in Norway.
This means that we may retain your personal data for a reasonable period after your last interaction with us. When the personal data that we collect is no longer required in this way, we destroy or delete it in a secure manner. We may process data for statistical purposes, but in such cases, data will be anonymised.
For as long as you have a current agreement, you may initiate porting (export) of your data.
Subcontractors and Export of Personal Data
In some cases, we will use subcontractors to process personal data. These subcontractors are typically vendors of cloud services or other IT hosting services. When using subcontractors, ERATIO enters into a data processing agreement (DPA) in order to safeguard your privacy rights.
If the processing of data is performed outside of the EU, we will make sure that the DPA is based on the EU Standard Contractual Clauses or that the data importer is certified according to the EU/US Privacy Shield framework. In such cases, we will also inform our Customers about the export of data. ERATIO is not responsible for providing such information to data subjects whose data is controlled by our Customers.
Changes to this Statement
If we modify our Privacy Statement, we will post the revised statement here, with an updated revision date. We encourage you to review the Statement regularly. If we make significant changes to our Statement that materially alter our privacy practices, we may also notify you by other means, such as sending an email or posting a notice on our corporate website and/or social media pages prior to the changes taking effect.
This Privacy Statement was last updated 01.08.2019 (24SO introduced).
How to Contact us
We value your opinion. If you have any comments or questions about our Privacy Statement, any unresolved privacy or data use concerns that we have not addressed satisfactorily, or concerning a possible breach of your privacy, please send them to firstname.lastname@example.org.
We will handle your requests or complaints confidentially. Our representative will contact you to address your concerns and outline the options regarding how these may be resolved. We aim to ensure that complaints are resolved in a timely and appropriate manner.
If you have questions regarding information we have stored about you, feel free to email us and we will contact you shortly.