Visma Lön Smart
GDPR in Visma Lön Smart
The General Data Protection Regulation (GDPR) may seem overly complicated. To help you get a better overview, we have gathered information about what you can do to comply with GDPR when working in Visma Lön Smart.
The information on this page refers to the usage of Visma Lön Smart in its basic format. If you have any extensions or integrations with other services you should also look into how GDPR affects those.
All companies that handle personal data and operate within the EU must comply with GDPR (General Data Protection Regulation). This means that you are responsible for ensuring that the personal data of your customers, employees and suppliers is handled securely.
The basic GDPR regulations:
- You may only manage personal data if you comply with all the requirements of the regulation.
- You may only collect personal data for specified purposes.
- You may only collect personal data that is necessary in order for you to fulfil the specified purposes.
- If you are in possession of personal data, the data must be continuously updated and correct.
- When the specified purposes have been fulfilled, the data should be deleted.
- Personal data must be stored securely to prevent it from being altered or stolen.
- You must be able to prove that your processing of personal data complies with the GDPR regulations.
At vismaspcs.se (in Swedish) you will find more general information about GDPR.
Below you see what you can do to meet the GDPR requirements in Visma Lön Smart.
An employee has the right to ask you if you have any of their personal data records registered in the payroll program. In such cases you must be able to share this data with the employee. Take a picture of what is shown on the screen and send the picture to your customer.
According to GDPR, personal data may be stored for as long as the employer needs the data to follow legal obligations, laws and regulations. Personal data which is handled in the payroll process are viewed as bases which may be needed in cases of audits, disputes and controls in order to prove that the legal requirements have been followed. When personal data is registered and linked to transactions in the payroll process, the employee cannot claim the right to have such personal data linked to payroll transactions removed.
When an employee ends their employment at the company you should however delete any data that is not necessary to store. Below you see our recommendation on what data should be deleted.
Delete or pseudonymise data
In Visma Lön Smart it is not possible to delete the data of an employee for whom you have created payslips.
If you have employees that you cannot delete, but for whom you no longer need to store personal data, you can delete that data instead. Read more under Data to delete as soon as the final salary payment has been made.
If you terminate your Visma Lön Smart subscription, you will not be able to make changes to your company. You will only be able to view the information. In such cases you can pseudonymise the employees' sensitive data. To do this, go to each employee under Employees and click on Pseudonymise employee. Data such as address, email address and bank account number will then be removed.
Data to delete as soon as the final pay has been paid
The information in the following fields under Lön Smart - Employees should be deleted when the final pay has been paid.
- Payment to should be changed to Cash so that the settings under Clearing number and Account number are deleted (on the Pay tab).
- Notes (on the Basic information tab), such as next of kin contact details
For employees using additional services, you should deactivate each service and remove their vismaspcs.se login. When the services have been deactivated, the service history will be deleted, since GDPR does not allow data to be stored without a purpose.
Data to delete one year after an employee has ended their employment
Contact and postal information should be saved for a year after an employee has ended their employment at the company. The information in the following fields under Lön Smart - Employees and the Basic information tab should then be deleted:
- Address
- Postcode
- City
- Country
- Phone
- Mobile phone
We recommend that you set up a yearly routine to go through and delete data for any employees who have left the company during the previous year.
Please note that some information must be stored for longer, for example details about employees' pension insurances.
Personal data include any information which, directly or indirectly, may identify a natural person. Please note that a sole proprietorship also classes as a natural person. According to GDPR you may only collect personal data for specified purposes. These purposes may differ between companies, depending on what business they conduct. One purpose could for example entail storing address information in order to invoice a customer.
Examples of personal data include information such as name, address, telephone number and personal identity numbers. However, since the law states that personal data can be any information that directly or indirectly can be linked to a natural person, such data may also include photos or a description of the distinguishable features of a person. For more information we recommend further reading at
According to GDPR, the person whom you have collected personal data about has the right to access the following information:
- who you are
- the purpose of the data collection
- the legal grounds that support it
- whether the information is shared with others
- how long the data will be stored
The person whom you have collected personal data about has the right to request access to the data.
In the program you find personal data in fields that have a fixed purpose, such as name, phone number and address. If a customer requests access to any information that has been stored about them, this data can easily be compiled. Besides fields with a fixed purpose, personal data can also be stored in other parts of the program, such as in free text fields and comments. We recommend that you avoid entering personal data in these fields since it is difficult to locate, analyse and compile this kind of information.
Your program is cloud-based, which means that the personal data you record is stored on our infrastructure supplier’s servers, as well as our servers here at Visma. More information about how data is stored in Visma’s cloud-based programs can be found at www.visma.com/trust-centre.
If you have exported accounting data from Visma Lön Smart, you may also have data stored locally on your computer or any other location where you may have saved these files.
Please note that you are always responsible for the data you have collected, and that GDPR applies no matter how data has been stored or distributed. If you consult a third party supplier, you must therefore establish a data processing agreement between your company and the company you are consulting. Read more about this below.
As a business owner you sometimes transfer personal data to others, often without even thinking about it. Data could for example be transferred to credit reference companies, webshops as well as invoicing and payment solutions. When a so-called third party supplier receives your personal data they become a processor.
As a business owner you are also a controller, meaning that you are always responsible for the data you receive. You are also responsible for any data that is transferred to third party suppliers. In such cases, a data processing agreement between yourself and your third party suppliers is required. Read more about data processing agreement (in Swedish).
Your program is cloud-based, which means that any personal data that you register in the program is stored by Visma Spcs. Because we process personal data on your behalf, we are a third party supplier. Therefore, a data processing agreement between Visma Spcs and yourself should be established. Such an agreement is included in the agreement you approve when you start using your program.