1. Home>

Privacy compliance with SD Worx Nordics

The decisions you make with respect to the processing of your data are critical for ensuring compliance with your obligations under the General Data Protection Regulation (GDPR). But how will you comply with these obligations while also meeting your legal requirements under national legislation and your specific business needs?

Classify your data with our classification program in line with data protection principles to simplify compliance. Meet your legal requirements with ease thanks to our minimum retention times. Do you need to add special purpose categories or set different retention times than those proposed? No problem. Simply tailor these policies to your business needs with our fully customizable solutions.

A processor should merely process your data according to your instructions. We see ourselves as more than just your processor – as your business partner, we are committed to sharing our expertise by building smart features to make your data decisions easier.

To fully use Privacy features in our products we recommend to follow the four simple steps below, choose to follow our standard for data classification and retention or modify settings to suit your business needs.

Don’t hesitate to get in touch if you have any questions.

More information regarding customer processing, can be found here.


First, you will need to define the lawful basis for the processing of your data as we need to know this before we can proceed to the following steps and it may affect the removal process. Separating personal data into privacy categories is a prerequisite for the data report and data export functions, which are important for safeguarding data subject rights. Purpose categories and retention times need to be defined to ensure that statutory requirements and your specific business needs are met, and this will in turn result in your own records of processing. We need you to analyze your data flows so that we can help you set up secure transfer methods and you can establish clearly defined access rights settings.

    1. Mark lawful basis of processing


    Personal data required for performance of employment contract.


    Personal data not necessary for the performance of the employment contract.

    A lawful basis is required for processing personal data. Contract, consent, legitimate interest and statutory law are among the lawfulness categories available. You can use our Records of Processing as a template if you do not process personal data on the basis of consent or legitimate interest.

      2. Classify data for proper management

      Personal data relating indirectly to a person because the chance that it will apply to others is high and the distinctive nature is low.

      Personal data that is unique or highly unique to only on individual.

      Data that is sensitive due to its nature.

      All personal data that is part of our standard configuration is divided into the three categories mentioned above. The sensitive data category is in line with the limitative special categories of processing in the GDPR. Directly identifying personal data and sensitive data will be compiled with your records of processing in a data report to notify your employees of the typical type of data processed and the data export (portability) function will deliver all data in a machine-readable format.

        3. Perform data life-cycle settings

        Data is required for the product to fulfill its purpose.

        Data is required for compliance with a statutory obligation.

        Data that we process but do not need.

        Each lawfulness category may have one or more purposes of processing. We have added several predefined purposes as a recommendation, but you are welcome to adapt them to your business and responsibilities as a controller. The purposes are grouped by purpose classification. You will then need to set retention times based on the purposes of processing. We also provide recommended retention times tailored to your national statutory requirements in our Records of Processing for use at your discretion. Once you have set your purposes of processing and retention times, you will have what you need to prepare your records of processing.

          4. Set up access rights and control data flow

          Direct transmission
          Fewer processing operations on data reduces stress on integrity and accuracy.

          Sensitive or highly unique directly identifying personal data should be encrypted.

          Data should not be accessible to anyone who does not need it or should not have access to it.

          Controlling who has access to data and how it is transferred is essential for maintaining accuracy, integrity and security. Start by analyzing your data flows, especially at the end of the data life cycle. Based on your analysis, we can help you set up email encryption, a direct connection between your company and ours, and/or direct integrations with third parties such as unions, banks and employee benefit providers.