Entities involved in the processing of data
We share personal data with other legal entities within SD Worx group and with other legal entities for the purpose of delivering the agreed services, we thereby distinguish all processing activities by delivery method. Any public legal entities that we share data with are excluded in this overview but can be inferred from the overview under “data processed as part of legal obligations”, we are then either instructed by law to share data or we have expressly agreed the sharing of data with the customer such as there where the law instructs our customers to do so. Data may in this case be shared with foremost governmental agencies such as in the area of taxation, social healthcare, pensions, etc. but also private firms such as banks and insurers.
We are thus distinguishing four different groups of entities with whom we share data.
1. SD Worx group subsidiaries as sub-processors
2. External entities as sub processors
3. Entities assigned by law
4. Entities in the data lifecycle chain providing ancillary services for the customer
SD Worx group subsidiaries as sub-processors
Data Protection and Information Security are central functions within the SD Worx Group and all essential policies and controls are effectuated equally throughout all companies that form part of SD Worx Group. We therefore hold that data delivered for the purposes of our fulfilment of a contractual obligation to one of the subsidiaries of SD Worx Group is to be considered as data delivered to all subsidiaries of SD Worx Group. The data exchanged between subsidiaries may however be limited based on the delivery model chosen and the country of operations.
On premise (OP)
During a normal on-premise delivery, the customer has the database containing personal data in-house and we are therefore unable to access the data without permission from the customer. All requirements relating to GDPR compliance mentioned on https://www.sdworx.com/en-en/gdpr are applicable to all our products but as the market has shifted towards a cloud service based model we do have more of our newer products available for this model which may mean that functionalities are delivered through an onsite custom installation. Please contact our consulting team for more information.
Outside of onsite installations and maintenance of our products we may be able to access personal data in the normal course of business such as when providing support. In this case you as a customer will be taking initial contact and need to be aware of privacy best practice and operating standards.
Support Services. Any data delivered to us that may contain personal data is not identified as such there where it concerns the normal day-to-day business activities. E-mail and support tickets send to us are send over a trusted network but are left unencrypted. Such E-mails may contain personal data send to us and the sender should be aware that no large amounts of data are send in the text body of the E-mail. In this case think before you send applies and customers will be made aware and our staff will be trained to avoid unnecessary sharing of data.
Technical support services. Customer data for testing or for resolving errors in software or in the handling of software is only used upon consent from customer and preferably within customer environment. The data delivered to us in form of any attachment is removed within two years. We are sending files that may likely contain larger records of personal data such as CSV (excel) or XML files only encrypted and reduce where possible unique identifiers such as personal identification numbers. Of any files delivered to us that may likely contain sensitive data please ensure to:
1. Send files encrypted;
2. Filter personal data and alter by for example anonymizing where possible.
The information under “support services” and “technical support services” applies also to our cloud customers. Otherwise our software as a service will not entail the transfer of large data files as we already are in possession of the database. It is therefore also that we have a special responsibility towards your data. Your data is handled by our centralized Cloud Team with offices in Espoo, Finland. Here delivery management, change management, information security management are working close together to ensure both availability and integrity of your data. Under technical and organisational security measures you will be able to find more information on how your data is safeguarded and respected.
Business Process Outsourcing (BPO)
Business Process Outsourcing is foremost done through the entities marked with “BPO” in the company name and data received in the execution of tasks is normally not shared outside the country of operations.
|Entity name||Country||Business ID||Address||Main processing activities||Applicable for Delivery Model|
|SD Worx Finland Oy||Finland||2644026-6||PO Box 201, 02631 Espoo, Finland||Main processor for customers within private sector in Finland (excl. BPO customers) ; software support, maintenance and consultancy services for all customers in the private and public sectors||X||X|
|SD Worx Finland Oy||Finland||2644026-6||PO Box 201, 02631 Espoo, Finland||Cloud hosting, development, support and maintenance; IT security; technical consultancy; software support, maintenance and consultancy for all Cloud and BPO Customers of SD Worx in the Nordics||X|
|SD Worx Finland Oy||Finland||2644026-6||PO Box 201, 02631 Espoo, Finland||Main processor for BPO customers in Finland. Business process outsourcing services in Finland; payroll, travel management and super user services|
|SD Worx Estonia Oü||Estonia||11180790||Mäealuse 2/2
EE-12918 Tallinn, Estonia
|Business process outsourcing services from Estonia, if and as agreed with the customer in the master agreement|
|SD Worx Sweden AB||Sweden||556935-7857||Box 1102, 172 22 Sundbyberg, Sweden||Main processor for customers within private sector in Sweden (excl. BPO customers); software support, maintenance and consultancy services for all customers||X||X|
|SD Worx Sweden AB||Sweden||556935-7857||Box 1102, 172 22 Sundbyberg, Sweden||Cloud development, support and maintenance; IT security; technical consultancy; software support, maintenance and consultancy||X|
|SD Worx Sweden AB||Sweden||556935-7857||Box 1102, 172 22 Sundbyberg, Sweden||Main processor for BPO customers in Sweden; Business process outsourcing services in Sweden, payroll, travel management and super user services.|
|SD Worx Norway AS||Norway||913143663||Trelastgata 3, 0191 Oslo||Main processor for customers within private sector in Norway (excl. BPO customers); software support, maintenance and consultancy services for customers
Cloud development, support and maintenance; IT security; technical consultancy; software support, maintenance and consultancy
|SD Worx Norway AS||Norway||913143663||Trelastgata 3, 0191 Oslo||Main processor for BPO customers in Norway. Business process outsourcing services in Norway; payroll, travel management and super user services|
External entities as sub-processors
As part of our service delivery we may use external parties, in the case where such external parties have access to personal data these are listed here. Based on the access to personal data these sub-processors have received a criticality status critical or major. There where the sub-processor is listed as critical the sub-processor is subject to an on-site audit according to our audit policy.
Technical Support Services, customer data only used upon consent from customer and preferably within customer environment. There are limited entities that may be involved in sub processing and this is only due access to support incidents or through additional products purchased.
For cloud service management we have strategical partners for the provision of hosting services and back-ups management. Please find more information below.
Business Process Outsourcing (BPO)
As part of the business process outsourcing delivery model we have partnerships with companies foremost for the provision of ancillary services such as printing and postage of payslips, such ancillary services are always agreed on in the master agreement. Please find more information below.
|General Information||Selection criteria|
|Entity name||Country of processing||Business ID||Address||Main processing activities||Delivery Model²||Countryᶾ||Customer Scope||Processor since4|
|Microsoft AB||Netherlands /EU||502052-1307||Microsoft Ireland Operations Limited One Microsoft Place, South County Industrial Park, Leopardstown, Dublin 18, D18 P521||Access to information from SD Worx support incidents for internal applications that may contain personal data.||X||X||X||NORDIC||ALL||May-18|
|Elisa Oyj*||Finland||0116510-6||Ratavartijankatu 5 00520 Helsinki||Hosting of all SD Worx cloud delivered applications||X||X||NORDIC||ALL||May-18|
|NetNordic (Formerly known as Fiarone Oy)||Finland||2342645-0||Nereis Business Garden
|Security Event Monitoring and Storage||X||X||NORDIC||ALL||Apr-20|
|ProACT Finland Oy||Finland||1084241-2||Elimäenkatu 17-19 00510 Helsinki||Proact Oy is Maintenance and hardware operations partner and service provider to SD Worx Cloud and Internal ICT operations||X||X||NORDIC||ALL||May-18|
|DNA Oyj||Finland||0592509-6||Läkkisepäntie 21, 00620 Helsinki||DNA / Telenor Finland is Service provider in area of Datacenter services and Datacenter infrastructure without access to any of SD Worx systems located in DNA Premises||X||X||NORDIC||ALL||Aug-20|
|Sønderup I/S||Denmark||3.2E+07||Jyllandsgade 9, 4100 Ringsted||Partner for BPO Delivery in Denmark||X||DK||ALL||May-18|
|Microsoft Azure||Netherlands /EU||502052-1307||Microsoft Ireland Operations Limited One Microsoft Place, South County Industrial Park, Leopardstown, Dublin 18, D18 P521||Access to information from support incidents for SD Worx Pay and hosting platform for SD Worx Pay and SD Worx Analytics||X||X||SE||BASED ON PURCHASED PRODUCT||May-18|
|Rely Sweden AB||Sweden||556744-5589||Gånstavägen 4, 749 43 Enköping||Partner for HR (Personec HR) and TEIS and XAIS support||X||X||X||SE||BASED ON PURCHASED PRODUCT||May-18|
|Posti Group Oyj||Finland||1531864-4||Postintaival 7, 00230 Helsinki||Printing services, delivery services, transferring services to home addresses of pay slip or employment related information||X||FI||BASED ON AGREEMENT||May-18|
|POSTI MESSAGING AS||Norway||9.7E+08||Sven Oftedals vei 8A 0950 Oslo||Printing services, delivery services, transferring services to home addresses of pay slip or employment related information||X||NO||BASED ON AGREEMENT||May-18|
|Taavi Tarkvara OÜ||Estonia||1E+07||Turu plats 5-17, Tallinn 11611, Eesti||Payroll and HR software provider in Estonia.||X||EE||BASED ON AGREEMENT||May-18|
|Lessor A/S||Denmark||2420010||Engholm Parkvej 8 3450 Allerød||SaaS delivery of Lessor payroll solution in Denmark||X||X||DK||BASED ON AGREEMENT||Jun-20|
|Evry Norge AS||Norway||933 012 867||Postboks 4, 1330 Fornebu||Hosting of Payroll solution dedicated for customer||X||NO||ONE CUSTOMER||May-18|
|Talentech AB||Sweden||556675-7810||Rosenlunds gatan 52, 118 63 Stockholm||Recruitment software Reachmee as SaaS service (storage, system admin, support )||X||X||NORDIC||RESELLER, BASED ON PURCHASED PRODUCT||May-18|
|Iver Sverige AB||Sweden||556575-3042||Sveavägen 143, 113 46 Stockholm||Provision of hosting services for above mentioned ReachMee recruitment software.||X||X||NORDIC||RESELLER, BASED ON PURCHASED PRODUCT||May-18|
|Scrive AB||Sweden||556816-6804||Grev Turegatan 11A, 114 46 Stockholm||Partner to SD Worx to provide SaaS service and mobile apps for e-signing of documents||X||X||NORDIC||RESELLER, BASED ON PURCHASED PRODUCT||Dec-18|
|Cilron Oy||Finland||3267131-9||Sahakuja 4, 05800 Hyvinkää||Support services for SD Worx solutions, cloud hosting and support services relating to Cilron Ontime||X||X||FI||RESELLER, BASED ON PURCHASED SERVICE/ PRODUCT||May-18|
|PostNord Strålfors AB||Sweden||556102-9843||Terminalvägen 24 171 73 Solna||Printing services, delivery services, transferring services to home addresses of pay slip or employment related information||X||X||SE||BASED ON AGREEMENT||May-18|
|ServiceNow Nederland BV||Netherlands /EU (**)||5.3E+07||Hoekenrode 3, 1102 BR Amsterdam||Customer support platform as a SaaS Service; storage and back-up of user account data, ticket data, log data (more information on processing by Sofigate is available at https://www.sdworx.com/en-en/gdpr-servicenow)||X||X||X||NORDIC||ALL||May-20|
|Sofigate Services Oy||Finland||2181137-1||Teknikantie 12, FIN-02150 Espoo||2nd Line Support to SD Worx for ServiceNow||X||X||X||NORDIC||ALL||May-20|
|Nomentia Oy||Finland||2855557-7||Linnoitustie 6 B, 02600 Espoo, Finland||Transferring payment data from our payroll solution to customers employees bank accounts||X||FI||ALL||May-20|
*Elisa Appelsiini Oy (1539836-5) was merged with its parent company Elisa Oyj 0116510-6, as per 31 December 2018.
** see also below under Data transferred outside of EU/EEA
Country The country from where personal data may be accessed
Relevant selection criteria:
Applicable for Delivery Model Choose the delivery model that is applicable to you as a customer to see which sub-processors may be involved in the processing of
Country Here you see whether the sub processor is country specific or whether it applies to the Nordic region as a whole.
CUSTOMER SCOPE Here we have included several definitions to be able to determine if this sub processor is applicable to you.
This sub processor is applicable to all customers provided that the delivery model and country selection criteria are fulfilled.
This sub processor is only applicable to one customer only, if in doubt please contact firstname.lastname@example.org
BASED ON AGREEMENT
This sub processors fulfil additional services on top of our products, these services are if applicable to you found in the Master
BASED ON PURCHASED PRODUCT
This sub processor is only applicable when you have purchased the product named in the main processing activities column.
RESELLER, BASED ON PURCHASED PRODUCT
This sub processor is only applicable when you have purchased the product named in the main processing activities, the product is
purchased through us and we perform our audit and controls relating to privacy and security towards this sub processor.
Data transferred outside EU/EEA
We have as part of our commitment to enrol equal requirements to our subcontractors and sub processors checked whether data will once within their domain be transferred to countries outside the EU/EEA. As of yet we are not and neither our processors transferring any data outside the EU/EEA. Any exclusions to this rule are always customer specific and expressly included in the data processing agreement with the customer.
As stated above, SD Worx Analytics and SD Worx Pay will be hosted by a third-party vendor, Microsoft Azure. Data hosted in the Microsoft Azure environment will be stored within the EU/EEA, but may in limited cases be accessed by Microsoft support resources located outside the EU/EEA as part of Microsoft’s support services, all such transfer will then be subject to the EU Standard Contractual Clauses, as set out in Microsoft’s Online Services Terms applicable from time to time (https://www.microsoft.com/en-us/trustcenter/Privacy/).
** As stated at www.sdworx.com/en-en/gdpr-servicenow, security log data (IP address, log on/log off data may in limited cases be accessed by ServiceNow employees also outside EU/EEA countries.
Entities assigned by law
Please see the overview of relevant laws that are observed under data processed as part of relevant legal obligations. Accounting laws may for example require us to store some source data that has been used for calculating relevant pay. Other laws may require us to share data directly with Tax Agencies.
Entities providing ancillary services
Entities that we may share data with are entities that provide ancillary services for our products. Payroll applications may transfer data towards Banks though our integration services. Please consult the master agreement you have with us as such sharing of data is expressly agreed.