Protecting personal privacy is important to us. When our agency assists our client companies with matters such as payroll, accounting, tax issues and other consulting services, we process personal data on behalf of the client company. In auditing and other review assignments, we process personal data independently. Regardless of the assignment, we need to process personal data for our own administration and to comply with various regulations regarding, for example, the assessment of our assignments.

We summarise here how we process personal data. We have compiled this information to highlight what personal data we process, the legal basis we have for processing it and what we do with the data. We also want to inform you about our responsibility to protect your rights and privacy.

What is personal data?

Personal data is any information that makes it possible to identify a living physical person. Examples of personal data include name, address and social security number. However, any information that makes a person identifiable is also considered personal data, such as customer numbers, login details, bank account numbers, telephone numbers, property designations, vehicle registration numbers or photographs. Information about companies and other legal entities is not considered personal data, even if a person's name is included in the company name. Information relating to individuals in a company is, however, personal data. The same applies to information relating to sole traders.

Certain information is considered particularly sensitive personal data, such as information about health, religious beliefs or trade union membership. We must be able to handle this type of information because it can affect salaries, accounting and taxes. We also need to handle personal identification numbers in certain contexts to securely identify a specific person and for reporting to various authorities, insurance companies, etc. Financial circumstances, on the other hand, are not considered sensitive data in this context.

How do we use personal data and on what basis?

Depending on the services we provide to a client company, different personal data is processed, and the purpose of the processing also varies. We only process personal data in order to perform the services we have agreed upon with our customers. In addition, we need to process certain personal data for our evaluation and administration of the assignments. The personal data that is processed depends on the individual customer assignment, as described in more detail below.

Payroll, accounting, taxes and other financial services

When the agency assists with, for example, accounting, payroll, tax returns and other consulting services, personal data must be processed in order to perform the services we have undertaken to deliver to our client companies. In these cases, the agency is a personal data processor. This means that the responsibility for processing personal data lies with the client company and the agency must follow its instructions when performing the assignment. A personal data processing agreement has been entered into between the client company and the agency, regulating the respective parties' responsibilities and tasks regarding the processing of personal data. This agreement includes instructions specifying how personal data is to be processed. The various services involve the processing of personal data in order to provide the following services:

  • Payroll services: Processing of hours, absences and expenses, etc., to produce documentation for payroll payments and reporting to authorities, insurance companies, etc., as well as documentation for accounting purposes.
  • Ongoing accounting: Accounting services that include processing vouchers and ledgers and handling payments.
  • Financial statements and annual reports: Ongoing accounting is compiled in interim and annual financial statements and budgets, as well as analyses and follow-ups of the company's financial development, including industry and competitor comparisons.
  • Tax matters: Preparing or verifying tax returns, including income tax returns with calculation appendices and income tax returns for the company's owners and their related parties, tax returns, employer declarations, as well as periodic summaries and tax calculations.
  • Disclosure of information: registration matters and statistics for insurance companies, including Fora, the Swedish Companies Registration Office, the Swedish Tax Agency, the Swedish Social Insurance Agency, the Swedish Public Employment Service, Statistics Sweden and other authorities.
  • Advice: Advice on payroll, accounting, tax and corporate law issues arising from the assignments undertaken by the firm.

The legal basis for processing personal data is to fulfill the agreement that the client company has entered into with the agency. We also process personal data to fulfill legal obligations as set out in, for example, accounting and tax legislation, labour law and collective agreements.

Auditing

In auditing, it is the auditor who decides whether and which personal data should be processed. Auditing activities include various assurance engagements, such as auditing and various certifications that may be based on legislation or agreements, as well as audit consulting. The auditor's independent role and the regulation of the audit engagement mean that the auditor is responsible for the processing of personal data. This means, among other things, that no personal data processing agreement is required for the audit assignment. Auditing is regulated by company law, which refers to good auditing practices and good auditing standards, the content of which is expressed in various standards and decisions based on legislation. In cases where there is no legislation, which may be the case for certain audits and for various certification services, the processing of personal data is based on the agreement entered into between the client and the auditor. Accordingly, the processing of personal data is based on legal obligations and agreements.

1 The term is defined in Section 2, paragraph 8 of the Auditors Act (2001:883).

The agency's own administration

Common to all our assignments is that we must evaluate our customer relationships. This is done to identify any conflicts of interest and ensure that we can meet ethical requirements for impartiality and, in audit assignments, also requirements for independence. Under the Swedish Act (2017:630) on measures against money laundering and terrorist financing, we must perform a risk assessment of all clients and assignments. For these purposes, we must process personal data about a company's representatives, owners and their related parties. We may also need to process personal data in the context of quality control of work performed and to handle any claims or complaints. The processing of personal data for this purpose is based on a legal obligation and the agency's legitimate interest in being able to meet professional requirements.

In addition, we need to process personal data to plan and administer assignments, which includes, for example, planning when and how assignments are conducted and reporting which assignments are conducted as a basis for our documentation of work performed and as a basis for invoicing and the agency's own accounting, etc. We also process login details when users at client companies have access to various systems and storage spaces. Personal data is also used to distribute newsletters on current legislative issues. We may also provide information about new services, products and activities organised by the agency. The basis for processing personal data is to fulfill the agreement entered into between the client company and the agency. Documentation requirements are governed by legal obligations regulated by government regulations and professional standards. In other respects, the agency's processing of personal data is based on the legitimate interest in being able to fulfill and follow up on assignments.

Common to all assignments

We always strive to process as little personal data as possible. The data that is processed depends on the specific assignment for each customer. The table below lists the types of personal data that we may need to process in different types of assignments:

| Categories of personal data | Salaries | Ongoing reporting | Financial statements | Tax matters | Consulting | Auditing | Assignment assessment | Own administration |
|---|---|---|---|---|---|---|---|---|
| Contact details: Name, address, telephone number, email address and job title | X | X | X | X | X | X | X | X |
| Copies of ID documents, etc. |  |  |  |  |  |  | X |  |
| Login and authorization details: User, IP number, password, codes and signatures that can indicate who performed what within the assignment, for example. | X | X | X | X | X | X | X | X |
| Personal identification number and coordination number, when necessary to securely identify a specific person | X | X | X | X | X | X | X | X |
| Designations that link a specific person to an organisation or function, e.g., employee, customer and supplier numbers, job title, occupation code and overarching categories | X |  |  | X | X | X | X | X |
| Agreements, e.g., employment agreements, service agreements and agreements with customers and suppliers | X | X | X | X | X | X | X |  |
| Information about health and absence, e.g., doctor's notes, sick leave, leave of absence and parental leave | X | X |  | X | X | X |  |  |
| Information about marital status, children and close relatives and their involvement in companies | X |  |  | X | X | X | X | X |
| Information about salary, pension, benefits and vacation | X | X | X | X | X | X | X |  |
| Trade union membership and agreement affiliation | X |  |  | X | X | X |  |  |
| Financial information, such as account numbers, income, insurance, vehicle and verification data | X | X | X | X | X | X | X |  |
| Executive measures, such as wage garnishment | X | X |  |  | X | X | X |  |
| Holdings of securities, real estate and other assets, as well as liabilities and collateral |  |  | X | X | X | X | X |  |
| Information on income types: capital, business activities and services, as well as ownership in closed companies |  |  | X | X | X | X | X |  |
| Membership in the Church of Sweden or other religious community | X |  |  | X |  |  |  |  |
| Decisions by the Swedish Tax Agency | X | X | X | X | X | X | X | X |

Storage of personal data

Personal data will not be stored for longer than necessary. The agency normally stores personal data processed in various assignments provided by the agency for up to 10 years after the end of the financial year in which we processed it. The basis for storage is the legal and professional standards according to which we work. Personal data in the agency's own accounts is stored until the end of the calendar year that occurs seven years after the end of the company's financial year, which is in accordance with the rules of the Accounting Act.

After the storage period, the data is deleted or anonymised. Personal data is also stored in the agency's backup system. Backups may contain data that has been deleted or anonymised. In exceptional cases where files are restored from a backup, the restored files that were previously deleted or anonymised will again be deleted or anonymised.

Cooperation regarding personal data

We obtain personal data from the customer company and, where applicable, from affiliated companies. We also obtain personal data from the company's accounts, including verifications and other documentation of business transactions, as well as data from the company's representatives. We also use personal data from publicly available sources that we obtain from Creditsafe, Bisnode, and various authorities, such as the Swedish Companies Registration Office and the Swedish Tax Agency. We may also obtain personal data in engagement notices from, for example, banks and balance inquiries, etc.

The agency never sells personal data or transfers it to third parties for marketing purposes. However, we use sub-processors to handle personal data and collect personal data from others. A list of such companies can be found on our website. We may need to disclose personal data to the following categories of recipients:

  • Suppliers (both within and outside the EU/EEA), who provide IT services, software and other services. These include, when necessary, suppliers of the services we have described above.
  • Suppliers for the agency's own administration of assignments, e.g., accounting, time and expense management, invoice management, any claims and credit reports on behalf of the agency.
  • Accounting consultants and other advisors and suppliers engaged by the customer when it is part of the agency's assignment to disclose or collect data from them.
  • Banks, insurance companies or government agencies to fulfill data reporting or service provision obligations as described above.
  • Another agency within LR Revision & Redovisning or another agency engaged by the agency for the purpose of monitoring or maintaining ethical requirements, performing quality checks, handling any claims and complaints, as well as safeguarding the agency's legal interests.
  • Other recipients when required by law, other statutes or official decisions.

Recipients who process personal data on behalf of the agency enter into a personal data processing agreement with us in order to ensure that personal data is processed correctly and securely.

Normally, we only use suppliers in Sweden or within the EU/EEA area. If we, or our suppliers, use subcontractors outside the EU/EEA to process personal data on our behalf, we take specific protective measures, such as signing agreements that include the standard model clauses for data transfer adopted by the European Commission and available from the European Commission's website.

When personal data is shared with a recipient who is an independent data controller, such as a bank, insurance company or public authority, the recipient's privacy policy and information on personal data processing apply.

Security of personal data

Under applicable law, the agency is responsible for ensuring that the personal data processed is protected by the necessary technical and organisational security measures, taking into account what is appropriate in relation to the nature and sensitivity of the personal data. This means that we have procedures and rules regarding data protection and backup. The agency's systems and organisation are arranged so that unauthorised persons do not have access to the personal data processed in connection with the assignment.

However, data transmission via the Internet (e.g., communication via email) poses a security risk. Therefore, complete protection against third-party access to transmitted data cannot be guaranteed. We therefore recommend that sensitive personal data or data with a high level of confidentiality should not be sent to us via unencrypted email, portable storage media or cloud services lacking adequate data protection.

The agency takes various security measures and uses means of communication to reduce risks, particularly when transferring sensitive personal data.

Your rights

You have a number of rights under data protection legislation, with which we will naturally comply. If you wish to exercise any of your rights, please contact us using the contact details provided under Contact on this website.

  • Access to your personal data – you have the right to receive confirmation of whether we process your personal data and an extract of the data that is processed. However, the right to an extract of personal data does not include memos in the form of documentation or data subject to confidentiality.
  • Request correction – you have the right to have incorrect information corrected. However, in most cases, information included in our assignment documentation cannot be changed retrospectively in accordance with professional rules. For this reason, it is not always possible to comply with a request to correct information.
  • Request deletion – you have the right to have your data deleted under certain circumstances. However, data included in our assignment documentation must be retained and may not be deleted within the storage period specified above.
  • Object to processing based on our legitimate interest and to processing for direct marketing purposes – you have the right to object to the processing of your personal data or to have the processing restricted.
  • Right to data portability – you have the right to request that personal data be transferred from us to another company, authority or organization. This right is limited to data that you yourself have provided to us and where the legal basis for our processing is consent or an agreement to which the data subject is a party.

Any request for access, correction or deletion must be made in writing to the contact address for the agency listed under contact details on this website.

The supervisory authority for data protection issues is the Swedish Data Protection Authority. If you believe that we have processed your personal data in violation of this privacy policy or applicable laws and regulations, you have the right to file a complaint with the Swedish Data Protection Authority.

Changes to our privacy policy, etc.

The agency may make changes to this privacy policy from time to time. Changes will be announced via updates on our website. We recommend that you visit our website regularly to ensure that you agree to any changes or additions.

If you have any comments or questions about this privacy policy or our use of your personal data, or if you wish to make a request, please contact us.