GDPR in Period & Year

The General Data Protection Regulation (GDPR), may seem overly complicated. To help you get a better overview, we have gathered information about what you can do to comply with GDPR when working in Period & Year.

The information on this page refers to the usage of Period & Year in its basic format. If you have any extensions or integrations with other services you should also look into how GDPR affects those.

What is GDPR?

The General Data Protection Regulation (GDPR) is a EU regulation which replaced 95/46/EC and other national regulations that previously regulated how personal data was managed.

On the 25th of May 2018, the new General Data Protection Regulation (GDPR) was implemented for all members of the EU. For EEA member states, including Norway, GDPR came into force in July 2018. GDPR replaced the Data Protection Directive 95/46/EC and other national regulations which previously regulated how personal data should be managed.

The basic GDPR regulations:

• You may only manage personal data if you comply with all the requirements of the regulation.
• You may only collect personal data for specified purposes.
• You may only collect personal data that is necessary in order for you to fulfil the specified purposes.
• If you are in possession of personal data, the data must be continuously updated and correct.
• When the specified purposes have been fulfilled, the data should be deleted.
• Personal data must be stored securely to prevent them from being altered or stolen.
• You must be able to prove that your processing of personal data complies with the GDPR regulations.

At visma.no you will find more general information about GDPR.

Work according to GDPR in Period & Year

Below, you can read more about what you can do to meet the demands for managing personal data according to GDPR.

Disclose registered personal data

An individual has the right to ask you if you have any personal information about them. If that is the case, you must be able to share the information with the individual. The easiest way to do this in the program is to generate a PDF file, which contains these data, in Report center.

Delete personal data

The accounting data stored in Period & Year must be kept for a minimum of five years according to the Bookkeeping Act. This includes any personal data entered in appendices, tax forms and annual report documents, which means that the Bookkeeping Act overrides GDPR in these cases.

Therefore, these personal data cannot be anonymized or "pseudonymized" for as long as the Bookkeeping Act has precedence over GDPR.

External appendices

It is possible to upload external appendices for reconciliation purposes in Period & Year. You need to make sure that any personal data in these appendices have a clear purpose related to your bookkeeping.

Personal data collection

Personal data include any information which, directly or indirectly, may identify a natural person. Please note that a sole proprietorship also class as a natural person. According to GDPR you may only collect personal data for specified purposes. These purposes may differ between companies, depending on what business they conduct. One purpose could for example entail storing address information in order to invoice a customer.

According to GDPR, the person whom you have collected personal data about has the right to access to the following information:

• who you are
• the purpose of the data collection
• what legal grounds that support it
• whether the information is shared with others
• how long the data will be stored

The person whom you have collected personal data about has the right to request access to the data.

In the program you find personal data in fields that have a fixed purpose, such as name, phone number and address. If a customer requests access to any information that has been stored about them, this data can easily be compiled. Besides fields with a fixed purpose, personal data can also be stored in other parts of the program, such as in free text fields and comments. We recommend that you avoid entering personal data in these fields since it is difficult to locate, analyse and compile this kind of information.

Personal data in Period & Year

In Period & Year, personal data are stored in certain appendices, in tax forms and in documents in the annual report. The purpose of gathering these personal data in Period & Year is based on legislation.

Free-form text fields, which are used for comments etc, could be used to enter personal data or information that could be associated with individuals. Avoid entering sensitive information in these fields.

Appendices

Certain appendices related to for example salaries, loans and receivables in Reconciliation BS contain fields used for personal data, such as name and monthly pay. This is information that must be provided according to the Bookkeeping Act.

When uploading external appendices, make sure that any personal data in these have a clear purpose related to your bookkeeping.

Tax forms and annual report

In Year-end closing - Tax forms and Year-end closing - Annual report, personal data are entered into certain forms and documents.

Below, different types of personal data that can be entered in these parts of the service are listed:

On a corporate level

• Company information
• Accountant's information
• Auditor's information
• Role in company/board of directors
• Shareholder information

On an individual level

• Name and address
• Date of birth
• Organisation number/Personal identity number
• Phone number
• E-mail address

Personal data storage

Period & Year is a cloud based service, which means that the personal data you enter in the program are stored on our infrastructure supplier’s servers as well as on Visma’s servers. More information about data storage in Visma’s cloud based services can be found in www.visma.com/trust-centre.

If you have generated reports in Period & Year, personal data could also be stored locally on your computer or in another storage location.