Log in

I want to access:
HRM &frankly Expert Equal Pay Handbooks

Processing activities in AlexisHR


Click here for processing activities in Simployer


Purpose of AlexisHR (the system)

The system makes internal routines and processes between employees, managers and HR in the business more effective and professional.

The system is adapted to current legislation and is based on the customer's and our best practices. The system enables the customer to fulfill its duties as an employer in a competent and secure manner.

Simployer's processing activities in the system

Simployer acts as a data processor for the customer who is the controller. Simployer performs processing on behalf of the customer by providing standardized systems that enable the customer to perform the processing that the system offers. Simployer makes basic database management on their own initiative for the purpose of ensuring secure data storage, availability for the customer and confidential data processing. Backup of data to a remote location is part of the service.

In connection with the establishment of the system, selected and agreed upon employees of Simployer will assist the customer with populating the system with the correct basic data. After the system is established and handed over to the customer, Simployer employees will not have direct access to the customer's data unless the customer gives access in connection with support, or this is required to ensure that data is not lost or to comply with the law.

The customer's processing activities in the system

Simployer provide for the Customer to be able to perform data processing using the system. The activities that appear in the system are specific by modules. See sub texts below regarding the processing by the specific modules.

Employee's consent

The basic condition for processing personal data is laid down in the General Data Protection Regulation, "GDPR", article 5 and 6. 

The term "sensitive personal information" is a common term for particularly sensitive personal data that has a special protection. In GDPR art. 4 15. it is states that "health information" is personal data regarding a physical persons physical or psychological health [..]" Initially, information about sick absence and other health conditions will therefore be sensitive personal information. Data limited to informing about shorter absence (eg absence due to cold etc) may be assumed to be non-sensitive information. However, information about eg. prolonged sick leave is probably sensitive personally identifiable information. This distinction between sensitive and non-sensitive personal data related to sick absence has been confirmed by telephone by the Norwegian Data Protection Authority by a senior adviser at Simployer.

Thus, it is not possible to provide a clear, general answer to the extent of which the boundary between sensitive and non-sensitive personal data goes as far as absence information is concerned. Our recommendation is therefore that employers treat all personal information in accordance with the terms that apply to sensitive personal information.

The GDPR mandates that processing of sensitive personal data requires, firstly, that one of the conditions in the legislation is fulfulled. Article 6 states that the conditions for processing is that the processing is subject to one of six different alternative conditions set forth in Article 6, 1. a. through f. In our opinion, points a) and b) are the most relevant in this case.

The relevant legal basis for our assessment on this, is article 6. 1. b. An employer has a number of different legal obligations to his employees, such as the duty to pay sickness benefits, systematic follow-up of HSE and other labor law obligations. Common to these obligations is that they arise from a contract of employment which commits employers to, for instance, to pay sickness benefits. The employer's registration of absence date, and whether the absence is due to own sickness or the absence is due to children's sickness, is necessary to fulfill the employment agreement and safeguard the interests of employees.

In our opinion,, GDPR art. b. and f. are adequate legal basis for the employer's storage of sickness data without the employee's consent. The employer therefore does not need to obtain consent from the employee for such sickness data to be registered.

Data transparency

Simployer allows for registration of various roles in a hierarchy, and all employees are assigned to an immediate superior, which in turn is allocated to their immediate superior. In the following we will discuss the issue of employers being obliged to impose restrictions on how far up the hierarchy such an approach may be, for example, if employee personnel data may only be available to the immediate superior and thus not available to the immediate superior's head.

The Personal Information Act or the Working Environment Act does not explicitly regulate the extent to which the organization's personal data may be available. However, in our opinion, the legitimate access to the information will depend on the official need for such access. Access must not be open to all the managers of an employer, but only those who will use the information in the performance of their duties. This will usually include the employee's immediate superior as well as the Human Resources Department and the Payroll Department.

How far up in the hierarchy there will be a formal need for access to the employee's sickness data may thus vary. This means that  it is up to the employer to decide on the question, and the employer must himself draw the limit for who has a formal need for access to employee data . However, in order to facilitate such a delimitation, Simployer must enable each company to block access for persons who do not have a decent need.

Physical storage of data

There are no specific rules on how data that can be traced to people is stored, other than that it is to be stored in a safe way where access and availability are limited. The Norwegian Data Protection Authority has made general guidelines for how the applicable legislation is to be interpreted:  http://www.datatilsynet.no

Read more about data storage in Simployer.

Processing activities per module

The references are related to the Data processing Agreement and which hosting partners are involved with the different modules.

Reference K1
Module description and processing HR Admin

The purpose of the Processing activities is for Simployer to provide the Services to the Client as set out in, and for the duration of, the Agreement.

HR Admin amplifies the organization's productivity and gather employee data centrally. Alexis master data management ensures data transfering with payroll always is up to date and reduces error while saving time. Simplifies workflows and gives opportunity to take action without leaving Slack or Teams, while Alexis works in the background. 
Types of personal data

The Supplier may Process the following categories of Personal data:

  • Contact information (such as name, address, e-mail, telephone number, working title, workplace)  
  • Social security number
  • Education and experience
  • Financial information (such as salary, tax and bank account information)
  • Information about absence from work (such as leave of absence, holiday, parental leave etc)
  • Sensitive personal data (to the extent submitted by the Client)
Special categories None
Reference K2
Module description and processing Documents

The purpose of the module is to store, share and protect documents.

The document archive is a protected storage for all types of documents related to the employee. By default, the employee has the opportunity to add, edit, and delete documents about himself. The nearest manager can add, change, and delete documents about their employees. 

The module offers role management so that selected persons can add, change, and delete documents about other employees. The nearest manager or selected person at the customer can choose to make documents hidden or visible for the employee.

The content of the documents is solely the responsibility of the controller.
Types of personal data Binary data (documents), metadata on documents.
Special categories May occur, depending on content in documents.
Reference L
Module description and processing Time management

The purpose of the module is to keep track of attendance and absence, as well as the timeflex balance for employees.

Streamlines time and attendance processes. Customizes policies and reports to the organization's unique needs, increases transparency internally and easily exports master data to payroll. Enables teams to perform tasks directly in Slack or Teams for higher productivity and a better employee experience.
Types of personal data Information about attendance and absence periods for employees.
Special categories None
Reference K3
Module description and processing E-signing

The purpose is to manage documents and collect signatures.

Alexis’ integrated E-signing feature allows the organization to create, distribute and sign documents or policies with little to no effort. Automatically saved in the relevant account for reliable storage and easy access.
Types of personal data Signatures
Special categories May occur, depending on content in documents.
Reference M
Module description and processing Whistleblowing

The purpose of the module is to manage competences in a business.

Givse people surrounding the organization a safe and secure channel to speak up anonymously about concerning behavior. Alexis’ integrated feature Whistleblowing allows the organization to establish trust with people and stay compliant with regulations. Easily set up a Whistleblowing channel that is accessible, easy to use and secure.
Types of personal data Depending on input from the whistleblower, the content is stored in text fields, and may contain personal data about the whistleblower and other affected parties.
Special categories May occur, depending on content in reported data.
Reference N
Module description and processing Workflows

The purpose of the module is to automate workflows.

With workflow automation in AlexisHR, a company can simplify routine tasks like sick-leave follow-up or role reassignments, keeping everything consistent and efficient. Plus, its flexibility means it can be tailored to fit unique needs.
Types of personal data  
Special categories None
Reference O
Module description and processing People Analytics

The purpose of the module is to turn any data into actionable insights.

Strategic decisions are often made better when backed by well-founded data. In Alexis, the company can turn any data into actionable insights. Easily detect trends or patterns with automatic absence alerts and become more proactive.
Types of personal data  
Special categories None
Reference P
Module description and processing Handbooks

The purpose of the module is to host and publish organizational content in the form of employee manuals and leader manuals.

Produces high-quality and informative handbooks customized to the company.
Types of personal data Name, email, organizational content.
Special categories None
Reference Q
Module description and processing Payroll reports

The purpose of the module is to run payroll requires precision and care. Free up time by exporting payroll reports or use turn-key integrations that automatically update your payroll system from Alexis master data.
Types of personal data Contact information, salary information
Special categories Normally none.
Special categories None

How can we help?

We’re here for every step of your employee journey. From intuitive software for people management to hands-on learning programs and expert support from our legal team — we've got you covered.

Vector Book a meeting

Curious to see Simployer in action? Book a demo today and discover your new HR toolkit!
Talk to Sales

Vector Need a hand? We’re here to help!

Looking for answers or updates? Our Support Center has everything you need—FAQs, release notes, customer care, and more. Dive in or reach out; we’re here to help!
Go to support