
General Data Protection Regulation (GDPR)

Version 1.1 – Last updated 18 November 2025

GDPR and Personal Data in Timeplan

On 25 May 2018, the Swedish Personal Data Act (PUL) was replaced by the EU General Data Protection Regulation (GDPR). The regulation applies to all organisations processing personal data.

Every organisation (the data controller) must map its personal data processing, establish a lawful basis, document the purposes and determine how long the data will be stored.

For organisations using Timeplan, Exsens AB acts as the data processor. Below is a summary of how personal data is processed in Timeplan and how the system supports your GDPR compliance.

This information forms part of the appendix to the Data Processing Agreement (DPA) entered into between the customer and Exsens AB. In case of discrepancies, the signed DPA prevails.


Data Subject Rights

The Swedish Authority for Privacy Protection (IMY) has summarised the rights of data subjects under the GDPR. Below is an explanation of how these rights are handled in Timeplan.


Right of Access

The personal data stored in Timeplan can primarily be found under “Personal Information” and “Additional Information”.

Further information, including employment data, can be extracted using the Employee Report under Staff → Reports.

Most personal data is also available directly to the employee in the Web App under “Personal Information”.

Right to Rectification

Permissions in Timeplan determine which users may view or change personal data. Any changes made are updated immediately throughout the entire system.

Customers can also allow employees to update certain fields themselves in the Web App. This can be adjusted easily via Timeplan Support.

Right to Erasure (“Right to be Forgotten”)

Personal data in Timeplan may be deleted in two ways:

1. Manual deletion by the customer

Using the “Delete” function permanently removes the person and associated data immediately.

2. Automatic deletion through Timeplan’s retention routines (see “How Long Is Data Stored in Timeplan?” below)

Right to Object to Direct Marketing

It is the customer’s responsibility not to use system data for disallowed purposes.

Exsens AB treats all customer data with strict confidentiality. We do not copy, store or disclose personal data to third parties without explicit consent, and then only when required to provide support under the agreement.

Timeplan Support never changes internal permissions for customers — only the customer’s Super Administrator can approve such changes.

Right to Data Portability

The employee may obtain their personal data in a structured format via the Employee Report.

How Long Is Data Stored in Timeplan?

Data is deleted both manually and automatically.

Automatic Deletion – Standard Intervals

Step 1 (after 6 months)

  • General user events (e.g., logins)

Step 2 (after 12 months)

  • Unused work shifts

  • Unused base schedules

  • Persons created but never employed

  • Bank details and personal messages for persons with ended employment

Step 3 (after 48 months)

  • Time stamps

  • Time clock messages

  • Terminal messages

  • Access control time stamps

  • Approvals

  • Absences

  • Work shifts

  • Persons with ended employment

Step 4 (after 60 months)

  • Account balances (retained only on cost centre level)

Customers may request customised retention periods via Support.

Storage Required by Law

If other legislation requires continued storage (e.g. bookkeeping laws), data will only be retained for as long as legally required.

Security and Data Breaches

Data breaches generally fall into two categories:

  1. Unauthorised access through the Timeplan user interface

  2. Unauthorised access to the database or interception of data traffic

Access Protection

  • Login is performed with username and password

  • Password policy can be configured by the customer (complexity, validity period, minimum length, etc.)

  • Inactive users are automatically logged out (default 15 minutes)

  • The permission model defines exactly what data each user may access

Biometric Identification

Fingerprints are never stored as images but converted into coordinate data. These coordinates cannot be reconstructed back into a fingerprint.

Encryption and Hosting

  • All traffic is encrypted (HTTPS/TLS)

  • Timeplan is hosted on Microsoft Azure

  • Data is stored in Microsoft’s Northern Europe datacenter (Ireland)

  • Server access is restricted to specific IP addresses

  • Maintenance is performed via encrypted VPN

  • Regular security updates and antivirus protection are applied

Consent and Data Protection Impact Assessments (DPIA)

The customer is responsible for:

  • informing employees,

  • obtaining consent when required,

  • performing Data Protection Impact Assessments for processing activities with high risk.

Informing Employees

Timeplan’s messaging function can be used to inform employees and record when the information has been read.

Personal Data in Timeplan

Exsens AB is the data processor. The customer is the data controller. Below is a list of the types of personal data that may be stored in Timeplan.

General

  • First name

  • Last name

  • Employment number

  • Nickname

  • Personal identity number

  • Date of birth

  • Gender

  • Address

  • Phone number

  • Mobile number

  • Email

  • Card number

  • Nationality

  • Language skills

  • Work permit (valid until date)

  • Work experience

  • Emergency contact details (name, address, phone 1, phone 2)

  • Bank name

  • Bank account number

  • Completed training and competencies

  • Photo

  • Fingerprint (stored as coordinate data, not an image)

  • Tax deductions, tax percentage

  • General notes

  • Payslips

  • Absence types (e.g. sickness, parental leave, care of child)

Employment Information

  • Employer

  • Position

  • Employment start date

  • Employment end date

  • Salary

  • Weekly working hours

  • Collective agreement

  • Workplace

  • Vacation entitlement

  • Vacation agreement

Sub-processors

Exsens AB uses the following sub-processors:

Company                          Description                                   Company type   Location
HubSpot Inc                      Sales contact management and support tickets  Incorporated   Germany
Microsoft Ireland Operations Ltd Hosting of virtual servers                    Ltd            Ireland
Assently AB                      Digital signing                               AB             Sweden / global per their policy
GetAccept AB                     Contract signing                              AB             Frankfurt, Germany
SendGrid                         Email notifications                           Ltd            USA
Vimeo                            Video guides                                  Inc            USA
AppCues                          In-app guidance                               Inc            USA

Exsens AB is fully responsible for ensuring that all sub-processors meet the same requirements as set out in our Data Processing Agreement.

Customers will be informed before new sub-processors are engaged and have the right to object.

Transfers to the USA are carried out using the EU Commission’s Standard Contractual Clauses (SCC) together with supplementary safeguards.