Data protection laws and regulations aim to protect the privacy and integrity of individuals (data subjects) when organisations process their personal data. Pagero, acting as a processor, processes personal data on behalf of its customers. Pagero Group also processes personal data on a daily basis, relating to employees, job applicants and business contacts, in the role of controller in order to provide the different services offered by Pagero.
In order to protect the privacy and integrity of data subjects, Pagero works continuously to ensure that personal data are processed in a lawful and secure manner. These efforts are the collective responsibility of everyone at Pagero who has access to personal data in their work role.
Why this policy exists
- Comply with data protection laws and regulations and employ good practice
- Protect the rights of business contacts, employees, job applicants and prospective customers
- Are open about how we store and process personal data
The basic principles for our processing of personal data
To ensure the privacy and integrity of data subjects, our processing shall abide by the following principles:
- Legality, accuracy and transparency – We only process personal information in a lawful, fair and transparent manner in relation to the individual whom the data concern, and we ensure that the personal data processed are accurate and, where necessary, updated.
- Purpose limitation – We only process data gathered for specific, explicit and legitimate purposes.
- Data minimisation – We only process personal data required for the actual purpose of the processing.
- Storage minimisation – We do not store personal data for longer than is necessary to fulfil the stated purpose or to comply with legal requirements.
- Privacy and confidentiality – We implement technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, dissemination and other prohibited processing.
Use of personal data
We use personal data mainly to:
- Provide our services
- Administer, manage and develop our businesses and services, which includes managing our relationships with customers and prospective customers
- Develop our businesses and services
- Administer and manage IT systems, websites and applications
The categories of personal data typically processed by us in relation to the services we provide are:
- Contact details (e.g. e-mail address, contact number)
- Employment details (e.g. role, grade, experience, performance appraisals)
How long are personal data retained?
We do not retain personal data longer than necessary with regard to the purpose of the processing, unless the data must or may be retained for a longer period of time by law.
The personal data that may be processed before providing and in connection with our services will be retained both during and after the completion of any assignment. This means that personal data is stored for varying time periods depending on either which services the customer has ordered as per local retention requirements or the legal grounds we may have for the lawful processing of the personal data.
We may use personal data for our direct marketing purposes where:
- The information has been collected from the data subject and the data subject could reasonably expect us to use it for such marketing purposes
- The information has been collected from the data subject’s employer or on behalf of one of our customers or someone other than the data subject and we have either obtained the data subject’s consent or it is impractical for us to obtain the data subject’s consent before that particular use
In all our marketing activities, we offer the option to not receive direct marketing communications from us or to not receive any further marketing communications at all.
Transfer of personal data
Transfer within Pagero Group
We may transfer or disclose the personal data that we collect to third-party contractors, subcontractors, and/or their subsidiaries and affiliates who may be supporting us in providing services to data subjects.
We may also disclose personal data to professional advisers to establish, exercise or defend our legal rights and to obtain advice in connection with running our business or when explicitly requested by our customers.
Such third parties may engage additional parties in the processing of personal data. It is our policy to only engage with third parties that are bound to maintain the appropriate levels of security and confidentiality, to process personal data only as instructed by us and to implement the same obligations downstream to their third parties.
Finally, we may also disclose personal data to law enforcement, regulatory or other government agencies if required under applicable laws or regulations.
Transfer to countries outside the European Economic Area (EEA)
Personal data may be transferred to and stored in countries other than the country in which our customers are located. This includes countries outside the European Economic Area (EEA) and countries that do not have laws providing specific protection for personal data.
Where we collect personal data within the EEA, transfer outside the EEA will only take place:
- To a recipient located in a country that provides an adequate level of protection for your personal information; and/or
- Under an agreement that satisfies EU requirements for the transfer of personal data outside the EEA, such as standard contractual clauses approved by the European Commission.
When acting as a processor, we rely on our customers having ensured that the necessary legal grounds are in place when transferring personal data to us for further processing. The legal grounds for us to process personal data as a controller vary depending on the circumstances. Which data can be processed and on which legal grounds are assessed on a case-by-case basis.
We have implemented multiple physical and cyber security measures in order to protect our and our customers’ information (including personal data). This involves detecting, investigating and resolving security threats.
Each year, we subject ourselves to a security evaluation performed by an independent auditor in order to ensure and document that our systems maintain a satisfactory level of security and that we work continuously with security processes in our day-to-day operations. If you would like to know more about how we work with security, please visit pagero.com/why-pagero/information-security.
A cookie is a small text file that a website asks to store on the visitor’s device and contains a certain amount of information and a time stamp. The web browser saves the information on the device and returns the information in the cookie to the visited website each time the browser requests pages/pictures from the website.
Cookies are used in our services to improve the user experience and to optimise the website and mobile applications. There are two kinds of cookie:
- The first kind, which is referred to as a permanent cookie, saves a file that remains on the visitor’s device. This is used, for example, to be able to adapt a website to the visitor’s preferences, choices and interests, as well as for producing statistics.
- The second kind, which is called a session cookie, is stored temporarily in the memory of the visitor’s device during the time they visit a website. Session cookies are deleted when you close your web browser.
We use both session and permanent cookies. Regardless of the kinds of cookie used on our website, no personal data (e.g. e-mail address, name) concerning visitors are saved.
See the web browser’s help pages for more information about how to check which cookies are stored in your browser, how to remove them and even how to change the settings for accepting cookies.
Legal rights of data subjects
Pagero AB, company registration number 556581-4695, of Västra Hamngatan 1, SE-411 17 Gothenburg, Sweden, is responsible for the processing of personal data as described above when Pagero acts as a controller. This means that we are responsible for the correct processing of personal data in accordance with the applicable personal data laws and regulations.
- Where we act as data controller, data subjects have the right to request information about which of their personal data we process. Data subjects are also entitled to request that incorrect or incomplete personal data be corrected or deleted. Further to this, data subjects are entitled to object to certain processing of personal data and to request the restriction of such processing. Finally, data subjects have the right to request their provided personal data in a machine-readable format that can be transferred to another controller.
Note that the abovementioned rights may be limited due to confidentiality or other compulsory rules and regulations.
- Where we act as data processor, data subjects should in the first instance contact the data controller. Any direct communications from data subjects will be forwarded to the data controller, unless otherwise prescribed by compulsory rules and regulations.
For questions or complaints about how we process personal data, or requests to exercise your legal rights, please contact us by e-mail at firstname.lastname@example.org or by letter at the above address.