Data protection laws and regulations aim to protect the privacy and integrity of individuals (data subjects) when organisations process their personal data. Pagero processes personal data on behalf of its customers but is also processing personal data in relation to employees, job applicants and business contacts in the course of Pagero’s daily operations.
In order to protect the privacy and integrity of data subjects, Pagero works continuously to ensure that personal data are processed in a lawful and secure manner. These efforts are the collective responsibility of everyone at Pagero who has access to personal data in their work role.
Why this policy exists
- Comply with data protection laws and regulations and employ good practice
- Protect the rights of business contacts, employees, job applicants and prospective customers
- Are open about how we store and process personal data
The basic principles for our processing of personal data
To ensure the privacy and integrity of data subjects, our processing shall abide by the following principles:
- Lawfulness, fairness and transparency – We only process personal information in a lawful, fair and transparent manner in relation to the individual to whom the data concerns and ensure that the personal data processed are accurate and, where necessary, updated
- Purpose limitation – We only process data gathered for specific, explicit and legitimate purposes
- Data minimisation – We only process personal data required for the actual purpose of the processing
- Storage limitation – We do not store personal data for longer than is necessary to fulfil the stated purpose or to comply with legal requirements
- Privacy and confidentiality – We implement technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, dissemination and other prohibited processing
Use of personal data
Products and services
We use personal data to:
- Provide our services
- Administer, manage and develop our businesses and services, which includes managing our relationships with customers and prospective customers
- Develop our businesses and services
- Administer and manage IT systems, websites and applications
The categories of personal data processed by us on behalf of our customers in accordance with our agreement:
- Data provided by Customer to us as a part of Customer’s use of the service (e.g invoices and other business documents, including customer employee contact information and other invoice data)
The categories of personal data typically processed by us in relation to the services we provide are, based on our legitimate interest:
- Contact details for customer representatives (e.g. e-mail address, contact number)
- Service desk enquiries (e.g name, issue, error logs and support requests)
The categories of personal data processed by us in relation to our websites based on our legitimate interest are:
- Information collected though cookies (e.g technical information such as browser type, session time, error codes)
- Information that you provide to us through web forms (e.g contact information, information for participation in an event)
We use personal data based on our legitimate interest for our direct marketing purposes that we collect:
- Directly from the individual through meetings, web forms or cookies
- From the data subject’s employer or from referrals from one of our customers or someone other than the data subject
The categories of personal data processed by us for marketing purposes are:
- Contact details to representatives of potential customers (name, title, email, phone)
- IP-addresses collected though cookies for ad campaigns
In all our marketing activities, we offer the option to not receive direct marketing communications from us or to not receive any further marketing communications at all.
How long are personal data retained?
We do not retain personal data longer than necessary with regard to the purpose of the processing unless the data must or may be retained for a longer period of time by law.
Personal data processed on behalf of our customers:
Such personal data is kept in accordance with our customers’ instructions and our agreement with them, including personal data relating to support enquiries.
Personal data relating to potential or current customer representatives:
Customer representatives contact information is kept for the duration of our agreement with the customer or until that specific individual no longer represents our customer. Information relating to representatives of potential customers is kept no longer than 1 year after the collection was made unless the potential customer is or is in the process of becoming a customer. Pagero will however always delete information relating to a representative of a potential customer per that individual’s request.
Personal data collected through websites etc:
Personal data collected through web forms are kept no longer than for the purposes they were collected, e.g responding to questions, managing event participations etc. Personal data collected through cookies are kept in accordance with our cookie section.
Transfer of personal data
Transfer within Pagero Group
We may transfer or disclose the personal data that we collect to third-party contractors, subcontractors, and/or their subsidiaries and affiliates who may be supporting us in providing services to our customers.
We may also disclose personal data to professional advisers to establish, exercise or defend our legal rights and to obtain advice in connection with running our business or when explicitly requested by our customers.
Such third parties may engage additional parties in the processing of personal data. We only engage with third parties that are bound to maintain the appropriate levels of security and confidentiality, to process personal data only as instructed by us and to implement the same obligations downstream to their third parties.
Finally, we may also disclose personal data to law enforcement, regulatory or other government agencies if required under applicable laws or regulations.
Transfer to countries outside the European Economic Area (EEA)
Personal data may be transferred to and stored in countries other than the country in which our customers are located. This includes countries outside the European Economic Area (EEA) and countries that do not have laws providing specific protection for personal data. We only transfer personal data on behalf of our customers when we have been instructed to do so in accordance with our agreements.
Where we collect personal data within the EEA, transfer outside the EEA will only take place:
- To a recipient located in a country that provides an adequate level of protection for your personal information; and/or
- Under an agreement that satisfies EU requirements for the transfer of personal data outside the EEA, such as standard contractual clauses approved by the European Commission or the Privacy Shield framework.
Onward transfers under the Privacy Shield Framework
Where we transfer personal data that Pagero Inc has received under the Privacy Shield framework, we remain responsible and liable for that personal data if we were to transfer it to a third party acting as an agent on our behalf, unless we can prove that we were not responsible for the events giving rise to the damage.
We have implemented multiple physical and cybersecurity measures in order to protect our and our customer’s information (including personal data). This involves detecting, investigating and resolving security threats.
Each year, we subject ourselves to a security evaluation performed by an independent auditor in order to ensure and document that our systems maintain a satisfactory level of security and that we work continuously with security processes in our day-to-day operations. If you would like to know more how we work with security, please visit https://www.pagero.com/information-security/.
A cookie is a small text file that a website asks to store on the visitor’s device and contains a certain amount of information and a time stamp. The web browser saves the information on the device and returns the information in the cookie to the visited website each time the browser requests pages/pictures from the website.
Cookies are used in our services to improve the user experience and to optimise the website and mobile applications. There are two kinds of cookies:
- The first kind, which is commonly referred to as a permanent cookie, saves a file that remains on the visitor’s device. This is used, for example, to be able to adapt a website to the visitor’s preferences and choices such as language settings etc, as well as for producing statistics.
- The second kind, which is called a session cookie, is stored temporarily in the memory of the visitor’s device during the time they visit a website. Session cookies are deleted when you close your web browser.
We use both session and permanent cookies to track the number of visitors on our sites, which pages are most frequented and to find and assess technical issues. We use Google Analytics, and you can read more about how Google Analytics processes cookie data and how you can manage your cookie settings at https://policies.google.com/privacy/partners
See the web browser’s help pages for more information about how to check which cookies are stored in your browser, how to remove them and even how to change the settings for accepting cookies.
Legal rights of data subjects
Where we act as data controller, data subjects have the right to request information about which of their personal data we process. Data subjects are also entitled to request that incorrect or incomplete personal data be corrected or deleted. Further to this, data subjects are entitled to object to certain processing of personal data and to request the restriction of such processing, and also have a right to opt-out from onward transfers and uses outside the original purposes from which they were originally collected under the Privacy Shield framework. Finally, data subjects have the right to request their provided personal data in a machine-readable format that can be transferred to another controller. Data subjects also have a right to issue complaints to a supervisory authority relating to Pagero’s processing of their personal data, please see the section “complaints and dispute resolution” below for more information.
Note that the abovementioned rights may be limited due to confidentiality or other mandatory rules and regulations.
Where we act as data processor, including transfers of personal data under the Privacy Shield Framework, data subjects should in the first instance contact the data controller. Any direct communications from data subjects will be forwarded to the data controller, unless otherwise prescribed by mandatory rules and regulations. This also applies to the right to opt-out from onward transfers and uses outside the original purposes from which they were originally collected under the privacy shield framework.
For questions or complaints about how we process personal data, or requests to exercise your legal rights, please contact us by e-mail at firstname.lastname@example.org or by letter at the above address.
Complaints and dispute resolution
Pagero will investigate and attempt to resolve complaints and disputes regarding our use and disclosure of personal information. Any questions or complaints should first be sent to our Data Protection Officer email@example.com. Complaints that cannot be solved between you and the Pagero can be referred to a relevant Data Protection Authority, and Pagero will work with relevant Data Protection Authority to resolve such matter. You can find contact information to your relevant Data Protection Authority by following this link: https://edpb.europa.eu/about-edpb/board/members_en. Complaints relating to transfers of an EU resident’s personal data under the Privacy Shield Framework shall also be referred to the Data Protection Authorities. A Swiss resident whose complaint has not been satisfactorily addressed may contact the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland using the information provided on