Privacy Notice

Pagero’s data Privacy Notice

1. Introduction

Data protection laws and regulations aim to protect the privacy and integrity of individuals (data subjects) when organizations process their personal data. Pagero processes personal data on behalf of its customers but is also processing personal data in relation to employees, job applicants and business contacts in the course of Pagero’s daily operations.

In order to protect the privacy and integrity of data subjects, Pagero works continuously to ensure that personal data are processed in a lawful and secure manner. These efforts are the collective responsibility of everyone at Pagero who has access to personal data in their work role.

This privacy notice explains why and how Pagero collect and use personal data relating to business contacts, visitors on webpages and customer data, and provides information about the rights of data subjects in relation to their personal data. This privacy notice ensures that we:

  • Comply with data protection laws and regulations and data protection good practice
  • Protect the rights of business contacts, website visitors and prospective customers
  • Are open about how we store and process personal data.

2. Who is covered by this Privacy Notice

This Privacy Notice covers all those who:

  • use the Pagero websites and digital channels,
  • contact us or otherwise communicate with Pagero, for example via email,
  • are a representative of a customer, prospective customer, supplier or partner to Pagero,
  • follow Pagero or interact with us on our social media, and
  • sign up for or attend an event or similar activities that Pagero arranges.

Other available notices:

  • For users of our services (for example Pagero Online, Pagero Freight or Pagero Health services), please see the Privacy Notice available on the login page of each respective product.
  • For recruits, please see the Privacy Notice available both on the career page and within our application system.
  • For employees, please see the Privacy Notice available on our intranet and attached to your employment contract.
  • For Thomson Reuters-specific processing of personal data (where Pagero is not participating) please see the Thomson Reuters Privacy statement available here.

3. Responsibility for the use of your personal data

Pagero, part of Thomson Reuters. Pagero and its subsidiaries are owned by Thomson Reuters Corporation, a company registered at 19 Duncan Street Toronto, Canada.  In this privacy notice, “Pagero”, “us” and “we” refer to the Pagero group part of Thomson Reuters, including Pagero AB and any of its subsidiaries. Pagero AB is a company registered in Sweden with company registration number 556581-4695, of Västra Hamngatan 1, SE-411 17 Gothenburg, Sweden. Each entity within Pagero group is a separate legal entity but follows the same principles and standards for the protection of personal data, and the means and purposes of processing personal data is established at group level by Pagero AB unless explicitly stated otherwise. Contact details for each Pagero entity can be found on our website, www.pagero.com/contact-us.

Pagero shares personal data with the other companies of the Thomson Reuters Corporation in certain cases, for example when Thomson Reuters IT infrastructure is used by Pagero or as described in specific processing activities below. Pagero and Thomson Reuters may both independently collect and process personal data for sales and marketing purposes. The notice herein covers processing by Pagero only. The Thomson Reuters privacy notice is available here

For the section “Pagero EU-US transfers”, the recipient Pagero entity is Pagero Inc, 150 North Michigan Avenue Suite 1950 Chicago, IL 60601 and the recipient Thomson Reuters entity is Thomson Reuters US LLC 700 Canal Street, 1st Floor Stamford, CT 06902. 

Processing of personal data on behalf of our customers

We also process personal data on behalf of and in accordance with the instructions of our customers as a processor. Our processing of personal data on behalf of our customers is governed by Data Processing Agreement(s) (DPAs), which are a part of our service agreement with each customer. This Privacy Notice does not cover our processing of personal data as a processor, as it is our customers who are responsible for this processing. If you have any questions relating to this, please contact [email protected] and we will support you and guide you to the correct responsible organization for the processing of your data. 

4. Personal data that we collect

We collect and use different categories of personal data about you. Please note that it is not certain that we collect and use all categories of personal data about you. Which personal data we actually collect and use about you depends on how you interact with us and which role you have, for example if you are a user of our website or services or a contact person for a customer or supplier of ours.

We collect and use the following categories of personal data:

  • Identity information, which makes it possible to identify you, for example your name.
  • Contact information, which makes it possible to contact you, including your address, email address and telephone number.
  • User generated information that is generated based on your activity and use of our websites, digital channels, and services, including clicks and visits on our websites.

  • Profile information, which concerns your profile including your username, title and name and address to the company or organisation that you work for.
  • Communication with us, including contents in email or the responses you provide when participating in a survey.
  • Picture, video and audio material which includes video footage of you, your picture or voice, as may be found in photographs and video and audio recordings.
  • Technical information about the device that you use when using our websites and digital channels, including type of device, version of browser and operating system.

Based on the personal data that we collect about you, we also use personal data that is derived or compiled from this information:

  • Case history relating to support matters
  • User behaviour on or websites and in our digital channels
  • Customer profile 
  • Communication history

5. Sources from which we collect personal data

The personal data that we collect about you is mainly collected directly from yourself when you provide your personal data to us, for example when you use our websites, participate in a survey or an event, contact or otherwise communicate with us.  

We also collect where necessary personal data from other sources, including:

  • Affiliates of Pagero,
  • The company or organization that you work for,
  • Social network platforms if you follow or interact with us on social media,
  • Partners that we collaborate with, for example to carry out an event or similar activities,
  • Publicly available sources for example websites or public records,
  • External persons that provide your personal data to us, for example in connection with communication or an event or similar activity, and
  • Employees or hired personnel that provided your personal data to us.

6. Our use of personal data

We use the personal data we collect for the purposes listed below. Please note that all purposes for our use of personal data may not apply to you. The purposes for which we use your personal data depends on how you interact with us and the nature of your relationship with Pagero, for example if you are a user of our website or a contact person of a customer or supplier of ours.

In short, we use personal data to manage the relationship with our customers, suppliers and partners, provide our services, communicate with you and others, develop and improve our business and services, carry out events and other activities, and to fulfill our legal obligations and manage and defend legal claims and rights.

Below we have listed the purposes for which we collect and use personal data within different areas. To read more about which categories of personal data, which legal basis that we rely on for our use of personal data and for how long personal data is stored in relation to each purpose, please see our detailed information on our use of personal data.

Manage our relationships with customers, suppliers and partners and to provide our services

Marketing & Sales activities

Provide support & related activities

Fulfil legal obligations and manage, defend and exercise legal claims and rights

7. Transfers of personal data

 

Transfers of personal data to various recipients

We share personal data with various recipients if it is necessary for the purposes that we use personal data, please see “Our use of personal data” in section 6 above. To read more about for which purposes and which categories of personal data we share with recipients and which legal basis we rely on for sharing personal data, please see our detailed information on our use of personal data.

We share personal data with:

  • Affiliates of the Pagero group. The group companies collaborate and therefore share personal data with each other, for example to manage our relationships with customers, suppliers and partners and to provide our services where several affiliates are involved in the provision of the services and in connection with communication.
  • Partners that we collaborate with for example when carrying out events and similar activities and in connection with communication.
  • Social network platforms that we use to provide offers and direct marketing and to communicate about us, our business and our services. When we automatically share personal data by using cookies and similar technologies with these platforms, we are – where applicable – jointly responsible for the collection and transfer of your personal data to the social network platform together with the relevant platform. However, each party is separately responsible for its own subsequent use of your personal data shared with the social network platform. Where the social network platform processes your personal data on our behalf and in accordance with our instructions in connection with any subsequent use of your personal data shared with the social network platform, the relevant platform is a processor for the processing of your personal data. To ensure that your personal data is protected, we have entered into specific arrangements with the relevant social network platforms which outlines the roles and responsibilities of each party in relation to your personal data where we and the social network platform is jointly responsible for the use of your personal data. Please see our detailed information on our use of personal data to read more about the social network platforms that we are jointly responsible with for the use of your personal data.
  • Service providers that provide services to us and which needs access to your personal data to provide such services. These service providers provide, for example, IT services (for example business office tools) and communication services (which enable us to send you messages and newsletters). Where the service providers process personal data on our behalf, they act as processors for us, and we are responsible for the processing of your personal data. They must not use your personal data for their own purposes and are contractually and legally obliged to protect your personal data.
  • Other recipients such as external advisors, public authorities and law enforcement where needed for example to fulfil legal obligations or manage, defend and exercise legal claims and rights.

Transfers of personal data to Pagero Inc and Thomson Reuters Inc under the EU-US Data Privacy Framework

Pagero and Thomson Reuters complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Pagero Inc and Thomson Reuters Inc has certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  Pagero and Thomson Reuters has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) Program, and to view both the Pagero Inc and the Thomson Reuters Inc certification, please visit https://www.dataprivacyframework.gov/ 

Accountability for Onward Transfer
We will not share, sell or distribute any of the information you provide to us without your consent, except as described in this privacy notice. 

Pagero and Thomson Reuters may share your information with external third parties, such as vendors, consultants and other service providers who are performing certain services on behalf of Pagero. Such third parties have access to Personal Data solely for the purposes of performing the services specified in the applicable service contract, and not for any other purpose. Pagero and Thomson Reuters requires these third parties to undertake security measures consistent with the protections specified in this privacy notice.

Pagero and Thomson Reuters will remain responsible for the processing of personal data it receives under the DPF and subsequently transfers to a third party acting as an agent on its behalf, unless Pagero proves that it is not responsible in an event giving rise to damage.

In the event Pagero and/or Thomson Reusters transfer personal data covered by this DPF Policy to a third party acting as a controller, we will do so consistent with any notice provided to data subjects and any consent they have given (where applicable), and only if the third party has given us contractual assurances that it will (i) process the personal data for limited and specified purposes consistent with any consent provided, (ii) provide at least the same level of protection as is required by the DPF Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the personal data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Pagero and/or Thomson Reuters has knowledge that a third party acting as a controller is processing Personal Data covered by this DPF Policy in a way that is contrary to the DPF Principles, Pagero and/or Thomson Reuters will take reasonable steps to prevent or stop such processing.

The Federal Trade Commission (FTC) has jurisdiction over Pagero’s and Thomson Reuters compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Pagero and/or Thomson Reuters may be required to disclose Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

Dispute Resolution under the Data Privacy Framework

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Pagero and Thomson Reuters commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.To contact us regarding any transfers made under the Data Privacy Framework, please see section 13 “If you have questions”. If you have not received timely response to your concern, or we have not addressed your concern to your satisfaction, you may seek further assistance, at no cost to you, from the EU Data Protection Authorities panel. You can invoke this right by contacting your national data protection Authority (DPA).   You may also invoke binding arbitration to determine whether a Pagero Inc has violated its obligations under the Data Privacy Framework Principles. Further information can be found on the official DPF website.

Transfers of personal data to third countries outside the EU/EEA

We have subsidiaries and affiliates in various countries both inside and outside of the EU/EEA. We share personal data between affiliates of the Pagero and Thomson Reuters Group and your personal data will when shared between relevant affiliates be transferred to third countries outside the EU/EEA which may not provide an adequate level of protection for personal data. We have an intra-group data transfer agreement to ensure an essentially equivalent level of protection for your personal data and that personal data is processed by each Pagero and Thomson Reuters affiliate in a lawful, fair, secure, and transparent manner. We comply with laws on the transfer of personal data between countries to help ensure your data is protected, wherever it may be. 

Moreover, we use service providers, which also may use sub-contractors, that are established in third countries outside the EU/EEA. To ensure an essentially equivalent level of protection for your personal data when transferred (or otherwise made available) to service providers in third countries outside of the EU/EEA which do not provide an adequate level of protection, we use the EU Commission’s adopted standard contractual clauses for international transfers according to decision 2021/914 and implement – in light of the law and practices of the third country – necessary supplementary measures. Supplementary measures include technical, contractual and organisational measures that are necessary to bring the level of protection of the personal data transferred to an essentially equivalent level protection.

For more information on the safeguards that we have taken to protect personal data, please contact us. You will find contact details under “If you have questions” in section 13 below.

8. Your rights

 

Rights in relation to the use of your personal data

You have certain rights in relation to the use of your personal data. For example, you have the right to request access and a copy of your personal data, and request that we, under certain circumstances, rectify, delete or restrict the use of your personal data. You can read more about these rights below in this section, or visit the Swedish supervisory authority’s website page on data subject rights. If you wish to exercise your rights, please use any of the following options:

For additional contact details, please see "If you have questions" in section 13 below.

We normally reply to your request within one month

We normally reply to your request within one month following the date that we received the request. If your request is complex or if you have submitted several requests at the same time, we may need additional time to respond to your request. If we consider it necessary to extend the time to respond to your request, we will notify you of this and the reason as to why we need more time to respond to your request within one month following the date that we received your request. The time to respond to your request can be extended with up to a maximum of two months.

Moreover, if we for some reason cannot, wholly or partly, respond to your request, we will notify you of this and the reason as to why we cannot reply to your request within one month following the date that we received the request.

If you have submitted your request electronically, for example via email, we will also respond to your request electronically, unless you request otherwise.

We need to confirm your identity to reply to your request

When you submit a request to exercise your rights, we need to confirm your identity to ensure that you are who you claim to be. This to avoid that we, for example, disclose personal data to an unauthorized person or in error delete personal data. If we do not have sufficient information to confirm your identity, we can request that you provide supplementary information about yourself needed to confirm your identity. We only request such information that is reasonable and necessary to your identity.

If you use an authorized agent

We may request evidence of that you have provided such agent with an power of attorney, or that the agent otherwise has valid signed authority to submit requests on your behalf, and ask that you verify your identity directly with us.

Additional information on your rights

You have the right to:

  • Request confirmation if we process personal data about you.
  • Request access to and a copy of your personal data.
  • Request rectification of your personal data that is incorrect or incomplete. Please note that previously provided personal data that may be seen as outdated may not, depending on the circumstances and the context, be incorrect.
  • Withdraw your consent to our use of your personal data that is based on your consent.
  • Request erasure of your personal data in some circumstances, but not in cases where we, for example, are legally obligated to keep your personal data.
  • Unsubscribe from marketing communications which you for example can do by clicking on an unsubscribe link in the communication. Where applicable you can unsubscribe from communication in Your account.
  • Request restriction of your personal data in certain circumstances and you can then, at least for a certain period of time, prevent us from using your personal data for other purposes that for example to manage and defend a legal claim or to comply with legal obligations that we are subject to.
  • Object to the processing of your personal data that is based on our or another party’s legitimate interest for reasons related to your specific situation and if we cannot show that we have a compelling reason for our use of personal data we will stop using your personal data for the relevant purpose.
  • Transfer your personal data (data portability) under certain circumstances by requesting a copy of your personal data that you have provided to us in a structured format that you can transfer to another recipient.

Please note that these rights are not absolute and that there may be exceptions. You can learn more about data subject rights and how they work by visiting the Swedish supervisory authority’s page on data subject rights.

9. Additional information for California residents

The California Consumer Privacy Act, together with the California Consumer Privacy Rights Act (“CCPA”), affords consumers residing in California certain rights in relation to their personal information. If you are a California resident, please see the Thomson Reuters Privacy Statement regarding Pagero’s and Thomson Reuters collect, disclose and sell or share personal information related to Californian consumers, available here.

10. We protect your personal data

We use technical and organizational security measures to protect your personal data against unauthorized disclosure of, or access to, personal data. This involves detecting, investigating and resolving incidents. If you would like to know more regarding how we work with security, please visit our page on information security.

11. Use of cookies and similar technologies

We use cookies and other technologies on our websites. To read more about our use of cookies and similar technologies, please see our cookie policy.

12. Updates to this Privacy Notice

We regularly update this Privacy Notice. Our use of personal data may change, for example we may collect personal data for new purposes, collect additional categories of personal data or share your personal data with other recipients than outlined in this Privacy Notice. If our use of personal data changes, we will update this Privacy Notice to reflect such changes. At the top of this page, you can see when this Privacy Notice was last updated. If we make material changes that are not only editorial to this Privacy Notice, we will notify you of any such changes and what they mean to you in advance.

13. If you have questions

If you have questions about this Privacy Notice, our use of your personal data or if you wish to exercise your rights, please contact us at:

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your country. A list of the data protection authorities within EU and contact details can be found on the European Data Protection Board’s website.

Detailed information regarding the use of personal data

Our use of personal data

Manage our relationships with customers, suppliers and partners and to provide our services

Marketing & Sales activities

Provide support & related activities

Fulfill legal obligations and manage, defend and exercise legal claims and rights

Other important information