# Privacy Notice

for Pagero Online
^{Last updated: December 2024}

# 1. Introduction

Data protection regulations and privacy laws aim to protect the privacy and integrity of individuals (data subjects) when organisations process their personal data. When Pagero provides its service Pagero Online, Pagero processes personal data on behalf of its customers but also processes personal data as a Controller in relation to users when providing Pagero Online and its support services.

In order to protect the privacy and integrity of data subjects, Pagero continuously works to ensure that personal data are processed in a lawful and secure manner. These efforts are the collective responsibility of everyone at Pagero who has access to personal data in their work role.

This privacy notice explains why and how Pagero collects and uses personal data relating to users of our services and provides information about the rights of data subjects in relation to their personal data. This privacy notice ensures that we:

• Comply with data protection regulations and privacy laws and follow good practices for data protection.
• Protect the rights of users and those data who is processed in the services.
• Are open about how we store and process personal data.

# 2. Who is covered by this privacy notice

This Privacy Notice covers you who:

• Use our service Pagero Online.
• Access and use our Support Center and Support Services.

Other available notices:

• For our general Privacy Notice, please refer to https://www.pagero.com/trust-center/privacy-notice.
• For users of our other services (for example, Pagero Freight or Pagero Health services), please refer to the Privacy Notice available at the login page of each respective product.
• For recruits, please see the Privacy Notice available both on the job and within our application system.
• For employees, please see the Privacy Notice available on our intranet and attached to your employment contract.

# 3. Responsibility for the use of your personal data

Pagero – part of Thomson Reuters. Pagero and the subsidiaries of Pagero group are a part of Thomson Reuters Corporation, a company registered at 19 Duncan Street Toronto, Canada. As used in this privacy notice, “Pagero”, “us” and “we” refer to the Pagero group part of Thomson Reuters, including Pagero AB and any of its subsidiaries. Pagero AB is a company registered in Sweden with company registration number 556581-4695, of Västra Hamngatan 1, SE-411 17 Gothenburg, Sweden. Each affiliate within Pagero is a separate legal entity but follows the same principles and standards for the protection of personal data. The means and purposes of processing personal data are established at the group level by Pagero AB unless explicitly stated otherwise. Contact details for each Pagero affiliate can be found on our website, www.pagero.com/contact-us.

Unless otherwise stated, the entities within the group with whom Pagero will share personal data or who will have access to the personal data when providing Pagero Online are set out in our sub-processor list at https://www.pagero.com/sub-processors (PW: Compliance).

For the section “Pagero EU-US transfers”, the recipient Pagero entity is Pagero Inc, 150 North Michigan Avenue Suite 1950 Chicago, IL 60601.

# Processing of personal data on behalf of our customers

When providing Pagero Online, we mainly process personal data as a processor on behalf of our customers and in accordance with their instructions. Our processing of personal data on behalf of our customers is governed by Data Processing Agreement(s) (“DPAs”), which is a part of our service agreement with each customer. In order for you to understand which data we may process about you on behalf of our customer, we have a section for personal data we process as a Processor in the section Pagero as a processor. If you have any questions relating to our processing on behalf of customers, please contact dpo@pagero.com. We will support you and guide you to the organisation responsible for the processing of your data.

# 4. Personal data that we collect

We collect and use different categories of personal data about you. Please note that it is not certain that we collect and use all categories of personal data about you. Which personal data we actually collect and use about you depends on how you interact with us and your role.

We collect and use the following categories of personal data:

• Identity information, which makes it possible to identify you, for example, your name.

• Contact information, which makes it possible to contact you, including your address, e-mail address and telephone number.

• Profile information, which concerns your profile, including your username, title, and name and address to the company or organisation that you work for.

• Communication with us, including contents in e-mail or the responses you provide when submitting a support case.

• Technical information about the device that you use when using our websites and services, including type of device, version of browser, and operating system.

• Anonymized and aggregated user-generated information that is based on your activity and use of our websites and services, including clicks and visits on our websites.

• Survey responses you submit to us when responding to our surveys.

Based on the personal data that we collect about you, we also use personal data that is derived or compiled from this information:

• Case history relating to support matters.

• Security Logs relating to your use and access to our services.

# 5. Sources from which we collect personal data

The personal data that we collect about you is mainly collected directly from you when you provide your personal data to us, for example, when you use our service Pagero Online, participate in a survey, contact or otherwise communicate with us.

We also collect or are provided, where necessary personal data from other sources, including:

• Affiliates of Pagero.

• The company or organisation that you work for.

• Employees or hired personnel that provided your personal data to us.

# 6. Our use of personal data

We use the personal data that we collect for the purposes listed below. Please note that all purposes for our use of personal data may not apply to you. For which purposes we use your personal data depends on how you interact with us and the nature of your relationship with Pagero.

In short, we use personal data to provide our service Pagero Online, provide support, ensure the security and functionality of our services, and improve our business and services.

Below, we have listed the purposes for which we collect and use personal data within different areas. In the first part, we have included information on the data we process on behalf of our customers and, thereafter, more information about which categories of personal data we use, which legal basis we rely on, and how long personal data is stored in relation to each purpose we act as the Controller, please see our detailed information on our use of personal data: Pagero as a controller.

# As a Processor

• Provide our service Pagero Online

# As a Controller

# Provide our services and fulfill our security obligations

• Ensure technical functionality and security in Pagero Online
• Use of technical, functional and security cookies in Pagero Online
• Incident management
• Provide Support Services
• Enable functionality and security in the Support Center

# Quality assurance, improving our services & surveys

• Quality assurance of customer support
• Conduct surveys to measure customer satisfaction & improve and enhance our services
• Anonymized analytics to track usage to improve our services

# 7. Transfers of personal data

# Transfers of personal data to various recipients

We share personal data with various recipients if it is necessary for the purposes for which we use personal data. Please see "Our use of personal data" in section 6 above. To read more about for which purposes and which categories of personal data we share with recipients and which legal basis we rely on for sharing personal data, please see our detailed information on our use of personal data: Pagero as a processor and Pagero as a controller.

We share personal data with:

• Affiliates of the Pagero group which includes where specified also the Thomson Reuters group companies. The Pagero and Thomson Reuters companies collaborate and therefore share personal data with each other, for example, when providing our services and support. For Pagero Online and the support services, the sharing is limited to the affiliates listed at https://www.pagero.com/trust-center/subprocessors (PW: Compliance)

• Service providers that provide services to us and which needs access to your personal data to provide such services. These service providers provide, for example, IT services (for example business office tools) and our support case service tool. Where the service providers process personal data on our behalf, they act as processors for us, and we are responsible for the processing of your personal data. They must not use your personal data for their own purposes and are contractually and legally obliged to protect your personal data.

• Sub-processors that we use to deliver parts of our services to customers, as agreed in each customer agreement. All our subprocessors are listed at https://www.pagero.com/trust-center/subprocessors (PW: Compliance). They must not use your personal data for their own purposes and are contractually and legally obliged to protect your personal data.

• Other recipients such as external advisors, public authorities, and law enforcement where needed, for example, to fulfill legal obligations or manage, defend, and exercise legal claims and rights.

# Transfers of personal data to Pagero Inc and Thomson Reuters Inc under the EU-US Data Privacy Framework

Pagero and Thomson Reuters complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Pagero Inc and Thomson Reuters Inc has certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Pagero and Thomson Reuters has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view both the Pagero Inc and the Thomson Reuters Inc certification, please visit https://www.dataprivacyframework.gov/

# Accountability for Onward Transfer

We will not share, sell or distribute any of the information you provide to us without your consent, except as described in this privacy notice.

Pagero and Thomson Reuters may share your information with external third parties, such as vendors, consultants and other service providers who are performing certain services on behalf of Pagero. Such third parties have access to Personal Data solely for the purposes of performing the services specified in the applicable service contract, and not for any other purpose. Pagero and Thomson Reuters requires these third parties to undertake security measures consistent with the protections specified in this privacy notice.

Pagero and Thomson Reuters will remain responsible for the processing of personal data it receives under the DPF and subsequently transfers to a third party acting as an agent on its behalf, unless Pagero proves that it is not responsible in an event giving rise to damage.

In the event Pagero and/or Thomson Reuters transfer personal data covered by this DPF Policy to a third party acting as a controller, we will do so consistent with any notice provided to data subjects and any consent they have given (where applicable), and only if the third party has given us contractual assurances that it will (i) process the personal data for limited and specified purposes consistent with any consent provided, (ii) provide at least the same level of protection as is required by the DPF Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the personal data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Pagero and/or Thomson Reuters has knowledge that a third party acting as a controller is processing Personal Data covered by this DPF Policy in a way that is contrary to the DPF Principles, Pagero and/or Thomson Reuters will take reasonable steps to prevent or stop such processing.

The Federal Trade Commission (FTC) has jurisdiction over Pagero’s and Thomson Reuters compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Pagero and/or Thomson Reuters may be required to disclose Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

# Dispute Resolution under the Data Privacy Framework

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Pagero and Thomson Reuters commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.To contact us regarding any transfers made under the Data Privacy Framework, please see section 13 “If you have questions”. If you have not received timely response to your concern, or we have not addressed your concern to your satisfaction, you may seek further assistance, at no cost to you, from the EU Data Protection Authorities panel. You can invoke this right by contacting your national data protection Authority (DPA). You may also invoke binding arbitration to determine whether a Pagero Inc has violated its obligations under the Data Privacy Framework Principles. Further information can be found on the official DPF website.

# Transfers of personal data to third countries outside the EU/EEA

We have subsidiaries and affiliates in various countries both inside and outside of the EU/EEA. Depending on where our customers purchasing our service are located and through their choice of settings and services we may share personal data between affiliates of the Pagero and Thomson Reuters Group and your personal data will when shared between relevant affiliates be transferred to third countries outside the EU/EEA which may not provide an adequate level of protection for personal data. We have an intra-group data transfer agreement to ensure an essentially equivalent level of protection for your personal data and that personal data is processed by each Pagero and Thomson Reuters affiliate in a lawful, fair, secure, and transparent manner. We comply with laws on the transfer of personal data between countries to help ensure your data is protected, wherever it may be. To understand which affiliates may process your data when we provide our services and act as a Processor, please refer to our sub-processor page https://www.pagero.com/sub-processors (PW:Compliance).

Moreover, we use service providers, which may also use sub-contractors, established in third countries outside the EU/EEA. To ensure an essentially equivalent level of protection for your personal data when transferred (or otherwise made available) to service providers in third countries outside of the EU/EEA which do not provide an adequate level of protection, we use the EU Commission's adopted standard contractual clauses for international transfers according to decision 2021/914 and implement – in light of the law and practices of the third country – necessary supplementary measures. Supplementary measures include technical, contractual and organisational measures that are necessary to bring the level of protection of the personal data transferred to an essentially equivalent level protection.

For more information on the safeguards that we have taken to protect personal data, please contact us. You will find contact details under "If you have questions" in section 13 below.

# 8. Your rights

# Rights in relation to the use of your personal data

You have certain rights in relation to the use of your personal data. For example, you have the right to request access and a copy of your personal data, and request that we, under certain circumstances, rectify, delete or restrict the use of your personal data. You can read more about these rights below in this section, or visit the Swedish supervisory authority’s website page on data subject rights. If you wish to exercise your rights, please use any of the following options:

• Submit a request through the Thomson Reuters Data Subject Rights Portal
• Email us at privacy.issues@thomsonreuters.com or dpo@pagero.com
• call us at 866-633-7656

For additional contact details, please see "If you have questions" in section 13 below.

# We normally reply to your request within one month

We normally reply to your request within one month following the date that we received the request. If your request is complex or if you have submitted several requests at the same time, we may need additional time to respond to your request. If we consider it necessary to extend the time to respond to your request, we will notify you of this and the reason as to why we need more time to respond to your request within one month following the date that we received your request. The time to respond to your request can be extended by up to a maximum of two months.

Moreover, if we cannot, wholly or partly, respond to your request for some reason, we will notify you of this and the reason within one month following the date that we received the request.

If you have submitted your request electronically, for example, via e-mail, we will also respond to it electronically unless you request otherwise.

# We need to confirm your identity to reply to your request

When you submit a request to exercise your rights, we need to confirm your identity to ensure that you are not somebody else than who you claim to be. This is to avoid disclosing personal data to an unauthorised person or deleting personal data in error. If we do not have sufficient information to confirm your identity, we can request that you provide supplementary information about yourself. We only request such information that is reasonable and necessary to your identity.

# If you use an authorized agent

We may request evidence of that you have provided such agent with a power of attorney or that the agent otherwise has valid signed authority to submit requests on your behalf, and ask that you verify your identity directly with us.

# Additional information on your rights

You have the right to:

• Request confirmation if we process personal data about you.

• Request access to and a copy of your personal data.

• Request rectification of your personal data that is incorrect or incomplete. Please note that previously provided personal data that may be seen as outdated may not be incorrect, depending on the circumstances and context.

• Withdraw your consent to our use of your personal data that is based on your consent.

• Request erasure of your personal data in some circumstances, but not in cases where we, for example, are legally obligated to keep your personal data.

• Request restriction of your personal data in certain circumstances, and you can then, at least for a certain period of time, prevent us from using your personal data for other purposes, for example, to manage and defend a legal claim or to comply with legal obligations that we are subject to.

• Object to the processing of your personal data based on our or another party's legitimate interest for reasons related to your specific situation. If we cannot show that we have a compelling reason for our use of personal data, we will stop using your personal data for the relevant purpose.

• Transfer your personal data (data portability) under certain circumstances by requesting a copy of your personal data that you have provided to us in a structured format that you can transfer to another recipient.

Please note that these rights are not absolute and that there may be exceptions. You can learn more about data subject rights and how they work by visiting the Swedish supervisory authority’s page on data subject rights.

# 9. Additional information for California residents

The California Consumer Privacy Act, together with the California Consumer Privacy Rights Act (“CCPA”) affords consumers residing in California certain rights in relation to their personal information. If you are a California resident, please see the Thomson Reuters Privacy Statement regarding Pagero’s and Thomson Reuters collect, disclose, and sell or share personal information related to Californian consumers, available here.

# 10. We protect your personal data

We use technical and organisational security measures to protect your personal data against unauthorised disclosure of, or access to, personal data. This involves detecting, investigating and resolving incidents. If you would like to know more about how we work with security, please visit our page on information security.

# 11. Use of cookies and similar technologies

We use a limited set of cookies and other technologies in our service, Pagero Online, and our Support Center. To read more about our use of cookies and similar technologies in Pagero Online, please see our Pagero Online Cookie Notice. To read more about our use of cookies and similar technologies in our Support Center, please see our Support Center Cookie Notice.

# 12. Updates to this privacy notice

We regularly update this Privacy Notice. Our use of personal data may change; for example, we may collect personal data for new purposes, collect additional categories of personal data, or share your personal data with other recipients than outlined in this Privacy Notice. If our use of personal data changes, we will update this Privacy Notice to reflect such changes. At the top of this page, you can see when this Privacy Notice was last updated. If we make material changes that are not only editorial to this Privacy Notice, we will notify you of any such changes and what they mean to you in advance.

# 13. If you have questions

If you have questions about this Privacy Notice, our use of your personal data or if you wish to exercise your rights, please contact us at:

• Submit a request through the Thomson Reuters Data Subject Rights Portal
• Email us at privacy.issues@thomsonreuters.com or dpo@pagero.com
• call us at 866-633-7656

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your country. A list of the data protection authorities within EU and contact details can be found on the European Data Protection Board's web-site.