# Personal data we process as the controller --- ## **Ensure technical functionality and security in Pagero Online** ### What we do We use your personal data to ensure necessary technical functionality and security of our IT systems and our service Pagero Online, for example, in connection with access controls and for security logging and error handling. For information on which security measures that we implement, please visit our page on [information security](https://www.pagero.se/informationssakerhet/). ||| **Categories of personal data** - User credentials - Log data ||| **Legal basis** _Legitimate interest (Article 6.1 f) of the GDPR)._ The use of your personal data is necessary to satisfy our legitimate interest in ensuring the technical functionality and security of our IT systems and services and fulfilling our responsibility of ensuring the security of our service provided to our customers according to Article 32 of the GDPR. It is our assessment that our legitimate interest outweighs your interest of not having your personal data processed for this purpose. ||| ### Storage period User credentials are stored as long as the user is an active user and up to 3 months thereafter. Logs are kept with different timespans depending on the type of log, the shortest being 3 months, and some logs are kept indefinitely after being anonymized. ### Sharing of data We share this data with suppliers of internal IT systems where such data is processed internally with information security and RnD teams. ### Third-country transfers Yes, internally to group companies and suppliers of IT systems subject to the Standard Contractual Clauses, the Data Privacy Framework and additional technical and organizational security measures. --- ## Incident management ### What we do To manage incidents in the services and fulfil our legal and contractual obligations to manage and report incidents, we will process personal data that is necessary to investigate, report and remediate a specific incident. Depending on the type of incident, such as an availability incident or a confidentiality incident, we may process personal data relating to our security logs, metadata about affected customer documents, your registered incident email and any support case data related to the incident. ||| **Categories of personal data** - User credentials - Log data - Support case data - Metadata about affected customer documents - Your registered incident email ||| **Legal basis** _Legitimate interest (Article 6.1 f) of the GDPR)._ The use of your personal data is necessary to satisfy our legitimate interest in ensuring that we appropriately manage, remediate and report incidents according to our legal and contractual obligations when providing our services. It is our assessment that our legitimate interest outweighs your interest of not having your personal data processed for this purpose. ||| ### Storage period Personal data in relation to support case data are kept according to our support process. Logs and documentation in relation to the specific incident is kept indefinitely as evidence. The incident email is stored for as long as our customer keeps the incident email registered in our services and/or is using our services. ### Sharing of data We share this data with suppliers of internal IT systems where such data is processed internally with information security and RnD teams. ### Third-country transfers Yes, internally to group companies and suppliers of IT systems subject to the Standard Contractual Clauses, the Data Privacy Framework and additional technical and organizational security measures. --- ## **Use of technical, functional and security cookies in Pagero Online** ### What we do For Pagero to ensure technical functionality and security of Pagero Online, strictly necessary and functional cookies and similar technologies may be used within the service. This includes remembering your settings and preferences. ||| **Categories of personal data** - Language settings - Cookie data - Technical Information - IP Address ||| **Legal basis** _Legitimate interest (Article 6.1 f) of the GDPR)._ The use of your personal data is necessary to satisfy our legitimate interest in ensuring the technical functionality and security of our services and fulfilling our responsibility of ensuring the security of our service provided to our customers according to Article 32 of the GDPR. It is our assessment that our legitimate interest outweighs your interest of not having your personal data processed for this purpose. ||| ### Storage period Language Settings, Cookie Data, and Technical Information are stored during the period stated in the Pagero Online Cookie Notice. ### Sharing of data We share this data with suppliers of internal IT systems where such data is processed internally and R&D teams. ### Third-country transfers Yes, internally to group companies and suppliers of IT systems subject to the Standard Contractual Clauses, the Data Privacy Framework and additional technical and organizational security measures. --- ## **Provide support services** ### What we do We use your personal data to respond to questions when you contact our support and to provide customer service. ||| **Categories of personal data** - Case history - Communication - Communication history - Contact information - Identity information - Order information - Order history - Profile information - Technical information ||| **Legal basis** _Legitimate interest (Article 6.1 (f) of the GDPR)._ The use of your personal data is necessary to satisfy our legitimate interest of responding to questions that you have and to provide customer service, for example providing customer support and managing any potential issues, errors and incidents that the customer may experience using our services. It is our assessment that our legitimate interest outweighs your interest of not having your personal data processed for this purpose, especially when you yourself has reached out to us. ||| ### Storage period Personal data related to the individual who submitted the support request is deleted after a period of twenty-four (24) months of inactivity. Support cases (without the connection to the submitter) are kept for seven (7) years in order to ensure consistency in the delivery of our services to customers. ### Sharing of data This data may be accessed by the supplier of our support case system and internally within the group companies. ### Third country transfers Yes, this data may be accessed by Pagero employees located in a third country subject to the Standard Contractual Clauses, the Data Privacy Framework and additional technical and organizational security measures. The supplier of the support cases system may upon prior authorization access specific cases for technical support subject to the Standard Contractual Clauses. --- ## **Enable functionality and security in the Support Center** ### What we do We use cookies and similar technologies to enable functionality on our websites and ensure the security of the Support Center, including remembering your settings and preferences. ||| **Categories of personal data** - Cookie consent settings - Cookie data ||| **Legal basis** _Legitimate interest (Article 6.1 (f) of the GDPR)._ Where we use cookies (and similar technologies) for this purpose, we rely on our legitimate interest of providing strictly necessary functionality for our websites to function and ensure their security. It is our assessment that our legitimate interest outweighs your interest in not having your personal data processed for this purpose. _Consent (Article 6.1 (a) of the GDPR)._ Where we use cookies (and similar technologies) that are not strictly necessary for the website to function, we base this processing on your consent to cookies. ||| ### Storage period Personal data is stored during the period stated in the [Pagero Support Center Cookie Notice](https://support.pagero.com/hc/en-us/p/cookie-notice). ### Sharing of data This data may be accessed by the supplier of our support case system, the third-party cookie provider, and internally within the Group Companies. ### Third country transfers Yes, this data may be accessed by Pagero employees and third-party cookie providers located in a third country subject to the Standard Contractual Clauses, the Data Privacy Framework where applicable and additional technical and organizational security measures. --- ## **Quality assurance of customer service** ### What we do If you have been in contact with our customer support, we use your personal data to ask if you would like to help us ensure the quality of our customer service and support processes by providing your feedback. It is completely voluntary to provide feedback. ||| **Categories of personal data** - Support case data - Name and email - Title and organization - Contact information - Identity information - Order information - Order history - Profile information ||| **Legal basis** _Legitimate interest (Article 6.1 (f) of the GDPR)._ The use of your personal data is necessary to satisfy our legitimate interest of ensuring the quality of our customer service in order to provide the best customer service experience possible. It is our assessment that our legitimate interest outweighs your interest of not having your personal data processed for this purpose. ||| ### Storage period Personal data related to the individual who submitted the feedback is deleted after a period of twenty-four (24) months of inactivity. ### Sharing of data This data may be accessed by the supplier of our support case system and internally within the group companies. ### Third country transfers Yes, this data may be accessed by the supplier of our support case system, Pagero employees located in a third country subject to the Standard Contractual Clauses and additional technical and organizational security measures. --- ## **Conduct surveys to measure customer satisfaction & improve and enhance our services** ### What we do We use the personal data that you share with us when responding to a survey to improve our understanding of our customers, their needs, preferences, and opinions. The information will be used to develop our products and services so that we can serve our customers better. You can unsubscribe from our communications at any time by clicking on the unsubscribe link in the communication or by contacting us. ||| **Categories of personal data** - Name - Email - Country of employment - Department, seniority level and organization - Your submitted opinions & responses - User-generated information ||| **Legal basis** _Consent (Article 6.1 (a) of the GDPR)._ The use of your personal data is based on the consent that you provide when filling out and submitting your response to our surveys. Storage period: Personal data included in the survey is kept for up to thirty-six (36) months. ||| ### Sharing of data We share this data with suppliers of internal IT systems where such data is processed, and internally within the group companies. ### Third-country transfers Yes, internally to group companies and suppliers of IT systems, subject to the Standard Contractual Clauses and additional technical and organizational security measures. --- ## **Anonymized analytics to track performance & usage to improve our services** ### What we do We use anonymized and aggregated data generated by users of our service Pagero Online in order to track usage and performance of our service Pagero Online in order to improve our services. ||| **Categories of personal data** - IP Address & User Agent pseudonymized by rotating salts. - Anonymised & aggregated usage information ||| **Legal basis** _Legitimate interest (Article 6.1 (f) of the GDPR)._ Until the browser information has been anonymized, we rely on our legitimate interest in assessing the performance and use of our services to improve them. We assess that our legitimate interest outweighs your interest in not having your personal data processed for this purpose. ||| ### Storage period We do not store the raw data. The collected information is run through a hash function with a rotating salt to pseudonymize the information. Old salts are kept for up to 24 hours and are therefore deleted to ensure that it is not possible to link to you as a user from one day to another. After the old salts have been deleted, the anonymized and aggregated user information is kept for up to twelve (12) months. ### Sharing of data We share this data with suppliers of internal IT systems where such data is processed and internally within the group companies after anonymization. ### Third-country transfers Yes, after anonymization internally to group companies and suppliers of IT systems, subject to the Standard Contractual Clauses and additional technical and organizational security measures.