# ONESOURCE Pagero Support Privacy Notice *Latest update: February 2026* ## 1. Introduction This privacy notice explains why and how Thomson Reuters collect and use personal data relating to customers and other individuals in our support process. This includes when an individual visits our support pages, submits a question through our support portal, calls, emails or chats with us with a question. ### Who is covered by this Privacy Notice This Privacy Notice covers you who: - Visit the support website at https://www.thomsonreuters.com/en-us/help/pagero, or - Contact us or otherwise communicates with the ONESOURCE Support, for example via e-mail or phone. **Other available notices:** - For users of our services (for example ONESOURCE Pagero, Pagero Freight or Pagero Health services), please see the Privacy Notice available at the log-in page of each respective product. - For recruits, please see the Privacy Notice available both on the job and within our application system. - Our group wide-privacy statement for other processing activities within the group, please see the [Thomson Reuters Privacy statement](https://www.thomsonreuters.com/en/privacy-statement.html). ## 2. Responsibility for the use of your personal data Thomson Reuters, including Pagero AB and its subsidiaries are owned by Thomson Reuters Corporation, a company registered at 19 Duncan Street Toronto, Canada. As used in this privacy notice, "TR", "us" and "we" refer to the Thomson Reuters group. Each entity within Thomson Reuters group is a separate legal entity but follows the same principles and standards for the protection of personal data, and the means and purposes of processing personal data is established at group level by the Thomson Reuters Corporation unless explicitly stated otherwise. Contact details to each business segment can be found on our website, https://www.thomsonreuters.com/en/contact-us. For a list of principal subsidiaries, see page 159 of [Thomson Reuters' 2024 Annual Report](https://ir.thomsonreuters.com/static-files/c5ebb955-9a43-4b86-9047-4707e5bab703). ### Processing of personal data on behalf of our customers We also process personal data on behalf of and in accordance with the instructions of our customers as a processor. Our processing of personal data on behalf of our customers is governed by Data Processing Agreement(s) (DPAs), which is a part of our service agreement with each customer. This Privacy Notice does not cover our processing of personal data as a processor, since it is our customers that are responsible for this processing. If you have any questions relating to this, please contact your sales representative and we will support you and guide you to the correct responsible organization for the processing of your data. ## 3. Personal data that we collect As part of our support process and when you visit our support webpages, we collect and use the following categories of personal data: - **Identity information**, which makes it possible to identify you, for example your name. - **Contact information**, which makes it possible to contact you, including your address, e-mail address and telephone number. - **User generated information** that is generated based on your activity and use of our websites, digital channels, and services, including clicks and visits on our websites. - **Profile information**, which concerns your profile including your username, title, and name and address to the company or organisation that you work for. - **Communication with us**, including contents in a support ticket, e-mail, chat or phone call information. - **Technical information** about the device that you use when using our websites and digital channels, including type of device, version of browser and operating system. Based on the personal data that we collect about you, we also use personal data that is derived or compiled from this information: - **Case history** relating to support matters, - **Customer profile**, and - **Communication history**. ## 4. Sources from which we collect personal data The personal data that we collect about you is mainly collected directly from yourself when you provide your personal data to us when submitting a ticket or calling us. We may also get basic contact data related to you from the company or organization that you work for. ## 5. Our use of personal data We use the personal data that we collect for the purposes listed below. Please note that all purposes for our use of personal data may not apply to you. The purposes for which we use your personal data depends on how you interact with us, for example if you solely visit our support webpage or if you call us or submit a ticket. In the course of providing support, we process personal data for the different purposes: **Provide support & related activities** - [Provide support services](#provide-support-services) - [Quality assurance of customer support](#quality-assurance-of-customer-service) - [Enable functionality and security in the Support Center](#enable-functionality-and-security-in-the-support-center) To read more about which categories of personal data, which legal basis that we rely on for our use of personal data and for how long personal data is stored in relation to each specific purpose, please see our [detailed information on our use of personal data](#13-detailed-information-regarding-the-use-of-personal-data). ## 6. Transfers of personal data ### Transfers of personal data to various recipients We share personal data with various recipients if it is necessary for the purposes that we use personal data, please see "Our use of personal data" in section 5 above. To read more about for which purposes and which categories of personal data we share with recipients and which legal basis we rely on for sharing personal data, please see our [detailed information on our use of personal data](#13-detailed-information-regarding-the-use-of-personal-data). We share personal data with: - **Affiliates** of the Thomson Reuters group. The group companies collaborate and therefore share personal data with each other where several affiliates are involved in the provision of the support services. - **Service providers** that provide services to us and which needs access to your personal data to provide such services. These service providers provide, for example, IT services (for example business office tools) and communication services (which enable us to send you messages and newsletters). Where the service providers process personal data on our behalf, they act as processors for us, and we are responsible for the processing of your personal data. They must not use your personal data for their own purposes and are contractually and legally obliged to protect your personal data. - **Other recipients** such as external advisors, public authorities and law enforcement where needed for example to fulfil legal obligations or manage, defend and exercise legal claims and rights. ### Transfers of personal data under the EU-US Data Privacy Framework Thomson Reuters complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Thomson Reuters Inc has certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Thomson Reuters has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view the Thomson Reuters Inc certification, please visit https://www.dataprivacyframework.gov/ ### Accountability for Onward Transfer We will not share, sell or distribute any of the information you provide to us without your consent, except as described in this privacy notice. Thomson Reuters may share your information with external third parties, such as vendors, consultants and other service providers who are performing certain services on behalf of Thomson Reuters. Such third parties have access to Personal Data solely for the purposes of performing the services specified in the applicable service contract, and not for any other purpose. Thomson Reuters requires these third parties to undertake security measures consistent with the protections specified in this privacy notice. Thomson Reuters will remain responsible for the processing of personal data it receives under the DPF and subsequently transfers to a third party acting as an agent on its behalf, unless Thomson Reuters proves that it is not responsible in an event giving rise to damage. In the event Thomson Reuters transfer personal data covered by this DPF Policy to a third party acting as a controller, we will do so consistent with any notice provided to data subjects and any consent they have given (where applicable), and only if the third party has given us contractual assurances that it will (i) process the personal data for limited and specified purposes consistent with any consent provided, (ii) provide at least the same level of protection as is required by the DPF Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the personal data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Thomson Reuters has knowledge that a third party acting as a controller is processing Personal Data covered by this DPF Policy in a way that is contrary to the DPF Principles, Thomson Reuters will take reasonable steps to prevent or stop such processing. The Federal Trade Commission (FTC) has jurisdiction over Thomson Reuters compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Thomson Reuters may be required to disclose Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements. ### Dispute Resolution under the Data Privacy Framework In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Thomson Reuters commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner's Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. To contact us regarding any transfers made under the Data Privacy Framework, please see [section 12 "If you have questions"](#12-if-you-have-questions). If you have not received timely response to your concern, or we have not addressed your concern to your satisfaction, you may seek further assistance, at no cost to you, from the EU Data Protection Authorities panel. You can invoke this right by contacting your national data protection Authority (DPA). You may also invoke binding arbitration to determine whether Thomson Reuters has violated its obligations under the Data Privacy Framework Principles. Further information can be found on the official DPF website. ### Transfers of personal data to third countries outside the EU/EEA We have subsidiaries and affiliates in various countries both inside and outside of the EU/EEA. We share personal data between affiliates of the Thomson Reuters Group and your personal data will when shared between relevant affiliates be transferred to third countries outside the EU/EEA which may not provide an adequate level of protection for personal data. We have an intra-group data transfer agreement to ensure an essentially equivalent level of protection for your personal data and that personal data is processed by each Thomson Reuters affiliate in a lawful, fair, secure, and transparent manner. We comply with laws on the transfer of personal data between countries to help ensure your data is protected, wherever it may be. Moreover, we use service providers, which also may use sub-contractors, that are established in third countries outside the EU/EEA. To ensure an essentially equivalent level of protection for your personal data when transferred (or otherwise made available) to service providers in third countries outside of the EU/EEA which do not provide an adequate level of protection, we use the EU Commission's adopted [standard contractual clauses for international transfers](https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en) according to decision 2021/914 and implement – in light of the law and practices of the third country – necessary supplementary measures. Supplementary measures include technical, contractual and organisational measures that are necessary to bring the level of protection of the personal data transferred to an essentially equivalent level protection. For more information on the safeguards that we have taken to protect personal data, please contact us. You will find contact details under "If you have questions" in section 12 below. ## 7. Your rights ### Rights in relation to the use of your personal data You have certain rights in relation to the use of your personal data. For example, you have the right to request access and a copy of your personal data, and request that we, under certain circumstances, rectify, delete or restrict the use of your personal data. You can read more about these rights below in this section, or visit the [EDPB's website page on data subject rights](https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-opinions/guidelines-individual-rights_en). If you wish to exercise your rights, please use any of the following options: - Submit a request through the [Thomson Reuters Data Subject Rights Portal](https://privacyportal.onetrust.com/webform/dbf2b346-49f4-4422-9bc5-93d53e5fbf35/draft/06ad5e0c-e930-459b-95e0-8e1cb4dc3c96) - Email us at privacy.issues@thomsonreuters.com - Call us at +1 (866) 633-7656 For additional contact details, please see "If you have questions" in section 12 below. ### We normally reply to your request within one month We normally reply to your request within one month following the date that we received the request. If your request is complex or if you have submitted several requests at the same time, we may need additional time to respond to your request. If we consider it necessary to extend the time to respond to your request, we will notify you of this and the reason as to why we need more time to respond to your request within one month following the date that we received your request. The time to respond to your request can be extended with up to a maximum of two months. Moreover, if we for some reason cannot, wholly or partly, respond to your request, we will notify you of this and the reason as to why we cannot reply to your request within one month following the date that we received the request. If you have submitted your request electronically, for example via e-mail, we will also respond to your request electronically, unless you request otherwise. ### We need to confirm your identity to reply to your request When you submit a request to exercise your rights, we need to confirm your identity to ensure that you are not somebody else than who you claim to be. This to avoid that we for example disclose personal data to an unauthorised person or in error delete personal data. If we do not have sufficient information to confirm your identity, we can request that you provide supplementary information about yourself needed to confirm your identity. We only request such information that is reasonable and necessary to your identity. ### If you use an authorized agent We may request evidence of that you have provided such agent with a power of attorney, or that the agent otherwise has valid signed authority to submit requests on your behalf, and ask that you verify your identity directly with us. ### Additional information on your rights You have the right to: - **Request confirmation** if we process personal data about you. - **Request access** to and a copy of your personal data. - **Request rectification** of your personal data that is incorrect or incomplete. Please note that previously provided personal data that may be seen as outdated may not, depending on the circumstances and the context, be incorrect. - **Withdraw your consent** to our use of your personal data that is based on your consent. - **Request erasure** of your personal data in some circumstances, but not in cases where we, for example, are legally obligated to keep your personal data. - **Unsubscribe from marketing communications** which you for example can do by clicking on an unsubscribe link in the communication. Where applicable you can unsubscribe from communication in Your account. - **Request restriction** of your personal data in certain circumstances and you can then, at least for a certain period of time, prevent us from using your personal data for other purposes that for example to manage and defend a legal claim or to comply with legal obligations that we are subject to. - **Object to the processing** of your personal data that is based on our or another party's legitimate interest for reasons related to your specific situation and if we cannot show that we have a compelling reason for our use of personal data we will stop using your personal data for the relevant purpose. - **Transfer your personal data** (data portability) under certain circumstances by requesting a copy of your personal data that you have provided to us in a structured format that you can transfer to another recipient. Please note that these rights are not absolute and that there may be exceptions. You can learn more about data subject rights and how they work by visiting the [EDPB website on data subject rights](https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-opinions/guidelines-individual-rights_en). ## 8. Additional information for California residents The California Consumer Privacy Act, together with the California Consumer Privacy Rights Act ("**CCPA**") affords consumers residing in California certain rights in relation to their personal information. If you are a California resident, please see the [Thomson Reuters Privacy Statement](https://www.thomsonreuters.com/en/privacy-statement.html) regarding how Thomson Reuters collect, disclose, and sell or share personal information related to Californian consumers. ## 9. We protect your personal data We use technical and organisational security measures to protect your personal data against unauthorised disclosure of, or access to, personal data. This involves detecting, investigating and resolving incidents. If you would like to know more regarding how we work with security, please visit our page on [information security](https://www.pagero.com/trust-center). ## 10. Use of cookies and similar technologies We use cookies and other technologies on our websites. To read more about our use of cookies and similar technologies, please see our [cookie policy](https://www.thomsonreuters.com/en/privacy-statement#cookies). ## 11. Updates to this Privacy Notice We regularly update this Privacy Notice. Our use of personal data may change, for example we may collect personal data for new purposes, collect additional categories of personal data or share your personal data with other recipients than outlined in this Privacy Notice. If our use of personal data changes, we will update this Privacy Notice to reflect such changes. At the top of this page, you can see when this Privacy Notice was last updated. If we make material changes that are not only editorial to this Privacy Notice, we will notify you of any such changes and what they mean to you in advance. ## 12. If you have questions If you have questions about this Privacy Notice, our use of your personal data or if you wish to exercise your rights, please contact us at: - Submit a request through the [Thomson Reuters Data Subject Rights Portal](https://privacyportal.onetrust.com/webform/dbf2b346-49f4-4422-9bc5-93d53e5fbf35/draft/06ad5e0c-e930-459b-95e0-8e1cb4dc3c96) - Email us at privacy.issues@thomsonreuters.com - Call us at +1 (866) 633-7656 If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your country. A list of the data protection authorities within EU and contact details can be found on the [European Data Protection Board's website](https://edpb.europa.eu/about-edpb/about-edpb/members_en). ## 13. Detailed information regarding the use of personal data ### Provide support services #### What we do We use your personal data to respond to questions when you contact our support and to provide customer service. ||| **Categories of personal data** - Case history - Communication - Communication history - Contact information - Identity information - Order information - Order history - Profile information - Technical information ||| **Legal basis** _Legitimate interest (Article 6.1 (f) of the GDPR)._ The use of your personal data is necessary to satisfy our legitimate interest of responding to questions that you have and to provide customer service, for example providing customer support and managing any potential issues, errors and incidents that the customer may experience using our services. It is our assessment that our legitimate interest outweighs your interest of not having your personal data processed for this purpose, especially when you yourself has reached out to us. ||| #### Storage period Support cases (without the connection to the submitter) are kept for seven (7) years in order to ensure consistency in the delivery of our services to customers. #### Sharing of data This data may be accessed by the supplier of our support case system and internally within the Thomson Reuters Group. #### Third country transfers Yes, this data may be accessed by Thomson Reuters employees located in a third country subject to the Standard Contractual Clauses, the Data Privacy Framework and additional technical and organizational security measures. The supplier of the support cases system may upon prior authorization access specific cases for technical support subject to the Standard Contractual Clauses. --- ### Quality assurance of customer service #### What we do If you have been in contact with our customer support, we use your personal data to ask if you would like to help us ensure the quality of our customer service and support processes by providing your feedback. It is completely voluntary to provide feedback. ||| **Categories of personal data** - Support case data - Name and email - Title and organization - Contact information - Identity information - Order information - Order history - Profile information ||| **Legal basis** _Legitimate interest (Article 6.1 (f) of the GDPR)._ The use of your personal data is necessary to satisfy our legitimate interest of ensuring the quality of our customer service in order to provide the best customer service experience possible. It is our assessment that our legitimate interest outweighs your interest of not having your personal data processed for this purpose. ||| #### Storage period Personal data related to the individual who submitted the feedback is deleted after a period of twenty-four (24) months of inactivity. #### Sharing of data This data may be accessed by the supplier of our support case system and internally within the group companies. #### Third country transfers Yes, this data may be accessed by Thomson Reuters Group employees located in a third country subject to the Standard Contractual Clauses and additional technical and organizational security measures. --- ### Enable functionality and security in the Support Center #### What we do We use cookies and similar technologies to enable functionality on our websites and ensure the security of the Support Center, including remembering your settings and preferences. ||| **Categories of personal data** - Language settings - Cookie consent settings - Cookie data ||| **Legal basis** _Legitimate interest (Article 6.1 (f) of the GDPR)._ Where we use cookies (and similar technologies) for this purpose, we rely on our legitimate interest of providing strictly necessary functionality for our websites to function and ensure their security. It is our assessment that our legitimate interest outweighs your interest in not having your personal data processed for this purpose. _Consent (Article 6.1 (a) of the GDPR)._ Where we use cookies (and similar technologies) that are not strictly necessary for the website to function, we base this processing on your consent to cookies. ||| #### Storage period Personal data is stored during the period stated in the [Cookie Notice](https://www.thomsonreuters.com/en/privacy-statement#cookies). #### Sharing of data This data may be accessed by the supplier of our support case system, the third-party cookie provider, and internally within the Thomson Reuters group. #### Third country transfers Yes, this data may be accessed by Thomson Reuters employees and third-party cookie providers located in a third country subject to the Standard Contractual Clauses, the Data Privacy Framework where applicable and additional technical and organizational security measures.