Policy on the protection of clients' personal data.

1. WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA

Prenax AB on behalf of Prenax Group (Prenax Next SAS) is responsible for personal data, which means that we are responsible for how your personal data is processed and that your rights are safeguarded.


2. WHY WE COLLECT YOUR PERSONAL DATA

Prenax AB on behalf of the Prenax Group (the Data Processor) processes personal data on behalf of its Client (the Data Controller) for the purpose of providing Subscription Services. We may need personal data to comply with agreements or laws and to perform customer and market analyses. We may also need personal data to provide you with good service, for example in terms of marketing, follow-up and information. For each specific processing of personal data where we collect personal data from you, we inform you about the processing of personal data. We collect personal data only when we have a legal basis for doing so. Prenax complies with the EU General Data Protection Regulation (GDPR) and is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF).


3. WHERE DO WE PROCESS YOUR PERSONAL DATA

Prenax guarantees that it will not transfer any personal data other than as set out in this policy.

We strive to process data within the EU but in some cases transfer personal data to recipients in countries outside the EU/EEA. Personal data processed by our US entity resides in our US data center. To ensure that personal data is adequately protected, we will take the necessary measures, e.g. by entering into the EU Commission's Standard Contractual Clauses (SCC) or ensuring that there are other appropriate safeguards and mechanisms in place.

When the Data Controller orders in writing any published material sourced outside of the EU/EEA, he expressly agrees that the personal data necessary to process the order is transferred outside of the EU/EEA to the country of origin of the publisher. In such event, the Data Processor must comply with any requirements established by any data protection authority or any other governmental authorities necessary for the granting of approval by such authorities for the transfer of personal data outside of the EU/EEA, including by adherence to the Commission’s standard contractual clauses as set out by Commission Decision of 5 February 2010 with later amendments, to the extent applicable.


4. HOW LONG DO WE SAVE YOUR PERSONAL DATA?

We save your information as long as the information is necessary to fulfill the purposes for which the data was originally collected, and we also have clear deletion routines set up. The storage of data is also limited by legal requirements, and data will be saved as long as required by applicable legislation.

Further information about storage time is given at the start of specific personal data processing and if you have questions about processing times, you are welcome to contact us at privacy@prenax.com.


5. WHAT PERSONAL DATA DO WE PROCESS?

We process personal data only when we have a legal basis. Here are examples of personal data we process:

· Name

· Address

· E-mail address

· Telephone number

· Information about department affiliation and position

· Information that you have registered yourself and voluntarily provided

· We also process information about website visitors' usage, clicks on the website, traffic data (IP address and device model) and data traffic source (e.g. if you clicked through to our website through campaigns). More information about the processing of personal data can be found in section 6.


6. FOR WHAT PURPOSE DO WE PROCESS YOUR DATA?

The following scenarios describe our processing of personal data:

· To communicate with and answer questions from you

Purpose: We process your personal data for the purpose of communicating with you and answering questions from you when you interact with us, e.g. if we receive a question from you regarding our range of services.

Categories of personal data: We collect your name, email address, address, telephone number (work) and other information that you provide to us (e.g. department affiliation and job title).

Legal basis: The legal basis for this processing is a balance of interests to satisfy our legitimate interest in being able to communicate with you and handle questions from you.

Storage period and/or criteria: We process your personal data for as long as it is necessary to fulfill our purpose and we will then delete the personal data, unless we have another purpose according to this privacy notice.


· Carrying out surveys

Purpose: We process your personal data when you participate in surveys.

Categories of personal data: We collect your name, email address, address, telephone number (work) and other information that you provide to us (e.g. in free text fields).

Legal basis: The legal basis for this processing is a balance of interests to satisfy our legitimate interest in being able to understand how our products and services should be designed to meet existing and potential customers' needs.

Storage period and/or criteria: We process your personal data for as long as it is necessary to fulfill our purpose and will then delete the personal data, unless we have another purpose according to this privacy notice. As an existing or potential customer, you always have the opportunity to decline to participate in surveys.


· Use, troubleshooting and keeping statistics for our website

Purpose: We process certain information about website visitors in order to use our website as intended, to keep statistics and perform troubleshooting.

Categories of personal data: Personal data is collected via cookies and consists e.g. of IP address, device model and data traffic source (e.g. if you clicked through to our website through campaigns).

Legal basis: We process such personal data based on our legitimate interest in being able to improve the website. You can object to this processing at any time by adjusting your cookie preferences.

Storage period and/or criteria: Unless you have adjusted your cookie preferences, we process your personal data for as long as necessary to fulfill our purpose and will subsequently delete the personal data, unless we have another purpose according to this Privacy Notice.

· Marketing mailings & newsletters

Purpose: We process personal data to offer information and news mailings to representatives of existing and potential customers. Personal data is collected directly from representatives of existing and potential customers, e.g. in connection with events, through cookies or through public registers and databases. The information is provided by telephone, letter, e-mail, SMS and/or equivalent contact channels, as well as through advertising.

Categories of personal data: Personal data processed is name, e-mail address, address, telephone number (work) and information about department affiliation and position. We also process information about website visitors' usage, clicks on the website, traffic data (IP address and device model) and data traffic source (e.g. if you click through to our website through campaigns) through cookies to optimize marketing.

Legal basis: The legal basis for this processing is our legitimate interest in being able to provide information about and market our services.

Storage period and/or criteria: The personal data will be saved until its purpose is fulfilled. You can always ask to be unsubscribed. We will then stop processing your personal data for this purpose.

· Implementation of marketing activities and events

Purpose: We may contact you as a representative of existing or potential customers in order to invite you to marketing activities (events, lectures, seminars, courses or similar). We process personal data to the extent necessary to carry out the activity, to follow up participation and to be able to target marketing.

Categories of personal data: We process your name, e-mail address, address, telephone number (work) and other relevant contact details that you have provided to us, which we have collected from public registers and databases, or from our CRM systems if you are an existing customer representative, in order to be able to send out notices, list of participants and material before and after the activity.

Legal basis: We process your personal data according to our legitimate interest in being able to inform you about events that we organize, carry out the event and to be able to direct offers of our services to the participants.

Storage period and/or criteria: We process your personal data for as long as it is necessary to carry out the event. The participant list is saved for administration and follow-up so that we can target marketing to participants about our services. You may object to our processing of your personal data for this purpose at any time and we will then stop processing your personal data, unless we have a different purpose as set out in this Privacy Notice.

· To deliver our services

Purpose: We process your personal data in order to deliver our services.

Categories of personal data: We collect your name, email address, address, telephone number (work) and other information that you and/or your organization provides to us (e.g. department affiliation and job title).

Legal basis: Contractual basis. When we enter into an agreement with a customer, the consent for us to process personal data is handled by the customer’s organization, as it is the data controller of your personal data. In case you wish to exercise your right to have your personal data removed, this must be requested by the customer organization’s DPO due to contractual obligations. In case your consent is required for data processing, we will not process your data until you have acknowledged your consent. You have the right to withdraw your consent at any time. We will then no longer process your personal data or obtain new data, provided that it is not necessary to fulfil our obligations under contract or law.

Storage period and/or criteria: We process your personal data for as long as it is necessary to fulfill our contract and to fulfill our legal and regulatory commitments and we will then delete the personal data, unless we have another purpose according to this privacy notice.

 

7. WHO MAY WE SHARE YOUR PERSONAL DATA WITH?

7.1 Sub-contractors

Prenax does not currently use subcontractors for its subscription services, but in the event that this should occur, Prenax would expect and require the same policy compliance as laid out in this document from its subcontractors.

7.2 Sub-processors

Where necessary, we share your personal data with companies that in one way or another are suppliers to us. These suppliers are called data sub-processors. All companies that process personal data on our behalf do so according to our instructions and under our supervision.

When your personal data is shared with data sub-processors, it is only for the purposes we have specified. We check all sub-processors to ensure that they can provide sufficient guarantees for the security and confidentiality of personal data. We ensure that organizational and technical measures are in place and have written agreements with all data sub-processors in which they guarantee the security of the personal data processed and undertake to comply with our security requirements as well as restrictions and requirements regarding the international transfer of personal data, e.g. DPA and Standard Contractual Clauses, where applicable.

We never pass on your personal data to any other third party.


8. DATA SUBJECTS' RIGHTS

You have certain rights related to how we process your personal data, namely:

· Right of access (so-called register extract) - you have the right to request information about what personal data we process about you, e.g. by requesting a so-called register extract.

· Right to rectification - if you believe that personal data about you is incorrect or incomplete, you have the right to request that your personal data be corrected or supplemented.

· Right to object - in some cases you have the right to object to our personal data processing. The right to object applies when personal data is processed in the context of a balance of interests, and we will not continue with the personal data processing unless we have reasons that outweigh your privacy interest.

· Right to restriction of processing - you can request restriction of processing if, for example, you believe that the personal data is incorrect. In such cases, you can also request that the processing of the data be restricted while the accuracy of the data is being investigated.

· Right to erasure - you can in some cases request that the personal data be deleted, e.g. if they are no longer necessary for the purpose for which they are processed or if you consider the processing to be incompatible with applicable data protection legislation.

· Right to data portability - you also have the right in some cases to receive the personal data concerning you in a structured, commonly used and machine-readable format (data portability) for transfer to another personal data controller.

· Right to withdraw your consent - you can, at any time, withdraw a consent and then we will stop processing the personal data for that purpose.

· Right to object to processing for direct marketing purposes - you can, at any time, unsubscribe from mailings by notifying us or, if possible, clicking on an unsubscribe link in the mailing.

 

9. SECURITY

· Security measures - Prenax has implemented appropriate technical and organizational security measures to protect all personal data. This protection is against, and not limited to, accidental or unlawful destruction, loss or alteration and against unauthorized disclosure, abuse or other processing in violation of the provisions laid down in the Directive 95/46 EC of the European Parliament and of the Council and any applicable laws implementing it and/or any latter amendments hereof, including the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing the EU Directive (hereinafter altogether referred to as the “Data Protection Legislation”).

· Audit - Prenax permits clients (subject to reasonable and appropriate confidentiality undertakings) to audit Prenax data processing activities and compliance to verify and/or procure that Prenax is in full compliance with its obligations under the General Data Protection Regulation (GDPR).

· Confidentiality - Prenax ensures that its employees processing personal data have committed themselves to the obligation of confidentiality regarding any personal data processed.

· Notice - Prenax shall immediately inform the client if, in its opinion, an instruction infringes the Data Protection Legislation.

· Software Security - All Prenax systems are built with software security as a vital part of the design. This implies that all systems are designed and built upon the assumption that malicious practices can always occur, and that all systems and processes need to be prepared for these events.


10. EU-U.S. DATA PRIVACY FRAMEWORK

Prenax Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), as set forth by the U.S. Department of Commerce. Prenax Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) regarding the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern.

To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Below we inform you about the type of personal data we process and why, the possible third parties with whom we share your personal data and why, your rights and your choices, as well as how to file a complaint and how to reach us.

10.1 What type of data do we receive and why

According to the DPF, we process both HR and non-HR personal data. Details regarding the processing of HR-related personal data are outlined in Prenax's internal GDPR policy.

For information on how we handle personal data related to customers and suppliers, please refer to sections 5 "What personal data do we process?" and 6 "For What Purpose Do We Process Your Data?" in this document. We process your personal data in a way that is relevant and proportionate with the purposes described above and/or subsequently authorized by you in accordance with DPF Principles.

We also comply with the DPF Principles by implementing processes described in this external GDPR policy to ensure your personal data is accurate, complete, up-to-date and reliable for its intended use.

We also take reasonable and appropriate security measures to protect your personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the personal data.

10.2 Who do we share your information with and why

All the personal data that we share is described in section 7, "Who may we share your personal data with?", of this policy.

Today, we disclose personal data to third parties in those cases where it is necessary or legally required. These third parties are suppliers (data processors) and in those cases we always write a data processing agreement (DPA), or other protective measures, e.g. Standard Contractual Clauses. We also require our data processors to provide the same level of protection as the one guaranteed by the DPF Principles.

We may be required to disclose your personal information in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

10.3 Your rights and your choices

Your rights as a data subject are detailed in Section 8 (“Data Subject rights”) of this policy. In addition, we provide you with options regarding how your personal information is used and shared. You have the right to opt-out of:

· the use of your personal information for direct marketing communications

· the disclosure of your personal information to third parties

· the use of your personal information for purposes other than those for which it was originally collected or subsequently authorized by you.

For sensitive personal information, we require your explicit “opt-in” (i.e. your consent) if such information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by you.

10.4 How to submit a complaint

In accordance with DPF Principles, Prenax Inc. commits to resolve complaints in relation to the processing of your personal data. Any individuals with inquiries or complaints regarding the use or disclosure of Personal Data in accordance with the DPF Principles should first contact Prenax Inc. using the contact information in the section "How to contact us" below.

We will endeavor to respond to your inquiries, investigate, and resolve complaints expeditiously and at the latest within 45 days at no cost to you and by reference to the EU-US DPF Principles.

10.4.1 Independent Recourse Mechanism

If you have an unresolved DPF complaint that you believe we have not satisfactorily addressed, Prenax Inc. is also committed to referring the complaint to the JAMS Data Privacy Dispute Resolution Program. This program is an independent dispute resolution provider located in the U.S. and is made available to you free of charge. For more information or to submit a complaint, please visit: https://www.jamsadr.com/DPF-Dispute-Resolution.

10.4.2 Binding Arbitration

Under certain conditions, more fully described on the Data Privacy Framework website, you may be entitled to invoke binding arbitration when other dispute resolution options do not satisfactorily resolve your concerns.

Please note that Prenax Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

10.5 Onward transfers

If Prenax Inc. transfers information onward to a third-party service provider acting as Prenax Inc.'s agent, Prenax US continues to remain liable under the DPF Principles if the agent processes the information in a manner inconsistent with the DPF Principles, unless Prenax Inc. is not responsible for the event giving rise to the damage.

10.6 How to contact us

For any inquiries or complaints about EU-U.S. Data Privacy Framework or our practices concerning personal data, please contact us at:

Prenax Inc.

Pete Prentice

Address: 10 Ferry St, Ste 137 Concord, NH 03301 USA

Phone: +1 (603) 717-0383

Email: privacy@prenax.com


11. DATA BREACH NOTIFICATION

Prenax (the Data Processor) shall without undue delay notify the Client (the Data Controller) in case of any identified or potential breach of personal data. The notification shall include any other information required in order for the client to comply with the General Data Protection Regulation (GDPR), including information about the nature of the breach and measures taken to control it.


12. COMPLAINT

If you believe that Prenax is not handling your personal data correctly, you always have the right to file a complaint regarding Prenax's personal data processing with the Swedish Authority for Privacy Protection (IMY) or your local authority within the EU and EEA. More information can be found on the Swedish Authority for Privacy Protection website https://www.imy.se/.


13. CONTACT

If you would like or need to get in touch with Prenax regarding privacy and data protection issues, please contact us at privacy@prenax.com.


14. CHANGES TO THIS PRIVACY POLICY

Prenax reserves the right to update or change this policy at any time and you should regularly visit this website to get the latest version.