Privacy Policy Benify Application

Statement of purpose

Benify values and takes pride in processing personal data with a high level of integrity and security. In this policy, Benify explains why and how we process personal data.

Key terms and definitions

There are some key legal terms that it is essential to know in order to understand this policy. Below is a description of these terms.

Personal data is information related to an identified or identifiable natural person or data subject. An identifiable person is someone who can be identified, either directly, for example through a personal identity number, or indirectly, through use of the data in conjunction with other information in the possession of the data controller. Certain special categories of personal data, including racial or ethnic origin, trade union membership, sexuality, physical or mental health conditions, and religious beliefs, are considered sensitive data. Such data require higher protection and safeguards.

Processing personal data includes any operation or set of operations performed on personal data, whether or not by automatic means. So, processing includes disclosure by transmission, structuring, amending, storing and many other activities performed on personal data.

Controller is the natural or legal person who determines the purposes and means of the processing of their personal data. The controller is entitled to engage other parties to process personal data on its behalf. Such party is called a processor. The processor is thus acting under the authority of the controller and is only allowed to process the controller’s personal data on instructions from the controller or if required by applicable law.

Why Benify processes personal data

Benify provides software as a service to our clients in order to assist them in improving and managing their employees’ compensation, thereby strengthening their employer brands. The services are provided through Benify’s digital benefit portal where employees of our clients log in as end-users to view and manage their compensation and benefits. Provision of these services thus require Benify to processes personal data of our clients identifying and relating to our clients’ employees as data subjects.

Consequently, each client is the controller of their respective personal data and Benify is engaged as a processor acting under the authority, and on the behalf, of our clients.

When end-users log on to the benefit portal for the first time, they are informed about the client’s role as controller, Benify’s role as a processor and the general purposes for which their personal data is being processed by Benify.

How Benify processes personal data

The benefit portal is tailored to each client’s service request. The processing activities carried out by Benify therefore differ between different clients, but generally includes (without being limited to) the following operations:

  • Receiving personal data related to the end-users of the portal from clients and end-users
  • Integrating the personal data in the benefits portal to set up individual accounts and further personalize the experience of the portal
  • Administrating orders and salary transactions related to orders made by the data subjects in the benefit portal, and transmitting the data back to the client
  • Developing new tools, products of services for our clients
  • Communicating with end-users and client administrators regarding use of the benefit portal

Benify only processes the clients’ personal data in order to provide them with our services for digital processing of compensation and benefits, and only pursuant to their instructions or as required by law. When authorized by clients to process personal data for continuous development, testing and troubleshooting in the benefit portal, Benify uses pseudonymized, anonymized or aggregated data to the extent possible.

Benify’s processing activities is governed by written Data Processing Agreements between Benify and each client. These agreements states that Benify is acting as a processor under the authority of the controller and shall comply with instructions from the client and relevant data protection authority. It also imposes certain obligations on Benify regarding how to process personal data in order to ensure privacy rights and secure routines.

Since Benify processes our clients’ personal data as a processor during delivery of the service, the client as controller determines the purposes and means of the processing.

The only case where Benify acts as controller of personal data which was originally controlled by a client is if Benify is obligated to process such personal data in order to comply with applicable law regarding e.g. archiving of financial records.

Independent suppliers

The companies that offer their products and services in the portal are independent suppliers. They are not sub-contractors of Benify but have entered into cooperation agreements with Benify pursuant to which they offer their products and services in the benefit portal as a digital marketplace for the clients and end-users. The supplier is therefore the contractual counterparty in relation to orders made in the portal, not Benify.

In order to complete a purchase in the portal, the end-user must confirm the supplier (i) gaining access to relevant personal data of the end‑user and (ii) processing that personal data in order to fulfill its obligations to the end-user. If the end user confirms the order, Benify will send the order to the supplier and provide the supplier with relevant personal data relating to the end-user.

When an order is completed by the end-user, the supplier is the controller of the personal data it has received. The supplier is therefore responsible for determining the purpose and means of processing such data.

Sub-processors Benify AB

Any sub-processor engaged by Benify AB that will process personal data under the authority, and on behalf, of Benify AB must enter into a separate Data Processing Agreement with Benify AB. Pursuant to this agreement, the sub-processor agrees to comply with instructions from relevant data controller and applicable data protection legislation.

Benify AB has several subsidiaries supplying services in local markets around the world. Benify AB acts as a sub-processor of, and has entered into a data processing agreement with, each local subsidiary. This means that the majority of the sub-processors are contracted by Benify AB, and the local subsidiaries procure the majority of sub-contracted services through Benify AB.

Benify AB is obliged to keep its clients informed about any sub-processor engaged to process the clients’ personal data and the clients are entitled to object to such sub-processor processing.

Entity Processing activity Storage location Processing location
Benify processing AB Invoice partner EU EU
Lifeplan AB Pension & Insurance
consulting partner
EU EU
Printline Idéproduktion AB Prints and sends
welcome mail to users
EU EU
Zendesk Inc. Provider of customer
service system
EU USA
CGI Sverige AB Provider of Electronic
identification service
EU EU
IP Only AB Provider of Contact
center system
EU EU

Data storage and transfer

Benify only stores and processes personal data in the Benify benefit portal within the European Economic Area (EEA). No personal data is transferred to any third country outside of the EEA.

If a client or end user registers a support issue at the Benify support, name and contact details together with a description of the support issue will be collected. This information is stored within the European Economic Area (EEA) but could, for trouble shooting purposes, be remote accessed by the support system supplier in USA. Benify has a model clause agreement with the supplier, and the supplier is connected to Privacy Shield.

Benify’s data centers are located in Sweden and Germany.

Information security

In order to achieve a structured and strategic approach to information security, we run our security program in compliance with a range of well-known industry standards. We appreciate that these attestations matter, as they provide independent assurance to our customers.

As a part of our security program we are ISO 27001 and ISO 27018 certified, we issue ISAE3000 reports and we are also a part of the Cloud Security Alliance STAR program.

For further information, see the Benify security page available on our public website.

Cookies

In the Benify application we use cookies, which are tiny files that are downloaded to your computer. We use different types of cookies to improve your experience.

Necessary cookies make the application usable by enabling basic functions like page navigation and access to secure areas of the application. The application cannot function properly without these cookies.

Preference cookies enables the application to remember information that changes the way the application behaves or looks, like your preferred language or the region that you are in.

Statistic cookies helps us to understand how you interact with the application by collecting and reporting information anonymously.

You can prevent the setting of cookies by adjusting the settings on your browser. Be aware that disabling cookies will affect the functionality of the application. Disabling cookies will usually result in also disabling certain functionality and features. Therefore, it is recommended that you do not disable cookies.

Marketing & communication

Benify provides and communicates high street discounts for or our end-users via e-mail, also known as BenifyDeals. This type of communication is by Benify considered to be direct marketing which requires each end-users consent (opt-in). The consent for BenifyDeals will be collected at first log-in. If you do not leave your consent no BenifyDeals communication will take place. Each end-user always has the possibility to withdraw BenifyDeals consent (opt-out) in the Benify portal and directly in the received e-mail.

Review

This policy will be continually monitored and will be subject to an annual review. Document owner is responsible for annual review. In case of recurring critical incidents there may be additional reviews.