Privacy Policy Benify Application

Statement of purpose

Benify values and takes pride in processing personal data with a high level of integrity and security. In this policy, Benify explains why and how we process personal data.

Key terms and definitions

There are some key legal terms that it is essential to know in order to understand this policy. Below is a description of these terms.

Personal data is information related to an identified or identifiable natural person or data subject. An identifiable person is someone who can be identified, either directly, for example through a personal identity number, or indirectly, through use of the data in conjunction with other information in the possession of the data controller. Certain special categories of personal data, including racial or ethnic origin, trade union membership, sexuality, physical or mental health conditions, and religious beliefs, are considered sensitive data. Such data require higher protection and safeguards.

Processing personal data includes any operation or set of operations performed on personal data, whether or not by automatic means. So, processing includes disclosure by transmission, structuring, amending, storing and many other activities performed on personal data.

Controller is the natural or legal person who determines the purposes and means of the processing of their personal data. The controller is entitled to engage other parties to process personal data on its behalf. Such party is called a processor. The processor is thus acting under the authority of the controller and is only allowed to process the controller’s personal data on instructions from the controller or if required by applicable law.

Why Benify processes personal data

Benify provides software as a service to our clients in order to assist them in improving and managing their employees’ compensation, thereby strengthening their employer brands. The services are provided through Benify’s digital benefit portal where employees of our clients log in as end-users to view and manage their compensation and benefits. Provision of these services thus require Benify to processes personal data of our clients identifying and relating to our clients’ employees as data subjects.

Consequently, each client is the controller of their respective personal data and Benify is engaged as a processor acting under the authority, and on the behalf, of our clients.

When end-users log on to the benefit portal for the first time, they are informed about the client’s role as controller, Benify’s role as a processor and the general purposes for which their personal data is being processed by Benify.

How Benify processes personal data

The benefit portal is tailored to each client’s service request. The processing activities carried out by Benify therefore differ between different clients, but generally includes (without being limited to) the following operations:

  • Receiving personal data related to the end-users of the portal from clients and end-users
  • Integrating the personal data in the benefits portal to set up individual accounts and further personalize the experience of the portal
  • Administrating orders and salary transactions related to orders made by the data subjects in the benefit portal, and transmitting the data back to the client
  • Developing new tools, products of services for our clients
  • Communicating with end-users and client administrators regarding use of the benefit portal

Benify only processes the clients’ personal data in order to provide them with our services for digital processing of compensation and benefits, and only pursuant to their instructions or as required by law. When authorized by clients to process personal data for continuous development, testing and troubleshooting in the benefit portal, Benify uses pseudonymized, anonymized or aggregated data to the extent possible.

Benify’s processing activities is governed by written Data Processing Agreements between Benify and each client. These agreements states that Benify is acting as a processor under the authority of the controller and shall comply with instructions from the client and relevant data protection authority. It also imposes certain obligations on Benify regarding how to process personal data in order to ensure privacy rights and secure routines.

Since Benify processes our clients’ personal data as a processor during delivery of the service, the client as controller determines the purposes and means of the processing.

The only cases where Benify acts as controller of personal data which was originally controlled by a client is if:

  • Benify is obligated to process such personal data in order to comply with applicable law regarding e.g. archiving of financial records.
  • When Benify conducts voluntary surveys for the purpose of improving the service for clients and end users.

Independent suppliers

The companies that offer their products and services in the portal are independent suppliers. They are not sub-contractors of Benify but have entered into cooperation agreements with Benify pursuant to which they offer their products and services in the benefit portal as a digital marketplace for the clients and end-users. The supplier is therefore the contractual counterparty in relation to orders made in the portal, not Benify.

In order to complete a purchase in the portal, the end-user must confirm the supplier (i) gaining access to relevant personal data of the end-user and (ii) processing that personal data in order to fulfill its obligations to the end-user. If the end user confirms the order, Benify will send the order to the supplier and provide the supplier with relevant personal data relating to the end-user.

When an order is completed by the end-user, the supplier is the controller of the personal data it has received. The supplier is therefore responsible for determining the purpose and means of processing such data.

Sub-processors Benify

Any sub-processor engaged by Benify that will process personal data under the authority, and on behalf, of Benify must enter into a separate Data Processing Agreement with Benify. Pursuant to this agreement, the sub-processor agrees to comply with instructions from relevant data controller and applicable data protection legislation.

Benify is obliged to keep its clients informed about any sub-processor engaged to process the clients’ personal data and the clients are entitled to object to such sub-processor processing.

Benify AB has several subsidiaries supplying services in local markets around the world. Benify AB acts as a sub-processor of, and has entered into a data processing agreement with, each local subsidiary. This means that the majority of the sub-processors are contracted by Benify AB, and the local subsidiaries procure the majority of sub-contracted services through Benify AB.

Benify AB sub-processors

EntityProcessing activityStorage locationProcessing location
Benify processing ABInvoice partner (Group company)EUEU
Expenses Benify ABProvider of payment services (Group company)EUEU
UAB Benify OperationsProvider of internal services (Group company)EUEU
Lifeplan ABPension & Insurance
consulting partner (Group company)
EUEU
Zendesk Inc.Provider of customer
service system
EUEU/USA
CGI Sverige ABProvider of Electronic
identification service
EUEU
IP Only ABProvider of Contact
center system
EUEU
Atlassian Inc.Provider of customer issue management systemEUEU/USA
Boost.aiProvider of support chat platformEUEU

 

Benify BV sub-processors

EntityProcessing activityStorage locationProcessing
location
Benify ABBenify application hostingEUEU

 

Benify France Sarl sub-processors

EntityProcessing activityStorage locationProcessing
location
Benify ABBenify application hostingEUEU

 

Benify DE GmbH sub-processors

EntityProcessing activityStorage locationProcessing
location
Benify ABBenify application hostingEUEU

 

Benify AS (Norway) sub-processors

EntityProcessing activityStorage locationProcessing
location
Benify ABBenify application hostingEUEU

 

Benify OY sub-processors

EntityProcessing activityStorage locationProcessing
location
Benify ABBenify application hostingEUEU

 

Benify AS (Denmark) sub-processors

EntityProcessing activityStorage locationProcessing
location
Benify ABBenify application hostingEUEU
Telehuset ASAlternative/backup customer service providerEUEU

 

Data storage and transfer

Benify only stores and processes personal data in the Benify benefit portal within the European Economic Area (EEA). No personal data is transferred to any third country outside of the EEA.

If a sub-processor processes personal data outside the EEA, Benify has (i) entered into so called standard contractual clauses with the sub-processor, and (ii) ensured that additional security measures are in place, which in combination guarantee a relevant level of protection of the individuals’ rights when such processing is conducted.

Benify’s data centers are located in Sweden.

Information security

In order to achieve a structured and strategic approach to information security, we run our security program in compliance with a range of well-known industry standards. We appreciate that these attestations matter, as they provide independent assurance to our customers.

As a part of our security program we are ISO 27001, ISO 27018 and ISO 27701 certified, we issue ISAE3000 (SOC 2 type II) reports and we are also a part of the Cloud Security Alliance STAR program.

For further information, see the Benify security page available on our public website.

Rights of data subjects

According to the EU General Data Protection Regulation (2016/679) you as a data subject have the right to free information regarding the stored data on you as well as the right to correct, block or delete this data. You also have the right to submit a complaint to the relevant supervisory authority.

Contact your employer if you would like to exercise your rights.

Cookies

In the Benify application we use cookies, which are tiny files that are downloaded to your computer. We use different types of cookies to improve your experience. Our cookies are divided into different categories which requires your consent, with the exception of necessary cookies and the cookie that saves the current status of your cookie settings. This cookie is set based on legitimate interest.

Your consent to cookies and your choice of cookie settings will be stored in a specific cookie (necessary). Your cookie consent is valid for 12 months and after this period you will be asked for a new consent. You can at any time change your cookie settings or withdraw your cookie consent from your user account in the Benify application. Cookies can also be managed thru your browser settings.

The cookie categories we use may include:

Necessary cookies make the application usable by enabling basic functions like page navigation and access to secure areas of the application. The application cannot function properly without these cookies.

Preference cookies enables the application to remember information that changes the way the application behaves or looks, like your preferred language or the region that you are in.

Statistic cookies helps us to understand how you interact with the application by collecting and reporting information anonymously.

Marketing & communication

Benify provides and communicates high street discounts for or our end-users via e-mail, also known as BenifyDeals. This type of communication is by Benify considered to be direct marketing which requires each end-users consent (opt-in). The consent for BenifyDeals will be collected at first log-in. If you do not leave your consent no BenifyDeals communication will take place. Each end-user always has the possibility to withdraw BenifyDeals consent (opt-out) in the Benify portal and directly in the received e-mail.

BenifyDeals is a client specific service and may not be included in all portals.

Review

This policy will be continually monitored and will be subject to an annual review. Document owner is responsible for annual review. In case of recurring critical incidents there may be additional reviews.