Statement of purpose
Benify values and takes pride in processing personal data with a high level of integrity and security. In this policy, Benify demonstrates how we process personal data and our main legal responsibilities.
Personal data definition
The legal definition of personal data is information from which the individual concerned can be identified. Identification can be either direct, for example through a personal security number, or indirect, i.e. through use of the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.
Some data is considered to be sensitive personal data. This includes e.g. racial or ethnic origin, trade union membership, physical or mental health conditions, sexuality and religious beliefs. The term processing personal data includes any action which is taken with regard to personal data, whether or not by automatic means, for example collecting, amending, sending and keeping data.
Legal principles on processing personal data
Benify’s processing of personal data always complies with the following principles that set out our main legal responsibilities.
1. Legitimacy, correctness and transparency – Processing of personal data must be carried out in accordance with applicable law and in a correct manner. It shall also be transparent to data subjects how their personal data is processed, for example how it is collected and used.
2. Purpose limitation – There must be specific, lawful and legitimate purposes for processing personal data. These purposes govern how the data may be processed and shall be known to data subjects prior to collecting their data.
3. Data minimization – All personal data must be adequate, relevant and limited. The scope shall be related to the specified purpose for which the data is processed.
4. Accuracy – The personal data shall remain accurate, valid and fit for its purpose.
5. Limitation of storage – Personal data that permits identification of the data subject cannot be kept for a longer period than is necessary to fulfill its specific purposes. When personal data is no longer needed for those purposes, it shall be deleted or pseudonymized.
6. Integrity and confidentiality – The processor of personal data shall protect the data subjects’ integrity and privacy by making sure that the personal data is secure by means of appropriate technical, physical and organizational security measures.
7. Accountability – The processor of personal data is responsible for ensuring that the data protection principles are adhered to and must be able to demonstrate its compliance.
Why Benify processes personal data
Benify provides software as a service to our clients in order to help them create strong employer brands through Benify’s digital web-based portal for employee compensation and benefits. The portal therefore contains personal data identifying our clients’ employees, i.e. the end-users.
When processing personal data, Benify does so in order to assist our clients in fulfilling their obligations as employers, e.g. by ensuring that all employees receive their compensation and benefits. Each client is therefore the controller of its personal data, as it determines the purpose and means of processing the data, and Benify is the processor of the personal data, as we only process the client’s personal data on the client’s behalf and pursuant to its instructions.
How Benify processes personal data
The cooperation between the client as a controller and Benify as a processor is governed by a Data Processing Agreement (DPA), which imposes certain obligations on Benify on how to process personal data in order to ensure privacy rights and secure routines. The DPA also states that Benify shall comply with instructions from the client and the relevant Data Protection Authority.
Due to the relation between Benify and the client, where Benify acts as a processor, no consent is required from the data subjects. Instead, the end-user will be informed about their personal data being processed by Benify when they log in to the portal for the first time.
Consent to independent suppliers
The companies that offer their products and services in the portal are independent suppliers. They are not sub-contractors to Benify. Instead, they have entered into agreements with Benify pursuant to which they use the portal as a digital marketplace for their products and services. The supplier is therefore the contractual counterparty in relation to orders made in the portal, not Benify.
In order to complete a purchase in the portal, the end-user must agree to the supplier (i) gaining access to relevant personal data of the end-user and (ii) processing that personal data in order to fulfill its obligations to the end-user. The purchase confirmation includes such a consent.
When a purchase is confirmed by the end-user and thus completed, the supplier is the controller of the personal data it has received. The supplier is therefore responsible for determining the purpose and means of processing such data.
Data storage and transfer
Benify only stores and processes personal data within the European Economic Area (EEA). Benify’s data centers are located in Sweden and Germany.
Any subcontractor to Benify that processes personal data on behalf of Benify must enter into a separate DPA with Benify, pursuant to which the subcontractor agrees to comply with instructions from the relevant data controller and with applicable data protection legislation.
Benify is obliged to keep its clients informed about any subcontractor engaged to process the clients’ personal data and the clients are entitled to object to such processing.
The GDPR provides the following rights for individuals:
1. The right to be informed
2. The right of access to their personal data being processed
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
Benify is obligated to ensure the individuals’ rights. However, the controller is responsible for all processing of its personal data being compliant with the GDPR and thus decides how Benify shall process its personal data.
Accordingly, any questions or requests from end-users regarding Benify’s processing of their personal data shall be directed to the data controller.
The security of personal data is important to Benify. We ensure that appropriate security measures are taken to protect personal data at all times and we follow generally accepted standards and frameworks to protect personal data. This means that personal data, for example, is protected against unauthorized access, changes or destruction.
In order to achieve a structured and strategic approach to information security, Benify has a fully implemented information security management system according to ISO/IEC 27001, which covers both administrative and technical security controls.
Benify is therefore ISO/IEC 27001:2013 certified. The certification process has been performed by an independent external certification body that has been accredited by an accreditation body.
This policy will be continually monitored and will be subject to an annual review. The document owner is responsible for the annual review. In case of recurring critical incidents there may be additional reviews.