Statement of purpose
Benify values and takes pride in processing personal data with a high level of integrity and security. In this policy, Benify explains why and how we process personal data.
Key terms and definitions
There are some key legal terms that it is essential to know in order to understand this policy. Below is a description of these terms.
Personal data is information related to an identified or identifiable natural person or data subject. An identifiable person is someone who can be identified, either directly, for example through a personal identity number, or indirectly, through use of the data in conjunction with other information in the possession of the data controller. Certain special categories of personal data, including racial or ethnic origin, trade union membership, sexuality, physical or mental health conditions, and religious beliefs, are considered sensitive data. Such data require higher protection and safeguards.
Processing personal data includes any operation or set of operations performed on personal data, whether or not by automatic means. So, processing includes disclosure by transmission, structuring, amending, storing and many other activities performed on personal data.
Controller is the natural or legal person who determines the purposes and means of the processing of personal data. The controller is entitled to engage other parties to process personal data on its behalf. Such a party is called a processor. The processor thus acts under the authority of the controller and is only allowed to process the controller’s personal data on instructions from the controller or if required by applicable law.
Why Benify processes personal data
Benify provides software as a service to our clients in order to assist them in improving and managing their employees’ compensation, thereby strengthening their employer brands. The services are provided through Benify’s digital benefit portal where employees of our clients log in as end-users to view and manage their compensation and benefits. Provision of these services thus requires Benify to process personal data of our clients identifying and relating to our clients’ employees as data subjects.
Consequently, each client is the controller of their respective personal data and Benify is engaged as a processor acting under the authority, and on the behalf, of our clients.
When end-users log on to the benefit portal for the first time, they are informed about the client’s role as controller, Benify’s role as a processor and the general purposes for which their personal data is being processed by Benify.
How Benify processes personal data
The benefit portal is tailored to each client’s service request. The processing activities carried out by Benify therefore differ between clients, but generally include (without being limited to) the following operations:
• Receiving personal data related to the end-users of the portal from clients and end-users
• Integrating the personal data in the benefits portal to set up individual accounts and further personalize the experience of the portal
• Administrating orders and salary transactions related to orders made by the data subjects in the benefit portal, and transmitting the data back to the client
• Developing new tools, products or services for our clients
• Communicating with end-users and client administrators regarding use of the benefit portal
Benify only processes the clients’ personal data in order to provide them with our services for digital processing of compensation and benefits, and only pursuant to their instructions or as required by law. When authorized by clients to process personal data for continuous development, testing and troubleshooting in the benefit portal, Benify uses pseudonymized, anonymized or aggregated data to the extent possible.
Benify’s processing activities are governed by written Data Processing Agreements between Benify and each client. These agreements state that Benify is acting as a processor under the authority of the controller and shall comply with instructions from the client and the relevant data protection authority. They also impose certain obligations on Benify regarding how to process personal data in order to ensure privacy rights and secure routines.
Since Benify only processes our clients’ personal data as a processor, and the client as controller determines the purposes and means of the processing, which is that the processing is necessary for the performance of our clients’ employment contracts, no consent is required from the data subjects for Benify’s processing operations.
Individual consent to independent suppliers
The companies that offer their products and services in the portal are independent suppliers. They are not sub-contractors of Benify but have entered into cooperation agreements with Benify pursuant to which they offer their products and services in the benefit portal as a digital marketplace for the clients and end-users. The supplier is therefore the contractual counterparty in relation to orders made in the portal, not Benify.
In order to complete a purchase in the portal, the end-user must give its consent to the supplier (i) gaining access to relevant personal data of the end-user and (ii) processing that personal data in order to fulfill its obligations to the end-user. The consent is given as a separate step in the ordering process. If the end-user consents, Benify will send the order to the supplier and provide the supplier with relevant personal data relating to the end-user.
When an order is completed by the end-user, the supplier is the controller of the personal data it has received. The supplier is therefore responsible for determining the purpose and means of processing such data.
Any subcontractor engaged by Benify that will process personal data under the authority, and on behalf, of Benify must enter into a separate DPA with Benify. Pursuant to this agreement, the subcontractor agrees to comply with instructions from the relevant data controller and applicable data protection legislation.
Benify is obliged to keep its clients informed about any subcontractor engaged to process the clients’ personal data, and the clients are entitled to object to such subcontractor’s processing.
Data storage and transfer
Benify only stores and processes personal data within the European Economic Area (EEA). No personal data is transferred to any third country outside of the EEA.
Benify’s data centers are located in Sweden and Germany.
The security of personal data is important to Benify. We ensure that appropriate security measures are taken to protect personal data at all times and we follow generally accepted standards and frameworks to protect personal data. This means that personal data, for example, is protected against unauthorized access, changes or destruction.
In order to achieve a structured and strategic approach to information security, Benify has a fully implemented information security management system according to ISO/IEC 27001 which caters to both administrative and technical security controls. Benify is therefore ISO/IEC 27001:2013 certified. The certification process has been performed by an independent external certification body that has been accredited by an accreditation body.
For further information, see the Benify security page available on our public website.
This policy will be continually monitored and will be subject to an annual review. The document owner is responsible for the annual review. In case of recurring critical incidents, there may be additional reviews.