Data privacy is important to us. This means that we process data about identified or identifiable individuals, which is called personal data, with due care and in accordance with applicable data protection law.
To learn more about our approach to compliance with the EU General Data Protection Regulation (GDPR), please click here.
This Privacy Notice describes how we, that is Basware Corporation supported by its worldwide affiliated companies, process personal data we collect from individuals in relation to their use of our websites, ordering and use of our services and attendance at our events (collectively, our “Services”). In legal terms, we are the data controller, as we determine the means and/or purposes of the processing.
This Privacy Notice does not apply to personal data mentioned on business documents that our customers transmit to our systems when using our Services. In legal terms, we are the data processor of such personal data and our customers are the data controllers. Our Personal Data Processing Notice describes the measures we take to assist our customers to comply with data protection law that applies to them. It is published on our business data webpage.
Some of our services might be subject to a separate privacy notice, as published on the related website or in connection with the related service.
This Privacy Notice only covers data processing carried out by Basware. The Privacy Notice does not address, and we are not responsible for, the privacy practices of any third parties, also in cases where Services include hyperlinks to third parties’ websites or when cookies are set by third parties.
2. Personal data
The personal data we collect from individuals using our Services (“Users”) mostly consists of user data, such as name, business function, gender, business address, telephone number, email address and other personal data Users provide to us. This is mostly information in relation to an individual’s role at his/her company that does not concern him/her as a private person or as an individual consumer customer. These companies that individuals are working for, mostly are our prospects, customers, suppliers or partners. The specific kind of user data collected will depend on the Services used.
We may also collect technical data in relation to Users, such as IP address, browser type and version, preferred language, geographic location, operating system and computer platform, the full URL clickstream to, through, and from our Services, including date and time, websites accessed immediately before and after visiting our websites, services Users viewed or searched for while using our Services, and parts of our Services that Users have visited. Although we do not normally use technical data to identify individuals, sometimes individuals can be recognized from it, either alone or when combined or linked with user data. In such situations, technical data can also be considered to be personal data under applicable law and we will treat the combined data as personal data.
We process personal data for the following purposes:
- to allow us to run, maintain and develop our business,
- to allow us to offer and provide our Services,
- to allow us to conduct information and promotional campaigns (including direct marketing) related to our Services (including by phone, mail and email), keeping Users informed about our Services and special offers that are likely to interest them,
- to allow us to perform the contract we have signed with our customers, suppliers or partners,
- to allow customer service management, e.g. when Users contact our service desk,
- to allow contract management, e.g. to address our invoices to our customers,
- to enhance our Services and the use thereof,
- to perform research and analysis relating to our Services,
- to perform tracking of the use of our Services,
- to conduct market surveys and/or
- to detect fraud, e.g. breaches of intellectual property rights.
In consideration of the collection and processing for the purposes listed above, Basware Corporation is supported by its affiliated companies acting as data processors on behalf of and under the responsibility of Basware Corporation.
Should the personal data of the User be provided to us via our prospect, customer, supplier or partner, we shall assume that our prospect, customer, supplier or partner has informed the User of this Privacy Notice.
4. Storage period
We do not store the personal data for longer than is legally permitted and necessary for the related processing purposes. The storage period depends on the type of personal data, the purposes and the applicable law and therefore varies per use.
Typically, we store User’s personal data for as long as the User is using our Services or for as long as we have another purpose to do so and, thereafter, for no longer than is required or permitted by law or necessary for internal reporting and reconciliation purposes.
We erase personal data after the above described storage period or when the User requests us to erase his/her personal data.
5. Legitimate grounds for processing
We process personal data to pursue our legitimate interest to run, maintain and develop our business. Furthermore, we process personal data to comply with our legal obligations.
In some parts of our Services, we might request Users’ consent for the processing of their personal data for specific purposes. In that event, Users may withdraw their consent at any time.
6. Rights of Users
Right to access. Any User may contact us to get confirmation as to whether or not we are processing User’s personal data. Where we do process User’s personal data, we will inform User of what categories of personal data we process regarding him/her, the processing purposes, the categories of recipients to whom personal data have been or will be disclosed and the envisaged storage period or criteria to determine that period.
Right to withdraw consent. In case our processing is based on a consent granted by the User, the User may withdraw the consent at any time by contacting us or by using the functionalities of our Services. Withdrawing a consent may lead to fewer possibilities to use our Services.
Right to rectification. Any User has the right to have inaccurate or incomplete personal data we store about the User rectified or completed.
Right to object. In case our processing is based on our legitimate interest to run, maintain and develop our business, any User has the right to object at any time to our processing. We shall then no longer process User’s personal data unless for the provision of our Services or if we demonstrate other compelling legitimate grounds for our processing that override User’s interests, rights and freedoms or for legal claims. Notwithstanding any consent granted beforehand for direct marketing purposes, any User has the right to prohibit us from using his/her personal data for direct marketing purposes, by contacting us or by using the functionalities of the Services or unsubscribe possibilities in connection with our direct marketing messages.
Right to restriction of processing. Any User has the right to obtain from us restriction of processing of User’s personal data, as foreseen by applicable data protection law, e.g. to allow our verification of accuracy of personal data after User’s contesting of accuracy or to prevent us from erasing personal data when personal data are no longer necessary for the purposes but still required for User’s legal claims or when our processing is unlawful. Restriction of processing may lead to fewer possibilities to use our Services.
Right to data portability. Any User has the right to receive User’s personal data from us in a structured, commonly used and machine-readable format and to independently transmit those data to a third party, in case our processing is based on User’s consent and carried out by automated means.
Right to erasure. Any User has the right to have personal data we process about the User erased from our systems if the personal data are no longer necessary for the related purposes, if we have unlawfully processed the personal data or if the User objects to processing for direct marketing. Any User furthermore has the right to erasure if the User withdraws consent or objects to our processing as meant above, unless we have a legitimate ground to not erase the data. We may not immediately be able to erase all residual copies from our servers and backup systems after the active data have been erased. Such copies shall be erased as soon as reasonably possible.
How to use these rights. To exercise any of the above mentioned rights, User should primarily use the functions offered by our Services. If such functions are however not sufficient for exercising such rights, Customer shall send us a letter or email to the address set out below under Contact, including the following information: name, address, phone number, email address and a copy of a valid proof of identity. We may request additional information necessary to confirm User’s identity. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded.
We implement and maintain reasonable and appropriate technical and organizational security measures to protect the personal data we process, from unauthorized access, alteration, disclosure, loss or destruction. Our security measures are summarized on our business data webpage.
We regularly audit the application of our security measures and we ask third party experts to review our security controls against international standards. These audits help us to further improve our security level.
Should despite of our security measures, a security breach occur that is likely to result in a risk to the data privacy of Users, we will inform the relevant Users and other affected parties, as well as relevant authorities when required by applicable data protection law, about the security breach as soon as reasonably possible.
We only share personal data within our organization if and as far as necessary for the purposes specified in this Privacy Notice. Our staff members processing personal data are bound to confidentiality.
We do not share personal data with any third party outside of our organization unless one of the following circumstances applies.
Necessary for the purposes. We may share personal data with third parties to the extent our Services foresee such disclosure and Users submit their personal data for that purpose, such as through an address book to create connections and facilitate our Services. We may furthermore share personal data with our affiliated companies and other service providers that support us in the realization of the purposes specified in this Privacy Notice, such as by performing data hosting, direct marketing and customer services. Our agreements with these service providers foresee privacy and security commitments from these service providers that are no less protective than our own commitments described in this Privacy Notice. If our Users provide personal data directly to a third party, such as through a link on our website, the processing is typically based on such third party’s notice.
For legal reasons. We may share personal data with third parties if we have good-faith belief that their access to and use of the personal data is necessary (i) to meet any applicable law and/or court order, (ii) to detect, prevent or otherwise address fraud, security or technical issues, and/or (iii) to protect the interests, properties or safety of us, our Users or the public, in accordance with the law. We will notify Users about such disclosure, as far as reasonably possible.
In relation to corporate restructuring. If we are in a process of merger, acquisition or asset sale, we may transfer personal data to the involved third party. We continue to ensure the confidentiality of all personal data.
Upon User’s consent. We may share personal data with third parties for other reasons than the ones mentioned above, if we obtained User’s explicit consent to do so. The User has the right to withdraw this consent at any time.
9. Location and transfer
We and our service providers have operations in several locations in the world. Consequently, we and our service providers may transfer personal data to, or access it from, countries outside User’s country of domicile.
We take steps to ensure that Users’ personal data receives an adequate level of protection in the countries in which we process it.
In case our processing is subject to any EU data protection law and Users’ personal data is transferred from the European Economic Area to a service provider for processing in any country outside the European Economic Area that is not recognized by the EU Commission as providing an adequate level of protection for personal data, we provide for appropriate safeguards by EU Commission’s standard contractual clauses or by any other appropriate safeguard as foreseen under the applicable data protection law.
Further information regarding the international transfer of personal data may be obtained by contacting us.
10. Lodging a complaint
In case any User considers our processing of his/her personal data to be inconsistent with applicable data protection law, a complaint may be lodged with the local supervisory authority for data protection.
This Privacy Notice is dated March 1, 2018. We may update this Privacy Notice at any time if required in order to reflect changes in our data processing practices, in personal data protection laws or otherwise. For substantial changes to this Privacy Notice, we will use reasonable endeavors to provide notice thereof. The current version can be found on our website.
The English version of this Privacy Notice shall govern in the event of any conflict with or substantial translation changes into a non-English language.
Any User having any question or request on this Privacy Notice or our privacy practices, can contact us