Planview Privacy
Last modified: October 16, 2023
Planview’s commitment to privacy extends to every facet of the organization to ensure customer data is managed with the utmost care.
Privacy Statement and internal Privacy Policy
Planview maintains a comprehensive privacy statement describing the types of personally identifiable information we collect, how and why we use and share it, and how we secure that information. We also explain how you can access and exercise your rights as a registered individual, and how to update your information.
Planview’s Privacy Policy is an internal document subject to the ISO 27701 standard. The policy instructs how employees and contractors shall process and handle personally identifiable information of customers, users and prospects. The policy is complemented by specific instructions to each business area, depending on the nature of that business area and what personally identifiable information they process.
From a privacy perspective, Planview’s operations are divided between processing activities we perform on behalf of our customers (our products and services), and activities performed for our own business (marketing). Our responsibilities vary depending on the subject matter of the processing activities.
UPDATE WITH REGARD TO NEW EU (2021/914) STANDARD CONTRACTUAL MODEL CLAUSES
Data transfers due to the new EU (2021/914) Standard Contractual Model Clauses (“SCC”), and in accordance with “Schrems II”.
Planview uses EU-based data centers for hosting EMEA customer data. In the event a customer is based outside the EU, and Planview is instructed to process personal data of the customer’s users based within the EU, the EU Model Clauses shall be signed by the parties.
Planview has a comprehensive and robust data protection security program in place that supplements the SCCs. All data is encrypted when processed. All systems, as well as all operational activities by Planview employees, are monitored to ensure confidentiality, availability and resilience of the services, including restoration in the event of a breach. Regular testing, assessments and reviews of the security measures are performed to evaluate their effectiveness. Planview partners with the most recognized data center providers, cloud service providers, analytics platforms and incident detection and response providers to facilitate and monitor the services. Planview is certified for ISO 27001/27701 and SOC 2 audited on an annual basis.
Planview believes the SCC in combination with all other safeguards in place can ensure customer data remains protected in alignment with the GDPR requirements. However, Planview closely follows developments and guidance from the EU supervisory authorities and the EDPS for additional supplementary arrangements as updated.
UPDATES TO US PRIVACY REGULATIONS
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (“CPRA”) – effective January 1, 2023
The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (CCPA) expands upon the privacy rights available to Californian citizens, listing data protection requirements with which companies must comply. Planview is adhering to the CCPA requirements, including opinions and guidance from regulatory authorities. Planview does not “sell” our customers’ personally identifiable information (PII). Planview does not rent, disclose, release, transfer, make available or otherwise communicate PII to a third party for monetary or other valuable consideration. Planview does share user aggregated and/or anonymized information regarding customers’ and users’ usage of our offered services with third parties (i.e. Sub-processors) through integrations, for the performance of the contracted services and to provide customers with more relevant content of our services. As Planview is a SaaS provider and processes customer and user data only as instructed for the purpose of executing the services as we’ve committed to in our customer contracts, we do not distribute or deploy customer data for any other commercial purposes.
The CPRA amends the CCPA and includes additional privacy protections for consumers. Under the CPRA, Planview is further classified as a “Service Provider” and in furtherance of this legislation does not retain, use, disclose, or otherwise process PII for any purpose other than for the specific purpose of performing its obligations under its agreements or outside of the direct business relationship it has with customers. Furthermore, Planview does not retain, use, disclose, or otherwise process any PII to advance Planview’s or any other person’s or entity’s commercial or economic interests.
Virginia Consumer Data Protection Act (“VCDPA”) – effective January 1, 2023
Planview is not subject to the new legislation effective for Virginia residents, as the VCDPA applies to persons that conduct business in the Commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth of Virginia and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data, where “consumers” are defined as natural persons who are residents of the Commonwealth of Virginia acting only in an individual or household context, and do not include natural persons acting in a commercial or employment context. Planview is a SaaS provider in only the commercial or employment context.
For information about what PII we have received or collected about you as a user, or to exercise your rights as a registered individual, please make a request at our Data Subjects Access Request (DSAR) portal.
EU General Data Protection Regulation (GDPR)
As a global company, Planview understands the important link between privacy and customer trust. All Planview entities adhere to the GDPR requirements. The appointment and ongoing efforts of a dedicated Data Privacy Officer (DPO), based in the EU (Sweden), are the basis of an increased focus toward earning that trust.
The principles relating to processing of personal data as stated in the GDPR are the focus of our compliance work.
Lawfulness – We process personal data strictly for our own business, and in accordance with our privacy policy. We inform customers and individuals about our processing activities in our privacy statement. Our Data Processing Agreement (DPA) is available for any and all to review.
Purpose limitation – We process personal data strictly for the purpose of 1) fulfilling the contractual requirements agreed upon between our customers and us, and/or 2) marketing our products to customers and prospects.
Data Minimization – We require only identifiable contact information of customers and users of our products, as well as for our marketing activities. Customer records are regularly reviewed and evaluated for accuracy. We have processes in place to ensure we fulfill the rights of a registered individual (data subject) through our DSAR portal.
Storage limitation (retention) – We keep and store customer data during the term of contract. Customer accounts are deleted at the earliest convenience after contract expiry. Backup logs are stored for an extended amount of time. Information in customer and user records is stored in our marketing systems for one year after contract termination. Consent is required for longer storage. At any time during the term of contract, portability is offered for all customer data used in the product.
Integrity and confidentiality – We have implemented technical and organizational measures to ensure all data is protected and secured. We have internal access controls and authorization requirements for all data. All employees are subject to our privacy policy and specific instructions. Annual mandatory trainings and seminars are provided to ensure sufficient awareness and knowledge is achieved. For a further description of our technical measures to protect data, please review our information on security.