Planview maintains a comprehensive privacy statement describing the types of personal identifiable information we collect, how and why we use, share and in what way we secure that information. We also inform about how you can access and exercise your rights as a registered, and how to update your information.
From a privacy perspective, Plainview’s operations are divided between processing activities we perform on behalf of our customers (our services), and activities performed for our own business (marketing). Our responsibilities are varying depending on the subject matter of the processing activities.
UPDATE WITH REGARDS TO NEW EU (202I/914) STANDARD CONTRACTUAL MODEL CLAUSES
Data transfers due to the new EU (2021/914) Standard Contractual Model Clauses (“SCC”), and in accordance with “Schrems II”.
Planview uses EU based data centers for hosting EMEA customer data. In the event customer is based outside EU, and Planview is instructed to process personal data of customers’ users based within EU, the EU Model Clauses shall be signed by the parties.
Planview has a comprehensive and robust data protection security program in place that supplements the SCC’s. All data is encrypted when processed. All systems, as well as all operational activities by Planview employees, are monitored to ensure confidentiality, availability and resilience of the services, including restoration in the event of a breach. Regular testing, assessments and reviews of the security measures are performed to evaluate its effectiveness. Planview partners with the most acknowledged companies of data center providers, cloud service providers, analytic platforms and incident detection and response providers to facilitate and monitor the services. Planview is certified for ISO 27001, 27701 and SOC 2.
Planview believes the SCC in combination with all other safeguards in place can ensure customer data remains protected in alignment with the GDPR requirements. However, Planview follows the development and guidance’s from the EU Supervisory authorities and the EDPS closely for additional supplementary arrangements as updated.
The California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (CCPA) expands upon the privacy rights available to Californian citizens, listing data protection requirements with which companies must comply. Planview is adhering to the CCPA requirements, including opinions and guidance’s from regulatory authorities. Planview does not “sell” our customers’ personal identifiable information (PII). Planview does not rent, disclose, release, transfer, make available or otherwise communicate PII to a third party for monetary or other valuable consideration. Planview does share user aggregated and/or anonymized information regarding customer and users’ usage of our offered services with third parties (i.e. Sub-processors) through integrations, for the performance of the contracted services and to provide customers with more relevant content of our services. As Planview is a SaaS provider and processes customer and user data only as instructed for the purpose of executing the services as we’ve committed to in our customer contracts, we do not distribute or deploy customer data for any other commercial purposes.
For information of what PII we have received or collected of you as a user, or to exercise your rights as a registered, please make a request at our Data Subjects Access Request portal (DSAR).
EU General Data Protection Regulation (GDPR)
As a global company, Planview understands the important link between privacy and customer trust. All Planview entities adheres to the GDPR requirements. The appointment and ongoing efforts of a dedicated Data Privacy Officer (DPO), based in EU (Sweden), are the basis of an increased focus toward earning that trust.
The principles relating to processing of personal data as stated in the GDPR are focus for our compliance work.
Purpose limitation – We process personal data strictly for the purpose of 1) fulfilling the contractual requirements agreed upon between our customers and us, and/or 2) marketing our products to customers and prospects.
Data Minimization – We require only identifiable contact information of customers and users of our products, as well as for our marketing activities. Customer records are being is regularly reviewed and evaluated for accuracy. We have processes in place to ensure we fulfill the rights of a registered individual (data subject) by our DSAR portal.
Storage limitation (retention) – We keep and store customer data during the term of contract. Customer accounts are deleted at the earliest convenience after contract expiry. Back up logs are stored for an extended amount of time. Information in customer and user records are stored in our marketing systems for one year after terminated contract. Consent is required for longer storage. At any time during the term of contract, all customer data used in the product is offered portability.