Update with regards to Privacy Shield Invalidation July 16th
Data transfers due to Privacy Shield invalidation announced by the CEJU C-311/18 Facebook Ireland – Schrems (“Schrems II”)
Planview has recommended to enter into EU 2010/87 Standard Contractual Model Clauses (SCC) with all its customers as an exhibit to the Planview Data Processing Agreement. Planview has not relied on Privacy Shield as the sole mechanism for data transfers between EU/EEA and US. As a result of the invalidation, Planview now require all EU/EEA customers to amend SCC’s to the services agreement. Planview has also ensured there are SCC in place with all third-party vendors (i.e. sub-processors).
Planview has a comprehensive and robust data protection security program in place that supplements the SCC’s. All data is encrypted in transfer and at rest. All systems, as well as all operational activities by Planview employees, are monitored to ensure confidentiality, availability and resilience of the services, including restoration in the event of a breach. Regular testing, assessments and reviews of the security measures are performed to evaluate its effectiveness. Planview partners with the most acknowledged companies of data centre providers, cloud service providers, analytic platforms and incident detection and response providers to facilitate and monitor our services. Planview is certified for ISO 27001 and SOC 2.
The European Data Protection Board (EDPB) is currently analysing the Court’s judgment to determine the kind of supplementary measures that could be provided in addition to SCCs, whether legal, technical or organisational measures, to transfer data to third countries where SCCs will not provide the sufficient level of guarantees on their own.
Planview believes the SCC in combination with all other safeguards in place can ensure customer data remains protected in alignment with the GDPR requirements. However, Planview follows the development and guidance’s from the EU Supervisory authorities and the EDPS closely for additional supplementary arrangements when announced.
Planview maintains a comprehensive privacy statement describing the types of personal identifiable information we collect, how and why we use, share and in what way we secure that information. We also inform about how you can access and exercise your rights as a registered , and how to update your information.
From a privacy perspective, Plainview’s operations are divided between processing activities we perform on behalf of our customers (our products), and activities performed for our own business (for marketing). Our responsibilities are varying depending on the subject matter of the processing activities.
The California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (CCPA) is a U.S. California privacy law entering into force 1 January 2020. It expands upon the privacy rights available to Californian citizens, listing data protection requirements with which companies must comply. Planview is closely following the CCPA requirements, including opinions and guidance’s from regulatory authorities. We will adapt our practices where necessary to ensure that we are compliant also to this law if there are specific additional requirements that the EU General Data Protection Regulation (2016/679) is not covering with regards to processing of PII.
Planview does not “sell” our customers’ personal identifiable information (PII). Planview does not rent, disclose, release, transfer, make available or otherwise communicate PII to a third party for monetary or other valuable consideration. Planview does share user aggregated and/or anonymized information regarding customer and users’ usage of our offered services with third parties (i.e. Sub-processors) through integrations, for the performance of the contracted services and to provide customers with more relevant content of our services. As Planview is a SaaS provider and processes customer and user data only as instructed for the purpose of delivering and performing the services as we’ve committed to in our customer contracts, we do not distribute or deploy customer data for any other commercial purposes.
For information of what PII we have received or collected of you as a user, or to exercise your rights as a registered, please make a request at our Data Subjects Access Request portal (DSAR).
EU General Data Protection Regulation (GDPR)
GDPR went into effect in 2018 and imposes strict requirements related to the way organizations store and process the personal data of EU citizens. As a global company, Planview understands the important link between privacy and customer trust. All Planview entities adheres to GDPR. The appointment and ongoing efforts of a dedicated Data Privacy Officer (DPO), based in EU (Sweden), are the basis of an increased focus toward earning that trust.
The principles relating to processing of personal data as stated in the GDPR are focus for our compliance work.
Purpose limitation – We process personal data strictly for the purpose of 1) fulfilling the contractual requirements agreed upon between our customers and us, and/or 2) marketing our products to customers and prospects.
Data Minimization – We require only identifiable contact information of customers and users of our products, as well as for our marketing activities. Customer records are being is regularly reviewed and evaluated for accuracy. We have processes in place to ensure we fulfill the rights of a registered individual (data subject) by our DSAR portal.
Storage limitation (retention) – We keep and store customer data during the term of contract. Customer accounts are deleted 30 days after contract expiry. Back up logs are stored for the maximum 90 days for customer convenience. Information in customer and user records are stored in our marketing systems for one year after terminated contract. Consent is required for longer storage. At any time during the term of contract, all customer data used in the product is offered portability.