Your individual rights and privacy are important to us. This privacy policy describes how we collect, use, store and share personal data. The policy is a supplement to our general terms and conditions, service-specific terms and SLA, as well as our personal data processor agreement. This policy applies from 25 May 2018.
This privacy policy applies when PAAM Systems provides services and products, and to purchases, service issues and other contact with PAAM Systems, such as visits to our website.
What information do we gather?
We collect information about you directly or indirectly when you contact our customer assistance or use our web services and forms where you provide personal information. Contact information and a delivery address are essential when ordering a physical product. To be able to offer you assistance, send invoices or otherwise contact you in important matters, some data must be collected. This information is name, company address, billing information, e-mail address, title and phone number, unless otherwise agreed with you.
User data from our webpage is collected to ensure operation and to detect or prevent threats that may compromise security. For this purpose we save your IP address, with timestamps and navigation information, for a limited time.
How do we protect your personal data?
We have taken technical and organizational measures to process your data and protect it from loss, manipulation and unauthorized access. We adapt our security routines to developments in the technical field. We choose our suppliers carefully to ensure that they maintain the same high standard of data management as we do. By limiting access to the systems that contain personal data and controlling it on a role basis, we minimize who can reach your personal information. Encryption, multi-factor authentication and a password policy are used as far as possible for each system.
For how long do we store the data?
We store personal data for as long as necessary to fulfil our obligations to you as a customer, or for as long as we are required to keep it by applicable law. When the agreement expires, the data is deleted or anonymized.
Who is responsible for the personal data?
PAAM Systems is the data controller when you, as a customer or stakeholder, are registered in our systems. When you use our products, you are the data controller; PAAM Systems is the personal data processor when you use our assistance or a hosting solution.
Who has access to your personal data?
We do not provide personal data to third parties unless you, the customer, have been informed about it. We must disclose certain information to third parties if, for example, a delivery of a product is to be completed, or if we are required by law to provide information to authorities.
What rights do you have?
As a customer you have the right to obtain the information we have gathered about you, and to receive instructions on how you can access it.
Changes to your personal data are made by contacting us.
If you contest the accuracy of the data we have registered, you may request that we restrict the processing of that data to storage only. We will then stop all other processing (which also means we must stop delivering our services) until a correction has been made, or until it can be determined what is correct.
For personal data that has been collected and processed automatically on the basis of your consent, you have the right to receive the data in a machine-readable format.
Under some circumstances you have the right to request deletion of your personal data. For example:
- If there is no legal basis for the processing, or the processing is unlawful
- If there is no legitimate reason for continued processing
- If you object to the processing, or to direct marketing
We need a satisfactory basis for verifying your identity before we can act on such a request. Requests to exercise your rights are assessed case by case, based on the current circumstances. We may also have to keep your personal data to fulfil legal obligations, to handle legal claims, or to enforce our active agreements.
Changes in the policy
This policy may be revised from time to time to comply with current law and security updates. If major changes are made, they will be communicated to registered users by e-mail. To keep up to date with minor updates, we recommend that you read this policy periodically on our webpage.
If you have comments or questions, you are welcome to contact us through our customer assistance by e-mail, phone or via our webpage.
Personal Data Processor Agreement
Between you, the customer (Personal Data Controller), and PAAM Systems AB, org. nr 556842-0672, Hjälmarvägen 65, 702 86 Örebro (Personal Data Processor), together with appointed Master Licensees and their Sub-licensees, which can be found on the contact page.
Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), hereinafter called the Regulation, requires a written Personal Data Processor Agreement when a party is to process Personal Data on behalf of another party. This Personal Data Processor Agreement is an addendum to the existing Agreement between the parties, or to an Order placed according to the conditions stipulated in the Quote, Service Level Agreement and/or Hosting Service.
1.1. “Personal Data” refers to any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier. Examples of identifiers are a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2. “Registered” means the natural person (data subject) to whom the Personal Data relates.
1.3. “Process” or “Processing” means an operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.4. “Regulation” refers to the GDPR (General Data Protection Regulation).
1.5. “Processor” refers to the Personal Data Processor (the provider of the service).
1.6. “Controller” refers to the Personal Data Controller (the customer).
1.7. “Instruction” refers to the documented instructions on data processing provided by the Data Controller to the Data Processor.
1.8. Otherwise, terms in this agreement shall be interpreted in accordance with the Regulation.
2. Processing of personal data
2.1. The Data Processor will, in delivering the Main Services to the Data Controller, process certain categories and types of Personal Data on behalf of the Data Controller. These are general Personal Data such as name and contact information (e-mail address, phone number and postal address) regarding the customer’s personnel and its customers.
2.2. The Processor shall only Process Personal Data on assignment under an agreement with the Controller, when the Main Services in some manner require it. The Processing is primarily directed by the Controller, except when the Controller uses the Hosting Service, where the Processing also includes storage of Personal Data.
2.3. The Processor shall keep and maintain a register of processing activities in accordance with GDPR, article 30.
3.1. The Processor may only Process Personal Data in accordance with the documented Instruction from the Controller, unless the Processor is required by law to act without such instruction. The Instruction at the time of entering into this Personal Data Processor Agreement is that the Processor may only Process the Personal Data for the purpose of delivering the Main Services as described in the Main Service Level Agreement. Subject to these terms, the Controller may issue additional written instructions consistent with this Agreement. The Data Controller is responsible for ensuring that all individuals who provide written instructions are authorized to do so.
4. The Personal Data Processor’s obligations
4.1. The Processor undertakes to comply with the GDPR and to keep informed of the Regulation and related legislation relevant to the agreed Processing.
4.2. The Processor may only Process Personal Data in accordance with this Agreement or the Instructions provided by the Controller. If the Processor lacks instructions that it assesses are necessary to carry out the assigned task, or if the instructions violate the Regulation, the Processor shall promptly inform the Controller and await further instructions. New instructions shall be documented.
4.3. The Personal Data Processor shall only Process Personal Data on equipment physically located within the EEA, including when using cloud services. The Processor reserves the right to move the data when deemed necessary for security reasons or to ensure the service level, but only after consulting the Controller.
4.4. Where a Registered, an authority or any other third party requests information from the Processor, the Processor shall refer the request to the Controller and withhold such information. The Processor shall promptly inform the Controller of any contact that may be of importance for the Processing of Personal Data. The Processor is not entitled to represent the Controller, or to act on the Controller’s behalf towards any third party, without an explicit Instruction.
4.5. Where the Processor’s assistance is necessary and relevant, the Processor shall assist the Controller in preparing data protection impact assessments in accordance with GDPR, article 35, and in any prior consultation in accordance with GDPR, article 36.
4.6. If the Controller receives a request from a Registered to exercise the Registered’s rights under Applicable Law, and a correct and lawful reply to that request requires the Processor’s assistance, the Processor shall assist the Controller by providing the necessary information and documentation. The Processor shall be given reasonable time to assist the Controller with such requests in accordance with Applicable Law.
4.7. Upon detecting a personal data incident, the Processor shall inform the Controller without undue delay and otherwise assist the Controller so that the Controller’s obligations regarding personal data incidents can be fulfilled.
4.8. To the extent relevant to the nature, scope, context and purpose of the Processing, the Processor shall carry out an impact assessment to determine whether the Processing is likely to result in a high risk to the rights of the Registered. The impact assessment shall be based on article 35 of the Regulation. The Processor shall consult the supervisory authority if the assessment shows that the Processing leads to a high risk for the Registered.
4.9. Following expiration or termination of the Agreement, the Processor will delete or return to the Controller all Personal Data in its possession, except to the extent that the Processor is required by Applicable Law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent any further Processing of it). The terms of this Agreement continue to apply to such Personal Data.
5.1. The Processor is given general authorization to engage third parties to Process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Controller, provided that the Processor notifies the Controller in writing of the intended Sub-Processor before any agreement with, or Processing of Personal Data by, the Sub-Processor. If the Controller objects to the Sub-Processor, the Controller shall give written notice thereof within fifteen (15) days of receiving the notification from the Processor.
5.2. If the Controller objects to a new Sub-Processor and the Processor cannot accommodate the objection, the Controller may terminate the Services by giving written notice to the Processor.
5.3. The Processor shall conclude a written agreement with any Sub-Processor. Such agreement shall, at a minimum, impose the same data protection obligations as apply to the Processor, including the obligations under this Data Processor Agreement.
5.4. At the time of entering into this Data Processor Agreement, the Processor uses the Sub-Processor Digital Ocean (only for the Hosting Service). If the Processor engages a new Sub-Processor, that Sub-Processor shall be added here.
6.1. The Processor shall take reasonable technical and organizational measures to protect Personal Data against unauthorized access, destruction and alteration in accordance with the Regulation, with regard to the requirements of article 32. This is done by measures such as: (i) restricting access to systems and servers through both physical and digital perimeter control; (ii) encrypting traffic, storage, devices and servers wherever possible; and (iii) using multi-factor authentication for all systems, servers and devices wherever possible.
7.1. The Personal Data Processor undertakes not to disclose to any third party any information regarding the Processing of Personal Data covered by this agreement, or any other instructions received from the Controller. The confidentiality obligation continues to apply after this agreement has expired.
7.2. The Processor shall treat all Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise Processed in conflict with the Instruction unless the Data Controller has agreed to this in writing.
7.3. The Processor undertakes to ensure that individuals authorized to Process Personal Data are bound by the same level of confidentiality as applies to Personal Data Processed under this agreement or applicable law.
8. The Personal Data Controller commitments
8.1. The Personal Data Controller shall ensure that the Processing is carried out in accordance with the Regulation. The Controller is responsible, among other things, for informing the Registered about the Processing and, where necessary, obtaining consent.
8.2. The Controller shall inform the Processor without delay of any changes to the Processing of Personal Data that may affect the Processor.
9. Remuneration and costs
9.1. The Controller shall remunerate the Processor for any time and material spent adapting and changing the processing activities in order to comply with changes to the Controller’s Instruction, including implementation costs and the additional costs required to deliver the Main Services as a result of the changed Instruction.
9.2. The Processor is exempt from liability for non-performance under the Main Agreement if performing its obligations under the Main Agreement would conflict with a changed Instruction, or if contractual delivery in accordance with the changed Instruction is impossible. This may be the case, for instance: (i) if the changes to the Instruction cannot be implemented technically, practically or legally; (ii) where the Controller explicitly requires that the changes to the Instruction apply before they can be implemented; and (iii) during the period until the Main Agreement has been changed to reflect the new Instruction and its commercial terms.
10.1. If a Registered or another third party directs a claim against the Personal Data Controller due to the Processing of Personal Data by the Personal Data Processor, the Processor shall hold the Controller harmless from the claim, provided that the claim results from the Processor’s violation of this agreement or from the Processor’s failure to follow notified Instructions.
11. Agreement rewording
11.1. If required by changes in applicable law or regulatory requirements, this agreement shall be revised without undue delay so that it complies with the legislation that caused the revision.
12. Agreement period
12.1. This agreement is valid for as long as the Personal Data Processor processes Personal Data on behalf of the Personal Data Controller. This is governed by the Agreement describing the type of service to which the Processing refers.
What are cookies?
HTTP, the protocol the web is built on, is “stateless”. This means that each time you visit a website, your browser treats the communication as an independent transaction: by itself, the website cannot tell whether this is the first or the tenth time you visit it.
On our website, www.paam-systems.com, we offer some features to our visitors that require us to know whether you have visited us before. This is solved using cookies, an established solution used throughout the Internet. If you have ever used sites such as Google, Facebook or Twitter, you almost certainly already have at least one cookie on your computer.
Technically, a cookie is a small piece of data sent from the website you are visiting to your browser, which sends it back on later requests. It is stored either in memory for the duration of the browser session (session cookies) or on disk as a text file (persistent cookies). We use both types at www.paam-systems.se to “recognize” visitors who have visited us before. We store no personal information about you in the cookie, only a “flag” recording that your browser has visited www.paam-systems.se earlier.
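As an added example (not code from PAAM Systems or its website), the following shows how a "visited before" flag cookie of the kind described above is set and read back using only the Python standard library. The cookie name, the 30-day lifetime and the `Secure`, `HttpOnly` and `SameSite=Lax` attributes are assumptions chosen to show how such a flag is issued without it becoming a tracking identifier or being exposed to scripts or cross-site requests; the value is the same constant for every visitor.

```python
"""Returning-visitor flag cookie: session or persistent, no personal data in it.

Added example, not PAAM Systems' code. Cookie name, lifetime and attribute
choices are assumptions made for illustration.
"""
from http.cookies import CookieError, SimpleCookie
from typing import Dict, Optional, Tuple

COOKIE_NAME = "seen_before"           # assumed name, not taken from the site
PERSISTENT_MAX_AGE = 30 * 24 * 3600   # assumed 30-day lifetime for the persistent variant
FLAG_VALUE = "1"                      # identical for every visitor: a flag, not an identifier


def has_visited_before(cookie_header: Optional[str]) -> bool:
    """Parse an incoming 'Cookie:' request header.

    Returns True only if our flag is present with the expected value. Malformed
    headers are treated as a first visit rather than raising to the caller.
    """
    if not cookie_header:
        return False
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return False
    morsel = jar.get(COOKIE_NAME)
    return morsel is not None and morsel.value == FLAG_VALUE


def build_set_cookie(persistent: bool) -> str:
    """Build the value of the 'Set-Cookie:' response header for the flag.

    A session cookie has no Max-Age and is dropped when the browser closes; the
    persistent variant is written to disk for PERSISTENT_MAX_AGE seconds.
    Secure: only sent over HTTPS. HttpOnly: not readable by page scripts.
    SameSite=Lax: not sent on cross-site sub-requests, limiting CSRF exposure.
    """
    jar = SimpleCookie()
    jar[COOKIE_NAME] = FLAG_VALUE
    morsel = jar[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    if persistent:
        morsel["max-age"] = PERSISTENT_MAX_AGE
    return morsel.OutputString()


def handle_request(cookie_header: Optional[str], persistent: bool = True) -> Tuple[bool, Dict[str, str]]:
    """Minimal server-side decision: recognize the visitor, or issue the flag.

    Returns (returning_visitor, extra_response_headers). The flag is only set
    on a first visit, so a returning browser gets no Set-Cookie header at all.
    """
    returning = has_visited_before(cookie_header)
    headers: Dict[str, str] = {}
    if not returning:
        headers["Set-Cookie"] = build_set_cookie(persistent)
    return returning, headers


if __name__ == "__main__":
    # Constructed request headers for a first and a second visit.
    first = handle_request(None)
    second = handle_request("seen_before=1; other=x")
    print("first visit:", first)
    print("second visit:", second)
```

The point to take from the example is that the server never needs a per-user value to implement "have you been here before": a constant flag with a bounded lifetime answers the question, and the `Secure`, `HttpOnly` and `SameSite` attributes keep even that flag from leaking over plain HTTP, into page scripts or along cross-site requests.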
You can choose whether to accept cookies from www.paam-systems.com by changing your browser settings. If your browser is set not to accept cookies, some features of our site will not work.