Planview Privacy
Last modified: August 27, 2024
Planview’s commitment to privacy extends to every facet of the organization to ensure customer data is managed with the utmost care.
Privacy Statement and internal Privacy Policy
Planview maintains a comprehensive privacy statement describing the types of personal identifiable information we collect, how and why we use and share it, and in what way we secure that information. We also explain how you can access and exercise your rights as a registered natural person (data subject), and how to update your information.
Planview’s Privacy Policy is an internal document subject to the ISO 27701 standard. The policy instructs how employees and contractors shall process and handle personal identifiable information of customers, users and prospects. The policy is complemented by specific instructions to each business area, depending on the nature of that business area and what personal identifiable information they process.
From a privacy perspective, Planview’s operations are divided between processing activities we perform on behalf of our customers (our products, services and support), and activities performed for our own business (e.g., marketing and sales, administration and improvement of our services, Planview communities and communication forums). Our responsibilities vary depending on the subject matter of the processing activities, as well as our role and influence as to how they are carried out.
INTERNATIONAL TRANSFERS OF PERSONAL IDENTIFIABLE INFORMATION
For our service delivery, Planview uses EU-based data centers for hosting EMEA customer data and, in some cases, UK-based data centers to host UK customer data. In the event that the sharing of data between customer and Planview, or between Planview and its subsidiaries or third-party partners, results in an international data transfer to a country which does not ensure an adequate level of protection under the GDPR, Planview shall enter into the European Commission-approved EU (2021/914) Standard Contractual Clauses (“SCC”) to protect the transferred data. Moreover, when applicable, Planview shall also adopt Standard Contractual Clauses to protect personal identifiable information subject to Swiss law or enter into the UK Data Transfer Addendum.
Planview has a comprehensive and robust data protection security program in place that supplements the SCCs. All data is encrypted when processed. All systems, as well as all operational activities by Planview employees, are monitored to ensure confidentiality, availability and resilience of the services, including restoration in the event of a breach. Regular testing, assessments and reviews of the security measures are performed to evaluate their effectiveness. Planview partners with the most acknowledged data center providers, cloud service providers, analytic platforms and incident detection and response providers to facilitate and monitor the services. Planview is certified for ISO 27001/27701 and SOC 2 audited on an annual basis.
Planview believes the SCC in combination with all other safeguards in place can ensure customer data remains protected in alignment with the GDPR requirements. However, Planview follows the developments and guidance from the EU Supervisory Authorities and the EDPB closely for additional supplementary arrangements as updated.
PRIVACY REGULATIONS
As a global company, Planview understands the important link between privacy and customer trust. All Planview entities adhere to strict privacy and data protection requirements to ensure compliance with the privacy regulations to which Planview is subject across the world. The appointment and ongoing efforts of a dedicated Data Privacy Officer (DPO), based in the EU (Sweden), are the basis of an increased focus toward earning that trust.
The following principles relating to processing of personal data are the focus for our compliance work.
Lawfulness, Fairness and Transparency – We process personal data strictly for our own business, and in accordance with our privacy policy and any applicable laws, always ensuring we have a legal basis to do so. We implement internal policies and procedures to ensure that we do not process personal data in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to customers or individuals. We inform customers and individuals about our processing activities in our privacy statement. Our Data Processing Agreement (DPA) is available for any and all to review.
Purpose Limitation – We process personal data strictly for 1) fulfilling the contractual requirements agreed upon between our customers and us, and for their own purposes, and/or 2) our own specified, explicit and legitimate purposes as data controllers, detailed in our privacy statement.
Data Minimization and Accuracy – We require only identifiable information of customers and users of our products, as necessary to fulfill the purposes for which they are processed. Customer records are regularly reviewed and evaluated for accuracy and actuality. We have processes in place to ensure we fulfill the rights of a registered individual (data subject) through our DSAR portal.
Storage Limitation (Retention) – We keep and store customer data only during our contract term, notwithstanding any additional data retrieval period as agreed with the customer and/or any longer legally mandatory retention periods. Customer accounts are deleted at the earliest convenience after contract expiry. Backup logs are stored for an extended amount of time. At any time during the term of the contract, portability is offered for all customer data used in the product.
Integrity and Confidentiality – We have implemented technical and organizational measures to ensure all data is protected and secured. We have internal access controls and authorization requirements for all data. All employees are subject to our privacy policy and specific instructions. Annual mandatory trainings and seminars are provided to ensure sufficient awareness and knowledge is achieved. For further description of our technical measures to protect data, please review our information on security.
Planview does not “sell” our customers’ personal data or personal identifiable information (PII). Planview does not rent, disclose, release, transfer, make available or otherwise communicate PII to a third party for monetary or other valuable consideration. Planview does share aggregated and/or anonymized user information regarding customers’ and users’ usage of our offered services with third parties (i.e., Sub-processors) through integrations, for the performance of the contracted services and to provide customers with more relevant content of our services.
As Planview is a SaaS provider and processes customer and user data only as instructed for the purpose of executing the services as we’ve committed to in our customer contracts, we do not distribute or deploy customer data for any other commercial purposes. Planview does not retain, use, disclose, or otherwise process PII for any purpose other than for the specific purpose of performing its obligations under its agreements, or outside of the direct business relationship it has with customers.