In the light of the CJEU ruling on the case referred to as “Schrems II”, most businesses must now assess their transfers of personal data to third countries, including the US. Pagero is a global provider of cloud-based solutions used by businesses to reach other businesses worldwide, and is therefore naturally affected by the implications of the ruling. Pagero’s business is built upon providing secure and compliant solutions for our customers, and we are continuously monitoring the legal landscape to be up to date. Here we have gathered some key information that may be useful when assessing your use of Pagero’s services in the light of the Schrems II case:
The Pagero Services:
- The platform (Pagero Online) is hosted in Sweden but;
- Pagero utilizes a subprocessor in Sri Lanka for R&D and technical support which means that the employees of that subprocessor have access rights to Pagero Online.
- If you have selected any additional service (such as for example print, scanning or data capture) the additional service may be provided by a provider based outside of the EU in accordance with the specific agreement. You can find the list of all such providers here. Please reach out to your sales rep if you are unsure of which services and providers apply to you.
- Depending on where your recipients of documents are located, the service itself may allow you to transfer information to any recipient in the world.
The Pagero company:
Pagero is a global company with offices all over the world, which enables us to provide timely and efficient support to our customers as well as local project management. Presently, Pagero employees that have access to Pagero Online are located within the EU, with the exception of a limited number of individuals in our Dubai and US offices. Transfers of personal data within the group is governed by an intra group processing agreement and we have implemented technical and organizational measures to ensure the security of the data. Please read more about how we protect data here.
What Pagero has done to ensure the continued compliance with the GDPR in the light of Schrems II:
- We have reviewed all of our data flows and assessed all transfers of customer data
- We have updated our notices and data processing agreements to reflect the current situation and ensured to include appropriate transfer mechanisms to replace any transfers relying on Privacy Shield
- We have done our own risk assessment to ensure that we have done all we can to minimize the risks associated with any transfers, including ensuring the appropriate technical and organizational measures. The risk assessment may be provided to you to support your own assessment should you wish so.
Roadmap moving forward:
We see continued challenges for ourselves and our customers in an increasingly more complex legal landscape relating to data transfers and utilizing the benefits a global solution can bring. Therefore, we are currently pushing the following changes to ensure that all customers can continue to use our services:
- Within the next few weeks, we will close down the access to Pagero Online provided to our US employees and thus completely cease any such transfers.
- We have begun a project to re-structure our platform to support regional access, meaning that moving forward we can completely block all access to a customer’s data from a Pagero office outside of a specified region or country, such as for example the EU. This project is expected to be finalized during 2021.
If you have any questions or would like to discuss more, please do not hesitate to contact your sales rep or Pagero’s data protection officer at firstname.lastname@example.org