Privacy Notice for Customers and Business Stakeholders

1. Scope and Purpose

This Privacy Notice for Customers and Business Stakeholders (hereinafter referred to as the "Notice") applies to the processing of personal data conducted by 24SevenOffice company you are interacting with in the following contexts: 

•    Marketing and sales of services;
•    Customer agreements and customer management;
•    Provision and use of services from the Company; 
•    Acquiring services, vendor agreements and vendor management;
•    Co-operation activities and stakeholder management;
•    Sales opportunities and management thereof; or
•    Events organised by the Company and management thereof.

The protection of the privacy and personal data of individuals whose data are being processed in connection with services provided under the 24SevenOffice brand ("Services"), is a top priority of 24SevenOffice. In this Notice it is explained how we ensure that processing of personal data by the Company is done in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and national laws implementing these instruments as and when applicable.

When the Notice talks about "Company", "we", "us", or "our", it refers to the relevant company in 24SevenOffice responsible for the processing of your personal data. 

2. Roles and Responsibilities

Company processes personal data in connection with its customers both as a data controller and data processor. A data processor is the entity that processes personal data on behalf of a data controller. A data controller is the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.

2.1 Company as Data Processor

In the provision of services to customers, the Company primarily acts as data processor. In these cases, our customer determines the purposes and the means by which personal data is processed. This means that the customer is responsible for the lawfulness of the processing, including but not limited to the provision of transparent information on the processing as well as responding to the requests from data subjects. Details of the processing are defined in a separate data processing agreement between us and our customer. As a data processor, the Company only processes personal data on behalf of the data controller and in accordance with the data controller's instructions. 

2.2 Company as Data Controller

In some cases, the Company will on its own determine the purpose and means by which personal data related to customers and business stakeholders will be processed in connection with the Services. In these cases, we will act as data controller and ensure the lawfulness of processing your personal data. This Notice provides you information on the processing conducted as data controller.  

3. Processing of Personal Data

3.1 Collection of Personal Data from different Sources

We collect and process personal data, which:

• is provided by you when you communicate or do business with us, e.g. in connection with entering into a contract or in the Know Your Customer (KYC) process, when you buy the Services or contact us for providing Services or in connection with service and support requests, when you visit our premises or participate in our marketing or social media campaigns or other events;
  
  
• is generated in different contexts e.g., when using or logging into our Services, performing various transactions (e.g. paying bills), and making entries or participating an event organized by the Company;
  
  
• is obtained from companies affiliated with the Company, publicly available sources, or third parties, where permitted by applicable laws, e.g. information obtained from the company you represent or with which you otherwise connected to, from the Register of Business Enterprises or other official registries, business information systems or other similar publicly available databases such as financial sanctions, and any asset freezing registers.
  
  

3.2 What Personal Data we Process 

The personal data we collect and process includes the following categories of data:

• basic information, such as name, title and your relation to a company you represent and contact details (email, address and phone), nationality, and language preferences;
  
  
• information relating to our relationship, such as service and order details, contract information, payment details, billing information, or information related to your visit at our premises (such as surveillance camera footage, vehicle license plate number)
  
  
• information related to the KYC process as required by applicable legislation, such as identification information, information on right to represent the company, basic information about the customer and related representatives, responsible persons and actual beneficiaries (including their personal identity numbers), as well as information whether some of the above persons or any individual otherwise closely associated with is to be categorised as a politically exposed person and the basis thereto, and sanction register information.
  
  
• marketing data, e.g. product preferences, marketing permissions and prohibitions;
  
  
• your communication and interactions with us as well as generated records and material, such as correspondence, service requests, call recordings, your contribution to our campaigns (video, audio or other material e.g. content in social media) and events organised by us, as well as entries on the use of individual’s rights;
  
  
• service-related information, e.g. user IDs, passwords, and other authentication credentials as well as data or IT management details generated in connection with service provision e.g., login information, and how Services are used. 

 

3.3 Purpose and legal basis for processing personal data 

Your personal data is processed for the following purposes and based on the legal basis as identified below:

 

• Sales, service provision, and management of customer relationship: Data is processed for the purposes of selling, providing and delivering our Services and to manage the customer relationship between us and you, or between us and a company you represent, are employed in, or otherwise associated with. This includes e.g., customer support, handling service requests, fault repair, and invoicing. For this purpose, we process various categories of personal data, including but not limited to data in the following categories (as further described in the previous section):
  
  (i)     "basic information";
  (ii)    "information relating to our relationship";
  (iii)    "information relating to "Know Your Customer" obligations; and
  (iv)    "your communication and interactions with us"; and
  (v)    "service-related information".
  
  The legal basis of processing personal data for this purpose is the performance of contracts regarding our Services and our legitimate interests in managing the customer relationship.
  
  
• For communication, marketing, and related analytics: Data is processed for the purpose of informing you about the Services we are offering, producing material or content for marketing or social media campaigns, market research, and customer surveys. 
  
  Outgoing communication with customers, in-app posts, product tours, banners, surveys, and emails are sent by a tool for outbound purposes. Our communication tools also provide information and statistics about the use of the Services. Such statistics may be used to develop and improve customer or user experience.
  
  For this purpose, we process various categories of personal data, including but not limited to data in the following categories (as further described in the previous section): 
  
  (i)    "basic information";
  (ii)    "information relating to our relationship";
  (iii)    "marketing data";
  (iv)    "your communication and interactions with us"; and
  (v)    "service-related information". 
  
  The legal basis for processing for this purpose is the performance of the contract regarding our Services or our legitimate interest in obtaining information to better understand our stakeholders, e.g. customers, and to promote our Services. 
  
  In addition to the above, the Company posts blogs about customer testimonials, news and posts on other social media outlets, available to users following Company’s blogs or social media channels or associated advertising tools. Such content may only include personal data concerning individuals who have freely consented thereto.
  
  
• Quality assurance, security, and development: Data is processed to analyse and develop our Services and operations, such as for creating new product features, automating operations, training artificial intelligence, improving processes, and for statistical purposes like managing our business. For this purpose, we may aggregate and pseudonymise "service-related information" (as defined above), and store usage patterns to optimise further development of the Services and to give you as an individual user of our Services a greater user experience.
  
  The legal basis of the aggregation and pseudonymisation process is our legitimate interest in optimizing and developing the Services and to ensure that our Services have an adequate level of information security, and to assure competitiveness of Services and operations.
  
  
• To protect, defend, or enforce our legal rights or compliance with the law, as well as responding to requests from government authorities. For this purpose, we may process all categories of personal data listed above in section 3.2 to the extent that necessary to comply with laws or protect our rights, for example in case we are part of a lawsuit. 
  
  The legal basis for processing for this purpose is our legal obligations or legitimate interest being able to demonstrate compliance of our operations and protect our rights in an appropriate manner. 

 

4. Notice Regarding Use of Third-Party Services

The Services may include Application Programming Interfaces (APIs) enabling our customers and their representatives to use certain third-party services. Such use of third-party services may include data transfers and data processing that the Company is not involved in or responsible for. We are not responsible for any such third-party data collection, storage, operating procedures, support, customisation or development activities. We strongly advise individuals to seek information regarding such third-party processing activities from the relevant data controller or the relevant third parties.

 

5. Disclosures and Transfer of Personal Data 

5.1 Disclosures to other Companies affiliated with the Company 

When we have a legitimate purpose and legal basis to do so, we may share personal data as mentioned in this Notice with other companies affiliated with us, as different companies in our group may be responsible for carrying out different tasks relating to sales, marketing or the provision of the Services. Such other companies may be acting as our data processors or as independent data controllers.   

 

5.2 Disclosures to other Third-Parties 

Company may disclose personal data about customers to external third parties who receive and process personal data as data processors or independent data controllers: 

In case of a merger or an acquisition, it might be necessary to give third parties access to data containing some degree of personal information. Such information will only be accessed by parties who have signed an appropriate non-disclosure agreement or parties who are bound by confidentiality obligations by law. As these independent data controllers process personal data for their own purposes, they are responsible for the lawfulness of processing of personal data. 

Company may also disclose personal data about customers to other third parties: 

• To business partners in order to fulfil the order and invoicing process in cases where you have purchased the Services through a partner. No other data will be shared.
  
  
• When a government authority or law enforcement make a lawful request for personal data or any other data processed by the Company;
  
  
• When they are engaged for the provision of services to us or to assist in the operation of our business and website, such as IT hosting, cloud service providers, administrative services, payment processors, customer satisfaction surveys. 
  
  

To ensure that your personal data is processed in line with data protection regulations, we always enter into the necessary data processing agreements (DPA) with all companies we engage to process personal data on behalf of us. If a third party that processes personal data uses your personal data for their own purposes, the service provider in question becomes responsible for the lawfulness of the processing. If possible, the Company will strive to ensure that further processing of your personal data is not incompatible with the original purposes which it was collected for.

 

5.3 Transfers of personal data outside the EEA

Your personal data is processed primarily in the European Economic Area (EEA). We may, however, transfer your personal data outside the EEA if our service provider or partner, who processes personal data, is located fully or partly (e.g., for technical administration) in a third country. Personal data may also be transferred to third countries, where this is required from the service provider under binding non-EU legislation.  

To the extent that your personal data is transferred to countries outside the EU/EEA, we will put in place appropriate safeguards to ensure that the personal data are subject to an equivalent level of protection as within the EU/EEA, including by entering into agreements based on the European Commission's standard data protection clauses or other approved transfer mechanisms.

6. Retention of Personal Data 

We will process your personal data only for as long as it is necessary to fulfil the purposes defined in this Notice. 

We have defined retention periods to all personal data we have on you. When defining such periods, we have considered various factors such as requirements for the statutory retention, the nature and sensitivity of personal data and the purposes the data is processed for. 

Your personal data processed based on a contractual relationship with you, or a company you represent, are stored, as a rule, for the duration of the contractual relationship or as long as the provision of the Services requires. After our relationship or service provision has ended, we typically store personal data that are necessary to protect our legitimate interests e.g., enabling response on requests or claims under applicable provisions concerning statute of limitations, or we may store your personal data, to the extent necessary, in order to respect your request not to receive direct marketing from us. 
If personal data is processed based on legal obligations, it is retained as long as required by law. Obligations to the storage of personal data are set, for example, by the Accounting and Anti-Money Laundering laws. 

7. Data Security

Company is committed to prevent unauthorised access, disclosure, or other deviant processing of your data. Your data is stored in a secure data operating environment with limited access for employees in the Company or our sub-processors. Access to data is on a need-to-know basis only. The operating environment and Company organisation are committed to follow the information security management standard ISO 27001.Bank payments use industry-standard encryption to provide protection for all information sent over internet. 

It is important when you as a customer evaluate the security of a cloud solution, understand and distinguish between security measures that the Company implements and operates, “Security in the Cloud”, and security measures that customers implement related to internal security of their own data. We are responsible for the operation and security of the Services, while you as a customer are responsible that no unauthorised entity gets access to you or any of your employees’ login information. That also includes leaving the Services logged on while leaving your IT asset for accessing information. E.g. we are not responsible for breach of security following customer's improper storage of authentication tools like e.g. passwords and mobile phones.

 

8. Your Rights as a Data Subject 

When we process your personal data, you have the following rights as a data subject: 

• Right of access and information:
  You can request a copy of all information about you in our registers, information about the purpose of the processing, where we have obtained the information from, disclosures of the information, retention period, and information about your rights as a data subject.
  
  
• Right to rectification:
  If you believe the data we have registered is inaccurate or incomplete, you can request that it be corrected or supplemented.
  
  
• Right to erasure:
  In certain cases, you can request that some information about you be deleted.
  
  
• Right to restriction:
  In certain cases, you can request that we temporarily restrict the way we process your personal data.
  
  
• Right to object:
  You can object to the processing of your data, if our processing of your personal data is based on our legitimate interest.
  
  
• Right to data portability:
  You may request to receive data collected on the basis of consent or for the fulfilment of an agreement in a machine-readable and commonly used file format. 
  
  
• Right to withdraw consent:
  If our processing of your personal data is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of the processing that has already taken place.
  
  

Please note that the rights above are not absolute, and certain rights are subject to exceptions and conditions as set out in applicable data protection laws. 
You always have the right to file a complaint with a supervisory authority if you believe your personal data has been processed in violation of applicable data protection laws.

National supervisory authorities are: 

• In Norway:     Datatilsynet 
• In Sweden:     Integritetsskyddsmyndigheten
• In Finland:     Tietosuojavaltuutettu 
  
  
  

9. Changes to this Privacy Notice

We will update this Notice as and when required to reflect any changes to our processing of personal data and/or changes to data protection regulations. You are encouraged to revisit this Notice from time to time. 

10. Contact details

If you have any questions regarding this Notice, the personal data we process about you, or details of the data controller in your specific situation, please contact us at privacy@24SevenOffice.com. 

 

Last review

Reviews

09 May 2025

 

Change log

Edited May 09, 2025

- Due to the organisational changes and for aligning information provision with the companies affiliated with 24SevenOffice, we have revised the structure of the Privacy Notice and made changes e.g., as follows: separated information on the processing of personal data of website users into a separate notice (“Privacy Notice for Website Users”), removed text on the processing of personal data on behalf of our customer companies as a data processor (which will be completely addressed in a data processing agreement with our customer company), included more detailed information on the categories of personal data processed, added information on the legal grounds for the processing, removed the section on California Privacy Rights (“CCPA”), edited the text regarding the transfers of personal data outside the EEA and retention of personal data. 

Edited: June 07, 2024
- Update paragraph about EU-US Data Privacy Framework

Edited: April 14, 2023
- Updated definition about Data Processor and Data Controller

Edited: February 17, 2023
- Removed dubble sentence in paragraph about "Storage and Transfer"

Edited: May 3, 2022
- Included paragraph covering compliance to California Consumer Privacy Act ("CCPA").

Edited: March 7, 2022
- Updated information about cookies as a consequence of the implementation of the new cookie policy. Removed information that no longer is relevant under "How 24SevenOffice collects your personal data". Updated information about sub-processors and ownership of supplier that falls under the Schrems II verdict. Move some parts to other sections where they are more natural.

Edited: April 23, 2021
- In connection with the introduction of 24SevenOffice Payroll module, a new section under 1. What data do 24SevenOffice process is included. This section regulates what type of data that 24SevenOffice process to deliver payroll functionality to its customers.

Edited: October 2, 2020
- Contact information email adress is updated

Edited: May 3, 2018
- First edition of revised Privacy Notice after the changes in the laws and regulation regarding processing of personal data, known as General Data Protection Regulation (GDPR)