Privacy policy

This is a description of the processing of personal data in accordance with the EU General Data Protection Regulation (2016/679) (GDPR).

This Privacy Policy describes how Visualised AB processes personal data in connection with MeetID.

MeetID is an application and related service for the secure management of digital meetings, including authentication, authorisation control and access control. The Service may be used together with the Customer’s existing meeting platforms, electronic identification services, communication services and other third-party services.

This Policy applies when MeetID is used, installed, authorised or administered, when a User is authenticated through the Service, when a Meeting Participant is granted access to a digital meeting, when support matters are handled, and when technical logs or security-related information are processed.

Definitions

Controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Personal Data means any information relating to an identified or identifiable natural person, hereinafter referred to as a Data Subject. An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing of Personal Data means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Third Party means a natural or legal person other than the Data Subject, the Controller or persons who, under the direct authority of the Processor, are authorised to process the Personal Data.

Service means MeetID, including the application, web flows, technical functions, authentication flows, access controls and related support and operational functions.

User means a natural person who uses, accesses or otherwise interacts with the Service, including administrators, meeting hosts, internal users, external meeting participants and other persons who are authenticated or granted access through the Service.

Customer means the organisation that uses or has entered into an agreement regarding MeetID.

Electronic Identification means electronic identification, electronic identity verification or another identity service approved by the Customer or Visualised AB and used to verify a User’s identity.

Third-Party Services means services, systems, platforms, software, APIs, identity services, communication services, hosting services or other technical components provided by a party other than Visualised AB and on which the Service may depend or with which it may integrate.

Log Data means technical logs, security logs, event data and other information generated when using the Service for the purpose of enabling operations, troubleshooting, security, traceability and regulatory compliance.

Allocation of roles in relation to the processing of personal data

Visualised AB is the Controller for the processing of personal data where Visualised AB itself determines the purposes and means of the processing, for example processing for operations, security, support, administration, contract follow-up, communication and regulatory compliance in relation to MeetID.

When MeetID is used by a Customer to create, administer or protect access to the Customer’s digital meetings, the Customer may be the Controller and Visualised AB may be the Processor. Where applicable, such processing is governed by a separate data processing agreement or other data protection agreement between Visualised AB and the Customer.

Where Visualised AB processes personal data as a Processor on behalf of a Customer, Visualised AB processes the personal data in accordance with the Customer’s documented instructions, the applicable data processing agreement and applicable data protection legislation.

Controller

Visualised AB
Company registration number: 556905-9560
Address: Rosenborgsgatan 12, 169 74 Solna, Sweden
Email: privacy@meetid.se

Contact details for data protection matters

The Data Subject may contact Visualised AB regarding any matter relating to the processing of personal data and the exercise of rights under the GDPR.

Where Visualised AB processes personal data as a Processor on behalf of a Customer, Visualised AB may need to refer the request to the Customer or handle the request in accordance with the Customer’s instructions.

Legal basis and purposes of the processing of personal data

The legal bases for the processing of personal data are:

– the contractual relationship between the Data Subject and the Controller;
– compliance with the Controller’s legal obligations; and
– the legitimate interests pursued by the Controller or by a third party.

Visualised AB processes personal data on the basis of contract, legal obligation and legitimate interests.

Contract is used as the legal basis where the processing is necessary to provide, administer and enable the use of MeetID, including functions for authentication, authorisation control, access control, support and administration.

Legitimate interest is used as the legal basis where the processing is necessary for operations, security, troubleshooting, incident management, logging, traceability, abuse prevention measures and to protect the Service, Customer Information, Users and other relevant parties.

Legal obligation is used as the legal basis where Visualised AB needs to process personal data to comply with requirements under law, decisions by public authorities, court orders, accounting rules or other legal obligations.

Where Visualised AB processes personal data as a Processor on behalf of a Customer, the Customer is responsible for ensuring that there is a legal basis for the processing. Visualised AB then processes the personal data in accordance with the Customer’s documented instructions, the applicable data processing agreement and applicable data protection legislation.

The purposes of the processing of personal data are to provide, administer, secure and further develop MeetID.

Personal data is processed in order to:

– provide MeetID and enable secure management of digital meetings;
– create, administer and manage access to meetings;
– verify Users’ identities through Electronic Identification or another approved authentication method;
– verify authorisation and ensure that the correct person is granted access to the correct meeting or function;
– manage invitations, Access Credentials, meeting references and other information required for the functionality of the Service;
– prevent, detect and investigate unauthorised access, misuse, incorrect authorisation and security incidents;
– provide support, troubleshooting, technical operations, logging and monitoring;
– maintain traceability, information security and regulatory compliance; and
– manage customer relationships, administration, documentation, agreements and legal requirements.

MeetID does not normally process meeting audio, video, chat or shared content, unless this is expressly stated in the functionality of the Service, in a separate agreement or in other information provided to the User.

Regular sources of data

Personal data may be collected from the Data Subject, from the Customer, from the Customer’s administrators, from meeting platforms, from electronic identification services, from other Third-Party Services used by the Customer together with MeetID, and through technical use of the Service.

Examples of technical use include authentication events, access attempts, system logs, error messages, timestamps and security events.

Personal data processed

Visualised AB processes only such personal data as is relevant and necessary for the purposes described in this Privacy Policy.

The following categories of personal data may be processed:

Account and user data:
Name, email address, organisation, user ID, role, permissions, administrator status and information regarding authorisation or access.

Meeting-related data:
Meeting references, meeting ID, meeting time, meeting host, invitation details, access status and technical information required to link the correct User or Meeting Participant to the correct meeting.

Data relating to Electronic Identification and authentication:
Name, identity reference, authentication status, time of authentication, result of identity verification and other information required to verify identity and authorisation. The electronic identification itself may be handled by an external identity service.

Technical data and Log Data:
IP address, timestamps, browser, device type, technical identifiers, error messages, security events, access logs and other information required for operations, troubleshooting, security and traceability.

Support and communication data:
Name, contact details, organisation, support matter, correspondence and information provided when contacting Visualised AB.

MeetID does not normally process meeting audio, video, chat or shared content, unless this is expressly stated in the functionality of the Service, in a separate agreement or in other information provided to the User.

Disclosure of personal data

Personal data may be shared with other recipients where necessary to provide, secure, administer or follow up MeetID, or where required by law, agreement, decision by a public authority or court order.

Personal data may be shared with the following categories of recipients:

– Customer’s authorised administrators and users;
– providers of operations, hosting, infrastructure and database operations;
– providers of security, logging, monitoring and incident management services;
– providers of support and case management systems;
– providers of electronic identification or electronic identity verification services;
– providers of meeting platforms and communication services; and
– public authorities, courts or other recipients where disclosure is required by law, decision by a public authority or court order.

Suppliers that process personal data on behalf of Visualised AB shall process the data pursuant to an agreement and only in accordance with instructions.

Transfers of personal data to third countries

Visualised AB endeavours to process personal data within the EU/EEA to the extent possible and appropriate, taking into account the functionality, operation and security of the Service.

Where personal data is transferred to, or made accessible from, a country outside the EU/EEA, this will only take place where there is an applicable legal basis and appropriate safeguards under data protection legislation, such as the European Commission’s standard contractual clauses, an adequacy decision or other applicable safeguards.

Where personal data is processed in Third-Party Services, such processing may also be subject to the respective third party’s terms and data protection information.

Protection of personal data

Visualised AB processes personal data in a manner intended to ensure appropriate security of the personal data, including protection against unauthorised processing and against accidental loss, destruction or damage.

Visualised AB uses technical and organisational safeguards adapted to the nature of the Service, the risks and the information processed. Such measures may include access controls, authorisation management, encryption, firewalls, logging, monitoring, security reviews, incident management, backup, system segmentation and staff training.

Access to personal data is restricted to persons and suppliers who need the data to perform their duties.

Retention period

Visualised AB retains personal data only for as long as necessary for the purposes set out in this Privacy Policy, or for as long as required under agreement, legal obligation, security requirements or documented procedures.

Account and administration data is normally retained for as long as the customer relationship or the User’s access to the Service continues and thereafter for the period necessary for agreements, support, documentation and legal requirements.

Meeting-related data is retained for as long as necessary to provide the Service, manage access, provide support and comply with contractual or legal requirements.

Log Data, security logs and access logs may be retained for a longer period for traceability, incident investigation, security and regulatory compliance. Such logs are normally retained for at least twelve (12) months, unless another retention period follows from agreement, security requirements or legal obligation.

Support data is retained for as long as necessary to handle the support matter and thereafter for the period necessary for follow-up, quality assurance, security and documentation.

When personal data is no longer needed, it is erased in accordance with Visualised AB’s procedures.

If MeetID is removed, uninstalled or the Customer’s use of the Service ceases, personal data may still be retained for the period necessary to perform agreements, handle support, comply with legal obligations, retain security logs, investigate incidents or comply with documented erasure and retention procedures.

Profiling

Personal data is not used for profiling or automated decision-making that produces legal effects concerning the Data Subject or similarly significantly affects the Data Subject.

MeetID may automatically check authentication status, authorisation and access conditions to determine whether a User should be granted access to a specific meeting or function. Such checks are used for security and access control.

Visualised AB does not sell personal data processed through MeetID.

Visualised AB does not use personal data from MeetID for advertising profiling, behavioural marketing or to build profiles for marketing purposes.

Rights of the Data Subject

Right of access to personal data

The Data Subject has the right to obtain confirmation as to whether his or her personal data is being processed and, where it is being processed, the right to receive a copy of the personal data.

Right to rectification

The Data Subject has the right to request that incomplete and inaccurate personal data concerning him or her be rectified. The Data Subject also has the right to have incomplete personal data completed by providing the necessary supplementary information.

Right to erasure

The Data Subject has the right to request erasure of his or her personal data. This applies, among other things, where the personal data is no longer necessary for the purposes for which it was collected, where the personal data has been unlawfully processed, or where the Data Subject has withdrawn the consent on which the processing is based.

Right to restriction of processing

The Data Subject has the right to request restriction of the processing of his or her personal data, including where the Data Subject contests the accuracy of the data or considers that the processing is unlawful.

Right to object

The Data Subject has the right to object to processing based on legitimate interests. Where personal data is processed for direct marketing purposes, the Data Subject always has the right at any time to object to the processing of his or her personal data for such marketing, including profiling related to such direct marketing.

Right not to be subject to automated decision-making

The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

The above does not apply if the decision is necessary for entering into or performance of a contract between the Data Subject and the Controller, or if it is based on the Data Subject’s explicit consent.

Right to data portability

The Data Subject has the right to receive the personal data concerning him or her, as well as the personal data that the Data Subject has provided. The personal data shall be provided in a structured, commonly used and machine-readable format. The Data Subject also has the right to transmit such data to another Controller.

Right to lodge a complaint with the supervisory authority

The national supervisory authority for matters relating to personal data is the Swedish Authority for Privacy Protection. The Data Subject has the right to refer his or her matter to the supervisory authority if the Data Subject considers that the processing of his or her personal data infringes applicable legislation.

Other rights of the Data Subject

Requests to exercise rights shall be sent to Visualised AB using the contact details set out in this Policy.

Where Visualised AB processes personal data as a Processor on behalf of a Customer, Visualised AB may need to refer the request to the Customer or handle the request in accordance with the Customer’s instructions.

The rights may be restricted in certain cases, for example where continued processing is required by law, agreement, security requirements or in order to establish, exercise or defend legal claims.

Information on the processing of personal data relating to children

MeetID is not primarily directed at children under the age of 16.

If a Customer uses MeetID in contexts where children may be involved, the Customer is responsible for ensuring that there is a legal basis, necessary permissions and appropriate safeguards for such use.

Amendments to this Privacy Policy

Visualised AB may update this Privacy Policy when necessary, for example in the event of changes to MeetID, technical changes, changes to Third-Party Services, new legal requirements or changed processing procedures.

The latest published version applies from the date stated in the Policy.

In the event of material amendments, Visualised AB will provide information in an appropriate manner. If an amendment requires consent or another specific action under applicable data protection legislation, Visualised AB will handle this in accordance with the requirements of the law.