Processor privacy statement regarding Acubiz One mobile application
This processor privacy statement describes how the Acubiz One mobile application (“Acubiz One”), which is provided by the company Acubiz A/S (“Acubiz” or “we”; “us” and “our” defined correspondingly), collects, uses and shares personal data about you (the “User” or “you”) as you use Acubiz One.
Acubiz One has been developed to be used as an integral part of the service Acubiz Expense Management Service (“Acubiz EMS”), which is provided by Acubiz to business customers. The purpose is to make it possible for businesses to provide their employees, board members, etc. an easy way to register and approve business-related expenses, mileage tracking as well as time and absence reporting by using Acubiz One.
Personal data about you collected via Acubiz One are collected due to your relationship (typically as an employee, board member, volunteer or teacher) with one of our business customers (the “Customer”) with whom Acubiz has entered into an agreement regarding access for the Customer to use Acubiz EMS. When the Customer, typically via an Acubiz PRO user working in the Customer’s finance, payroll or HR department, configures you as a user of Acubiz EMS, personal data about you, such as full name, initials and work e-mail address, are registered by the Customer into the Acubiz EMS solution; and as Acubiz EMS (including Acubiz One) is subsequently used by you and the Customer, additional personal information may be collected and processed as further explained below.
Acubiz acts as a data processor for the Customer and this processor privacy statement is only intended to provide certain additional information to you regarding Acubiz One
The Customer is the data controller with regard to personal data about you that is collected and/or otherwise processed via Acubiz One. Acubiz thus only acts as a data processor for the Customer in this regard. Therefore, Acubiz has entered into a Data Processing Agreement with the Customer, to ensure that we only collect and process personal data as instructed by the Customer and in accordance with the EU General Data Protection Regulation (GDPR). This processor privacy statement does not change any terms of any agreement with the Customer but is simply intended to provide certain information to you regarding Acubiz One.
It is emphasized that this processor privacy statement is provided strictly for information purposes. The processor privacy statement does not constitute a contractual promise by Acubiz to you. Furthermore, for the avoidance of doubt, the existence of this processor privacy statement does not in any way change that the Customer is regarded as the data controller within the meaning of applicable data protection laws in relation to the personal data about you that is collected and/or otherwise processed via Acubiz One. The information provided in this privacy statement does not replace any information that the Customer may, in order to fulfil its obligations as a data controller, provide, or may already have provided, to you regarding its processing of personal data, and you should direct to the Customer any question about how data about you is processed within or relating to Acubiz EMS (including Acubiz One).
Collection and use of personal data in Acubiz One
Acubiz One is used in connection with Acubiz EMS to register and approve or decline single transactions and expense reports. To provide this service, different types of personal data about the User are collected through Acubiz One. The specific types of personal data that are collected may, depending on how the Customer has configured and uses Acubiz EMS and on the User’s use of Acubiz One, include:
- Full name
- Work e-mail
- Company ID
- Employee number
- Cell phone number
- Configuration information (username, password/passcode, choice of user interface language, approval limit, name of manager(s), relation to company structure, such as department code or cost center, etc.)
- Payment card details
- Transaction data (see below)
- License plate number of car
- Private address
- Bank details (BIC/Swift, IBAN)
Acubiz One uses the User’s company e-mail address, company ID and password for login purposes. This information is used as unique identification of the User and to allocate transactions.
The data forms in Acubiz One are Expense, Invoice, Per Diem, Mileage and Time, each of which is called a transaction type. It depends on the Customer’s agreement with Acubiz and the Customer’s configuration of Acubiz EMS which of these transaction types you can enter into Acubiz EMS via Acubiz One.
Depending on the transaction type and the Customer’s configuration of Acubiz EMS, relevant business and accounting data on individual transactions (transaction data), such as date, amount, currency, purpose for the transaction, start and end addresses, route, department code or project number, one or more photos of a receipt, and other non-sensitive personal data relevant to the accounting process can be entered into Acubiz One. See separate sections below for further details regarding each transaction type.
Acubiz uses non-specific device information, such as device type, language settings and operating system, to optimize user experience as well as for the purpose of troubleshooting any bugs in, or crashes of, Acubiz One.
Input of sensitive personal data into Acubiz One is not allowed: The User must NOT enter or cause to be entered into Acubiz One personal data which belongs to any of the following categories, as Acubiz One is not intended for processing of personal data of such categories:
- Sensitive personal data (personal data covered by Article 9 of the GDPR), i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;
- Personal data relating to criminal convictions and offences (personal data covered by Article 10 of the GDPR); or
- Data regarding CPR numbers (or regarding any other national identification numbers/identifiers of general application for which specific conditions for processing apply pursuant to Member State law, cf. Article 87 of the GDPR).
The transaction types Expense and Invoice:
Acubiz One can be used to take photos of receipts, invoices, and other enclosures (payment documents) relevant for documenting that a business-related expense has occurred. Depending on the Customer’s configuration of Acubiz EMS, accounting-related details, such as amount, currency, date, country and type of cost, and possibly comments may via Acubiz One be added to the expense registration, and the combined registration with the photo(s) (if added) and the said data can subsequently via Acubiz One be submitted for further approval and processing.
Depending on the User’s consumption pattern of Acubiz One, the User might want to access and upload via Acubiz One a previously taken photo of a payment document. In order to do so, the User must grant Acubiz One permission to access the photo library of the User’s mobile device. Acubiz One supports the following photo library settings: ‘All photos’, ‘Selected photos’, or ‘None’; by which Acubiz One can respectively access all photos in the library, access only selected photo(s), or have no access to the photo library at all.
Any permission regarding Acubiz One using the camera and/or accessing the photo library of the User’s mobile device is granted by the User upon initial use of the feature. The User can at any time easily change the permission settings in Acubiz One or from the system settings of the mobile device.
Acubiz One does not use location tracking features of the User’s mobile device when registering expenses.
The transaction type Mileage:
For the transaction type Mileage (if part of the Customer’s configuration of Acubiz EMS) Acubiz One can be used to register business-related mileage and through an advanced rules and rates matrix to calculate the Customer’s mileage receivables. Thus, the registration of the trip including distance travelled, purpose of the trip, as well as the starting point and end destination addresses can be entered into Acubiz One and submitted via Acubiz One for further approval and processing.
The User can key in her/his starting point and destination addresses manually. Alternatively, for a more convenient usage of Acubiz One, and a more exact calculation of the distance between starting point and destination, the User may let Acubiz One use the location tracking feature of the User’s mobile device to track the actual route travelled.
Any permission regarding Acubiz One using the location tracking feature of the User’s mobile device is granted by the User upon initial use of the feature. The User can at any time easily change the permission settings in Acubiz One or from the system settings of the mobile device.
If the User does not want Acubiz One to use the location service of the mobile device, the ‘Do not allow’ setting should be selected.
Otherwise, the User may select the ‘Allow while using the app’ setting of the location service. GPS-tracking is then used to show the current location, map the route and calculate the distance travelled. Furthermore, the background usage of the location tracking ensures that the User can use the mobile device for other legal purposes while driving.
Acubiz One will not track the location of the User (even if the ‘Always’ setting is selected) until she/he begins tracking the route. The tracking of the location will stop once the User stops tracking the route.
The transaction type Time:
For the transaction type Time (if part of the Customer’s configuration of Acubiz EMS) Acubiz One is mainly used to register project related time spending as well as standard time compared to a weekly working scheme. Absence due to vacation, parental leave or illness may be registered as well. Where relevant, the Customer has set up the relevant wage types and mandatory comments for the User’s business purpose.
The relevant details (which depend on how the Customer has configured Acubiz EMS and may include, e.g., specification of account, type, dimensions and date) can be registered by the User in Acubiz One, and the time registrations can subsequently be submitted via Acubiz One for further approval and processing.
Acubiz One does not use location tracking features of the User’s mobile device when reporting time and absence.
Sources of the personal data
Some of the personal data about you collected by Acubiz One is retrieved from the Acubiz EMS service, e.g. configuration information that was provided by the Customer when configuring you as a user of Acubiz EMS, information you have previously entered into Acubiz EMS (including via Acubiz One) and, in some cases, transaction data from credit card company(ies) used by the Customer. The rest of the personal data about you is collected from you (including your mobile device) in connection with your use of Acubiz One.
Sharing of personal data
For the avoidance of doubt, the personal data collected via Acubiz One is available to the Customer (the data controller). (Accordingly, it may become available to any other users, persons or third parties to which the Customer chooses to provide access to such data (whether through Acubiz One or otherwise).)
Furthermore, as permitted under our Data Processing Agreement with the Customer, we may share the personal data with any sub-processors used by us in our provision of the Acubiz EMS service to the Customer.
Other than as set forth above, we do not, except if required by law, share the personal data with any third party without your prior permission to do so.
Security and retention of personal data
Acubiz uses appropriate technical and organisational measures to ensure in relation to its processing of the personal data a level of security that is in accordance with Danish law, the GDPR and the agreement between the Customer and Acubiz.
The period during which we will retain the personal data is determined in accordance with our agreement with the data controller (i.e., the Customer).
Under certain circumstances, local data protection laws (such as the GDPR) may give you certain rights vis-à-vis the data controller (i.e., the Customer) with respect to the personal data. These rights may, depending on the circumstances, include one or more of the following:
- A right to withdraw consent
- A right of access to personal data
- A right to rectify inaccurate personal data
- A right to have personal data erased
- A right to restrict processing of personal data
- A right to data portability
- A right to object to the processing of personal data
If the User has any questions on or seeks to exercise any such rights, the User should contact the data controller, i.e., the Customer.
Updates to this processor privacy statement
Acubiz may change and update this processor privacy statement at any time and without notice, including to comply with applicable laws and other requirements. The latest version will at all times be available here: https://www.acubiz.com/privacy-policy/acubiz-one. You are advised to consult this statement regularly for any changes.