Spendesk, a simplified joint stock company registered with the Paris Trade and Companies Register under number 821 893 286 and having its registered office at 51, rue de Londres - 75008 Paris (France), provides an intuitive solution that helps companies to manage, pay and monitor their business expenses more effectively, available on the web and as a mobile app (hereinafter the “Spendesk Solution”), and publishes the websites accessible at www.spendesk.com and www.cfoconnect.eu/en/ (hereinafter the “Website”).
A. Overview / Introduction
As part of its activities, Spendesk is required to process Personal Data belonging to various categories of persons. This Personal Data may be collected from the Website, the Spendesk Solution, through third-party partners that are themselves data controllers (event partners, recruitment platforms, etc.), and is processed for the purposes indicated below.
Personal Data means any information relating to an identified or identifiable natural person; an “identifiable natural person” is deemed to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a telephone number, an email address, location data or an online identifier.
By subscribing to and/or using the Website and/or the Spendesk Solution, You acknowledge and accept that Spendesk processes certain Personal Data concerning You, as well as certain information on expenses incurred with the tools and/or recorded via the Spendesk Solution. In addition, Spendesk puts in place security measures aimed at guaranteeing the confidentiality, integrity and availability of Your Personal Data and limiting access only to persons with a need to know.
Below you will find the main answers to the questions You may have about Spendesk’s personal data protection commitments.
B. Spendesk Data Protection Officer
To supervise Spendesk’s commitments and its compliance with the Personal Data Regulation, Spendesk has appointed a Data Protection Officer (DPO), who can be contacted by email (firstname.lastname@example.org).
C. Spendesk statuses and responsibilities
As part of the processing of Your Personal Data, Spendesk may have the status of data controller or data processor. The specific terms of these statuses are set out below.
1. Spendesk, data controller
In accordance with the Personal Data Regulation, the data controller is the legal or natural person that determines the means and purposes of processing Personal Data.
As data controller, Spendesk processes Your Personal Data, in particular if you are:
Candidate(s), Spendesk employee(s);
Prospect(s), marketing contact(s), sales contact(s) at Spendesk’s Customer;
Beneficial owner(s), legal representative(s) of the Spendesk Customer;
User(s) of the Spendesk Solution;
Member(s) of the communities managed by Spendesk (including CFO Connect);
Internet user(s) browsing the Website.
Your Personal Data is processed by Spendesk, in its capacity as data controller, for the following purposes:
Management and monitoring of the candidate’s recruitment process (including background checks);
Management of the employment relationship and payment of employee-related social security contributions;
Management of the marketing relationship and management of Spendesk communities (including CFO Connect);
Required anti-money laundering and counter-financing of terrorism (AML-CFT) checks related to the Customer’s account opening and use;
Sales and contract management with the Spendesk Customer;
Research and development regarding the Spendesk Solution and the Website (including by conducting A/B tests);
Video and audio recording of calls to improve Spendesk services and to train and monitor the performance of Spendesk staff;
Notification of incidents after subscription to the notification emails via the page https://spendesk.statuspage.io/;
Supervision of User accounts on the Spendesk Solution to provide technical support to the Customer and to train Spendesk staff authorised to process the Customer’s information; and
Detection, prevention and mitigation of fraudulent or other illegal activities.
2. Spendesk, data processor
In accordance with the Personal Data Regulation, the data processor is the legal or natural person that processes the Personal Data on behalf of and on the instructions of the Data Controller.
As data processor, Spendesk processes Your Personal Data in particular if you are:
User(s) of the Spendesk Solution in its free and/or paid versions.
Your Personal Data is collected either directly from You or indirectly as part of the API integration of third-party platforms into the Spendesk Solution or in connection with Personal Data that You choose to make public on third-party social media platforms.
Your Personal Data is processed by Spendesk, in its capacity as data processor, for the following purposes:
Provision of a SaaS Platform for payments, invoices and flows management to authorise Users’ business expenses;
Provision of Payment Services to the Customer and Users, including:
opening a payment account in the Customer’s name
issuing debit cards for each User at the Customer’s request
managing payment transactions (including by card and transfer)
managing requests and complaints from the Customer or one or more Users
Management of business expenses: payment and/or reimbursement of the User’s business expenses, analysis and retention of invoices and receipts in accordance with accounting and tax regulations;
Provision of anonymised data on industry trends in business expenses according to pre-determined criteria based on the Customer’s field of activity.
D. Details of Personal Data processed by Spendesk
1. Spendesk - data controller
| Processing purpose(s) | Data subject categories | Nature of the data processed | Legal basis/bases | Retention period(s) |
|---|---|---|---|---|
| Monitoring of the recruitment process | Candidates | Last name, first name, phone number, email address, CV, immigration data | Spendesk’s legitimate interest; Consent; Compliance with a legal obligation | If consent, up to two (2) years after the end of recruitment |
| Management of the employment relationship and payment of employee-related social security contributions | Employees | Last name, first name, phone number, email address, identity documents and social security affiliation documents, bank information, immigration data | Spendesk’s legitimate interest; Performance of the employment contract; Compliance with a legal obligation | During the term of the employment contract and during the retention periods imposed by the regulation applicable to labour law |
| Tracking of browsing on the Website (see details in the Cookies Policy) | Internet users | Cookie ID, IP address, browsing information | Spendesk’s legitimate interest; Consent | Details of the retention periods are provided in the Cookies Policy |
| Management of the marketing relationship: invitation to events, newsletters, recategorisation as a prospect; Relationship management in Spendesk communities | Member(s) of the community | Last name, first name, email address, telephone number, company, position, Slack ID | Spendesk’s legitimate interest; Consent | Up to three (3) years after the last contact |
| Commercial prospection | Prospects | Last name, first name, email address, phone number, company, position | Spendesk’s legitimate interest; Consent | Duration of prospection and up to thirty-six (36) months, unless prior opposition |
| AML-CFT checks related to the Customer’s account opening and use | Main User (or agent of the Spendesk Account), beneficial owner(s), legal representative(s) of the Customer | Last name, first name, postal address, date of birth, nationality, email address (only for the Main User), nature of the relationship with the Customer (only for beneficial owners), identity document and any other supporting document necessary for validating the Customer to enter into a business relationship, financial transaction data | Compliance with a legal obligation; Spendesk’s legitimate interest | For the duration of the contractual relationship with the Customer and up to five (5) years after the end of the business relationship |
| Sales and contract management with the Spendesk Customer | Customer’s sales contact | Last name, first name, phone number, email address, company, position | Spendesk’s legitimate interest | For the duration of the contractual relationship and up to five (5) years after the end of the business relationship |
| Research and development | Internet users, Users | Browsing data, cookie ID or other tracker(s), device ID(s) (IP address, IDFA, ADID, etc.), session | Spendesk’s legitimate interest; Consent | Depending on the project |
| Video and audio recording of calls for the purposes of improving Services, training and monitoring Spendesk staff performance | Employee, Prospect, Customer, User | Last name, first name, phone number, email address, voice, image | Spendesk’s legitimate interest; Consent | Up to six (6) months after the date of the recording |
| Notification of incidents via the page https://spendesk.statuspage.io/ | Person who subscribed to the notification | Phone number, email address, Slack identifier | Consent | Until opting out of notifications |
| Supervision of User accounts | Users | Last name, first name, company, position, financial transactions | Spendesk’s legitimate interest; Consent | During account’s supervision |
| Systems’ security | Candidates, Employees, Users | Login data (User ID, device ID, logs), IP address | Spendesk’s legitimate interest | Up to three hundred and sixty-five (365) days after collection of the login logs |
2. Spendesk - data processor
| Processing purpose(s) | Categories of data subjects | Nature of the data processed | Legal basis/bases | Retention period(s) |
|---|---|---|---|---|
| Opening of the Customer’s Account | Main User (or agent of the Spendesk Account) | Last name, first name, postal address, date of birth, nationality, email address | Spendesk’s legitimate interest | For the duration of the contractual relationship and up to two (2) years after the end of the Main User’s use of the Spendesk Solution |
| Management of the use of the Spendesk Solution by the User | User(s) | Last name, first name, email address, phone number, postal address (only if sending a physical payment card), gender, picture (optional), position, IBAN (optional), login data (username, password, IP address) | Consent; Compliance with a legal obligation | Up to two (2) years after the end of the User’s use of the Spendesk Solution |
| Management of business expenses | User(s) | Last name, first name, user ID, email address, financial transaction(s), invoice(s) and receipt(s) | Compliance with a legal obligation | Up to two (2) years after the end of the User’s use of the Spendesk Solution; Up to five (5) years after the end of the business relationship; Ten (10) years from the end of the calendar year in which invoices/receipts were received |
E. Use of sub-processors
As part of certain processing of Your Personal Data, Spendesk may use sub-processors.
Spendesk chooses its subcontractors with the utmost care and uses only subcontractors that provide sufficient security guarantees.
For more information on the subcontractors involved in the provision of the Spendesk Solution, please visit https://www.spendesk.com/en/legals/subprocessors.
F. Security measures
Spendesk places the utmost importance on the security of the Personal Data entrusted to it. In accordance with the Personal Data Regulation, Spendesk undertakes to take all necessary precautions to preserve the security of the Personal Data and, in particular, to protect it against accidental or unlawful destruction, accidental loss, corruption, dissemination or unauthorised access, as well as against any other form of unlawful processing or disclosure to unauthorised persons.
As such, Spendesk:
implements security practices and measures in accordance with our industry standards to ensure the integrity, availability and confidentiality of Your Personal Data;
implements a policy for managing rights to access Your Personal Data based on the principles of least privilege, need to know and function (Role-Based Access Control);
implements appropriate electronic, physical and management procedures to safeguard and preserve the processed data;
ensures that sufficient confidentiality measures are in place and that the persons who have access to Your Personal Data comply with them;
ensures that it uses only partners and/or subcontractors that meet the security requirements requested by Spendesk;
performs regular security controls and audits on its systems to be able to attest to their robustness.
Spendesk does not otherwise disclose Your Personal Data to third parties, unless: (1) You (or the holder of Your account acting on Your behalf) requests or authorises its disclosure; (2) disclosure is necessary to process transactions or provide the services You have requested; or (3) Spendesk is obliged to transmit Your Personal Data to an administrative or judicial authority.
G. Hosting and transfer of Personal Data
The Personal Data processed by Spendesk is hosted on secure servers within the European Union.
In the event that Personal Data is transferred outside the European Union, Spendesk undertakes to implement the measures required by the Personal Data Regulation (security measures, adequate transfer mechanism, etc.).
H. Your rights over Your Personal Data
In accordance with the Personal Data Regulation, You have at any time a right of access, rectification, restriction, erasure and deletion of Personal Data concerning You, as well as a right to object and a right to portability.
You may also send us in advance your instructions regarding how Your Personal Data is handled after Your death.
To exercise Your rights, or to learn more about them, You can contact our Data Protection Officer:
by post: Spendesk SAS - Data Protection Officer (DPO) - 51 rue de Londres, 75008 Paris, France;
by email: email@example.com
We will respond to Your request within thirty (30) days, possibly renewable, and may request a copy of Your identity document for verification only.
However, we may not respond to some of Your requests to exercise rights, in particular where the processing of Your Personal Data is necessary for the performance of the current contract or the processing is carried out pursuant to a legal obligation applicable to Spendesk.
Regarding requests relating to the Personal Data processed as part of the Spendesk Solution, You may at any time edit Your personal identification data (title, first name, last name, email, telephone number, password) by logging into the “My profile” section of Your account, in accordance with the Spendesk Solution identification and use policy possibly implemented by Your employer.
You can request the exercise of Your rights by contacting Your employer (data controller), as well as by writing to us directly at firstname.lastname@example.org. We will inform Your employer of the nature of Your request and the action to take.
If You consider that Spendesk is not complying with its obligations regarding the protection of Personal Data or is failing to respond to Your requests satisfactorily, You may refer the matter to the French supervisory authority - National Commission for Information Technology and Civil Liberties (CNIL) - via its website (www.cnil.fr/en) or by post (CNIL, Service des Plaintes, 3 place de Fontenoy - TSA 80715 - 75334 Paris Cedex 07).
Lastly, in accordance with the provisions of article L.561-45 of the French Monetary and Financial Code, You must send Your right of access request relating to the processing carried out as part of our obligations relating to AML-CFT indirectly to the French supervisory authority, the National Commission for Information Technology and Civil Liberties (CNIL).
To learn more about Your Personal Data protection rights, visit the CNIL website at www.cnil.fr/en.