Privacy Policy

Introduction and who we are

This privacy policy will help you understand how we may collect and use your personal information. This policy also describes your rights and how you can use your rights. You can easily contact Medius if you have any questions related to this policy.

References to "Medius" on this site should be considered as references to Medius Sverige AB and all of its subsidiaries and affiliates. Medius Sverige AB is a Swedish limited company with registration number 556820-2765, VAT number SE556820276501, registered office and address at Platensgatan 8, 582 20 Linköping , Sweden and email info@medius.com and phone +46 13 12 16 30. Jim Lucier is the CEO of the Medius Group.

Medius is the owner and publisher of the websites accessible at https://www.medius.com and https://www.expensya.com. Medius is acting in the capacity of Controller when collecting and processing personal data on its own behalf and for its own purposes. This means situations in which Medius determines the purposes and the means of such processing at its own discretion.

For certain services, Medius has been retained by our customers to process personal data as a Processor. In such cases, Medius shall process your personal data on behalf of and based on the specific instructions given by our customer as the Controller. The subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, together with the rights and obligations of the parties with respect to such processing will be covered by a data processing agreement (or equivalent terms) agreed between Medius and our customer. For example: suppliers who are invited by Medius’ customers to interact with them on the Medius Supplier Portal should take note that the Medius customer is the Controller in relation to the processing of their personal data. As such, business partners are encouraged to connect directly with the respective Medius customer to find out how their personal data is processed in the Supplier Portal.

What personal data do we process and from whom is such data collected?

The type of personal data that Medius processes about you may be:

  • Your contact details, such as name, address, telephone number and email address
  • Your job title, position including preferences and interests in a professional context and your company’s name
  • Website traffic information as provided by your web browser such as browser type, language and the address of the referring website and other traffic information such as IP address
  • Website visitor behavior such as which links you click and when
  • Any other information that we collect online from you and maintain in association with your account, such as your user name and password
  • Any other information that you provide to use when you are communicating with us

How We Collect Your Personal Information and How It Is Held

Medius may collect personal data directly from you when you make purchases of products and services, you request support for a product or service, you create a user account, you participate in surveys and evaluations or when you submit questions or comments to us.

On Medius’ websites you can register to access educational content, subscribe to our newsletters, sign up to our events and fill in a contact request. In general, Medius collects personal data directly from you when you register on our sites or fill out a form. We may also, with your consent, use cookies and other tracking technology when you use our websites in order to optimize your experience of these.

Cookie policy for www.medius.com and www.expensya.com

We may also collect information about you from other sources, including publicly available databases or third parties from whom we have purchased data or to whom you have provided your data, and combine this data with information we already have about you. We may also receive information from other affiliated companies that are a part of our corporate group. This helps us to update, expand and analyze our records, identify new prospects for marketing, and provide information about our products and services that may be of interest to you.

How we use the information we collect and receive

Your personal data may be saved and processed by Medius for the following purposes:

  • In order to answer a contact request or to send you educational content, newsletters, press release and similar information or invitations for seminars and similar events to you. Accordingly, if you do not provide the requested personal information, Medius will not be able to respond to a contact request or to send you any newsletters or invitations and information.
  • For marketing and market research, as well as basis for Medius’ market and customer analyses, business and product development, and statistics
  • To personalize your experience (your information helps us to better respond to your individual needs)
  • To improve our websites (we continually strive to improve our websites offerings based on the information and feedback we receive from you)
  • To allow Medius to provide, maintain, monitor, improve and develop our business and services and to personalize our services for you

Purpose and lawful basis for the processing

In accordance with Medius’ assessment, the processing is necessary for the purposes of Medius' legitimate interest to enable our business and in answering a contact request, for the performance of a contract, or administering newsletters, information and invitations to you in accordance with your wishes to be contacted or to receive requested information, respectively.

In addition, Medius’ processing of your personal data for marketing purposes, for market research, for market and customer analysis, business and product development and statistics, is based on a legitimate interest. According to Medius’ assessment, the processing is necessary for Medius' legitimate interest to market its products and services, and to analyze and develop its business and operations.

Medius may also use your personal data for the purpose of compliance with applicable laws and protection of our legitimate business interests and legal rights, including but not limited to, use in connection with legal claims, compliance, regulatory, investigative purposes (including disclosure of such information in connection with legal process or litigation).

 

How long do we store your personal data?

In general, Medius will only retain your personal data for as long as necessary for the stated purpose, while also taking into account our need to answer queries or resolve problems and to comply with legal requirements under applicable law. This means that we may retain your personal data for a reasonable period after your last interaction with us (normally for a period of three calendar years from your last interaction with us but if you are representing a customer of Medius, we may keep your information for the duration of the contractual relationship and to the extent permitted also after the end of that relationship for as long as necessary to perform the purpose). When the personal data that we collect is no longer required in this way, we destroy or delete it in a secure manner.

Personal data provided in connection with newsletter subscriptions, event registrations or information requests are stored by Medius until you unsubscribe from the Medius Communications or Expensya Communications applicable service. However, if you unsubscribe, Medius will continue to process your personal data to the extent necessary to ensure by technical means that no further posting of newsletters, event invitations, educational information and similar are sent to you. If Medius does not save your personal data in this respect, Medius will not be able to ensure that no further newsletters, invitations or information will be sent to you. The continued processing of your personal data is, according to Medius' assessment, necessary for the purposes of Medius’ legitimate interest in preventing sending of newsletters, information and invitations to you in accordance with your expressed desire.

Your rights

You have the right to request a confirmation from Medius as to whether or not personal data concerning you are being processed and, where that is the case, obtain access to your personal data. You also have the right to request that Medius corrects any inaccuracies in your personal data and that Medius shall erase your personal data or restrict the processing of your personal data. You further have the right, at any time, to object to Medius’ processing of your personal data if you believe that Medius has no legitimate interest in processing the personal data or to the use of your personal data for the purposes of direct marketing. You have the right not to be subject to decisions based on automated decision-making. If the processing of your personal data is based on your consent or on performance of a contract to which you are a party, you shall have the right to receive your data in a structured, commonly used and machine-readable format (data portability). You are finally entitled to lodge a complaint regarding Medius’ processing of your personal data with a local supervisory authority in your country of residence. You can contact Medius for more information about these rights.

How do we share your personal data?

Ensuring your privacy is important to Medius. We do not share your personal data with third parties except as described in this privacy policy. We may share your personal data with:

  • Third party service providers (for example to email and hosting providers and partners that are administrating webinars or websites or distributing press releases and other information on behalf of Medius and to any other third parties to the extent such disclosure is required to enable products or services to be provided to you and/or our clients);
  • Business partners and channel partners;
  • Affiliated companies within our corporate structure; and
  • As needed for legal purposes (for example to authorities in accordance with applicable laws and regulations).

Medius may also share your personal data in connection with mergers, acquisitions or divestiture of all or parts of Medius’ business, where the acquiring entity as well as its consultants and Medius’ own consultants may obtain access to data managed by Medius.

When sharing your personal data with third parties we take appropriate technical, organizational and legal measures in accordance with applicable data protection legislation. Medius has also established Data Processing Agreements with any third party with which your personal data is shared.

 

Transfer of personal data

For personal data collected within EEA, the personal data collected is generally processed within EEA. In cases where Medius transfers your personal data outside the EEA, such transfer is based either on a decision by the EU Commission that the third country in question ensures an adequate level of protection, or on appropriate safeguards to ensure that your rights are protected. Examples of appropriate protection measures are standard contract clauses in combination with additional safeguards or binding corporate rules.

We may disclose personal information to our related third-party service providers located overseas. We take reasonable steps to ensure that the overseas recipients of your personal information do not breach the applicable privacy obligations relating to your personal information. We may disclose your personal information to entities that transfer data as provided in Exhibit 1.

Specifics about emails

In cases where an e-mail sent to or from Medius contains personal data, Medius’ receipt/dispatch and further processing of such e-mail means that we process personal data. E-mails almost always contain personal data because the e-mail address itself is usually considered as personal data. The e-mail may also contain other information that is considered as personal data. When Medius sends e-mails, we either do so to communicate with the recipient (e.g. to reply to an e-mail from him/her or to ask a question), or to inform the recipient of something.

The content of incoming e-mail is usually unknown when the email is received by Medius. When that is the case, the personal data contained in the e-mail is processed by Medius for the purpose of receiving and reading the e-mail to assess if the e-mail shall be deleted or if Medius shall take action. For e-mails sent from Medius, similar considerations are made in connection with dispatch of the e-mails.

If Medius, after receipt of an incoming e-mail, or in connection with sending an outgoing e-mail, considers that the e-mail should not be deleted, and that further processing is necessary, Medius will on a case-by-case basis decide the legal basis, means and period for the processing. The legal basis for the processing of e-mails depends among other things on the content of the e-mail and whether Medius has any relationship with the recipient/sender.

If an email received by Medius contains personal data about a third-party individual, Medius will inform such individual that Medius processes personal data about him/her, provided (i) the identity of the individual is clear and (ii) the provision of such information proves impossible or would involve a disproportionate effort for Medius.

If Medius upon receipt/dispatch of an e-mail, determines that the e-mail shall be deleted, deletion will be made within a reasonable time after receipt/dispatch. If Medius determines that further actions will be taken, it depends on the content of the e-mail, as well as the continued processing and purpose of the same, how long the e-mail, including the personal data, will be kept by Medius.

Complaints

You may exercise your rights by emailing us at privacy@medius.com or submitting a request here. We will respond to the complaint within 5 days of receipt and will take all the reasonable steps to reach a decision on the complaint within 30 days from the receipt of the complaint. We may disclose information regarding the complaint to any relevant contractor and/or provider that holds the personal information about the subject of the complaint. In the event you are not satisfied with the decision or resolution given by Medius, you may file a complaint to the relevant data protection authority, which, for Australian residents, can be done on the Information Commissioner’s website at www.oaic.gov.au.

Security

Medius takes security seriously. We take various steps to protect information you provide to us from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the information we collect, process and store, and the current state of technology. Please visit our trust center (https://www.medius.com/trust-center/) to read more about our security measures.

Changes to this privacy policy

We may change this policy from time to time and if we do we will post any changes on this page. If you continue to interact with us after those changes are in effect, you are agreeing to the revised policy. You can see previous versions of our privacy policy below.

Previous privacy policies:

Privacy policy 9 June 2021 - 19 December 2021

Privacy policy 27 January 2020 - 8 June 2021

Privacy policy 18 June 2019 - 26 January 2020

Privacy policy 7 February 2019 - 17 June 2019

Privacy policy 13 April 2018 - 6 February 2019

Privacy policy prior to 13 April 2018

Last updated: 6 May 2024