PRIVACY POLICY
PRIVACY POLICY
- The general data protection regulation & privacy policy (GDPR)
1.1 General data protection regulation and the personal data-law regulates the handling of personal data which includes all information attributable to a physical person, e.g. name, address, e-mail addresses, phone details etc.
1.2 General data protection regulation (GDPR) and the personal data-law lay down rules for when and how personal data is to be processed. Processing of personal data includes all data processed including – for example – collection, storage and deletion.
- MuchMoreWater’s privacy policy
2.1 We process personal data, as a data controller, as well as a data processor for our customers. We control and/or process personal data for our customers and have therefore adopted this privacy policy which describes how we treat personal data. Points 3-13 cover situations where we are data controllers, point 14 covers situations where we are processing data on behalf of our customers.
2.2 We prioritize the protection of personal data highly, regardless of the nature of the data and the transactions thereof. In relation to this we will take the necessary technical and organizational security measures to prevent that personal information is accidentally or illegally destroyed, lost, deteriorated, disclosed to unknown persons/organizations or is abused or handled in conflict with the law.
- Data Controller
3.1 The data controller for processing personal data is:
MuchMoreWater A/S
Staerkendevej 43, 4000 Roskilde, Denmark
Phone number: +45 8020 8020
Contact person: Jesper Ellegaard, jee@muchmorewater.com - Categories of personal information
4.1 We only collect and process the information that is relevant, adequate and necessary for us to fulfill our obligations and/or ensure our rights towards our customers and suppliers, and for the security of our employees, for human resource purposes including managing job applications.
4.2 As a rule we collect only general personal information, such as name, address, e-mail address, phone number, birthday and social security number.
4.3 If we gather data in relation to existing or potential employment and/or similar relationship, we may also collect and process sensitive personal information such as health information, information related to the person in relation to convictions, criminal history, union and unemployment information etc.
- Personal information received from other parties
5.1 For the purpose of fulfilling our obligations towards our customers, partners or employees, and ensuring our rights towards our customers and suppliers or duties as an employer, we can reserve the right to collect and process information from public authorities, employment services, recruitment offices etc. - Information about collected information data
6.1 The physical persons whose data we register will receive registration information etc. in accordance with the general data protection regulation article 13 and 14.
6.2 Secondary persons, (e.g. contact information etc. concerning contacts within an associated company, partners or suppliers) will not receive information by article 13 and 14. These persons are advised to make themselves familiar with the content of this personal data policy. Partners or suppliers are encouraged to inform their contacts to of the contents of this policy.
- Purpose of processing personal data
7.1 We only handle personal information that is relevant, necessary and sufficient in relation to the purposes described below.
7.2 We will take every reasonable step to ensure that personal data is correct in relation to the purposes for which they are processed.
7.3 The registered person may at any time contact the data controller for the purpose of correcting erroneous data processed, or misleading information.
- Basis for data processing
8.1 The data processing takes place in order to safeguard secure our legitimate interests or our performance of duties obligations as an employer, in reference to general personal data regulation article 6 including:
- to fulfill a contract with the registered person
- to comply with a legal obligation
- to protect the person’s vital interests, and/or
- to pursue a legitimate interest for us
8.2 If we use personal data for marketing, this will only be towards customers, suppliers and secondary entities. NOTE: Personal data will only be used for the purpose of marketing towards the registered party based on consent from the registered party.
8.3 Sensitive personal data can be processed to carry out tasks such as employers for the purpose of fulfilling our responsibilities as employers in accordance with the general data protection regulation article 9 and article 10:
– to comply with occupational, health and social obligations and specific rights and/or
– for legal requirements to be established, enforced or defended.
- Disclosure of personal data
9.1 Personal data can be transmitted to the following categories as of recipients:
9.2 Suppliers, subcontractors, customers, public authorities, courts, arbitration tribunals, advisors and similar, banks, insurance companies, tax offices, pension funds, unions and unemployment funds.
10.Transfer of personal data to countries outside the EU / EEA
10.1 Personal data will, as a basis of operation, not be transferred to countries outside EU / EEA. If this should occur, the data processor will comply with both the general data protection regulation rules as well as the rules of the home country concerned.
11.Personal data storage
11.1 Personal data is kept as long as necessary in order to meet the specified purpose of the information gathering and / or as required by applicable rules. Then the data are is deleted or anonymized.
11.2 Personal information related to customers or suppliers will be stored 5 years after the customer / supplier relationship has ceased.
11.3 Accounting materials are kept for maximum of 8 years after the expiration of the relevant financial year.
11.4 Employment contracts and other material relating to employees are stored for 5 years after the employment ends.
11.5 Applications and associated materials that do not involve recruitment are stored for 3 months after rejections are notified, unless an agreement of a longer storage period has been reached with the applicant.
11.6 If it can be deemed necessary, the information can be stored for longer time than stated above if there is a specific purpose that necessitates this.
- The data subjects’ rights
12.1 The registrant has a number of rights in relation to the personal data we have registered:
12.1.1 Right to objection:
Registered persons have the right to object to the processing of personal data. Objections may be addressed to the data controller as mentioned above under item 3. If the objection is justified, we will arrange to discontinue treatment and storage of that specific data.
12.1.2 Right to insight, correction, etc.:
Registered persons have the right to obtain information about if and what personal data is gathered about them and, if necessary, get further details/information about the registered personal data. We aim to answer such requests within 4 weeks after the request is made.
12.1.3 Rights to be removed/deleted:
Registered persons have the right to have their personal data deleted without undue delays if that person’s data for example is no longer necessary for the purposes to which it has been collected or otherwise processed or other reasons listed in the general data protection regulation article 17, to which reference is made.
12.1.4 Right to have the processing of personal data limited.
12.1.5 The right to receive the personal data which the registrants themselves have provided, in a structured, commonly used and machine-readable format (data portability).
12.1.6 The Right to file a complaint to a local data protection authority.
12.2 There may be situations where the legitimate rights of the registrant must yield to legitimate regards and this will depend on a concrete assessment in each case.
- Automated decisions and profiling
13.1 Automated decisions or profiling are not used. - Data processing on behalf of customers
14.1 If, as part of a customer relationship, data processing takes place. This is done only according to a data-processing agreement with the customer, where we are required to:
- Process personal data, using employees subject to professional secrecy, in agreement with and instructions from the data controller, including registration and storage.
- Not transfer personal data to third parties without the data controller’s prior written instructions.
- Take the necessary technical and organizational security measures to avoid that personal information is accidentally or illegally destroyed, lost, deteriorated, is exposed to unknown persons/organizations, or is abused or treated in conflict with the law.
- Provide the data controller with the necessary information to confirm this and the information which allows the data controller to check and enforce performance of claims, including with reasonable notice, to the data controller or relevant authorities access to inspection.
- If detecting or suspecting security breaches, inform the data controller immediately.
- To obtain the Data Responsible Acceptance, if subcontractors are to be used for the processing of personal data.
- To delete or correct personal data at the request of the Data Manager as well as to assist the Data Manager in fulfilling the rights of the data subject.
- Change of personal data policy
15.1 It may be necessary to update and change this policy. We reserve the right to do so.