DATA PROTECTION POLICY OF A&M ApS
1.1 This Data Protection Policy (“Policy”) applies to all Personal Data which you provide to us and/or which we collect about you, either in the course of your employment with A&M ApS (the “Company”) or because you are associated with the Company in another capacity, e.g. as a volunteer. We are the data controller for the Processing of your Personal Data.
1.2 In this Policy you can read more about the Personal Data we collect and how we handle your Personal Data.
1.3 Our general legal Processing framework is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and the attendant rules. In addition, the Danish act on supplementary provisions to the EU Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (Act No. 502 of 23 May 2018) will apply.
1.4 All questions concerning this Policy and any suspected non-compliance should initially be directed to Nadika Johansen at firstname.lastname@example.org.
2. Purpose of Processing your Personal Data
2.1 When you work for us, whether as an employee or in another capacity, we will need to process your Personal Data for the following purposes:
- Documentation of educational background, experience, etc.
- Drafting of employment or engagement contract
- General HR management purposes, including recording of absence due to sickness, holiday, etc.
- General payroll and rights payment administration, including reporting of information to the Danish tax authorities
- Management of access rights to the Company’s IT systems
3. Why are we permitted to process data about you (legal basis for Processing)?
3.1 When you are first employed with us or decide to volunteer for us, you enter into an agreement with us. For general HR management purposes, we need to process your Personal Data.
3.2 We may also process a number of general Personal Data about you in the course of your employment or association with us because of our legitimate interests in Processing such data.
3.3 In some cases we are also legally required to process Personal Data about you. By way of example, this could be for purposes of documenting salary payments etc. in accordance with the provisions of the Danish Bookkeeping Act (bogføringsloven). Among other things, we are required to keep our accounting records for five years after the end of the financial year which the records concern. Moreover, the Company is subject to a number of tax law obligations, including under the Danish Tax Audit Act (skattekontrolloven), for example in connection with withholding and reporting of tax, earned income, etc., which also means that we are required by law to process Personal Data about you. When reporting information to the Danish tax authorities, we are required to use your civil registration (CPR) number, and this requirement is therefore the legal basis for our collection and Processing of your civil registration (CPR) number.
3.4 Our Processing of any Special Categories of Personal Data (sensitive data), such as data about your health, is subject to consent from you or is necessary for the establishment, exercise or defence of legal claims.
4. Personal Data we process about you
4.1 We collect the following Personal Data directly from you:
4.1.1 We collect the following general Personal Data: Name, address, postal code, city, mobile telephone number, email address, registration and account number. We also process data about your civil registration (CPR) number.
4.1.2 In general, we collect no special categories of data about you. However, occasionally, and with your consent, we may also collect health data, for example if you fall sick and inform us of the reason why or provide a medical certificate. Due to Covid-19 we currently collect and register test results from selected employees.
4.1.3 In connection with recruitment we may ask you to submit a copy of your criminal record. We will only process your criminal record if we have obtained consent from you. We will erase the criminal record immediately after we have read it and will not keep it.
5. Sharing your Personal Data
5.1 We share your Personal Data with our third-party providers of HR management services, including for example payroll services, IT hosting services, etc. This means that we may share your Personal Data with, for example, Data Processors, e.g. in the form of service providers and technical support.
5.2 We may also share your data with our group companies/entities to the extent that we are entitled to do so under the law.
5.3 In addition, we will share your data to the extent that we are required to do so, for example as a result of requirements to report information to public authorities such as the Danish tax authorities.
6. Sharing your Personal Data with non-EU/EEA recipients
6.1 A few of our service providers and customers are located outside the EU/EEA. We may therefore sometimes share your Personal Data with non-EU/EEA recipients. However, this will require:
- that an adequacy decision has been issued by the European Commission for the level of protection offered by the country or the international company in question;
- that the standard contractual clauses on data protection adopted by the European Commission have been entered into between us and the recipient of your Personal Data;
- that the recipient in question is certified in accordance with Article 42 of the GDPR; or
- that the recipient in question has adopted a set of binding corporate rules.
6.2 We may also sometimes ask for your consent to transfer your Personal Data to non-EU/EEA recipients, or such transfer may sometimes be necessary for the performance of an agreement with you or the implementation of pre-contractual measures taken at your request.
6.3 You are entitled to information about or a copy of any appropriate safeguards which form the basis of the transfer of Personal Data to non-EU/EEA recipients or – in the case of exemptions provided under Article 49 of the GDPR – the exemptions which serve as the basis for such transfer.
7. Retention and erasure of your Personal Data
7.1 The Personal Data that we process about you for HR management purposes, such as data about your educational background, experience, absence records, management of employee benefits, insurance, pension, health, payroll as well as reporting of information to public authorities, will be retained until it is no longer relevant to retain it for legal or other reasons (e.g. rights issues).
8. Your rights
8.1.1 You have the right to access the Personal Data we process about you. By contacting the Company, you may request access to the Personal Data we hold about you, including the purposes for which the data were collected. We will comply with your request as soon as possible.
8.2 Rectification and erasure
8.2.1 You have the right to request rectification, supplementary Processing, erasure or blocking of the Personal Data we process about you. We will comply with your request as soon as possible, where necessary. If, for some reason, your request cannot be complied with, we will contact you.
8.3 Restriction of Processing
8.3.1 In certain circumstances, you have the right to restrict the Processing of your Personal Data. Please contact the Company if you would like to restrict the Processing of your Personal Data.
8.4 Data portability
8.4.1 Subject to certain conditions, you have the right to receive, in a structured, commonly used and machine-readable format, the Personal Data which you yourself have provided to us and only data about you yourself (data portability). Please contact the Company if you would like to exercise your rights concerning data portability.
8.5 Withdrawal of consent
8.5.1 If the Processing of your Personal Data is based on your consent, you have the right to withdraw consent. If you withdraw consent, this will not affect the legality of the Processing that was carried out before such withdrawal. Please contact the Company if you have any questions or queries as to whether you have given your consent to the Processing of your Personal Data or if you wish to withdraw consent.
8.6 Conditions and/or restrictions to your rights
8.6.1 Your exercise of the above rights may be subject to conditions or restrictions.
9. Complaints to supervisory authority
9.1 Any complaint about our Processing of your Personal Data may be submitted to the Danish Data Protection Agency:
The Danish Data Protection Agency, Borgergade 28, 5th floor, 1300 Copenhagen K, Denmark,
tel.: +45 3319 3200, email: email@example.com
10. Amendments and updates
We reserve the right to amend this Policy as and when needed. This version of the Policy is effective from December 2020.