Privacy Policy

Privacy Policy

Contents

1    Introduction
2    Data controller
3    How do we process personal data about you as part of our activities?
3.1    When you subscribe to our newsletter
3.2    Courses, webinars, and other events
3.3    When you communicate with us, e.g. by e-mail, phone, or use our contact form
3.4    When you visit our office
3.5    When we provide our Depositary Services
3.6    When we provide our Compliance Services
3.7    When we provide our Corporate Services
3.8    When we provide our Agency Services
3.9    When you engage with us as a supplier
3.10    If you apply for a job with us
3.11    When you visit our social media profiles
4    Disclosure of personal data to other controllers
5    Your rights
6    Making a complaint
7    Updating our privacy policy

 

Privacy Policy – Nordic Compliance

1 Introduction

Here you can read about how Nordic Compliance Services A/S (hereinafter “NCS”, "we," "us," and "our") collects, processes, and stores your personal data as part of our operations and the activities described in section 3 below.

handling of personal data is crucial to our business goals and reputation. Therefore, this privacy policy describes how and why we collect personal data about you, how the data is used, when it is deleted, and how you can, among other things, access your personal data.

2 Data controller

Nordic Compliance Services is the data controller for the processing activities described in this privacy policy, unless otherwise stated in the activities in section 3 below. If you have any questions about this privacy policy or our processing of your personal data as described in section 3 below, please contact us at:

Nordic Compliance Services A/S
VAT number: 40488316
Address: DOKK1, Hack Kampmanns Plads 2, Level 3, Denmark
E-mail: see Contact

3 How do we process personal data about you as part of our activities?

We collect and process personal data in different situations, and the purposes of the collection, what the personal data is used for and when it is deleted can vary. The individual activities where NCS (as data controller) can collect personal data about you are therefore described separately below.

3.1    When you subscribe to our newsletter
When you subscribe to our newsletter for direct marketing purposes, we process different per-sonal data about you.

3.1.1    What personal data is processed and where does it come from?

We process the following personal data about you in relation to our newsletter services:
•    Contact information (name, email) 
•    Marketing preferences, interests, and click behaviour on published content
•    Your consent and the date of your consent

3.1.2    Why do we process the personal data?

We process your personal data for the following purposes:
•    For direct marketing purposes, and to provide you with our newsletter service

3.1.3    What is the legal basis for our processing? 

Our processing of general personal data is based on the following legal bases:
•    Consent: When you subscribe to our newsletter, we ask for your consent for direct marketing purposes. This legal basis is found in the Danish Marketing Act s. 10. You can withdraw your consent at any time by contacting us (see section 2 above), or by unsub-scribing to our newsletters in the bottom of the email.

3.1.4    Who do we share your personal data with?

We may share your personal data and/or make them available to other suppliers and/or service providers in connection with the general operation of our business, e.g. in connection with the administration of our newsletter solution, analysis, and marketing tasks.

We may transfer your personal data to countries outside of the EU/EEA if necessary to carry out the relevant task. Any transfer will take place subject to valid legal grounds for such transfer (the GDPR Chapter 5), e.g. the Standard Contractual Clauses published by the EU Commission which can be found here: Standard contractual clauses for international transfers - European Commission (europa.eu). We may also rely on the EU-U.S Data Privacy Framework, if we transfer per-sonal data to the US which can be found here: Home (dataprivacyframework.gov).

3.1.5    For how long do we store your personal data?

Your personal data is stored as long as your consent to receive newsletters is active and for a period thereafter to document the validity of the consent.

In accordance with the recommendations of the Danish Consumer Ombudsman, we keep documentation of your marketing consent for at least two years after you have withdrawn your con-sent and in any case for as long as it is relevant for us to be able to document the validity of the consent.

The retention period is based on our legitimate interest in being able to demonstrate that direct marketing has taken place in accordance with applicable legislation (Article 6(1)(f) of the GDPR).  

We may store and process data for longer in anonymised form meaning we can no longer identify you, or if we are obliged to do so by law or as part of a specific case.

3.2    Courses, webinars, and other events
When you participate in our courses, events, seminars (online or in person) etc., we process different personal data about you to deliver these services.

3.2.1    What personal data is processed and where does it come from?

We process the following personal data about you:
•    Contact information (name, phone number, and email) 
•    Title and employer information
•    Video recordings if the event takes place online
•    Other information you may provide us with in connection with the event

3.2.2    Why do we process the personal data?

We process your personal data for the following purposes:
•    To analyse the use of our services and collect statistics to improve our services and products
•    For administration, maintenance, and development of our (existing or future) relationship
•    To communicate with you, such as providing service info and support
•    For marketing purposes, such as providing info about relevant topics and the events
•    For financial purposes

3.2.3    What is the legal basis for our processing? 

Our processing of general personal data is based on the following legal bases:
•    Contractual obligation: When you enter into a contract with us for our event services, we process your personal data in accordance with the rights and obligations agreed be-tween us and to offer you the services. This legal basis is found in Article 6(1)(b) of the GDPR.

•    Legitimate Interest: The personal data may also be processed based on the legitimate interests rule (GDPR Article 6(1)(f)) where the legitimate interest is to administer seminars, communicate, send out evaluation forms etc.

3.2.4    Who do we share your personal data with?

We may share your personal data and/or make them available to other suppliers and/or service providers in connection with the academy services, e.g. if external lecturers are included in the event.

We may also share your personal data with DLA Piper Denmark Law Firm P/S, VAT No. 35 20 93 52.
We may transfer your personal data to countries outside of the EU/EEA if necessary to carry out the relevant task. Any transfer will take place subject to valid legal grounds for such transfer (the GDPR Chapter 5), e.g. the Standard Contractual Clauses published by the EU Commission which can be found here: Standard contractual clauses for international transfers (europa.eu). We may also rely on the EU-U.S Data Privacy Framework, if we transfer personal data to the US which can be found here: Home (dataprivacyframework.gov).

3.2.5    For how long do we store your personal data?

Your personal data is stored as long as we are in a contractual relationship. Personal data is deleted no later than 3 years after the end of the event.

We may store and process data for longer in anonymised form meaning we can no longer identify you, or if we are obliged to do so by law or as part of a specific case.

Accounting material, including personal data, which we are obliged to store, is deleted no earlier than 5 years after the end of the financial year to which the information relates according to the Danish Bookkeeping Act.

3.3    When you communicate with us, e.g. by e-mail, phone, or use our contact form?

When you contact us for support, or otherwise communicate with us, we collect and process your personal data.
We urge you not to disclose any sensitive or confidential personal data to us unless it is strictly necessary for your inquiry. For security reasons, we encourage you to send the information in encrypted form if you submit confidential or sensitive personal data via email.

3.3.1    What personal data is processed and where does it come from?

We collect, process, and store the following types of personal data about you:
•    Contact information (name, email, and phone number)
•    The subject of your inquiry, including date, and any attachments you include
•    Communication history
•    Customer ID
•    Other personal data that you provide in connection with your inquiry

3.3.2    Why do we process the personal data?

We process your personal data for the following purposes:
•    To process your inquiry or request
•    Customer service and sales
•    General communication with you
•    Statistics and analysis to improve our products and services

3.3.3    What is the legal basis for our processing? 

Our processing of general personal data is based on the following legal bases:
•    Contractual obligations: If your enquiry concerns a (potential) agreement, we process your data to implement contractual measures or fulfil the agreement with you (Article 6(1)(b) of the GDPR).
•    Legitimate Interest: We may collect personal data about you to be able to handle your inquiry, communicate with you, provide customer service, and develop our products and services. This legal basis is found in Article 6(1)(f) of the GDPR. You can object to this processing at any time by contacting us (see section 2 above).

3.3.4    Who do we share your personal data with

The personal data may be shared with our IT suppliers (data processors) who process and store the personal data on our behalf and in accordance with our instructions and based on a data processing agreement.

We may also share your personal data with DLA Piper Denmark Law Firm P/S, VAT No. 35 20 93 52, if your request requires us to forward your inquiry.

We may transfer your personal data to countries outside of the EU/EEA if necessary to carry out the relevant task. Any transfer will take place subject to valid legal grounds for such transfer (the GDPR Chapter 5), e.g. the Standard Contractual Clauses published by the EU Commission which can be found here: Standard contractual clauses for international transfers (europa.eu). We may also rely on the EU-U.S Data Privacy Framework, if we transfer personal data to the US which can be found here: Home (dataprivacyframework.gov).

3.3.5    For how long do we store your personal data? 

Your personal data will be deleted when we no longer need to process it for the fulfilment of one or more of the above purposes. In most cases, we will delete your inquiry once we have handled and completed your inquiry.

Depending on the nature of the inquiry, we may retain your personal data for up to 3 years from the response to your inquiry for the purpose of documentation and with reference to the statute of limitations rules on the limitation of ordinary monetary claims.

Accounting material, including personal data, which we are obliged to store, is deleted no earlier than 5 years after the end of the financial year to which the information relates according to the Danish Bookkeeping Act

The personal data may be processed and stored for longer if we are obliged to do so by law.

We may store and process data for longer in anonymised form meaning we can no longer identify you.

3.4    When you visit our office

When you visit our office, we process your personal data for access control and guest registration purposes.

3.4.1    What personal data is processed and where does it come from?

We collect, process, and store the following types of personal data about you:
•    Contact information (name, email, and phone number)
•    Work information
•    License plate (if you arrived by car)
•    Visit history, including date, time, and purpose of visit
•    Other personal data that you provide in connection with your visit.

3.4.2    Why do we process the personal data?

We process your personal data for the following purposes:
•    To provide you access to our office facilities
•    To administer your visit with us
•    To ensure the safety of our employees.

3.4.3    What is the legal basis for our processing?
 
Our processing of personal data is based on the following legal bases:
•    Legitimate interest: Pursuing our or a third party's legitimate interests, which outweigh your fundamental rights and freedoms. This legal basis is found in Article 6(1)(f) of the GDPR. The legitimate interests referred to are our legitimate interests in providing you with access to our office and in protecting our employees. You can object to this processing at any time by contacting us (see section 2 above).

3.4.4    Who are the personal data shared with? 

The personal data may be shared with our IT suppliers (data processors) who process and store the personal data on our behalf and in accordance with our instructions and based on a data processing agreement.

3.4.5    For how long do we store your personal data?

Your personal data is deleted when we no longer need to process it to fulfil one or more of the above-mentioned purposes, for example, if we intend to enter into a collaboration with you or if we need to have follow-up meetings. However, personal data may be kept for up to 3 years after our latest interaction.

The information may be processed for a longer period in anonymized form, or if we are required to do so by law.

3.5    When we provide our Depositary Services

When we provide you with our Depositary services, we collect and process personal data. This may include data about you as our client, including and depending on the nature of your relationship with us, personal data about your employees, board members, corporate owners, ven-dors, consultants etc.

We do not process any sensitive personal data unless it is strictly necessary for our services. For security reasons, we encourage you to send the information in encrypted form if you submit confidential or sensitive personal data.

3.5.1    What personal data is processed and where does it come from?

We collect, process, and store the following types of personal data about you:
•    Contact information (name, email, and phone number)
•    Work, title, and employer information
•    Communication history
•    Financial information and ownership information related to financial assets, corporate shares, bonds, and other securities
•    National identification number, if relevant for the case, e.g. for financial reporting pur-poses
•    Other personal data that you provide us with during our professional relationship.

We usually collect this data directly from you, but we may collect data from public databases and government entities.

3.5.2    Why do we process the personal data?

We process your personal data for the following purposes:
•    To administer our contractual relationship and provide you with our Services, e.g. to per-form internal audits, complete financial reporting, funds administration etc.
•    To communicate with you
•    For customer service, support, and sales
•    To improve our products and services
•    To comply with any applicable law, court order, other judicial process, or the requirements of a regulator
•    To assert or defend legal claims in case of any disputes

3.5.3    What is the legal basis for our processing? 

Our processing of general personal data is based on the following legal bases:

  • Contractual obligations: We process your data to implement contractual measures or fulfil the agreement with you (if you are a privately owned company) when providing our Services (Article 6(1)(b) of the GDPR).
  • Legal obligation: We have to comply with a legal obligation to which we or you are subject to. This legal basis is found in Article 6(1)(c) of the GDPR. The legal obligations, among others, include, depending on our relationship:
    • the Danish Bookkeeping Act
    • the AIFM Act (Alternative Investment Fund Managers Act)
    • the Danish Anti-Money Laundering Act
    • the Danish Statute of Limitations Act
  • Legitimate Interest: We may collect personal data to be able to administer our relationship, defend or pursue legal claims, communicate with you, and develop our services. This legal basis is found in Article 6(1)(f) of the GDPR. You can object to this processing at any time by contacting us (see section 2 above).

Our legal basis for processing you national identification number is:

National identification number (CPR-no.): Data concerning national identification numbers are processed in compliance with the Danish Data Protection Act section 11.2(1)-(3).

3.5.4    Who do we share your personal data with

The personal data may be shared with our IT suppliers (data processors) who process and store the personal data on our behalf and in accordance with our instructions and based on a data processing agreement.
 
We may also share your personal data with government entities such as the Danish Business Authorities and Danish Courts. If a public authority, for example the Danish Financial Supervisory Authority or the Danish Public Prosecutor for Serious Economic and International Crime, takes an interest in certain transactions, we are obliged under the Anti-Money Laundering Act to dis-close such data to the authorities in question.

If you request legal services, we may share your personal data with DLA Piper Denmark Law Firm P/S, VAT No. 35 20 93 52.

We may transfer your personal data to countries outside of the EU/EEA if necessary to carry out the relevant task. Any transfer will take place subject to valid legal grounds for such transfer (the GDPR Chapter 5), e.g. the Standard Contractual Clauses published by the EU Commission which can be found here: Standard contractual clauses for international transfers (europa.eu). We may also rely on the EU-U.S Data Privacy Framework, if we transfer personal data to the US which can be found here: Home (dataprivacyframework.gov).

3.5.5    For how long do we store your personal data?

Your personal data will be deleted when we no longer need to process it for the fulfilment of one or more of the above purposes. In most cases, we retain your personal data for up to 5 years from the end of our contractual relationship and for the purpose of documentation and with reference to the statute of limitations rules on the limitation of ordinary monetary claims.

Accounting material, including personal data, which we are obliged to store, is deleted no earlier than 5 years after the end of the financial year to which the information relates according to the Danish Bookkeeping Act.

Information, documents, and registrations according to the Danish Anti Money Laundering Act are stored for at least 5 years after the end of the business relationship or completion of the single transaction. Personal data is deleted 5 years after the end of the business relationship or the completion of a single transaction, unless otherwise stipulated in other legislation.

Corporate documents are kept for 5 years after the corporate documents are dated.

The personal data may be processed and stored for longer if we are obliged to do so by law.

We may store and process data for longer in anonymised form meaning we can no longer identify you.

3.6    When we provide our Compliance Services

When we provide you with our Compliance Services (KYC, regulatory reporting, support, internal audits etc.), we collect and process personal data about you as our client and your employees.

We do not process any sensitive personal data unless it is strictly necessary for our services. For security reasons, we encourage you to send the information in encrypted form if you submit confidential or sensitive personal data.

3.6.1    What personal data is processed and where does it come from?

We collect, process, and store the following types of personal data about you:
•    Contact information (name, email, and phone number)
•    Work, title, and employer information
•    Communication history
•    Digital footsteps, such as user profile information related to relevant systems needed for our Services
•    For KYC procedures, contact information birthdate and nationality data must be con-firmed by presentation of a scanned copy of a driving license or a passport. When the beneficial owners are not Danish or do not have permanent residence in Denmark, additional data may be required
•    National identification number, if relevant
•    Financial information
•    Other personal data that you provide us with during our professional relationship.

We usually collect this data directly from you, but we may collect data from your employer, public databases, and government entities.

3.6.2    Why do we process the personal data?

We process your personal data for the following purposes:
•    To administer our contractual relationship and provide you with our Services, e.g. to per-form internal audits, complete financial reporting, etc.
•    To communicate with you
•    For customer service, support, and sales
•    To improve our products and services
•    To comply with any applicable law, court order, other judicial process, or the requirements of a regulator
•    To assert or defend legal claims in case of any disputes.

3.6.3    What is the legal basis for our processing?

Our processing of general personal data is based on the following legal bases:
•    Contractual obligations: We process your data to implement contractual measures or ful-fil the agreement with you (if you are a privately owned company) when providing our Services (Article 6(1)(b) of the GDPR).

•    Legal obligation: We have to comply with a legal obligation to which we or you are sub-ject to. This legal basis is found in Article 6(1)(c) of the GDPR. The legal obligations, among others, include, depending on our relationship:

o    the Danish Bookkeeping Act
o    the Danish Anti-Money Laundering Act
o    the Danish Statute of Limitations Act
o    Danish tax laws

•    Legitimate Interest: We may collect personal data to manage our professional relation-ship, to defend or pursue legal claims, communicate with you, and develop our services. This legal basis is found in Article 6(1)(f) of the GDPR. You can object to this processing at any time by contacting us (see section 2 above).

Our legal basis for processing you national identification number is:

•    National identification number (CPR-no.): Data concerning national identification numbers are processed in compliance with the Danish Data Protection Act section 11.2(1)-(3).

3.6.4    Who do we share your personal data with

The personal data may be shared with our IT suppliers (data processors) who process and store the personal data on our behalf and in accordance with our instructions and based on a data processing agreement. 

We may also share your personal data with government entities. If a public authority, for example the Danish Financial Supervisory Authority or the Danish Public Prosecutor for Serious Economic and International Crime, takes an interest in certain transactions, we are obliged under the Anti-Money Laundering Act to disclose such data to the authorities in question.

If you request legal services, we may share your personal data with DLA Piper Denmark Law Firm P/S, VAT No. 35 20 93 52.

We may transfer your personal data to countries outside of the EU/EEA if necessary to carry out the relevant task. Any transfer will take place subject to valid legal grounds for such transfer (the GDPR Chapter 5), e.g. the Standard Contractual Clauses published by the EU Commission which can be found here: Standard contractual clauses for international transfers (europa.eu). We may also rely on the EU-U.S Data Privacy Framework, if we transfer personal data to the US which can be found here: Home (dataprivacyframework.gov).

3.6.5    For how long do we store your personal data?

Your personal data will be deleted when we no longer need to process it for the fulfilment of one or more of the above purposes. In most cases, we retain your personal data for up to 5 years from the end of our contractual relationship and for the purpose of documentation and with reference to the statute of limitations rules on the limitation of ordinary monetary claims.

Accounting material, including personal data, which we are obliged to store, is deleted no earlier than 5 years after the end of the financial year to which the information relates according to the Danish Bookkeeping Act.

Information, documents, and registrations according to the Danish Anti Money Laundering Act and in relation to KYC procedures are stored for at least 5 years after the end of the business relationship or completion of the single transaction.

Personal data is deleted 5 years after the end of the business relationship or the completion of a single transaction, unless otherwise stipulated in other legislation.

Corporate documents are kept for 5 years after the corporate documents are dated.

The personal data may be processed and stored for longer if we are obliged to do so by law.

We may store and process data for longer in anonymised form meaning we can no longer identify you.

3.7    When we provide our Corporate Services

When we provide you with our Corporate Services (e.g. management of Danish subsidiaries, including administration of corporate documentation, storage, ownership administration, completing board meetings, communication with collaboration partners etc.), we collect and process personal data. This may include data about you as our client, data about counterparties and other third parties, depending on the nature of your relationship with us, such as data about your customers, employees, board members, corporate owners, vendors, consultants etc.

We do not process any sensitive personal data unless it is strictly necessary for our services. For security reasons, we encourage you to send the information in encrypted form if you submit confidential or sensitive personal data.

3.7.1    What personal data is processed and where does it come from?

We collect, process, and store the following types of personal data about you:
•    Contact information (name, email, and phone number)
•    Work, title, and employer information
•    Digital footsteps, such as user profile information related to relevant systems needed for our Services
•    Communication history
•    National identification number, if relevant for the case, e.g. if we have to proceed with registration in public databases
•    Financial information
•    Other personal data that you provide us with during our professional relationship

We usually collect this data directly through you, but we may collect data from your employer, public databases, and government entities.

3.7.2    Why do we process the personal data?

We process your personal data for the following purposes:
•    To administer our contractual relationship and provide you with our Services
•    To communicate with you
•    For customer service, support, and sales
•    To improve our products and services
•    To comply with any applicable law, court order, other judicial process, or the requirements of a regulator
•    To assert or defend legal claims in case of any disputes.

3.7.3    What is the legal basis for our processing? 

Our processing of general personal data is based on the following legal bases:
•    Contractual obligations: We process your data to implement contractual measures or ful-fil the agreement with you (if you are a privately owned company) when providing our Services (Article 6(1)(b) of the GDPR).

•    Legal obligation: We have to comply with a legal obligation to which we or you are subject to. This legal basis is found in Article 6(1)(c) of the GDPR. The legal obligations, among others, include, depending on our relationship:

o    the Danish Companies Act
o    the Danish Bookkeeping Act
o    the Danish Statute of Limitations Act
o    Danish tax laws

•    Legitimate Interest: We may collect personal data to manage our professional relation-ship, to defend or pursue legal claims, communicate with you, and develop our services. This legal basis is found in Article 6(1)(f) of the GDPR. You can object to this processing at any time by contacting us (see section 2 above).

Our legal basis for processing you national identification number is:

•    National identification number (CPR-no.): Data concerning national identification numbers are processed in compliance with the Danish Data Protection Act section 11.2(1)-(3).

3.7.4    Who do we share your personal data with

The personal data may be shared with our IT suppliers (data processors) who process and store the personal data on our behalf and in accordance with our instructions and based on a data processing agreement entered into.
 
We may also share your personal data with government entities such as the Danish Business Authority and Danish Courts. If a public authority, for example the Danish Public Prosecutor for Serious Economic and International Crime, takes an interest in certain transactions, we are obliged under the Anti-Money Laundering Act to disclose such data to the authorities in question.

If you request legal services, we may share your personal data with DLA Piper Denmark Law Firm P/S, VAT No. 35 20 93 52.

We may transfer your personal data to countries outside of the EU/EEA if necessary to carry out the relevant task. Any transfer will take place subject to valid legal grounds for such transfer (the GDPR Chapter 5), e.g. the Standard Contractual Clauses published by the EU Commission which can be found here: Standard contractual clauses for international transfers (europa.eu). We may also rely on the EU-U.S Data Privacy Framework, if we transfer personal data to the US which can be found here: Home (dataprivacyframework.gov).

3.7.5    For how long do we store your personal data? 

Your personal data will be deleted when we no longer need to process it for the fulfilment of one or more of the above purposes. In most cases, we retain your personal data for up to 5 years from the end of our contractual relationship and for the purpose of documentation and with reference to the statute of limitations rules on the limitation of ordinary monetary claims.

Accounting material, including personal data, which we are obliged to store, is deleted no earlier than 5 years after the end of the financial year to which the information relates according to the Danish Bookkeeping Act.

Corporate documents are kept for 5 years after the corporate documents are dated.

The personal data may be processed and stored for longer if we are obliged to do so by law.

We may store and process data for longer in anonymised form meaning we can no longer identify you.

3.8    When we provide our Agency Services

When we provide you with our Agency Services, we collect and process personal data. This may include data about you as our client, data about counterparties and other third parties, depending on the nature of your relationship with us.
We do not process any sensitive personal data unless it is strictly necessary for our services. For security reasons, we encourage you to send the information in encrypted form if you submit confidential or sensitive personal data.

3.8.1    What personal data is processed and where does it come from?

We collect, process, and store the following types of personal data about you:
•    Contact information (name, email, and phone number)
•    Communication history
•    Work, title, and employer information
•    Financial information and ownership information related to financial assets, corporate shares, bonds, and other securities
•    National identification number, if relevant for the case
•    Other personal data that you provide us with during our professional relationship.

We usually collect this data directly from you, but we may collect data from your employer, public databases, and government entities.

3.8.2    Why do we process the personal data?

We process your personal data for the following purposes:
•    To manage our contractual relationship and provide you with our Services
•    To communicate with you
•    For customer service, support, and sales
•    To improve our products and services
•    To comply with any applicable law, court order, other judicial process, or the requirements of a regulator
•    To assert or defend legal claims in case of any disputes.

3.8.3    What is the legal basis for our processing? 

Our processing of general personal data is based on the following legal bases:
•    Contractual obligations: We process your data to implement contractual measures or fulfil the agreement with you (if you are a privately owned company) when providing our le-gal services (Article 6(1)(b) of the GDPR).

•    Legal obligation: We have to comply with a legal obligation to which we or you are subject to. This legal basis is found in Article 6(1)(c) of the GDPR. The legal obligations, among others, include, depending on our relationship:

o    the Administration of Justice Act
o    the Danish Companies Act
o    the Danish Bookkeeping Act

•    Legitimate Interest: We may collect personal data to manage our professional relation-ship, personal data about counterparties and third parties to be able to handle cases, defend or pursue legal claims, communicate with you, and develop our services. This le-gal basis is found in Article 6(1)(f) of the GDPR. You can object to this processing at any time by contacting us (see section 2 above).
Our legal basis for processing you national identification number is:

•    National identification number (CPR-no.): Data concerning national identification numbers are processed in compliance with the Danish Data Protection Act section 11.2(1)-(3).

3.8.4    Who do we share your personal data with

The personal data may be shared with our IT suppliers (data processors) who process and store the personal data on our behalf and in accordance with our instructions and based on a data processing agreement entered into. 

We may also share your personal data with government entities. If you request legal services, we may share your personal data with DLA Piper Denmark Law Firm P/S, VAT No. 35 20 93 52.

We may transfer your personal data to countries outside of the EU/EEA if necessary to carry out the relevant task. Any transfer will take place subject to valid legal grounds for such transfer (the GDPR Chapter 5), e.g. the Standard Contractual Clauses published by the EU Commission which can be found here: Standard contractual clauses for international transfers (europa.eu). We may also rely on the EU-U.S Data Privacy Framework, if we transfer personal data to the US which can be found here: Home (dataprivacyframework.gov).

3.8.5    For how long do we store your personal data?
 

Your personal data will be deleted when we no longer need to process it for the fulfilment of one or more of the above purposes. In most cases, we retain your personal data for up to 5 years from the end of our contractual relationship and for the purpose of documentation and with reference to the statute of limitations rules on the limitation of ordinary monetary claims.

Accounting material, including personal data, which we are obliged to store, is deleted no earlier than 5 years after the end of the financial year to which the information relates according to the Danish Bookkeeping Act.

Corporate documents are kept for 5 years after the corporate documents are dated.

In case we handle any legal claims, the personal data may be kept according to the Danish Statute of Limitations Act, and up to 30 years, depending on the nature of claims.

The personal data may be processed and stored for longer if we are obliged to do so by law.

We may store and process data for longer in anonymised form meaning we can no longer identify you.

3.9    When you engage with us as a supplier

When you communicate with us, as a supplier, we process personal data about contact persons in your organisation, such as employees, interns, and other staff who communicates with us.

We urge you not to disclose any sensitive or confidential personal data to us unless it is strictly necessary. For security reasons, we encourage you to send the information in encrypted form if you submit confidential or sensitive personal data via email.

3.9.1    What personal data is processed and where does it come from?

We collect, process, and store the following types of personal data about you:
•    Contact information (name, work email, and phone number) when your employer enters into a contract with us
•    Communication history when you work, communicate with, and visits us at our office
•    Contractual relationship info, such as agreements, invoices etc.
•    Employer information, title, workplace, and area of expertise
•    Other personal data that you provide in connection with our relationship

3.9.2    Why do we process the personal data?

    We process your personal data for the following purposes:
•    To administer our contractual relationship
•    General communication with you
•    Financial purposes
•    To assert or defend legal claims in case of any disputes.

3.9.3    What is the legal basis for our processing? 

Our processing of general personal data is based on the following legal bases:
•    Legal obligation: We have to comply with a legal obligation to which we are subject. This legal basis is found in Article 6(1)(c) of the GDPR. The legal obligations may include the Danish Bookkeeping Act and local tax legislation.

•    Legitimate Interest: We may collect personal data about you to be able to administer our contractual relationship, communicate with you, or to defend or pursue any legal claims. This legal basis is found in Article 6(1)(f) of the GDPR. You can object to this processing at any time by contacting us (see section 2 above).

3.9.4    Who do we share your personal data with

The personal data may be shared with our IT suppliers (data processors) who process and store the personal data on our behalf and in accordance with our instructions and based on a data processing agreement.

We may also share your personal data with DLA Piper Denmark Law Firm P/S, VAT No. 35 20 93 52.

We may transfer your personal data to countries outside of the EU/EEA if necessary to carry out the relevant task. Any transfer will take place subject to valid legal grounds for such transfer (the GDPR Chapter 5), e.g. the Standard Contractual Clauses published by the EU Commission which can be found here: Standard contractual clauses for international transfers (europa.eu). We may also rely on the EU-U.S Data Privacy Framework, if we transfer personal data to the US which can be found here: Home (dataprivacyframework.gov).

3.9.5    For how long do we store your personal data?
 

Your personal data will be deleted when we no longer need to process it for the fulfilment of one or more of the above purposes. In most cases, we may retain your personal data for up to 5 years after the end of our contractual relationship.

Accounting material, including personal data, which we are obliged to store, is deleted no earlier than 5 years after the end of the financial year to which the information relates according to the Danish Bookkeeping Act

The personal data may be processed and stored for longer if we are obliged to do so by law, or for the purpose of documentation and with reference to the Danish Statute of Limitations rules on the limitation of ordinary monetary claims.

We may store and process data for longer in anonymised form.

3.10    If you apply for a job with us

If you apply for a job with us, we process your personal data in connection with the recruitment process.

We encourage you to not include any sensitive or confidential information, such as health data or social security number, unless this is a requirement or is explicitly requested for the position you are applying for.


3.10.1    What personal data is processed and where does it come from?

We process the following personal data about you during our recruitment process:
•    Contact information (name, email, phone number, address)
•    Information included in your resumé, application and any attachments you provide
•    Employment history, including experience, skills, performance, and general appearance
•    Publicly available information, e.g. on the internet and on social media
•    Results from tests, such as personality tests
•    Personal data collected via interviews (physically and online)
•    References you have listed, or you have consented for us to contact

Potentially health information if necessary for the position you have applied for, or if you are required to disclose this information due to any special health conditions that may affect your role and work performance, or which may be of special interest to us
•    Potentially your criminal record, if necessary for the position you have applied for
•    Other personal data you may share with us during the recruitment process

3.10.2    Why do we process the personal data?

We process your personal data for the following purposes:
•    To assess whether you are the right fit for a position at NCS

3.10.3    What is the legal basis for our processing?

Our processing of general personal data is based on the following legal bases:
•    Consent: We may ask for your consent to collect references from previous/current employers that you have not provided as references. If we cannot offer you employment, we may offer to save your application for later use based on your consent. This legal basis is found in Article 6(1)(a) of the GDPR. You can withdraw your consent at any time by contacting us (see section 2 above).

If it is necessary to see your criminal records or similar documentation, the processing is based on Section 8.3 of the Danish Data Protection Act.
If it becomes necessary for the position you have applied for and in exceptional circum-stances, we will ask for your explicit consent to process any health data (Article 9(2)(a) of the GDPR).

•    Legitimate Interest: We may process personal data about you to assess your eligibility and to offer you employment, based on the information you provide in your resumé, ap-plication and any attachments, publicly available information, results of personality tests, references you have provided in your application, and other information you provide to us in connection with the recruitment process. This legal basis is found in Article 6(1)(f) of the GDPR. You can object to this processing at any time by contacting us (see sec-tion 2 above).

•    Contractual obligation: If we offer you employment, the processing of your personal da-ta will be based on the employment agreement we enter with you (Article 6(1)(b) of the GDPR).
 

3.10.4    Who do we share your personal data with?

We may share your personal data with our data processors, and/or make them available to other suppliers and/or service providers in connection with the general operation of our business, e.g. in connection with the external administration of our IT systems and HR administration.

We may transfer your personal data to countries outside of the EU/EEA, including our affiliated companies. Any transfer will take place subject to valid legal grounds for such transfer (the GDPR Chapter 5), e.g. the Standard Contractual Clauses published by the EU Commission which can be found here: Standard contractual clauses for international transfers (europa.eu). We may also rely on the EU-U.S Data Privacy Framework, if we transfer personal data to the US which can be found here: Home (dataprivacyframework.gov).

3.10.5    For how long do we store your personal data? 

If you are offered a position with us, your application as well as additional relevant personal data collected in connection with the recruitment process will be stored in your personnel file with us.

If you are not offered a position, we will keep your application and any additional personal in-formation collected during the recruitment procedure for a period of six (6) months after our refusal, unless you have given your consent to for us to store your personal data for a longer period in case other employment opportunities arise.

Any criminal records and health data will be deleted immediately after review.

We may store and process data for longer in anonymised form meaning we can no longer identify you. We may also store your personal data in case of any disputes related to the recruitment activities.

3.11    When you visit our social media profiles

If you visit our social media profiles, we may process your personal data as the data controller. In some cases, we act as joint data controllers together with the provider of the social media platform and has entered into a joint data controller agreement. We refer you to the individual social media providers’ privacy policies for more information about their and our joint processing of your personal data.

We have the following social media profiles:
•    LinkedIn (LinkedIn Ireland Unlimited Company)
o    See LinkedIn’s privacy policy here: LinkedIn Privacy Policy
o    You can customise your privacy settings here: Manage your account and privacy settings | LinkedIn Help

3.11.1    What personal data is processed and where does it come from?

When you visit our social media profiles, we and the social media provider may process the fol-lowing personal data about you:
•    Publicly available information on the platform such as user information (name, email, phone number, address), gender, workplace, interests etc.
•    Any likes, comments, posts, messages, and other interactions with our social media profile page
•    Other personal data you may share with our profile

3.11.2    Why do we process the personal data?

We process your personal data for the following purposes:
•    For analysis and statistical purposes to improve and develop our business, services, and social media profile pages
•    To communicate with you and general marketing initiatives

The social media providers may process your personal data for their:
•    Adverting and sales initiatives
•    To provide us with statistics data about you visit to our social media profile
•    To improve their social media offerings, features, and products

3.11.3    What is the legal basis for our processing? 

Our processing of your personal data is based on the following legal bases:
•    Legitimate Interest: We may process your personal data to communicate with you, for marketing purposes on our social media profiles, and to improve our business, products, and services. This legal basis is found in Article 6(1)(f) of the GDPR. You can object to this processing at any time by contacting us (see section 2 above).

3.11.4    Who do we share your personal data with?

We may share your personal data and/or make them available to other suppliers and/or service providers in connection with the general operation of our business, e.g. in connection with the administration of our IT systems.

We may transfer your personal data to countries outside of the EU/EEA, including our affiliated companies. Any transfer will take place subject to valid legal grounds for such transfer (the GDPR Chapter 5), e.g. the Standard Contractual Clauses published by the EU Commission which can be found here: Standard contractual clauses for international transfers (europa.eu). We may also rely on the EU-U.S Data Privacy Framework, if we transfer personal data to the US which can be found here: Home (dataprivacyframework.gov).

3.11.5    For how long do we store your personal data? 

We store your personal data as long as they are active on our social media profiles, and until you delete any “likes”, shared posts, comments, messages etc. on our social media profiles.

The data can be stored for a longer period in anonymised form.
 

4 Disclosure of personal data to other controllers

Disclosures

In certain situations and in addition to above, it is necessary for us to disclose your personal da-ta to third parties. Under specific circumstances and in accordance with the law, it may be necessary to disclose your personal data to the following third parties (data controllers):
•    Lawyers, auditors, banks, insurance companies, and other consultants
•    Courts and other public authorities
•    Potential buyers of NCS.
    Our company structure may change as we develop, for example, through the complete or partial sale of NCS. In the event of the transfer of assets containing personal data, we disclose your personal data based on our legitimate interest in transferring parts of our assets and making commercial changes (Article 6(1)(f) of the GDPR).

5 Your rights

You are entitled to exercise your rights under the data protection legislation at any time and un-der certain conditions:
•    Access: You have the right to obtain access to and receive a copy of the personal data we process about you and several additional data. We respond within a reasonable time and no later than one month after receiving your request.
•    Right to object: In certain cases, you have the right to object to our collection and processing of your personal data.
•    Rectification: You have the right to have personal data about you rectified.
•    Erasure: In special circumstances, you have the right to have personal data about you erased before the time for our ordinary erasure.    
•    Restriction: In certain cases, you have the right to restriction of processing of your per-sonal data. If the right applies, we may then only process the data – except for retention – with your consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another person or for reasons of important public interest.
•    Data portability: In certain cases, you have the right to receive a copy of the personal data you have provided in a structured commonly used and machine-readable format.

If you wish to exercise your rights or have questions about our processing of your personal da-ta, please contact us at Contact. Your request will be processed in accordance with the legislation in force at the given time. To the extent necessary, we will contact you and ask for additional information required to handle your request correctly.

If you would like to learn more about your rights, please visit the website of the Danish Data Protection Agency, www.datatilsynet.dk.

6    Making a complaint

If you would like to make a complaint about our processing of your personal data, you are welcome to contact us. Our contact details are listed in Section 2 above.

You also have a right to file a complaint to the Danish Data Protection Agency, Carl Jacobsens Vej 35, DK-2500 Valby. A complaint may be filed by email to dt@datatilsynet.dk or through the website of the Danish Data Protection Agency www.datatilsynet.dk. 

7    Updating our privacy policy

NCS may update this privacy policy on an ongoing basis when this is necessary to provide a fair description of our processing of personal data.

In the event of material changes to our processing of your personal data already in our possession, you will be notified of the update (e.g. by email) or we will announce the update on our website.

 

This privacy policy was last updated in April 2024.