Cookie- and privacy policy

PRIVACY POLICY

Northern Survey (CVR-nr.: 37687596) is the data controller for the information we process about you. This means we are responsible for ensuring that your personal information will be processed in accordance with the law, including the principles of data protection in GDPR art. 5.

As data controller we also have a duty to provide you with information about what personal information we process, why and how we process it, for how long we retain it, as well as how you can contact us about it and exercise your rights.

This privacy policy covers that duty in several sets of circumstances. If your situation is not covered in this policy, such as if you are employed with us, we have separate documents available to you with all necessary information.

CONTACT INFORMATION

If you wish to contact us regarding our processing of your personal information, you can do so at:
Northern Survey ApS
Brundtvej 13, 8370 Hadsten
contact@northern-survey.com
+45 60 20 89 80

PROCESSING OF PERSONAL INFORMATION

Personal information are all types of information that can be connected to a person, directly or indirectly. This privacy policy describes how we process such information from the time we collect, store and use it, and until we delete it. We will only process personal information when necessary and for a specific purpose. Any personal information of yours will be processed with confidentiality.

Data protection

It is our responsibility to protect all personal information in our possession from being accidentally or unlawfully deleted, publicised, lost, corrupted, leaked, or misused. To do that we have taken a number of technical and organisational measures. We also ensure that processing only takes place when we can adhere to all our duties in data protection.

We keep your information up to date

As our services depend on our information about you being accurate, we ask that you keep us informed about relevant changes. You can always make use of the contact details above to let us know about any changes. We will update your information accordingly. If we find out on our own that our information about you is incorrect, e.g. spelling errors in your name or address, we will update it without further ado.

How did we get your information?

We gather personal information about you in a variety of ways, e.g.:
– By using cookies on our website.
– By receiving information from you, by way of questionnaires, contact forms or phone.
– From your comments and activities on social media, when you follow or like our pages and/or posts on Facebook, Instagram & LinkedIn.
Below, you can see our purposes for processing personal information. For every type of processing, you can also see our legal basis for the processing. The legal basis means we can point to a law, which allows our processing. You will also be able to see our retention periods for the information we process. We have sorted our processing activities into headlines, to make it easier for you to find the information that pertains to your specific situation.

SERVICES

When you are buying services

When you buy our service, we will collect and process the following information about you:
– Contact information: Name, address, email, phone etc.
Our purpose for processing your information is to deliver our service to you.
Our legal basis for processing your information is:
– Necessity for our fulfilment of a contract with you (GDPR art. 6(1)(b))
We will delete the information after a maximum of 5 years.

Transmission of personal information

We sometimes have third parties store and process information for us. That makes them a data processor for us. When we take on a data processor, we make sure to have a data processing agreement in place with them. They will only process the information on our behalf and will not be allowed to use the information for their own purposes.

We prioritise suppliers located within the EU or in third countries covered by adequacy decisions from the European Commission, cf. GDPR art. 45.

In some situations, your information will be passed on to other data controllers, such as banks, distributors, tax authorities.

Unsafe third countries

We make use of some data processors/suppliers in unsafe third countries. When legislation in those countries does not offer the same level of protection as we have here in the EU, we have stricter obligations to protect your personal information.

When we transfer personal information to recipients in USA, we do so based on e.g., The European Commissions standard contractual clauses (GDPR art. 46(2)(c)) or Data Privacy Framework (GDPR art. 45(9). If you wish to know more about whether your personal information is transferred and the steps we have taken to protect it, you can reach out to us to learn more as well as to receive our documentation for appropriate safeguards.

CUSTOMER SERVICE, SUPPORT, & SALES

When you reach out to us by mail, phone, website contact form, or ordinary post, we will process the following information about you:
– Any contact information pertaining to your chosen means of contact (e.g. number you were calling from, return address – email or post) as well as the contents of your inquiry.
Our purpose for processing this information is to respond to your inquiry and to uphold our customer service standards.
Our legal basis for the processing is:
– Necessity for pursuing our legitimate interest in being able to answer your questions as well as further communication to better identify issues or needs that should be addressed (GDPR art 6(1)(f))
We delete your information when it has served its purpose. Whether the purpose has been served is assessed based on the nature of each specific inquiry. We will process your information for as long as we have on-going correspondence with you. Once that correspondence is completed, any issues fixed, and if the contents require no further action, we will delete your information.

WHEN YOU FIND US ONLINE

Our website

Cookies

A cookie is a small text file, saved to your computer, tablet or phone. A cookie is not a program that can contain viruses or other harmful software.

Some cookies are necessary to make websites work at all. With cookies, a website owner can also build statistics for the use of the website, as well as map how visitors navigate the site. This way, they can continue to improve the site and customize it for specific needs and interests. Many websites use the information gathered to show content customised for the individual user.

When you first visited our website, you were met with a cookie banner, informing you about the cookies we use. We have chosen to use only strictly necessary cookies and have therefore not requested your consent for any others.

Strictly necessary cookies:
If cookies beyond the strictly necessary ones are active, we will only process the following personal information about you:
– IP-address.
Our purpose for this processing is:
– Managing the necessary content, functionality and security of our website.
Our legal basis for this processing is:
– Our legitimate interest in stable and secure management of our website (GDPR art. 6(1)(f))
The few types of personal information we process, when only strictly necessary cookies are in play, will be deleted either as your session on our website ends, or when you close your browser (session cookies), or when we have anonymised the information for analysis of security measures on the website.

OUR SOCIAL MEDIA

When you follow, like, or otherwise interact with our company page on social media, we get access to the following information about you:
– Your name, your likes, and your comments – including the contents of your comments
– Any backend statistics for our page, aggregated from user interactions. We only have access to this information after it has been pseudonymised, and only the Social Media platform could identify you. More info on this and how your personal information is used to aggregate statistics will be available to you on the social media platform in question.
Our purpose with this processing is to reach and potentially interact with followers and other interested parties on social media regarding activities relating to us.
Our legal basis for the processing is:
– Our legitimate interest in marketing our business/products (GDPR art. 6(1)(f))

LinkedIn

We have joint controllership with LinkedIn regarding the information collected about you, when you interact with our company profile. This means that we cooperate with LinkedIn, when it comes to establishing and delegating responsibilities for our compliance regarding the processing of your personal information.

We have an agreement regulating this joint controllership, which you can find here: https://legal.linkedin.com/pages-joint-controller-addendum

If you do not have a personal LinkedIn-profile, LinkedIn collects information about the device you use, when accessing LinkedIn, your location/geodata, and information about your activity on LinkedIn. Any information your cookie settings allow to be tracked as regards your visits to other websites, will also be collected.

If you do have a personal LinkedIn profile, LinkedIn collects the same information as above. In addition to this, LinkedIn also collects any information, you have consented to, through creating your user profile, ie. Your reactions, comments, shares and any other activities on LinkedIn connected to your profile.

Of all the information gathered by LinkedIn, we only receive that which you give us through direct interactions, e.g.: messages, likes/reactions, or comments. Beyond that, LinkedIn Page Analytics gives us access to anonymised statistics based on the information LinkedIn collects as described previously.

If you wish to delete the information LinkedIn has about you, you can delete your user profile. If you choose to do that, all of your posts, pictures and information will be deleted. If you have any questions regarding the inner workings of LinkedIn Page Analytics, please contact LinkedIn directly.

Facebook & Instagram

We have joint controllership with Meta regarding the information collected about you, when you interact with our company profiles on Facebook, Instagram, or Threads. This means that we cooperate with Meta, when it comes to establishing and delegating responsibilities for our compliance regarding the processing of your personal information.

We have an agreement regulating this joint controllership, which you can find here: https://www.facebook.com/legal/controller_addendum

Meta uses Insights on their platforms to collect and aggregate statistical data about user activities, these include age, gender, relationship status, work, lifestyle, interests, purchase information, and geodata. For this purpose, Meta places a cookie on your device, when you visit one of their platforms. Every cookie contains a unique identifier, which remains active for 2 years unless deleted before the end of that period. Meta collects your personal information by using these cookies, and they store and process your information for the mentioned statistics. We receive these statistics, but not the raw data, they are built on. You can read more about Meta’s use of cookies on Facebook here and on Instagram and Threads here.

We do not pass along any information about you that we receive from Meta. Meta may do so, however, and we encourage you to read more about their information exchange with third parties in their Privacy Policy.

If you wish to delete Meta’s cookies from your devices/browsers, you can see how in our cookie banner or you can contact Meta for further information.

Meta will process information about you even if you do not have an account on one of their platforms. You can read more about this in Meta’s policy here.

Pictures of you

We have an interest in portraying ourselves in a positive light, as business partner, place of employment, or otherwise. For this purpose, we publish pictures online, if we find them to be harmless to any persons depicted. We find this interest to be legitimate and to not go beyond any interests nor rights of the persons depicted. (GDPR art. 6(1)(f))

If you are going to appear in marketing materials, promotional videos, or similar things, we will make sure it happens based on your consent (GDPR art. 6(1)(a)) or on a signed modelling contract (GDPR art. 6(1)(b)).

We will always delete pictures that no longer serve their purpose. We will also delete them if our contract for the use of the pictures is voided, or if you revoke your consent for the use of the picture. You can always reach out to us, to object to our using pictures of you.

OUR ORGANISATION

Suppliers and business partners

When we enter contracts with suppliers or other business partners, it is necessary for us to collect and store information about their points of contact/account managers. We typically limit such processing to just:
– Name and e-mail, phone and title/role
Our purpose with this processing is to adhere to our obligations and commitments under our contracts as well as ensure efficient communication.
Our legal basis for this processing is:
– Our obligations and commitments under our contract (GDPR art. 6(1)(b))
Any information collected for this purpose will typically be deleted once a contract is fulfilled, unless we have specific reason to retain them for longer, e.g. a warranty period or to enable complaints.
We are required by law to retain our bookkeeping materials for 5 years from the end of the year they were filed. This may include some personal information, which will then be deleted along with the rest of the bookkeeping materials, once the retention period has passed – unless we have other reasons for keeping them, such as warranties or complaints.

Video surveillance

We make use of video surveillance at our warehouse. When you enter areas, where we have sign-posted such surveillance, you and any actions you take within view of the cameras will appear in it. The signs will be clear and in compliance with all relevant legislation.

Our purpose with this surveillance is crime prevention and physical security around our facilities.

Our legal basis for the processing is:
– Our legitimate interest in securing our facilities against criminal activities (GDPR art. 6(1)(f))
If any information about criminal offences is captured on surveillance, we will process them on the following basis:
– Our legitimate interest in protecting our facilities (Danish Data Protection Act § 8, stk. 3).
We may pass along surveillance videos to public authorities, including the police, in connection with investigations of criminal offences.
This transfer is permitted under the Danish Video Surveillance Act § 4c.
We have guidelines in place for deleting our recordings.
We store the recordings securely and for no longer than 30 days, unless specific circumstances necessitate longer retention.

Recruitment

If you apply for a position with us, we will process all the information included with your application, CV, and any other attached documents. We may choose to reach out to any references you have included with your application. Any information about you collected from those references will be processed with your application. Please note: We do not need you to include your national identification number / CPR-number with your application.

Our purpose with collecting information about you in the recruitment process is to assess, whether you are the right candidate for a position with us.

Our legal basis for this processing is:
– Our legitimate interest in assessing your qualifications and skills pertaining to the position we are seeking to fill (GDPR art. 6(1)(f)).
If, during the recruitment process, we collect and process your national identification number or any information about criminal convictions and offences, we do so in accordance with the following:
– If you are applying for a position, for which we require to see your diplomas or other papers and documentation, and if your national identification number / CPR-number appears in that documentation, we process it for the purpose of verifying the authenticity of your documents in order to establish, exercise, or defend against legal claims. The legal basis for this is (Danish Data Protection Act § 11, subsection 2, no. 4, cf. § 7, subsection 1 cf. GDPR art. 9(2)(f)).
– If we find it relevant for the position, you are applying for, we will require your certificate of criminal record/”straffeattest”. We do this for the purpose of ensuring your suitability for the position, and our legal basis is your consent (Danish Data Protection Act § 8, subsection 3).
If you include sensitive personal information with your application, we will process it based on the following legal basis:
– Our legitimate interest in assessing your potential future with us, and a necessity for assessing and establishing any legal claims related to the recruitment process. (GDPR 6(1) (f & c) and (GDRP art. 9(2)(f)).

We will keep your application with addendums for up to 6 months beyond recruitment being finalized. After that point, your information will be deleted. Our purpose for this retention is to protect ourselves against any legal claims resulting from the recruitment process. For As to the legal basis for this processing, please see the section above.

If we find your profile to be of interest, albeit not for any currently open position, we may wish to keep your application with addendums for potential future positions opening up. If this is the case, we will reach out to you, to get your consent for this continued retention. (GDPR art. 6(1)(a))

If you send us an unsolicited application, we will keep it for a maximum of 6 months, after which we will delete it.

According to data protection legislation, you have the right to be informed, whether giving us your personal information is a requirement by law, or a necessity for entering into a contract with us. You also have the right to be informed of any consequences of not giving us the information we ask of you.

Please note that according to the Danish Health Information Act, before an employee takes up a new position, they are required to divulge, whether they know they have a condition or symptoms of a condition that will have significant impact in their ability to carry out the tasks associated with the job. This means you must let us know of such conditions or symptoms, either when asked or by your own initiative, and if you do not, it may mean you cannot remain in the position.

Additionally, if we decided to offer you employment, we are required under the Danish Employment Contracts Act to ensure a fully compliant employment contract is signed between us. This requires your name and address. If you do not wish to give us the information needed for a legally compliant contract, we cannot sign you on for any position.

YOUR RIGHTS

By reaching out to us you can exercise your data subject rights. This means you can make a data subject request to:
– gain access to any personal information we have about you
– rectify any erroneous personal information about you
– request deletion of your personal information
– have the processing of your personal information restricted to only storage
– receive a copy of your personal information for the purpose of moving it to another data controller (data portability)
– object to our processing of your personal information. Please note: whether or not we can accommodate your objection depends on an assessment of e.g. legitimate interest (GDPR art. 6(1)(f)). You will receive an explanation of that assessment and its results.

Some processing activities are based on your consent (GDPR art. 6(1)(a)). If you give your consent for us to process your personal information, it must be freely given. It will have no negative consequences for you, if you do not give your consent, if you only consent to specific parts of the processing, or if you withdraw your previously given consent. Withdrawal of consent can happen at any given time by reaching out to the contacts above. If you choose to withdraw your consent, it will have no bearing on the lawfulness of our processing of your information in the period from when your consent was given and until you withdrew it.

If your personal information must be processed for purposes other than HR/management, we will notify you of this before we begin the processing.

When you reach out to us with a request to exercise your above-mentioned rights, we will get back to you within one month. If we cannot accommodate your request, we will let you know the reason why.

If you are not satisfied with our handling of your personal information or your data subject request, you have the right to lodge a complaint with the supervisory authority: Datatilsynet. You can do this at www.datatilsynet.dk/borger/klage