This Privacy Policy explains how Danspin A/S (also referred to as “We”) processes your personal information.

Data controller

The entity responsible for the processing of your personal information is:

Danspin A/S
Company No. 19641376
Jupitervej 6A
7430 Ikast
Denmark
info@danspin.dk
+45 96 60 51 00

Any contact regarding employee data can be made to our HR department, financial manager or the administration.

Purpose and origin: This policy has been developed to disclose Danspin’s processing of personal data on its employees, and employees’ processing of personal data in relation to our customers and suppliers.

This policy and its related documents will undergo systematic revision.

Danspin collects personal data on all its employees. The purpose of this collection and processing is personnel administration (e.g. contracts, wages, vacation, training etc.). All data is collected from the employees, through forms and/or interviews, or from public records.

Information collected on partners is used to make contracts and trade conditions.

The information is provided by our partners or our partners’ representatives.

Categories of data: The following categories of personal data are being processed on employees:

Regular personal information:

  • Identification information.
  • Information relating to the employment relationships for the use of personnel administration and case processing, including position, place of work, salary, other information relevant to salary retention, staff records, education, sick leave, seniority and birthday.
  • Criminal records.

Sensitive personal data:

  • Union representation, where relevant for the employment relationship
  • General health information, including genetic data
  • Information on smoking and intoxicants (e.g. alcohol and substance abuse), if this is important for the employment relationship

Basis for processing personal data: Personal data is primarily processed on the basis of the following:

Personal data regarding personnel: It is necessary to process personal data for Danspin to meet its legal obligations as an employer. No consent is needed to process this information, as long as the processing is relevant for the objective of personnel administration etc. Sensitive personal data such as health information is only processed if relevant for the employment relationship or required by law.

When using employee photos on the jobsite, Danspin doesn’t need a separate consent, since the pictures are only available to employees and company visitors (persons of interest) and are a step in strengthening social competences and information disclosure. A separate consent is needed if an employee photo is actively shared with persons/entities not part of the Danspin organization.

Employees can at any time request that their photo is removed.

Danspin uses CCTV to monitor internal processes. Only personnel with reasonable justification have access to the footage. No separate consent will be collected for the use of CCTV, since its purpose is to optimize workflows and heighten work safety and internal security; it is in the best interest of the employees that Danspin obtains this data.

This is also a requirement to secure the workplace, and necessary for insurance companies.

Data subjects can at any time request that data kept on the individual be destroyed or deleted, if the data subject doesn’t want the data processed. This is only viable if there is no legal obligation for Danspin to process the data.

Personal data regarding partners: Personal data for marketing purposes is processed only after the information has been given to the company for contact, e.g. exchange of business card, online access etc. The primary function of processing personal data relating to Danspin’s partners’ representatives (a supplier’s or customer’s employee or representative) is the preparation of contracts and trade conditions.

Access to data: Access to personal data is limited, so that only the following persons have access to the information:

Personal data regarding employees: Executive board, HR, Financial department, management and IT have access to this data.

Personal data regarding partners: Data is limited to the employees serving the partner, implicitly or explicitly.

Storage: Personal data must always be kept in a proper manner to minimize the risk of data being compromised or in any other way exposed to security breaches. For more information on storage see section “Employee responsibility during data processing”.

Transfer of data: Danspin exchanges personal data with the following:

  • Wage management bureaus
  • Employee’s bank
  • National authorities
  • Trade unions and other employee representatives
  • MitID
  • Pension company
  • Insurance company
  • Accountant, lawyer and consultants
  • IT company

Danspin doesn’t transfer any data to countries outside the EU/EEA. If some partners transfer data to countries outside the EU or EEA, the conditions can be seen in the data processing agreements.

Employee responsibility during data processing: As part of the daily production and management, some data is processed on employees and partners. In relation to this, Danspin has adopted the following guidelines, which all employees processing or having access to personal data must abide by.

a. All employees must know what personal data is, and how to process it. The employee must follow the instructions and training provided by Danspin.

b. You are not allowed to leave a desk with personal data easily accessible, either in physical or electronic form. Personal data that isn’t being processed must be stored in a way so that unauthorized persons don’t have easy access to it. Where possible, the data must be locked away in drawers or cabinets. Sensitive personal data, personal data with social security numbers or information on criminal records must be locked away when the employees working with the data go home. This could be in cabinets, drawers or the office where the data is kept.

c. Computers with access to personal data must be locked or turned off when leaving the workstation, either via sleep timer or manually. All media containing personal data are password protected. A clause has been added to the IT policy so that all PCs are equipped with an auto-lock rule and lock automatically after 10 minutes of inactivity.

d. Digital personal data is mainly kept in the system applied by Danspin. If an employee transfers data to a system not used by Danspin, the media and processing of the data must be handled with extreme caution. Data transfers to media outside Danspin’s systems must be approved by either the management or the IT manager. If sensitive personal data is shared via a medium, the data must be encrypted or password protected.

e. When printing personal data, the papers must be collected immediately after printing, to limit possible exposure. If possible, use printers where personnel have limited access.

Link to user manuals: Y:\Procedures\STEPS – Secure_print_manual – KONICA C250i.docx

f. If digital processing will cause a disadvantage for the employee, paper form may be used if the employee keeps the data under close observation and processes this with caution, to avoid unauthorized access to the personal data. The data must be discarded according to the internal standards.

g. Social security numbers may only be used if it is vital to ensure the identity of the individual. Social security numbers, names or other data conceived* as private cannot be used as a header/subject in mails.

h. Mail containing sensitive personal data, social security numbers or criminal records must be in encrypted form, so that only the intended receiver can open the email. A procedure on when and how to encrypt emails** has been made and distributed to all relevant personnel.

i. The employee must ensure that the applied personal data is accurate and that no more data is recorded than what is deemed necessary.

j. Personal data which is no longer relevant, or which the data subject has requested deleted, must be deleted, and physical data destroyed either via a shredder or a third party. Sensitive personal data in electronic form must be deleted from the system in which it is stored, and no backup must be made on the computer locally (for more information we refer to our IT policy).

  • Employee data must be deleted if there is no legal basis for storing it.
  • Personal data from applicants to vacant positions must be deleted 6 months after a rejection is made.
  • Personal data regarding partners is deleted when there is no legal basis for storing it.
  • Mails and other correspondence containing personal data must be deleted when the demand for obtaining the data has been filled. Such mails must be deleted permanently.
  • If you are in doubt, please contact Danspin’s financial department or IT responsible.

Data shredding can happen using Danspin’s shredders or by putting the data in locked containers for shredding at a disposal company.

k. During repair and service of digital units such as computers, smartphones or iPads, access to personal data must be shut down. This also applies to Danspin’s Outlook accounts.

l. If an employee finds out that personal data has been compromised or in some other way exposed to a security breach, this must be reported to Danspin’s financial manager or IT responsible. This also applies if any media with access to company systems has been lost (Phone, Company, Notebooks with sensitive information).

m. Danspin performs audits to verify that processing of personal data happens according to the internal guidelines. The employee processing the personal data must be present during the audit.

n. Employees processing personal data are subject to professional secrecy concerning all the data accessible to the employee. This also applies to former employees.

o. All emails containing sensitive information must be deleted after use; it is not allowed to store emails with sensitive data for longer than justifiably necessary.

* Data to be conceived as private is all sensitive personal data covered by the General Data Protection Regulation definitions.

** A description of how to encrypt email can be found here: L:\IT\IT Policy\ITINS-52-1-email encryption.docx

Right of access, correction and limitation: Data subjects have the right to access and correct the personal data collected, processed and stored by Danspin concerning the data subject. Data requested by a data subject must be delivered no later than 4 weeks after the request has been received. Once the information has been delivered to the data subject, they can at the earliest request the same data 6 months after receiving the personal data from the initial request. Access cannot be requested to data which should give way to public or private interests, including the interests of the person concerned. If any data is erroneous, processing of the data can be limited upon receipt of a notice from the data subject or other entities, until it has been verified that the data is accurate. If this does not lead to clarification, a possible complaint can then be addressed to the national authority.

DK – Datatilsynet – www.datatilsynet.dk  

You can take steps to exercise your rights by reaching out to info@danspin.dk

This policy is complemented by Danspin’s IT policy.
