Dataprocessing and storage
The data protection policy applies to Dataminds A/S, henceforth denoted as Dataminds.
The policy should help ensuring and documenting that Dataminds protects all personal data according to the conditions in the Danish and European data protection regulations. The policy informs of the handling and usage of the registered personal data too.
Dataminds handles personal data regarding:
We have produced a list of the treatment of personal data. The list provides an overview of the types of handling, Dataminds is responsible of. By request, we provide the lists to the supervision authority.
Registering personal data is necessary for Dataminds to be able to form employment-, customer-, and supplier contracts.
The personal data is handled and archived regarding:
- Administration of employee data, including recruitment, employment, retirement and payment of salaries
- Master data of customers and marketing, orders, sales and implementation of projects
- Master data of suppliers and requisitions and purchases
- Master data of our customer's customers and employees
We use personal data for the above purposes only and we only compile the data necessary to fulfil the objective.
Dataminds has introduced the following guiding principles for storage and deletion of personal data:
- Personal data is stored in physical folders.
- Personal data is stored in IT-systems and on server drives.
- Personal data is only stored as long as it is necessary for the purpose of the handling.
- Personal data of employees is deleted 5-6 years after retirement, depending on the time of the year for the ending of employment.
- Personal data of applicants is deleted 1-2 years after reception, depending on the time of the year for the receival of appliance.
- Personal data of our customer's customers and employees is deleted as agreed with our customer. If no agreement is signed, personal data of our customer's customers and employees is automatically deleted 1-2 years after the agreement of cooperation has ended, depending on the time of the year for this ending.
- Each year, in the first week of May, Dataminds deletes data that meets the above criteria for deletion.
Dataminds has completed the following safety measures for protection of personal data:
Only employees, who have an occupational need of access to the registered personal data, can access this, through either physical access or using IT-systems with control of access rights.
- All computers have a password and employees are not allowed to entrust their passwords to others.
- On each computer, a firewall and an antivirus program must be installed and regularly updated.
- Personal data is deleted responsibly when IT-equipment is phased out and maintained.
- USB-keys, external hard drives etc. with personal data must be stored in a locked drawer or closet.
- Physical folders are stored in locked offices or in locked closets.
- Personal data in physical folders is deleted by shredding.
- Personal data, that must be sent pr. email to an external receiver, is sent safely, for instance as encrypted and password-protected attachments.
- All employees must be instructed in handling and protecting personal data.
- Exchange of large amounts of personal data is offered through an SSL-secured web portal.
Personal data regarding employees can be passed on to public authorities, including tax authorities and pension funds.
Dataminds solely uses data processors who can guarantee that they will implement the appropriate technical and organisational safety measures for fulfilling the legal requirements of the personal data law.
Data processors being used:
|Data processor||Server placement||Type of basis for agreement|
|Microsoft Corporation||EU||Data processing agreement|
|Danløn||Denmark||Data processing agreement|
|Visma E-conomic||Denmark||Data processing agreement|
|Google Analytics||USA||EU model clause agreement|
|Pipedrive, Estonia||EU||Data processing agreement|
Dataminds handles the rights of the registered persons, including the right to gain insights, withdrawal of consent, rectification and deletion, and informs the registered persons about the handling of their personal data. Registered persons have the right to complain to the Danish data supervision authority ("Datatilsynet").
In case of violation of the personal data security, Dataminds reports the violation to the data supervision authority as soon as possible, but no more than 72 hours after the violation. Dataminds' DPO is responsible of reporting the violation. The report describes the violation, the groups affected and what consequences, the violation can have. Furthermore, Dataminds describes how it has remedied, or how it will remedy, the violation. In cases where the violation involves a high risk for the persons about whom Dataminds handles personal data, we will inform these people. Dataminds documents all violations of the personal data security.