(external personal data policy)
for Done by Deer A/S concerning the processing of personal data
It is important for us to protect and respect your privacy when you have chosen to use Done by Deer A/S as a business partner, have visited our website or otherwise have been in contact with us.
It is therefore important that we process your personal data securely and appropriately so that you can feel confident in the cooperation with us.
We have high ethical standards and have established strict internal procedures to ensure that we process your data in the best possible way.
Definition of personal data
Personal data can be many things.
It can be a name, an address and a telephone number. It can also be a picture or an IP address.
Personal data are all types of information that can be used to identify a person. Therefore, it is not the individual piece of information which determines if something can be called personal data.
How do we collect personal data?
We collect personal data about you in the following ways:
- When you deal with us as a customer, supplier or partner
- When you are in contact with our employees, e.g. our sales staff or our sales and purchase departments
- When you contact us by e-mail, letter, fax etc.
- When you create a profile on our website
- When you visit our website or social media
- When you subscribe to our newsletter
- When you participate in campaigns, competitions or surveys
- When you provide us with the personal data
- When you provide information to third parties with whom we cooperate
- When we buy services and data from other business
Below is stated why we do what and on which basis
How we use your personal data
- That we collect and use your personal data for specific purposes
- That we delete your personal data when it is no longer needed
- That we check and update your personal data on an ongoing basis
- That we disclose your personal data in certain cases
We collect and use your personal data for specific purposes
The purpose of collecting and using your personal data can be divided into the following categories:
The first category contains certain personal data we need to know about you in order to deliver our products and services to you. This could be your name, your address, your phone number and your e-mail address, i.e. necessary identification and contact information. This constitutes our lawful 'processing basis'. If we cannot process such personal data, we cannot deliver our products and services to you. We may also have another processing basis, e.g. if the law requires us to register and keep certain personal data. That is, for example, personal data to be used for our compliance with tax legislation and the Danish Bookkeeping Act.
If we want to use your personal data for any purpose other than the one for which we collected them because it was necessary, we will inform you that the initial purpose is to be exceeded. We do so before we start and inform you of the reason for it.
The second category contains certain personal data which we would like to know about you to allow us to improve our products and services, tailor our communication and marketing to you and otherwise optimise your relation to us, so that we can offer you precisely the products and services you need. That includes also collection of personal data about your activities on our website, including IP addresses and placing of cookies on your computer. It may be necessary for our website to function properly.
None of the personal data in category 2 are strictly necessary for us to provide our service to you. Therefore, you must give your express consent for us to collect and use this personal data.
In that respect, our processing basis is your consent.
We point out that under current Danish law, we have a right to contact you as a customer with offers for our own products like those you have previously purchased from us. This applies if we have received your e-mail address in connection with your purchase and whether or not you have given specific consent to this. If we contact you with such offers, we will clearly present you with the possibility of opting out of similar contacts in the future.
If we want to use your personal data in another way than for which we collected them based on your consent, we always ask for your renewed consent if the initial purpose is to be exceeded. We do so before we start and inform you of the reason for it.
The third category contains certain personal data that we keep in order for us to pursue our interests in the future if this is deemed necessary. In this case our processing basis is our 'legitimate interests' as understood in the current personal data legislation.
It means, among other things, that based on a specific assessment, we keep your personal data for a period. The period and the extent of the personal data in this processing are determined based on the criteria you can see in the section 'We delete your personal data when it is no longer needed' below
We delete your personal data when it is no longer needed
We delete your personal data when we no longer need it - according to the purpose for which we collected it. We attach importance to:
- How long time has passed since we had a permanent relation to you either as a customer, supplier or partner.
- Whether there has been any dialogue or correspondence since then
- Whether we have experienced that you have contacted us regularly, e.g. every three months to order new products as we want to give you the best possible service.
- Whether you have given us consent to store the personal data, for later sales promotion.
We must store some personal data for at least five years for the purpose of legislation, i.e. the Danish Bookkeeping Act. This could be personal data for issuing invoices so that we can settle tax and VAT correctly and provide documentation to the authorities.
We do so to safeguard our financial interests and legal position if someone would think that we have acted actionably. In such case we must be able to document what personal data we have received; which agreement was concluded with the customer and what we have done in relation to the customer so that we can safeguard our interests. We 'clean' the documents of the personal data which are not necessary for that purpose.
We check and update your personal data on an ongoing basis
We check on an ongoing basis that the personal data we process about you are not incorrect or misleading.
We do that by regularly asking you to confirm the personal data we have registered. You can, and we encourage you to, always use the contact information at the bottom to notify us of your changes, so that we consistently have the correct data about you.
We disclose your personal data in these cases
We do not sell, publish or otherwise disclose your personal data to others, unless:
• it is necessary for us to sell our products or perform our service to you, or
• it is necessary for us to comply with the law, or
• you have given us your consent, or
• it is as part of our use of processors, both inside and outside the EU
If it is necessary
We cooperate with selected and trusted partners to deliver our products and services to you, i.e. our own companies in the group, partners, sub-suppliers and processors.
We disclose the necessary personal data to them so that in overall terms we can provide our ser-vices to you.
This could be the delivery of products to your address, purchase of products or outsourcing of our IT systems. It may also be the Central Office of Civil Registration so that we can update any changes to names or addresses in databases about our customers.
If you have given your consent
We disclose personal data to businesses, organisations or individuals outside our business and group if we have your consent.
Your consent and thus the disclosure to our partners mean that our partners may contact you for the purpose of sales and marketing.
You can always object to this form of disclosure, and you can also opt out of contacts for marketing purposes in the Central Office of Civil Registration.
If required by law, or in order to protect ourselves, a partner or a third party
In certain cases, the law allows us to disclose your personal data without your consent. Sometimes we must do it. Sometimes we can do it.
To the extent permitted by law, we can disclose personal data for either protecting or enforcing our rights. The same applies to rights belonging to our partners and third parties.
Examples where it can be relevant include the prevention of fraud or other criminal acts.
Our use of processors, both within and outside the EU
We obtain your consent before we dis-close your personal data to partners in third countries unless the said partners serve as our proces-sors. A third country can be e.g. certain countries in Africa. The US is not a third country due to what is known as the Privacy-Shield agreement between the US and the EU if the company in the US has acceded to the Privacy-Shield agreement.
If we disclose your personal data to third countries, we have ensured that their level of protection of personal data matches the requirements made by us in this policy and the requirements we are subject to in relation to the law.
You have many rights
In this section, you can read that you have a number of rights in connection with our processing of your personal data, among other things that you have:
- The right to have incorrect personal data rectified
- The right to access your personal data and receive a copy
- The right to have your personal data erased
- The right to request limitation
- The right to object to processing
- The right to withdraw consent
- The right to request information about transfer to countries and organisations outside the EU
- The right to avoid profiling
- The right to file a complaint about our processing of your personal data
If you want to know more, or exercise your rights, we ask you to contact us via the contact info at the bottom.
The right to have incorrect personal data rectified
We check that the personal data we process about you are not incorrect or misleading. We do that by regularly asking you to confirm the personal data we have registered.
You have the right to have rectified (corrected) your personal data which we hold.
The right to access your personal data and receive a copy
You always have the right to access the personal data we have registered about you and receive a copy of the personal data.
You can also be informed of the purposes of the processing, for how long we keep your personal data, if we make automated decisions (including profiling), to whom we disclose the personal data and from where we have the personal data. However, this does not apply if you are already aware of the personal data.
We point out that the right to access may be limited by regard for the protection of the personal data of other persons and our trade secrets.
The right to have your personal data erased
You always have the right to require that your personal data kept by us be erased. If we no longer have a purpose for keeping the personal data, we will erase them as soon as possible after your request.
The right to request limitation of the processing
You are always entitled to request us to limit the processing of your personal data.
The right to object to processing
You are always entitled to object to our processing of your personal data. This covers the right to object to our use of the personal data for marketing purposes. We will consider your objection, as soon as possible.
The right to withdraw consent
You can always withdraw the consent(s) that you have given us.
The right to request information about transfer to countries and organisations outside the EU
Currently, we do not transfer personal data to a country outside the EU.
The right to avoid profiling and that we make automated decisions
You always have the right to avoid that we make profiles of you and your personal data or make automated decisions.
We make every effort to ensure that your personal data are processed safely and that your rights are protected optimally, and we regularly review our procedures and the handling of personal data.
If, against expectation, you think that we do not process your inquiry and your rights in compliance with the law, we ask you to contact us, either by e-mail with the text 'complaint' in the subject field. You can write to us at firstname.lastname@example.org.
We will then pass on your inquiry to a senior employee in our company, so that any misunderstandings and misconceptions can be clarified.
If you still think that we do not process your inquiry and your rights in compliance with the law, you can complain to the Danish Data Protection Agency:
Datatilsynet (the Danish Data Protection Agency)
DK-1300 Copenhagen K
Telephone: + 45 33 19 32 00
Even though we are indeed very fond of children at Done by Deer A/S, our business is aimed at businesses and adults. We do not intentionally collect personal data from and about children.
We realise that e.g. children’s use of electronic devices can never mean with 100% certainty that we do not receive personal data about children.
We have attempted to design our systems in the best possible way, so that we cannot receive personal data from children, and we erase the personal data immediately if we become aware that we have unintentionally received personal data about children.
If you are a parent or guardian and believe that your child has given personal data to us intentionally or unintentionally, we ask you to contact us as soon as possible via our contact person data at the bottom.
How we store your personal data
We are obliged to protect your personal data. Both because it follows from legislation, but also because our own internal ethical rules require us to take proper care of your personal data.
We use relevant and adequate technical and organisational security measures to ensure that no unauthorised access is created for the personal data which we keep. The purpose is to ensure that the personal data is not used, destroyed, changed, published or is otherwise misused.
In this section you can read that
- We have internal rules on data security relating to personal data
- We have implemented IT technical measures
- User conduct is important to ensure an adequately high security level
- We inform affected persons if a risk occurs of one or more actual personal data breaches
We have internal rules on data security that contain guidelines and procedures
That includes that personal data is only accessible to employees who need it.
We also ensure ongoing information and training of our employees in relation to correct handling of personal data and make sure that the employees adhere to the rules.
All our employees are covered by a general duty of non-disclosure, that extends to personal data, in our contracts of employment.
In terms of IT, we have implemented the following measures:
- Installed anti-virus programs on all IT systems that process personal data
- Installed passwords on computers with a demand for regular renewal
- Ongoing backup of all IT systems that process personal data
- Limitation of the access to personal data, so that only employees who need it have access, and only to the extent necessary
- An investigation into whether the personal data which we use can be used in an anonymised or pseudonymised form. We will do that if it does not adversely affect our service and obligations to you
- Entered into data processing agreements with suppliers who process personal data on our behalf, so that we ensure that the processing is made in compliance with the law and our own rules and ethical standards
Risks and disclaimer
The greatest risk of misuse of personal data is people's own conduct.
It is up to the individual person to take proper care of its own personal data (e.g. never disclose passwords to others), and it is up to our company to take into account human intervention.
Although we have taken the above measures to limit risks of processing personal data, it cannot be a 100% guarantee that unintended events do not occur.
Therefore, we disclaim liability for any loss resulting from unintended events relating to our use and processing of your personal data to the extent we can do so under current legislation.
Thus, we will not accept liability for losses of any kind that occur in relation to the use of our business, our products and services, our website, systems, apps and other software to the extent that we can do so under current legislation.
We recommend that you also initiate measures to protect your personal data.
You can do that by closing your browser after use, by logging out of all accounts after use, by installing anti-virus and anti-malware and other software that may improve the security on your computer.
We recommend that you update software, the apps you use, your computer and mobile devices on an ongoing basis and never disclose your password to others.
As mentioned, we have taken many measures to ensure the processing of your personal data.
Should our IT systems and other security measures nevertheless be compromised, we will inform you without undue delay if the compromising entails a high risk relating to your rights and freedoms.
Links to other service providers
On our website and in other communication from us, there may be links to the websites of other businesses that do not belong to our company.
We are not responsible for the contents of these websites, and our personal data policy does not apply to the websites of these businesses.
Our company is the controller and ensures that your personal data are processed in compliance with the law:
Done by Deer A/S
CVR no. 36 45 63 29
Telephone number: +45 4422 6603