Autoinnovation ApS – Data Protection Policy
1. Policy Statement
All individuals have rights with regard to how their personal information is handled. During the course of our business activities we may collect, store and process personal information about our employees, suppliers and customers and we recognize the need to treat it in an appropriate and lawful manner. This Data Protection Policy covers our treatment of data belonging to our suppliers, customers and other third parties who we engage with. Our position with regard to employee data is set out in our Fair Processing Notice (Employee Data).
The information which we may receive, hold and process in respect of suppliers, customers and other third parties is subject to certain legal safeguards specified in the Privacy Law (meaning all applicable law relating to the processing of personal data including the Data Protection Act 1998, the General Data Protection Regulation 2016/679, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any statutory instrument, order rule or regulation made, as amended, extended, re-enacted or consolidated from time to time). The Privacy Law imposes restrictions on how we may use that information and we shall comply with the provisions of the Privacy Law at all times.
2. Status of the policy
This policy sets out our rules on data protection and the legal conditions that we will satisfy in relation to the obtaining, handling, processing, storage, transportation and destruction of personal information.
The TjeKvik Data Protection Compliance Manager is responsible for ensuring compliance with Privacy Law and with this policy. Any questions or concerns about the operation of this policy should be referred in the first instance to the Data Protection Compliance Manager – Address: TjeKvik / Autoinnovation ApS, Otto Mønsteds gade 5, 1571 Copenhagen V, Denmark.
If you consider that this policy has not been followed in respect of personal data about yourself or others you should raise the matter with our Data Protection Compliance Manager.
3. Definition of data protection terms
Data is information that is stored electronically, on a computer, or in certain paper-based filing systems.
Data subjects for the purpose of this policy include all living individuals about whom we hold personal data. A data subject need not be a DK national or resident. All data subjects have legal rights in relation to their personal data.
Consent of the data subject, means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data controllers means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by union or member state law.
Data processors means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination restriction, erasure or destruction.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to that natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Sensitive personal data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data may include biometric data and genetic data. Sensitive personal data can only be processed under strict conditions, and will usually require the express consent of the person concerned.
4. Data protection principles
We will comply with the data protection principles in Privacy Law. Under Privacy Law, personal data must be:
(a) Processed fairly, lawfully and in a transparent manner.
(b) Processed for specified, legitimate and specified purposes and not further processed in a manner that is incompatible with those.
(c) Adequate, relevant and not limited to what is necessary for the purpose.
(d) Accurate and kept up to date. Personal data that is inaccurate will be erased or rectified without delay.
(e) Kept in a form that permits identification of the data subject for no longer than is necessary for the purpose.
(f) Processed in a manner which ensures appropriate security of personal data.
5. Fair, lawful and transparent processing
Privacy Law does not prevent the processing of personal data, but it ensures that it is done fairly and without adversely affecting the rights of the data subject. The data subject must be told who the data controller is, the purpose for which the data is to be processed by us, and the identities of anyone to whom the data may be disclosed or transferred. In dealing with suppliers, customers and other third party (excluding employees), typically we are acting as a data processor. We will inform you if we are to act as data controller.
For personal data to be processed lawfully under the applicable Privacy Law, certain conditions have to be met. These may include, among other things, requirements that the data subject has expressly consented to the processing, or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, more than one condition must be met. In most cases the data subject’s explicit consent to the processing of such data will be required.
6. Collected for specific, explicit and legitimate purposes
We will only process personal data may for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the applicable Privacy Law. This means that personal data will not be collected for one purpose and then used for another. Further processing for archiving in the public interest, scientific research or statistical purposes shall, in accordance with Privacy Law, not be considered incompatible with the initial purpose. If it becomes necessary for us to change the purpose for which the data is processed, we will inform the data subject of the new purpose before any processing occurs.
7. Adequate, relevant and non-excessive processing
We will only collect personal data to the extent that it is required for the specific purpose notified to the data subject. Any data that is not necessary for that purpose will not be collected.
8. Accurate Data
Personal data must be adequate, relevant and limited to what is necessary for the specific purpose. Personal data must be accurate and kept up to date. If we identify information that is incorrect, misleading or is not accurate we shall take steps to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data will be destroyed. If you identify any data that we are holding which is incorrect, misleading or inaccurate, please advise us and we will take the necessary action to correct this.
9. Timely Processing
Personal data will not be kept longer than is necessary for the purpose. This means that data will be destroyed or erased from our systems when it is no longer required. For guidance on how long certain data is likely to be kept before being destroyed, you can contact the Data Protection Compliance Manager – Address: TjeKvik / Autoinnovation ApS, Otto Mønsteds gade 5, 1571 Copenhagen V, Denmark..
10. Processing in line with data subject’s rights
Data will be processed in line with data subjects’ rights. Data subjects have rights to:
(a) Request access to data held about them.
(b) Prevent the processing of their data for direct-marketing purposes.
(c) Ask to have inaccurate data amended or deleted.
(d) Prevent processing that is likely to cause damage or distress to themselves or anyone else.
(e) Withdraw their consent to processing at any time.
(f) Request individual personal data in a portable form.
(g) Lodge a complaint with a supervisory authority.
(h) Request information regarding the existence of automated decision-making, including profiling (including meaningful information about the logic involved).
(i) Information regarding the retention period of personal data or, as a minimum, the criteria used to determine that period.
We shall maintain a record of all categories of processing activities that we undertake including, the nature of processing and, where applicable and where permitted, details of transfers of personal data to a third party (sub-processors).
If applicable under Privacy Law, we shall make such records available to a supervisory authority upon request.
12. Data Security
We will ensure that appropriate security measures are taken against unlawful or unauthorized processing of personal data, and against the accidental loss of, or damage to, personal data, including taking reasonable steps to ensure the reliability of our employees who may have access to personal data and will ensure that such employees are subject to appropriate confidentiality undertakings. Data subjects may apply to the courts for compensation if they have suffered damage from such a loss.
Security measure shall, amongst other things, include:
(a) the pseudonymization and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of physical or technical incident;
(d) processes for regularly testing, assessing and evaluating the effectiveness of technical and organizations measures to ensure the security of the processing.
(a) provide reasonable cooperation to a data controller in relation to any individuals exercising their rights under Privacy Law, including but not limited to subject access requests.
(b) Save as where prohibited by law and as soon as reasonably practical, notify the data controller of any legal obligation which requires us to disclose personal data to a third party.
(c) Notify the data controller, not later than seventy-two (72) hours of becoming aware of it, of any personal data breach and provide reasonable assistance to the data controller with any investigation into and any remediation of the personal data breach.
(d) Notify the supervisory authority without undue delay after becoming aware of a personal data breach.
(e) Provide reasonable assistance with any notifications made to any relevant authorities and/or individuals in relation to a personal data breach and assistance to appropriate security measures are adhered to.
(f) Make available to the data controller all reasonable information to demonstrate compliance with the obligations set out in this policy.
14. Dealing with subject access requests
Any data subject may make a formal request for information that we hold about them in writing. We will not charge a fee for provision of this information; however, we may charge a nominal admin fee for further copies or access.
Data subjects have the right to receive personal data concerning him/her in a structured, commonly used and machine-readable format. In exercising his or her right to data portability the data subject shall have the right to have the personal data transmitted from one controller to another where technically feasible.
We will respond to written subject access requests within a reasonable period, but in any event no longer than thirty (30) days from the date of receipt.
All employees who receive a written request from a data subject will forward the request to the Data Protection Compliance Manager.
15. Providing information over the telephone
All employees dealing with telephone enquiries will be careful about disclosing any personal information held by us. In particular they will:
(a) Check the caller’s identity to make sure that information is only given to a person who is entitled to it.
(b) Suggest that the caller put their request in writing if they are not sure about the caller’s identity and where their identity cannot be checked.
(c) Refer to the Data Protection Compliance Manager for assistance in difficult situations. No one should be bullied into disclosing personal information.
16. Monitoring and review of the policy
This policy is reviewed annually by the Data Protection Compliance Manager.
We will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives.
In addition to our obligations set out in this policy, Our data protection position specifically relating to the provision of TjeKvik is set out in our GDPR Statement for TjeKvik Dealers.