Policy for processing and protection of personal data
At Poul Johansen Maskiner A/S, we respect the right to privacy of our customers, employees and business partners, and we acknowledge the need to implement sufficient security measures for the processing of personal data.
1.1 The management of Poul Johansen Maskiner A/S (hereinafter referred to as PJM) owns and approves this policy.
1.2 At PJM, we respect the right to privacy of our customers, employees and business partners, and we acknowledge the need to implement sufficient security measures for the processing of personal data.
1.3 Privacy legislation regulates all matters related to companies’ use of information about physical persons, including customers, employees and suppliers, and protects these persons against unauthorised storage and processing of their personal data.
1.4 This policy describes PJM’s overall strategic goals for processing and protection of personal data. The policy also includes guidelines for reporting lacking compliance with this policy to management. Violating this policy could have consequences for your employment.
2 PURPOSE AND FIELD OF APPLICATION
2.1 It is PJM’s goal to secure and protect personal data. Among other things, PJM will do this by:
(i) ensuring that all processing of personal data takes place in compliance with the principles regarding legal processing of personal data,
(Ii) adhering to the instructions and the practice regularly being published by relevant players, including the Danish Data Protection Agency, and
(iii) ensuring that employees receive relevant training in the processing of personal data.
2.2 PJM processes personal data about customers, supplier and employees at the company, among others. The purpose of this policy is to ensure that PJM ensures the security of personal data and always complies with current legislation for the purpose of protecting all personal data that the company has in its possession.
3.1 PJM uses definitions of concepts related to personal data that are used in current legislation.
3.2 Personal data is defined as any type of information about an identified or identifiable physical person. An identifiable physical person is a physical person who can be directly or indirectly identified, particularly through an identifier or on or more elements that (when seen as a whole) are specific to a physical person’s physical, physiological, genetic, psychological, financial, cultural or social identity.
3.3 Sensitive personal data is defined as personal data regarding race or ethnical origin, political, religious or philosophical persuasion or union affiliation as well as processing of genetic data, biometric data for the purpose of precisely identifying a physical person, information about health or information about a physical person’s sexual relations or sexual orientation.
3.4 The term registered persons refers to the physical persons to which the personal data being processed by the company are related.
3.5 A data controller is a physical or legal person, a public authority, an institution or another agency that determines alone or with others for which purposes and with which aids it is permitted to process personal data. PJM is the data controller regarding the processing of personal data and determines for which purposes and with which aids it is permitted to process the relevant personal data. Typically, this will be the case in connection with processing of employee data as part of staff management, among other things. The data controller is responsible for the processing of personal data living up to the rules of the data privacy legislation and can therefore at worst be liable to pay fines.
3.6 A data processor is a physical or legal person, a public authority, an institution or another agency that processes personal data on behalf of the data controller.
3.7 A third country is a country that is not a member of the European Union (EU) or an EEA country. An unsafe third country is a third country where the European Commission has not made a decision as to whether the third country has a sufficient protection level.
3.8 When this policy refers to “data protection”, it means all the technical as well as organisational security precautions that aim to protect the confidentiality, availability and reliability of personal data.
4 PRINCIPLES FOR PROCESSING OF PERSONAL DATA
4.1 All employees of PJM must adhere to the principles for processing of personal data. Among other things, this means that personal data must be processed legally, fairly and in a transparent way, and the personal data may only be collected for explicitly stated and legitimate purposes.
4.2 Correspondingly, the processing of personal data may only take place if this is relevant and limited to what is necessary regarding the purposes for which the data is being processed. There must be procedures that – in addition to contributing to the personal data being correct and up to date – ensure that personal data is stored in a way that makes it impossible to identify the registered persons for any longer that what is necessary for the purposes for which the personal data in question has been collected and processed.
4.3 Furthermore, there must be procedures that make sure that personal data is processed in a way that ensures sufficient security for the personal data in question, including protection against unauthorised or illegal processing and against accidental loss, destruction or damage, with the use of appropriate technical or organisational precautions.
5 FOUNDATION FOR PROCESSING INCLUDING CONSENT
5.1 All processing of personal data at PJM must be carried out on the basis of a legal foundation for processing. Therefore, it should always be taken into account which legal foundation for processing that applies to the processing.
5.2 Consent is one of the foundations for processing that can be used when PJM processes personal data regarding physical persons.
5.3 When PJM obtains consent for processing of personal data, it is important to ensure that the consent has been given voluntarily, specifically and on an informed basis and constitutes an explicit declaration of the fact that the physical person consents to the processing of personal data regarding the person in question.
5.4 If a person has given his/her consent to PJM processing data regarding this person, the registered person can always withdraw his/her consent. It is important to PJM that it is always respected when a registered person chooses to withdraw his/her consent to processing.
5.5 If a registered person withdraws his/her consent to an express purpose, this means that there cannot be any subsequent processing of personal data regarding the registered person for this purpose.
6 THE RIGHTS OF REGISTERED PERSONS
6.1 It is important to PJM that all registered persons are informed of their rights regarding processing of personal data.
6.2 Furthermore, it is an important focus for PJM to ensure compliance with the rights of all registered persons. All employees that work with processing of personal data at PJM must therefore be informed of the extent of the registered persons’ rights and how they are supposed to handle requests from the registered persons. This is described in specific guidelines.
6.3 All registered persons have the right of access to the processing of their personal data, if they request this. As a rule, the registered persons have the right to be informed of the purpose for which the personal data is being processed, the categories of personal data that are being processed about them, and who will receive the personal data. However, there may be exceptions, which means that there may be limitations to this right in specific situations.
7 USE OF DATA PROCESSORS
7.1 PJM uses a number of subcontractors, and sometimes, personal data is transferred to our subcontractors as part of their delivery of services to PJM. If the subcontractors process personal data on behalf of PJM, this must always take place in accordance with PJM’s instructions, as these subcontractors thus function as data processors. When we let subcontractors process personal data as a data processors, this will not take place until a written processor agreement has been entered into in accordance with current legislation and in accordance with the procedures determined for this at PJM. In this way, we can ensure a high level of protection of personal data that matches the requirements in these guidelines.
7.2 Prior investigation of a new data processor entails a risk assessment that takes the risks associated with the processing into account, specifically in connection with accidental or illegal destruction, loss, change, unauthorised disclosure of or access to personal data.
8 TRANSFER TO THIRD COUNTRIES
8.1 Special rules apply if personal data is to be processed in an unsafe third country. If PJM uses a data processor in an unsafe third country or needs to disclose personal data to a recipient in an unsafe third country, it must therefore always be ensured that the necessary transfer basis exists before the transfer takes place.
8.2 It is important for PJM to ensure that the recipient of the personal data provides the necessary guarantees as to how personal data for which PJM is the data controller is processed when transfer to a recipient in an unsafe third country takes place.
9 RISK ASSESSMENT AND SECURITY
9.1 Management is responsible for an overall risk assessment of threats related to the personal data area for PJM being carried out.
9.2 In connection with this risk assessment, PJM must assess which risks regarding the rights of registered persons – including freedom rights – that are associated with the processing of personal data, and must assess the probability of occurrence of the risk and the seriousness of the risk. The risk is assessed based on the nature, extent, context and purpose of the processing and is evaluated based on objective criteria, after which it is determined whether the processing of personal data involves a low risk or a high risk.
9.3 When assessing the risk, the risks associated with processing of personal data should be taken into account, such as accidental or illegal destruction, loss, change, or unauthorised disclosure of – or access to – personal data that has been transferred, stored or otherwise processed, and which can lead to physical, material or non-material damage.
9.4 The overall risk assessment should result in statement of specific steps that can be implemented at PJM in order to ensure a sufficient security level for data protection. The specific steps can have the purpose of avoiding that the risk in question occurs as well as reducing the consequences of the risk occurring.
9.5 The overall risk assessment must be updated at least once a year and include all significant areas of personal data protection, including specifically:
- System capabilities
• Data governance
• Critical processes for processing of personal data
• Policies and procedures
• Management of data processor agreements
• Management of statements of consent and basis for contracts
• Management of data privacy breach
• Knowledge of personal data area of the organisation
9.6 This risk assessment should function as the basis of reassessment of the effort in the personal data area.
10 FURTHER SPECIFIC GUIDELINES AND PROCEDURES
10.1 Apart from this policy, PJM has drawn up specific guidelines and procedures for processing of personal data, including but not limited to the following:
(i) Instructions for employees
(ii) Erasure policy
(iii) Compliance with duties of disclosure in the HR area
(iv) Record of personal data processing activities
(v) Procedures for handling of requests for access and compliance with other rights
(vi) Procedures for handling of security breaches
(vii) Technical security measures, including guidelines for the way employees use IT
11 COMPLIANCE WITH POLICY AND CONTACT PERSONS
11.1 This policy is to ensure that PJM establishes clear guidelines as stated in section 10.1 regarding the processing and protection of personal data, and the purpose of the use of personal data must be clearly defined in all processing situations.
11.2 In order to ensure support and implementation of this policy, PJM has appointed a unit responsible for ensuring that the guidelines are complied with in the individual company:
HR, IT and Finance
11.3 If questions occur regarding the content of or compliance with the guidelines, the unit shall be obligated to inform management of this.
11.4 Furthermore, lacking compliance with specific guidelines and policies may result in sanctions towards the individual employees.
12.1 Management must be informed if the guidelines in this policy are not complied with and if matters occur regarding this policy that are of significance to PJM’s risk profile in the personal data area.
12.2 The board of directors must be informed at the ordinary directors’ meeting if the guidelines of this policy are not complied with and if matters occur regarding this policy that are of significance to the board’s overall assessment of PJM’s risk profile in the personal data area.
13.1 Management is obligated to revise this policy when it is found relevant and at least once a year.
Personal data about customers
1.1.1 Poul Johansen Maskiner A/S (hereinafter referred to as “the Company”) will continuously be processing various personal data about you electronically/automatically. Therefore, we are obligated to inform you of the data about you that we collect, register, transfer or otherwise process.
1.1.2 When you use the Company’s website or otherwise contact or interact with us, the Company will as the data controller process various personal data about you.
1.1.3 The purpose of the processing of your data is generally administration of your customer relationship, including delivery of agreed services, obligations, etc.
1.1.6 You are always welcome to contact us on firstname.lastname@example.org if you have any questions about our processing of personal data. See section 8 below as well in which we describe your rights and have provided further contact information.
2.1 Representative of a company
2.1.1 When you enter into a contract with us or are an existing customer, business partner, supplier, etc. of the Company, we will create a case regarding you and the company you represent in our IT system. Here, we register various personal data, generally provided by you.
2.1.2 Among other things, we register identification data, including your name, position, latest employer, contact role, department, as well as your contact information, including work telephone numbers, work e-mail addresses, activity history, or other personal data that you provide.
2.1.3 The legal basis for processing your data is our legitimate interest in being able to honour the contract that we have entered with the company that you represent, including being able to contact you and deliver the products/services agreed upon. Furthermore, we can use your contact information when we need to invoice the company that you represent. The legal basis is the data protection legislation, cf. the General Data Protection Regulation (regulation (EU) 2016/679 of the 27 April 2016), article 6:1(f).
2.1.4 We may combine the data in the system with data about other customers, business partners, suppliers, website visitors, etc. in order to produce various types of statistics and statements, among other things.
2.1.5 The legal basis is the Danish data protection act, S 6(1), cf. the General Data Protection Regulation, article 6:1(f). Our legitimate interest is the potential optimisation of our current services or development of new services which the processing is attempting to achieve.
3.1.1 When you contact us, your enquiry may sometimes contain personal data, such as contact information, your association with a specific company or other personal data that you provide. We process this information in order to be able to deal with and respond to your enquiry, among other things.
3.1.2 The legal basis is the Danish data protection act, S 6(1), cf. the General Data Protection Regulation, article 6:1(f). Our legitimate interest is our administration of and reply to your enquiry.
3.2 If you contact us as a private person as part of an existing customer relationship with us, the legal basis may instead be compliance with the agreement we have entered into, cf. the Danish data protection act, S 6(1), cf. the General Data Protection Regulation, article 6:1(b).
3.2.1 If , in your enquiry, you show an interest in one of our products, or if you contact us on behalf a company, we may also register you and the information you give us in our IT system as a potential lead or as a representative of a company in order to be able to contact you with information about and special offers for our products. Then, you will be registered as a contact person for the company you represent.
3.2.2 The legal basis is the Danish data protection act, S 6(1), cf. the General Data Protection Regulation, article 6:1(f). Our legitimate interests are (i) the potential sale of our products that we may achieve by using the data later to contact you about our products, and/or (ii) our interest in being able to contact you as a contact person of the company you represent.
3.2.3 We may also use your enquiry, and thus the personal data it contains, as part of the optimisation of our current services or for the development of new services, for example by producing statistics of enquiries received or by carrying out anonymisation of enquiries received in order to be able to use them later.
3.2.4 The legal basis is the Danish data protection act, S 6(1), cf. the General Data Protection Regulation, article 6:1(f). Our legitimate interest is the potential optimisation of our current services or development of new services which the processing is attempting to achieve.
4.1.1 Sometimes, we may receive personal data about you from third parties, such as your employer or your colleagues. This can for example be your contact information and information about your association with your employer. Sometimes, we may register the data we receive from a third party about you in our IT system or somewhere else as a potential lead or as a representative of a company in order to be able to contact you with information about and special offers for our services as well as to contact you regarding our continuous customer relationship with the company you represent.
4.1.2 Our legal basis for processing data as described in section 4.1.1 is the pursuit of our legitimate interests. Our legitimate interests are (i) the potential sale of our products and/or services, as well as (ii) our interest in being able to contact you, possibly in your capacity as a contact person for the company that you represent. The legal basis is the Danish data protection act, S 6(1), cf. the General Data Protection Regulation, article 6:1(f).
4.1.3 We may also use data received from third parties, and thus the personal data it contains, as part of the optimisation of our current services or for the development of new services, for example by producing statistics of enquiries received or by carrying out anonymisation of enquiries received in order to be able to use them later.
4.1.4 Our legal basis for processing data as described in section 4.1.3 is the pursuit of our legitimate interest. Our legitimate interest is the potential optimisation of our current services or development of new services which the processing attempts to achieve. The legal basis is the Danish data protection act, S 6(1), cf. the General Data Protection Regulation, article 6:1(f).
5.1.1 Some information is stored with our data processors in connection with the operation and IT security tasks (such as backup, hosting of website etc.) we outsource. Storage of data with external business partners (our data processors) is subject to the rules of the General Data Protection Regulation and the Danish data protection act, and data processor agreements have been entered with the data processors, ensuring that your data is not disclosed to unauthorised persons.
5.1.2 Generally, we do not transfer personal data covered by this policy to a third party without your consent, unless we are obligated to do this in accordance with the law, or unless this is necessary to pursue the objectives described above. In that connection, our legal basis for this transfer is the same as described above in connection with our own processing.
5.1.3 Your personal data may in specific cases be disclosed to our external attorneys in order to handle a specific task. This could for example be if the Company needs legal assistance in a case where you are involved and where the relevant personal data is therefore needed by our attorney.
6.1 Erasure policy
6.1.1 At the Company, we have adopted a policy that describes how and when we erase personal data. If you would like to find out more about our erasure deadlines, you are always welcome to contact us in accordance with section 8.
6.2 Request for erasure
6.2.1 When you contact us with the request that your personal data be edited or erased, we will investigate whether the conditions are met, and if that is the case, we will edit or erase the data as quickly as possible.
7.1 In accordance with data protection legislation, you have some rights in connection with our processing of your personal data.
7.2 In that connection, you have the right to:
request access to the data we process about you (in accordance with the General Data Protection Regulation, article 15),
request that we rectify the personal data we process about you (in accordance with the General Data Protection Regulation, article 16),
request that we erase the personal data we process about you (in accordance with the General Data Protection Regulation, article 17),
request that we restrict our processing of your personal data (in accordance with the General Data Protection Regulation, article 18),
request data portability to the extent that this is relevant (in accordance with the General Data Protection Regulation, article 20), as well as
object to our processing of your personal data (in accordance with the General Data Protection Regulation, article 21).
8.1 If you have questions to the above information or your rights in accordance with the data protection legislation, you can contact the Company on: email@example.com.
You can read more about the data protection legislation and your rights on the website belonging to the Danish Data Protection Agency, www.datatilsynet.dk. The Danish Data Protection Agency is the authority that can ultimately decide whether your personal data is being processed legally – for example in connection with a complaint case.
The Danish Data Protection Agency has the following contact information: Datatilsynet, Borgergade 28, 5., DK-1300 Copenhagen K, telephone +45 3319 3200, firstname.lastname@example.org.
How long are cookies stored?
How do I delete cookies?
How can I avoid cookies?
The link shows how you can avoid cookies in the majority of browsers. If you have a browser that is not mentioned in the link, please inform us so we can contact FDIM, the Association of Danish Interactive Media so they can add it to the list. You can always use the help function in your browser to get more information about cookie settings.
What are cookies used for on this website?
Website (user settings)
This website uses first-part cookies to store information about your settings. This could be to manage your shopping basket or remember settings in a search form.
Google Analytics (traffic analysis)
Fårevejle date. maj 25-2018