Data protection and privacy policy

 

Data controller
ComplyCloud ApS
Vesterbrogade 6 D, 3.
1620 København V
Denmark
Company Registration Number: 35813764

 

1. Introduction

1.1 This data protection and privacy policy (hereinafter the “Policy”) describes how ComplyCloud ApS (hereinafter “us”, “we” or “our”) as data controller(s) collect and process personal data about you in connection with your use of our website and our services.

1.2 The Policy is formulated and made available to you in order for us to comply with the EU General Data Protection Regulation (2016/679 of 27 April 2016) (hereinafter “GDPR”).

 

2. Gathering of data via use of cookies

2.1 When you visit our website(s), we collect information and data about you via the use of cookies after collecting your consent hereto. This information and data include browser type and IP address (hereinafter “Cookie Data”). We use Cookie Data to improve the website(s) and the user experience. We disclose and/or share Cookie Data with Google Analytics.

2.2 Irrespective of the above, the collection of personal data via cookies will be done in accordance with the cookie order (no. 1148 of 9 December 2011), § 3.

 

3. Personal data we collect about you

3.1 When you purchase our services or products, use our websites or sign up for newsletters or the like, we may, depending on the specific circumstances, collect and process a number of personal data about you to complete your use or order of our services or products. These personal data include the following: name, address, telephone number, e-mail, username, password, purchasing history, invoicing and bookkeeping data and documentation, account status (customer points, payments etc.), payment card details. If you disclose or send us other personal data voluntarily, we will also process such data in accordance with this Policy.

3.2 We do not process your personal data for other purposes than what is indicated in section 3.1 and 3.3.

3.3 We do not process personal data about children under 13 years old.

3.4 We do not collect or process sensitive personal data (so-called “special categories of personal data”) about you.

 

4. Legal basis for processing

4.1 We only collect and process your information and data in accordance with applicable law, including GDPR. Our collection and processing of your personal data is done based on the following legal basis:

4.1.1 if we have asked for your consent, when you have given consent hereto, cf. GDPR, article 6 (1) (a);

4.1.2 when the processing is necessary for the performance of a contract you have with us, cf. GDPR, article 6 (1) (b);

4.1.3 when the processing is necessary for our compliance with applicable legal obligations, cf. GDPR, article 6 (1) (c); and

4.1.4 when the processing is necessary for the purposes of our legitimate interests, cf. GDPR, article 6 (1) (f), including the following legitimate interests: prevention of fraud and improper use of our products, services or websites and to improve our products, services and websites.

4.2 If we process sensitive personal data (so-called “special categories of personal data”) about you, the processing will only take place if it is permitted by GDPR, including but not limited to the following instances:

4.2.1 the processing is based on your explicit consent in accordance with the GDPR, article 9 (2) (a);

4.2.2 the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of us or you in the field of employment and social security and social protection law in so far as it is authorized by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of you, cf. GDPR, article 9 (2) (b);

4.2.3 the processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity, cf. GDPR, article 9 (2) (f); or

4.2.4 if you have on your own initiative disclosed the information to us, cf. GDPR, article 9 (2) (e).

4.3 If we send direct marketing to you, including by e-mail, we will ask for your prior consent in accordance with the applicable Marketing Act.

4.4 If we process your personal data based on your consent, you can always withdraw your consent by contacting us at the contact details listed at the bottom of this policy. If you withdraw your consent, we will delete the personal data we processed on the basis of your consent unless they can or must be processed, for example, to comply with a legal obligation.

 

5. Disclosure and transfer of your personal data

5.1 From time to time we use external companies as suppliers to deliver and assist us in delivering our services. The external suppliers will not receive or process your personal data unless the applicable law allows for such transfer and processing.

5.2 Where the external parties are data processors, the processing is always performed on the basis of a data processor agreement in accordance with the requirements hereto under GDPR.

5.3 Where the external parties are data controllers, the processing of your personal data will be performed based on said external parties’ own data privacy policy and legal basis, of which you will be informed unless the applicable legislation allows otherwise.

5.4 We transfer personal data to suppliers and/or partners in the USA. These transfers of personal data are done on the basis of the recipients’ certification under the “EU-U.S. Privacy Shield” and/or the “Swiss-U.S. Privacy Shield”. You can read more about Privacy Shield at the website of the Danish Data Protection Authority or on www.privacyshield.gov. We transfer your personal data to the following third countries outside the EU/EEA: We use Google Analytics, which can transfer, store or process personal data in the United States of America and can transfer the personal data to third parties. The transfers are done on the basis of our entering into the standard contractual clauses adopted by the EU Commission with the relevant third parties, under which an adequate level of data protection and security is established.

5.5 We only pass your personal data to others if the law allows it or requires it. We are part of a concern and have subsidiary companies in several countries. Within the concern, the companies will from time to time and when relevant share personal data across the concern in other EU/EEA countries and process the personal data as data processors or data controllers, depending on the specific circumstances.

5.6 If you have any questions about our use of data processors, cooperation with other data controllers, including subsidiary companies, or transferring of data to third countries, please contact us for more information or documentation of our legal basis for said transfers.

 

6. Deletion and retention

6.1 We ensure on an ongoing basis that your personal data is deleted once the personal data is no longer relevant for us to follow our legitimate purposes. We do, however, retain your personal data to the extent that the applicable law obliges us hereto, as is the case with for example accounting and bookkeeping materials and records. If you have any questions about our retention of your personal data, please contact the email mentioned at the bottom of this Policy.

 

7. Your rights as a data subject

7.1 As a data subject under GDPR, you have a number of rights that we can assist you with. Your rights include the following:

7.1.1 You have the right to access information about what personal data we process about you, for what purposes we process the personal data and whether we disclose or transfer your personal data to others.

7.1.2 You have the right to have incorrect information rectified.

7.1.3 In certain cases, you have the right to deletion of certain of your personal data.

7.1.4 You may, in certain cases, have the right to restriction of our processing of your personal data.

7.1.5 You are under certain circumstances entitled to so-called data portability of the personal data you have provided to us.

7.1.6 You may, in certain cases, have the right to object to our processing of your personal data based on reasons and circumstances that pertain to your particular situation.

7.2 If you wish to make use of your rights as described above, please use the contact details provided at the end of this Policy.

7.3 We strive to do everything to meet your wishes regarding our processing of personal data and your rights as a data subject. If you despite our endeavors wish to file a complaint, you can do so by contacting the national Data Protection Agency.

 

8. Changes to this Policy

8.1 The rapid development of the internet and available technology means that changes in our processing of personal data may become necessary. We therefore reserve the right to update and amend this Policy. If we do, we correct the date and the version at the bottom of the page. In case of significant changes, we will notify you in the form of a visible notice on our website or by direct message.

 

9. Contact

9.1 If you have questions or comments about this Policy or if you would like to invoke one or more of your rights as a data subject, please contact us at info(at)complycloud.com.

 

This is version 1, last updated 24.09.2018 10:37.

 

Yours sincerely,
ComplyCloud ApS