GDPR Privacy Policy
What terms do we use in Privacy Policy?
Personal data – data of a person who can be identified by the use of such data. This Privacy Policy explains how we use the personal information you provide to us.
xrNORD/We – xrNORD, cvr : 43396323, Hægvej 11 8250, Denmark
You, Yours – any natural person whose Personal data we process and to whom this Privacy Policy applies.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
Website – our website and its subpages: https://www.xrnord.com/
Recipients – entities to whom we may transfer a part of your personal data, in connection with the performance of certain activities or services by them on our behalf. They may not do anything about your personal data until we have instructed them to do so, and only to the extent we have indicated. They will store your personal data securely and only for as long as we indicate or as required by applicable law.
Cookies – the so-called Internet cookies, i.e. tiny information recorded by the server on your computer disc in the form of small text files. Cookies make it possible to recognize the User’s device during the next visit, providing access to certain functions and allow us to understand how he navigated the site.
Privacy Policy – this policy sets forth the principles governing cookies and processing and protection of personal data.
Whose data does the privacy policy apply to?
Privacy Policy defines the method of collecting, processing and storing personal data of:
-
job candidates
-
employees
-
contractors
-
clients/suppliers
-
employees or persons representing clients
-
newsletter subscribers
-
correspondents
-
participants of meetup events
Who will be your data controller?
The controller of your Personal data: xrNORD with registered office in Aarhus, Denmark (hereinafter referred to as “xrNORD” or “we”) at Hægvej 11, 8250. This means that we decide for what purpose the personal data you have provided to us are processed. We want you to know that we make every effort to keep your personal data safe. We do not provide personal data entrusted to us for a fee. You can contact us directly for information regarding the protection of your personal data at: sw@xrnord.com
How do we process personal data?
Personal data is processed in accordance with the GDPR. The Personal data collected by xrNORD will be:
-
processed in accordance with the law
-
collected for specified, lawful purposes and not subjected to further processing incompatible with these purposes
-
factually correct and adequate in relation to the purposes for which they are processed
-
stored no longer than it is necessary to achieve the purpose of processing.
Detailed information on how we process your data in specific processes can be found in the section: “For what purposes, on what legal grounds and for how long do we process your Personal data?”
What data are we talking about?
We collect information about you when you provide it to us yourself or when you use our services, including the services and other functionalities provided by xrNORD on the Website and stored in cookies that are installed on our website, as well as the data we have obtained from publicly available sources, such as social media or through third parties that have suggested that we contact you. If you then decide to cooperate with us, additionally there will be all personal data you provide us with.
For what purposes, on what legal grounds and for how long do we process your personal data?
Information for job applicant
Providing personal data is mandatory based on the law, and in the remaining scope is voluntary. Without providing mandatory data, it is not possible to conclude an employment contract.
Information for job employee
Conclusion and performance of an employment contract
article 6 sec. 1 pt. b) GDPR and article 221 of the Labor Code
The data will be processed for the time necessary to perform the concluded contract, the limitation period for claims arising from it and the period of storage of related settlement documents
Period of processing
Legal basis
Purpose of processing
The data will be processed for the time necessary to perform the concluded contract, the limitation period for claims arising from it and the period of storage of related settlement documents
article 6 sec. 1 pt. c) GDPR and article 74 of the Accounting Act and others concerning taxpayers (processing is necessary for compliance with a legal obligation to which the controller is subject)
Keeping accounting and tax documentation
The data will be processed for the period of limitation of potential claims (3 years from the date on which the claim became due)
article 6 sec. 1 pt. f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller)
Pursuing claims and protection against claims
The data will be processed until an effective objection is raised by the data subject
article 6 sec. 1 pt. f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller)
Ensuring the safety of employees, protection of property, as well as maintaining the secrecy of information, the disclosure of which could expose the employer to damage
The data will be processed until an effective objection is raised by the data subject;until the consent is withdrawn, until the terms of the contract expire, and then for the period of limitation of potential claims (3 years from the date on which the claim became due)
article 6 sec. 1 pt. a) GDPR (consent)
article 6 sec. 1 pt. b) GDPR (processing is necessary for the performance of a contract of employment)
article 6 sec. 1 pt. f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller)
Organization of training for employees
The data will be processed for the period resulting from the provisions of law, i.e. for a period of 10 years, counting from the end of the calendar year in which the employment relationship was terminated or expired.
article 6 sec. 1 pt. c) GDPR (processing is necessary for compliance with a legal obligation to which the controller is subject)
Performance of obligations arising from health and safety regulations, i.e. on determining the circumstances and causes of accidents at work
Providing personal data is mandatory based on the law, and in the remaining scope is voluntary. Without providing mandatory data, it is not possible to conclude a contract.
Carrying out the recruitment procedure in the scope of data indicated by the provisions of the labor law and taking the necessary actions to conclude a contract with the selected candidate
article 6 sec. 1 pt. b) GDPR
The data will be processed:
– for the time necessary to perform the concluded contract, the limitation period for claims arising from it and the period of storage of related settlement documents,
– for the period required by law in order to fulfill the obligations arising from the regulations until these obligations are fulfilled
Period of processing
Legal basis
Purpose of processing
The data will be processed:
– for the time necessary to perform the concluded contract, the limitation period for claims arising from it and the period of storage of related settlement documents,
– for the period required by law in order to fulfill the obligations arising from the regulations until these obligations are fulfilled
article 6 sec. 1 pt. c) GDPR and others concerning taxpayers article 6 sec. 1 pt. c) GDPR (processing is necessary for compliance with a legal obligation to which the controller is subject)
Keeping accounting and tax documentation
The data will be processed until the end of the recruitment process, no longer than 12 months from the receipt of the candidate’s application by the Controller or for the period indicated in the possible consent for future recruitments (no longer than one year from the end of the recruitment process).
Pursuing claims and protection against claims
Information for contractors
Providing personal data is mandatory based on the law, and in the remaining scope is voluntary. Without providing mandatory data, it is not possible to conclude an contract.
Information for clients & suppliers
Establishment of commercial contacts – sales
article 6 sec. 1 pt. f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller)
Until an effective objection is raised in connection with a special situation of the data subject
Period of processing
Legal basis
Purpose of processing
Until the termination/expiry of the agreement subject to the time limits for any claims (6 years after the date of termination)
article 6 sec. 1 pt. b) GDPR
Conclusion and performance of the sales agreement
Until the termination/expiry of the agreement subject to the time limits for any claims (6 years after the date of termination)
article 6 sec. 1 pt. f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller))
Handling the enquiries of prospective and existing Clients, including claims/complaints
5 years after the end of the calendar year in which the tax was due
article 6 sec. 1 pt. c) GDPR and others concerning taxpayers (processing is necessary for compliance with a legal obligation to which the controller is subject)
Maintenance of accounting and tax documentation
Respectively for the period of limitation/expiry of claims inherent in the legal relationship, 6 years after the date of issue of the order
article 6 sec. 1 pt. f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller)
Debt collection
Respectively for the period of limitation/extinction of claims inherent in the legal relationship (at least 6 years after the date of termination of cooperation)
article 6 sec. 1 pt. f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller)
Investigation of claims and protection against claims
until withdrawal of consent.
article 6 par. 1 item a of GDPR in connection with Article 10 of the Act on the provision of electronic services and Article 6 par. 1 item f of GDPR)
Direct marketing of own products and services
Providing personal data is voluntary but without providing data, it is not possible to conclude an contract.
If the data were not obtained directly from you, this means that the source of origin of the data is your employer or an entity represented by you.
article 6 sec. 1 pt. f) GDPR
The data will be processed for the term of the agreement
Period of processing
Legal basis
Purpose of processing
For the period of limitation of potential claims (6 years after the end of cooperation)
article 6 sec. 1 pt. f) GDPR
Establishment and investigation of claims and damages, defence against possible claims
Ongoing handling of the agreement concluded
Information for employees or persons representing clients
Providing personal data is voluntary but without providing data, it is not possible to send a newsletter.
article 6 sec. 1 pt. a) GDPR
Until withdrawal of consent by the data subject.
Withdrawal of the consent does not affect lawfulness of processing performed prior to the withdrawal.
Period of processing
Legal basis
Purpose of processing
Sending messages from various fields in the form of a newsletter which is a form of direct marketing of the Controller’s products or services
Information for newsletter subscribers
article 6 sec. 1 pt. f) GDPR
Until an effective objection is raised, with due observance of the time limits for possible claims (6 years from the date of termination of contact)
Period of processing
Legal basis
Purpose of processing
Recording of correspondence and responding – processing is necessary for legitimate purposes of the Controller consisting in fulfilling timely responses to letters, ensuring the quality of cooperation with contractors and other stakeholders
Information for correspondents
article 6 sec. 1 pt. a) GDPR
Until withdrawal of consent by the data subject.
Withdrawal of the consent does not affect lawfulness of processing performed prior to the withdrawal.
Period of processing
Legal basis
Purpose of processing
Organization and running of meetups
Information for participants of meetup events
To whom can we share the data?
Your personal data may be transferred to processing entities that provide services to the Controller on the basis of entrustment agreements concluded with them (IT service providers, including hosting and services supporting HR processes, as well as operators of recruitment portals).Subject to applicable law, we may also transfer your data to other controllers entitled to obtain data under applicable law, such as courts or law enforcement agencies, only if they make a request on an appropriate legal basis, of course.
Is providing personal data voluntary?
Providing your data is mainly voluntary. We require you to provide personal data only at the stage of entering into an agreement with us (e.g. in the scope of sending a newsletter or e-book), and then in connection with the need to settle it (i.e. for accounting, tax or protection against claims). Detailed information in this regard is indicated above in the information for specific categories of persons.
What are your rights regarding your data?
In connection with the processing of personal data, pursuant to the principles set forth in the provisions on the protection of personal data, including the GDPR, you are entitled to certain rights, including:
-
The right to access your data, i.e. the right to obtain confirmation from the xrNORD as to whether or not your personal data is being processed by us, or to obtain a copy of your personal data. This is to ensure that you are aware of and able to check how the xrNORD uses your personal data. We may refuse to provide a copy of your personal information where this could adversely affect the rights of another person;
-
The right to rectification, i.e. the right to request the xrNORD to rectify any personal data that is inaccurate or incomplete without delay (e.g. where the xrNORD processes your incorrect name or address);
-
The right to delete your data (also known as the “right to be forgotten”) – it enables you to request the deletion of your personal data if, for example, your data was used illegally, or your consent was withdrawn (if it was the only reason for processing your data). However, the “right to be forgotten” does not constitute an absolute right to erasure of personal data as there are certain exceptions to this right, e.g. where we still need to use the data to establish, pursue or defend legal claims or to fulfill a legal obligation (e.g. under accounting or tax law);
-
The right to restrict processing – you have the right to prevent us from further using your personal data if, for example, the xrNORD is in the process of evaluating a request for rectification of your data. If the processing of personal data is restricted, xrNORD may still store your personal data, but may not further actively use it (e.g. for the purpose of fulfilling a contract);
-
The right to data portability – you have the right to receive the personal data concerning you, which you had provided to a us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the us, provided: a) the processing is based on consent or on a contract and b) the processing is carried out by automated means.
To the extent that the processing of your personal data is based on a legitimate interest, you have the right to object to the processing of such data. However, the xrNORD may continue to process personal data where it is able to demonstrate valid and legitimate grounds for processing overriding your interests, rights and freedoms or where necessary to establish, pursue or defend a claim.
To the extent that the processing of your personal data is based on consent, you have the right to withdraw your consent at any time. The consent withdrawal shall not affect the lawfulness of the processing that has been carried out on the basis of the consent prior to the withdrawal.
If you would like to exercise any of these rights, simply email us at: sw@xrnord.com
Do we transfer your data to countries outside the European Economic Area?
As a rule, your personal data will not be transferred outside the EEA or made available to international organizations. However, if the controller uses service providers from outside the EEA area, which have not been recognized by the European Commission as ensuring an adequate level of personal data protection, the transfer of personal data to the above-mentioned entities is carried out ̨ on the basis of standard data protection clauses which ensure appropriate safeguards in the field of protection of privacy and rights and freedoms people whom applies to. A copy of the Standard Contractual Clauses can be obtained from the controller.
Do we process your data automatically?
Please be advised that we do not make automated decisions, including those based on profiling.
What about Cookies?
We use Cookies on the end device of the User (e.g. computer, tablet, smartphone). Cookies may be read by the xrNORD IT system. We gain access to the information contained in Cookies for statistical purposes and to ensure the proper functioning of the website, in particular to maintain the session after logging in.
Importantly, we want you to know that:
-
The internet browser configuration is possible to prevents storage of cookies on the User’s end device.
-
The User may delete Cookies after they are saved by the xrNORD through: relevant features of the web browser, software intended for that purpose or using appropriate tools available under the operating system of the User.
Please be notified however that change to the web browser configuration that prevents or limits the Cookies storage on the User’s end device may impair the functionality of the services provided. Similar effects may occur when deleting the Cookies in the course of the service provision.
Information on how to delete Cookies in the most popular web browsers are included in the following links:
Use of Google Analytics for website analysis
This website operator notifies that in order to collect and analyze aggregated information on the portal use, it uses the Google Analytics service. Please visit this location to learn more about how this service collects and processes data.
Using Disqus for comments
The data is transferred to Disqus on the basis of your agreement with Disqus, which allows you to use Disqus. The purposes and duration of data processing in Disqus are determined by Disqus itself which we cannot influence.
In this case, your data is processed on the basis of your consent resulting from a comment addition. The data is processed solely for the purpose of publishing the comment on the blog. Some of the data (name and surname, profile photo) will be publicly available on the blog next to your comment.
Use of Hubspot for form management, website analysis and users tracking
This website operator notifies that they use the Hubspot platform to collect and analyze aggregated information about website users. Please visit this location to learn more about how this service collects and processes data.
Should I still know something?
For matters not covered by these Policy, provisions of law and particularly of the Act on provision of services by electronic means, the Act on personal data protection, the Civil Code and GDPR shall apply. xrNORD reserves the right to modify the Policy due to significant reasons. The following shall be deemed significant reasons: introduction of new, amendments to the existing legislation, adaptation to changes introduced by xrNORD. xrNORD notifies of the content of the changes by publishing a notice on the change of Policy at www.xrnord.com
The competent court for any disputes arising from the application of this Policy shall be the competent court under the applicable laws.
The date of the last version of the policy is March 15th, 2023.
Carrying out the recruitment procedure in the scope of data indicated by the provisions of the labor law and taking the necessary actions to conclude a contract with the selected candidate
article 6 sec. 1 pt. b) GDPR;
The data will be processed until the end of the recruitment process, no longer than 12 months from the receipt of the candidate’s application by the Controller or for the period indicated in the possible consent for future recruitments (no longer than one year from the end of the recruitment process).
Period of processing
Legal basis
Purpose of processing
The data will be processed until the end of the recruitment process, no longer than 12 months from the receipt of the candidate’s application by the Controller or for the period indicated in the possible consent for future recruitments (no longer than one year from the end of the recruitment process).
article 6 sec. 1 pt. a) GDPR (ordinary data) or in accordance with article 9 sec. 2 pt. a) GDPR (data of a special category, e.g. data on health or degree of disbility)(consent);
Including additional data in the recruitment process based on your consents, including personal data provided other than those resulting from legal provisions
The data will be processed until the end of the recruitment process, no longer than 12 months from the receipt of the candidate’s application by the Controller or for the period indicated in the possible consent for future recruitments (no longer than one year from the end of the recruitment process).
article 6 sec. 1 pt. a) GDPR (consent);
Participation in future recruitment processes, based on the expressed consent
Providing personal data is mandatory based on the law, and in the remaining scope is voluntary.