GDPR – Personal data

Addendum to customer agreement regarding personal data

Duty of disclosure – GDPR

Identity and contact details of the company as data controller: DB360.dk

/ Bilagseksperten IVS
Hærvejen 8
DK-6230 Rødekro

CVR no. 36 68 67 07

Tel. (+45) 88 70 70 49 / (+45) 74 74 74 76
E-mail: info@db360.dk / info@bilagseksperten.dk

The use of a data protection officer is not relevant.

The purpose of registering the company’s personal data is to assess whether the data controller can enter into an agreement/contract with the company for the service requested by the company and subsequently fulfil the agreement and also for the data controller to keep the company informed of other services that may be of interest to the company (marketing). The information may include name, e-mail, civil registration number, address, gender, age, interests, education, results of internet searches, trade union affiliation, etc. The basis for the registration is the customer agreement, the company’s consent and legislation, including the Danish Bookkeeping Act, the Danish Money Laundering Act, etc. The recipients of the information are the customer managers with the data controller and staff in the bookkeeping company which will resolve the tasks. The data will not be transferred to countries outside the EU/EEA or to international organisations. The data controller transfers certain statutory data to the Danish Tax Agency, the Danish Business Authority, payroll agencies, banks and data processors. The data controller may obtain information from authorities (the Danish Tax Agency, the Danish Business Authority, payroll agencies, etc.).

The company shall be entitled to gain insight into the data that is stored. The company shall be entitled to request rectification of data. The company shall be entitled to object to processing. The company shall be entitled to data portability. The data controller shall only use the necessary cookies for technical reasons o the user’s equipment in connection with using the data controller’s homepage. The information is stored until any potential legal asset claims have expired. After this, the data controller shall store the information for marketing purposes unless the company notifies the data controller that the company does not want to be contacted by the data controller and then the information shall be deleted as soon as possible. However, the information shall at minimum be stored for five years after the end of the customer relationship plus the current year due to the provisions of the Danish Bookkeeping Act, etc. The company shall be entitled to revoke its consent. The company shall be entitled to submit a complaint to the Danish Data Protection Agency. There are no automated decisions, including the use of profiling. The company shall be entitled to request that personal data be deleted. The company shall be entitled to request a limiting of the processing of personal data.

Duty of disclosure – The Danish Money Laundering Act

The data controller is obliged to collect information in accordance with the provisions of the Danish Money Laundering Act and in this context:

• There is retrieved identity and control information and copies of shown identification documents when establishing the customer relationship.
• There is retrieved documentation for and registrations of transactions that are completed as part of a business connection or an one-off transaction. In the event that there is a suspicion that the company is laundering money, there will be retrieved documents and registrations regarding completed investigations.
• The company is notified that the retrieved information about the company will solely be used to fulfil the data controller’s obligations pursuant to the Danish Money Laundering Act and not, for example, for marketing purposes.
• The company will be notified that information may be passed on to SØIK (State Prosecutor for Special Crime) in the event that there are suspicions of the company being involved in money laundering. The company shall be entitled to insight into the information that is registered. The information shall be stored for five years and will be deleted five years after the last engagement with the company.

Data processor

To the extent that the data controller processes personal data on behalf of the company in connection with the performance of tasks for the company, the data controller is a data processor, cf. the applicable personal data regulation, if the data controller processes the data solely on behalf of the company. Where applicable, the data controller as data processor shall only process the personal data in accordance with the data controller’s instructions.

The information may include, among other things, civil registration numbers, names, addresses, position, salary, tax and pension information, union affiliations and account numbers. The data controller shall, at the data controller’s request, provide the data controller with sufficient information to enable the data controller to ensure that the data controller has taken the necessary technical and organisational security measures to prevent the data from being accidentally or illegally destroyed, lost or impaired, becoming known to unauthorised persons or otherwise processed in violation of the personal data legislation in force at any given time. The data controller shall, as far as possible, assist the company, if required, in fulfilling the data controller’s obligation to respond to requests to exercise the rights of data subjects. The data controller shall keep a copy of the data and services provided in accordance with the Danish Data Protection Act.

Use of sub-processors
Before transferring personal data to a sub-processor, the data controller must have entered into a data processing agreement that binds the sub-processor according to the provisions of this agreement. The data controller is not entitled to transfer or disclose personal data to third parties without the prior authorisation from the company unless such disclosure or transfer is required by law. The data controller or a sub-processor may not process personal data outside the EU/EEA without written consent from the company.

Backup copies
The data controller makes backups of all data, which the company consents to by entering into this agreement. The above section on data processing and sub-processors also applies. The data controller is obliged to ensure that a data processing agreement has been entered into with the sub-processor responsible for the backup, which obliges the sub-processor to comply with the provisions of this agreement.

Authorisation/consent for the collection of personal data

I confirm on behalf of the company and the owners that the data controller may collect information about the company and the owners that is necessary for the data controller to assess whether an agreement/contract can be concluded for the service requested by the company, and that the data controller regularly informs the company about other services that may be of interest to the company (marketing). The information may include names, civil registration numbers, addresses, email, gender, age, interests, education, internet search results, union affiliations, etc.

The company is aware that the company can withdraw its consent. The company is aware of its entitlement to have inaccurate information rectified. The company is aware of its entitlement to gain insight into what data is processed. The company is aware of its entitlement to have registered information deleted and that the company must contact the data controller to exercise this entitlement. The company is aware that giving consent to this is voluntary.

The company accepts the above concerning the duty of disclosure, the data processor and the Danish Money Laundering Act and that the data controller shall store data, including sensitive data.