1. Data responsibility
It is our ambition to minimize the processing of your personal data as much as possible and to establish as high a degree of transparency as possible regarding the data processed.
In this policy, we will explain what personal data of yours we process, how the processing takes place and what rights you may exercise in this connection.
Please feel free to contact us if you have questions or other queries relating to the processing of your personal data. Our contact details are included in the last section of this policy.
The processing of your personal data takes place in compliance with the principles and as prescribed in the rules of the General Data Protection Regulation in force from time to time, including as implemented and supplemented in the data protection legislation.
2. Processing operations
We only collect, process and store the personal data that are necessary for the agreed purpose. In addition, we may be obliged by legislation to collect and store certain data, or it may be necessary to collect the data with a view to performing a contract or meeting another legal obligation.
2.1 Processing of customer data
We collect, process and store personal data regarding the cooperation with our customers. We only collect the personal data that are necessary for the agreed purpose and we only ask our customers to share personal data if necessary for the purpose.
What data do we collect?
General personal data, including details concerning name, address, telephone number and email address for personal customers as well as name, title, telephone number and email of any contact persons with the customer. In addition, we might collect information about our personal customers, e.g. in the form of a copy of their passport, national health insurance card or driving license.
Purpose of and basis for collecting the data
We process general personal data with the purpose of performing the contract with our customers, including supplying the agreed goods and services and invoicing them.
Tomex is subject to the rules in the Danish Act on Measures to Prevent Money Laundering and Financing of Terrorism (the Danish Anti-Money Laundering Act). Therefore, we process data appearing from passports, national health insurance cards and/or driving licences, e.g. civil registration number (CPR), in compliance with the customer-knowledge procedures of the Danish Anti-Money Laundering Act to the extent necessary for Tomex to meet the legal obligations to which Tomex is subject.
2.2 Suppliers and business partners
We collect, process and store personal data about our supplies and business partners, including personal data about persons employed with suppliers and business partners.
What data do we collect?
We only process general data, including contact details.
Purpose of and basis for collecting the data
We process the data for use in our contract management and to receive goods and services from our suppliers and, where relevant, to deliver the agreed goods and services to our customers. Our basis is to perform the contract to which the data subject is a party. If the data subject is not a party to the contract, our basis for processing the data is an objective requirement for being able to perform the contract with a supplier or business partner.
2.3 Visitors at www.tomex.dk
2.4 Applicants for jobs with Tomex
When you apply for a job with Tomex, the data you have provided to Tomex regarding your application will be processed. Such data will typically be general personal data such as name, address, telephone number and email address, information about educational background and information about present and previous employments.
We use this information to assess whether we wish to offer you a job, and to communicate with you regarding the recruitment process. Your data are stored in our HR system. Only relevant managers, the HR department and IT administrators have access to your data.
Applications from candidates who are not offered a job will be erased 6 months, at the latest, after we have turned down your application.
In certain cases, we may disclose your personal data if required according to a court ruling or applicable legislation.
The Company protects your personal data and has adopted internal rules on data security, which include instructions and measures to protect your personal data against unauthorized disclosure and unauthorized access.
The Company has established procedures for granting access rights to those of our employees who process sensitive personal data. The actual access is controlled through logging and supervision.
To prevent data loss, our data are regularly backed up.
In several cases, the Company uses external suppliers, e.g. IT suppliers, insurance companies, payment solutions etc. with whom we share personal data. We have concluded data processing agreements with these suppliers. This way, we ensure a high level of protection of your personal data.
4. Disclosure of personal data
We only disclose personal data when we have a legitimate basis for doing so.
4.1 Third parties i.a. comprise:
- Group companies
- IT suppliers
- Insurance companies
- Accountants and auditors regarding audit engagements and/or consulting
- Lawyers regarding consulting
- Public authorities
Any disclosure of personal data must be based on professional requirements and generally be necessary in order to safeguard a legitimate interest on your or the Company’s part. Disclosure for purposes that are incompatible with the purposes on which the Company’s processing is based may not take place.
In certain cases, the Company may be obliged to disclose personal data according to legislation or a decision made by a public authority. We only disclose personal data when we are obliged to do so.
5. Period for processing of personal data
We store your personal data until there is no longer any purpose thereof and the Company no longer has any legitimate basis for or legitimate interest in continuing to store the data. The storage period is determined according to the obligations to which Tomex is subject pursuant to other legislation and other public authorities and to secure documentation.
You have several rights according to the General Data Protection Regulation.
These rights are:
- You have a right of access to the personal data we process about you.
- You have a right to have the personal data we have registered about you rectified and updated.
- You have a right to have the personal data we have registered about you erased. If you wish to have your personal data erased, we erase all data which we are not required to store according to other legislation.
- If the processing of personal data is based on your consent, you have a right to withdraw the consent, which means that the processing will subsequently cease, unless we are required to process the personal data under other legislation.
- You have a right to data portability to a third party.
Your access to exercising the above rights may, however, be limited by the consideration for the protection of other persons’ privacy, of trade secrets and intellectual property rights.
You may submit a written request to Tomex, requesting either a transcript of your personal data, an updating of your personal data or the erasure of your personal data. The request must be signed by you and include your name, address, telephone number, email address and identify the company in the group you have dealt with, including state any project or other purpose of the processing of your data, e.g. mailing list, job applicant etc.).
Within 1 month after receiving your request for a transcript, we will forward the transcript to your postal address.
If you request a rectification and/or erasure of your personal data, we will examine whether the conditions are met and in such case effect the rectification or erasure as soon as possible.
Tomex can be contacted as per the contact details below with regard to the personal data of which the Company is the controller:
Tomex Danmark A/S
Telephone: +45 96313131
If you wish to complain about our processing of personal data, you may send an email specifying your complaint to firstname.lastname@example.org. We will then consider your complaint and contact you.
You may also lodge a complaint with the Danish Data Protection Agency regarding your rights and about the Company’s processing of your personal data. See the website of the Danish Data Protection Agency for further information on how to lodge a complaint with the Danish Data Protection Agency www.datatilsynet.dk.
Last updated on 25 May 2018