Approved by DIRECTOR 2021 04 12

1. Purpose and Scope

It is one of the fundamental principles of NORDIC HEAT AB and its subsidiaries (together “NORDIC HEAT” or “the Company”) to strictly observe all national and international laws and regulations under which NORDIC HEAT is operating and to maintain high ethical standards in conducting its business. It is the strong belief of NORDIC HEAT’s management that not only the interest of NORDIC HEAT, its employees and various stakeholders, but also the interest of society, is best served by conduct in adherence with a policy which ensures protection of personal data. Therefore, it is the policy of NORDIC HEAT to strictly comply in all respects with the General Data Protection Regulation (“GDPR”), including all national data laws and regulations which strive to protect the individual’s personal data which in any way are controlled, owned or processed by NORDIC HEAT. The GDPR consists of mandatory rules of law, which must be complied with at all times – also prior to the adoption of the first NORDIC HEAT Personal Data Protection Policy. This Personal Data Protection Policy (“Policy”) comes into effect as per the date stated above and is binding on all board members, directors, officers and employees of NORDIC HEAT.

2. Personal Data Protection Policy

a. Data Protection Officer
NORDIC HEAT is considered both Data Controller and Data Processor, and is in that regard responsible for ensuring that personal data is processed in accordance with the applicable laws and regulations. NORDIC HEAT has internally appointed a Data Protection Officer (“DPO”), who is globally responsible for ensuring, and supporting locally, that rules and procedures regarding processing of personal data are observed in the daily business. Any questions in relation to the processing of personal data within the Company can be directed to the DPO.

b. Processing of personal data
NORDIC HEAT processes personal data solely in a business-to-business setup, and does not in any way process consumer data. NORDIC HEAT processes personal data of two categories of data subjects: (1) any and all business partners, customers, suppliers and the like, for which this Policy is applicable, and (2) employees, for which an internal policy is applicable.


c. Types of personal data
As described above, this Policy concerns the processing of personal data of data subject category (1). In this regard NORDIC HEAT will process personal data, which includes, among others: name, contact information, email address, telephone numbers, company where employed, job title, certification of skills.

d. Purpose of processing personal data

NORDIC HEAT collects, stores, processes and deletes personal data for legitimate business purposes in general. For example, when we need to: register in CRM, keep record of certification of skills, send newsletters, have correspondence in relation to projects, distribute technical information / updates in order to identify and comply with our obligations, in order to determine to sue or defend NORDIC HEAT against legal requirements, handle claims.

e. The extent of data
NORDIC HEAT ensures that only personal data necessary for particular purposes are processed. Therefore, only the amount of data needed for each specific purpose is collected. It is ensured that the amount of processed data is not unnecessarily large, the storage time is not too long and only the relevant and necessary employees have access to it. Before processing personal data, NORDIC HEAT will investigate whether it is possible to minimise the amount of personal data. NORDIC HEAT also investigates whether some of the data types we use may be used in anonymous or pseudonymised form. This will be done for all processing, unless NORDIC HEAT’s obligations to public authorities or to daily business operations do not allow it. NORDIC HEAT will only collect, process and store the personal data needed to meet the intended purpose. In addition, it may be decided by law what type of data it is necessary to collect and store for our business operations. The type and extent of the personal data NORDIC HEAT processes may also be required to fulfil a contract or other legal obligation.

f. Control
NORDIC HEAT verifies that the personal data we control, own or process are to the best of our knowledge not incorrect or misleading. NORDIC HEAT also makes sure to update the personal data continuously. NORDIC HEAT’s administration of personal data is dependent on the personal data being correct and up to date, which is why it is important that business contacts, customers, suppliers or the like notify NORDIC HEAT when personal data in these relations should be edited, updated or deleted.

3. Rights of the registered
Anyone whose personal data NORDIC HEAT processes (the “Registered”) has a right of access to the personal data. Furthermore, the Registered has the right to object to the collection and further processing of personal data. Moreover, the Registered has the right to rectification of personal data, or to require NORDIC HEAT to restrict the processing of the personal data. If requested, NORDIC HEAT will delete the personal data which we store and process without undue delay, unless we may continue the processing on another legal basis, e.g. if the processing is necessary to defend a legal claim or to comply with a request from the Registered. Under certain circumstances, the Registered may also request that NORDIC HEAT provide an overview of the personal data in a structured, commonly used and machine-readable format and request to transmit such data to another data controller. If the Registered wishes to exercise the rights as described above, please contact the DPO. If the Registered disagrees with how NORDIC HEAT processes personal data or the purposes for which we process personal data, the Registered may either contact us, take legal action at the ordinary courts or lodge a complaint with the local Data Authorities.

4. Security

To protect personal data against access by unauthorised persons, NORDIC HEAT uses IT solutions that automatically ensure that data is only available to relevant employees. There is also embedded protection against unlimited access to data. NORDIC HEAT has also adopted internal rules on information security in our IT Policy that contain instructions and measures which protect your data against being destroyed, lost or modified, from unauthorised disclosure, and against unauthorised access or knowledge hereof.

5. Transfer

a. Transfer to third parties
As part of NORDIC HEAT’s business, we are required to disclose personal data to third parties. Third parties include, among others: IT suppliers, sub-suppliers, customers, project managers, insurance company, couriers. The disclosure of personal data must be substantively justified and, moreover, necessary for the provision of a legitimate interest of the employee, business partner, customer, supplier or the Company. Processing of personal data incompatible with the purposes which are the basis of the Company's processing must not occur. Regardless of whether NORDIC HEAT transfers personal data to partners resident in countries inside or outside the EU or EEA, we must always ensure that our level of privacy protection will comply with the requirements we have set in this policy and under applicable laws and regulations. Among other things, we ask for data processing agreements, information security and documentation of fulfilment of rights. NORDIC HEAT is aware of the requirements for the content of data processing agreements and we always ensure that the necessary agreements are in place to secure personal data rights.

b. Transfer intercompany
As part of NORDIC HEAT’s business, the disclosure of personal data between the NORDIC HEAT affiliates is a necessity for running the daily business. In order to ensure the highest level of security possible, intercompany data processing agreements are made between all NORDIC HEAT affiliates. Each legal entity being both data controller and data processor means that the agreements are mutual in the obligations of both roles, ensuring that the GDPR and all national data laws and regulations are complied with.

6. Retention


NORDIC HEAT is required to retain certain records of personal data for a specific amount of time. The accidental or intentional destruction of these records during their specified retention periods could result in the following consequences: fines and penalties, loss of rights, obstruction of justice charges, contempt of court charges, serious disadvantages in litigation.

We must retain certain records because they contain information that: serves as NORDIC HEAT’s corporate memory, has enduring business value (for example, they provide a record of a business transaction, evidence NORDIC HEAT’s rights or obligations, protect our legal interests or ensure operational continuity), or must be kept in order to satisfy legal, accounting or other regulatory requirements. We must balance these requirements with our statutory obligation to only keep records for the period required and to comply with data minimisation principles of only keeping data as long as necessary.

7. Storage and deletion records of personal data


a. Storage
NORDIC HEAT’s records of personal data must be stored in a safe, secure and accessible manner. Any documents and financial files that are essential to our business operations during an emergency must be duplicated and/or backed up at least once a day and maintained off site.


b. Deletion
NORDIC HEAT is responsible for the continuing process of identifying the records that have met their required retention period and supervising their deletion. The deletion of personal data, confidential, financial and personnel-related records must be conducted by shredding. The deletion of electronic records must be coordinated with the IT Department / Manager.

8. Implementation and Compliance


Where a NORDIC HEAT company is a participant in any joint venture or commercial sharing arrangement, NORDIC HEAT seeks, as far as practicable, to ensure that the combined service complies with our Policies. In order to ensure that all relevant employees are trained in the content of this Policy, including measures to ensure compliance with this Policy, NORDIC HEAT has implemented training. If you become aware of any suspected or actual breaches of our Policy, please inform the DPO. All reports are treated confidentially and investigated properly and promptly. In case of any questions about this Policy or the applicable legislation, you should contact the DPO. Disregard or breach of the Group Policy by an employee may result in disciplinary action.

9. Amendments

We reserve the right to amend this privacy policy based on substantial changes in the
legislation, new technical solutions, new or improved functions and to improve the website