Purpose

Recruitment

Categories of personal data

Identification and contact information, general information in CV and job application.

Legal ground

Information about the applicant in the application, CV, etc. is processed to assess the applicant’s suitability for the job for which he or she has applied for, prior to the conclusion of a possible employment contract under art. 6(1)(b) GDPR.

No criminal records, personality or cognitive tests nor references from earlier employes are processed.

Retention

Unsolicited job applications and accompanying material will be deleted after they have been read or no later than 3 months from receipt, unless consent is obtained for longer storage, e.g., in connection with future positions.

Requested applications and accompanying material will be deleted after the recruitment round is completed or no later than 3 months after, unless consent is obtained for longer storage, e.g., in connection with future positions.

It may be necessary to keep applications longer than 3 months if, based on the job interview, the correspondence with the applicant or other circumstances, there is a concrete or imminent risk that FORNAV will be met with a claim as a result of the application process, e.g., if an applicant might think that he or she has been rejected due to his or her age or health.

Recipients and potential transfers to third countries

We use Microsoft Office to process job applications and communicate with applicants. The service is provided by Microsoft Ireland Operations Ltd. and configured so that all data is hosted either on FORNAV’s own server or on Microsoft’s EU servers.

Microsoft’s parent company, Microsoft Inc., is located in the United States, and therefore there is a risk that personal data will be transferred to the United States in response to law enforcement requests. However, as Microsoft has certified itself under the EU-U.S. Data Privacy Framework (DPF), such any transfer will be subject to the appropriate safeguards under article 45 GDPR. See https://www.dataprivacyframework.gov/s/.

Purpose

Customer and supplier relationships

Categories of personal data

Licensees: Contact information (registered by partner), MS license no. (registered by partner), information on which partner has registered them, the amount of licenses for FORNAV purchased and the number of licenses for Microsoft Business Central purchased, and information provided through the free text comment field.

Information on use of FORNAV software (both Report Pack and DirectPrint) is gathered and used for technical purposes for instance load balancing, deciding if additional server space/power are needed and to ensure compliance with license terms, as well as more general commercial purposes, ie performance optimization and product improvement.

FORNAV PEPPOL licensees: Contact information, payment information (only with respect to sole proprietorships and small partnerships).

Partners: Contact information, payment information (only with respect to sole proprietorships and small partnerships), and information provided through the free text comment field.

Suppliers: Contact information, payment information (only with respect to sole proprietorships and small partnerships), and information provided through the free text comment field.

Support requesters, either through our website https://support.fornav.com/helpdesk/Tickets/New or through support@fornav.com): contact information, information about support requests (free text field and upload of files)

Legal ground

The personal data is processed under either

Article 6(1)(f) GDPR because it is our legitimate interest to be able to contact customers and suppliers and fulfil contractual relationships, answer support queries, etc

or

Article 6(1)(b) GDPR to the extent necessary to enter into or fulfill a contract with them, and in such case only to the extent the customer or supplier are natural persons or sole proprietorships or smaller partnerships.

Retention

Information on licensees, partners and suppliers is stored for up to 3 years after the end of the licensee, partner or supplier relationship unless longer storage is necessary, for example the rules of the Danish Bookeeping Act according to which accounting material must be stored for 5 years after the financial year following that where the transaction was carried out, or if the information is necessary for a claim that expires later than 3 years.

Personal data about contact persons at potential partners (leads) or suppliers is anonymized (ie deleting personal details on the Contact card in BC and deleting e-mail and other relevant correspondence, ie LinkedIn) where there has been no contact during three consecutive years.

Recipients and potential transfers to third countries

We transfer contact information and information about the customer’s product and payment to the partner through which the customer has purchased FORNAV solutions. This is for billing purposes and to adhere to the agreement between us and the partner. In addition, customer contact information is transferred to our German partner company, FORNAV Deutschland GmbH to keep a central record of group customers. Also, customer information may be transferred to our external consultants located in the EU when servicing support requests.

The above transfers are carried out because it is in our legitimate interest to adhere to the agreements with our partners, to maintain customer records to track sales progress within the FORNAV group and to best possible service support requests made by our customers, pursuant to Article 6(1)(f) GDPR.

Upon registration for FORNAV PEPPOL, company name, VAT-no. or GLN-number and country of incorporation is registered and transferred to the local PEPPOL Authority in the country where the customer is from. This activity only constitutes processing of personal data when the customer is a sole proprietorship or smaller partnership. The transfer is necessary to provide the PEPPOL-service under article 6(1)(b) GDPR.

Finally, we use Microsoft Office 365 and Microsoft Dynamics 365 Business Central for communication and handling customer/supplier relationships and finances. The services are provided by Microsoft Ireland Operations Ltd. and configured so that all data is hosted either on FORNAV’s own server or on Microsoft’s EU servers. As for Microsoft Ireland Operation Ltd.’s relationship with its US parent company, Microsoft Inc., please see above under ‘Recruitment’. For directing support requests, we use a data processor located in the UK which is acknowledged as a safe third country in relation to data protection by the EU Commission under Article 45(3) GDPR.

Purpose

Marketing (website, newsletters and courses)

Categories of personal data

Recipients of newsletters and product updates: Identification information, including IP address, contact information, position with partner and unstructured information from the free text field. If you have signed up for product updates when downloading our toolbox, we will only process your contact information.

Website visitors: Identification information (IP address, browser type, operating system and geographical location (if enabled)) and information about behavior on and use of the website (including which pages you visit and how long you stay on them).

Course and web training registrants: contact information, including e-mail address and passwords (in hashed form), and billing information.

People in testimonial pictures/videos: photo and video material and identification information.

Legal ground

Recipients of newsletters and product updates: In respect to processing of data for newsletters and product updates, this is done because it is necessary to comply with your request to receive the relevant newsletters and/or product updates under art. 6(1)(b) GDPR.

Website visitors: Data about website visitors is processed according to art. 6(1)(f) GDPR because it is our legitimate interest to market our business and the information is not sufficiently intrusive that consent is required. As for cookies set and information obtained through use of technologies subject to the Danish Order on Cookies, consent is obtained under the applicable rules in the cookie order and article 6(1)(a) GDPR.

Course and web training registrants: Contact and billing information is processed because it is necessary to comply with the agreement to provide the course material or web training requested under art. 6(1)(b) GDPR.

Testimonials: processing of photo and video material and identification information on identifiable persons participating in our testimonial material, consent will be obtained from the participant under Article 6(1)(a) GDPR.

Retention

Personal data processed for sending out newsletters and product updates is stored until consent is withdrawn or the consent has not been used for one consecutive year in line with practice from the Danish Consumer Ombudsman. Documentation of withdrawn consents is stored for up to 2 years after withdrawal, in order to be able to defend us against any claims made for violation of the section 37(3) of the Danish Marketing Practices Act and section 93(1)(1) of the Danish Penal Code, however only if there is an actual risk that such a claim will be made from the data subject.

Website analytics: Personal data contained in cookies is deleted when the cookie expires or is deleted by the user (see cookie policy). We anonymize user and event level data according to the strictest possible settings available in Google Analytics (https://support.google.com/analytics/answer/7667196?hl=en), ie. currently within two months.

Course registration data: After three years of no activity, course registrant’s data is anonymized.

Testimonial pictures/videos and information: Until consent is withdrawn or processing is stopped by a successful legitimate interest complaint under article 21 GDPR.

Recipients and potential transfers to third countries

Microsoft Outlook is used for sending out newsletters and product updates, and thus Microsoft Ireland Operations Ltd. is data processor in relation hereto. See above under ‘Recruitment’.

Google Analytics is used for website analytics. There is a risk that Google Ireland Ltd. transfers personal data to the United States even if the data is hosted on EU servers as Google Ireland Ltd. is a subsidiary of Google LLC and that this company discloses personal data to the United States in connection with law enforcement requests for information. However, Google is certified under the DPF, which is why the transfer is subject to the appropriate safeguards in article 45 GDPR. See https://www.dataprivacyframework.gov/s/

The Rocket Science Group, supplier of our newsletter software, is located in the US. SCCs have been concluded, and since Intuit Inc (parent company of The Rocket Science Group) has self-certified under the DPF (including its services provided by its subsidiary, The Rocket Science Group Inc.), the transfer is covered by appropriate safeguards under Article 45 GDPR. Thinkific Labs Inc., providing software we for e-learning, is located in the US and has not certified itself under DPF. SCC’s has been concluded. However, since only name, e-mail and a hashed password is being processed, FORNAV assess that the risks to the rights and freedoms of the data subjects are so low that the transfer ensures a materially equivalent level of data protection as that of the EU and that the transfer can happen anyways.

You have the rights outlined below which you can exercise by contacting us using the details provided above. Your request will be processed free of charge and as quickly as possible, and no later than one month after we receive it, except if the request is complex or numerous, then it may take up to two months.

• Withdraw consent. If we process your data based on your consent, you can withdraw it at any time by contacting us. This will not affect the processing that happened before the withdrawal.

• Right of access. You have the right to access your personal data and certain details about how we process it. However, access may be restricted if it involves information that must remain confidential due to public or private interests.

• Right to rectification. You have the right to correct any inaccurate personal data or to complete any incomplete information about you.

• Right to erasure. You can request the deletion of your personal data in certain situations, such as when the data is no longer needed or when you withdraw consent for processing.

• Right to restrict processing. Under certain conditions (e.g., if you contest the accuracy of your data), you can request that the processing of your data be restricted while we verify its accuracy.

• Right to object. You have the right to object to the processing of your personal data if it is based on our legitimate interests (Article 6(1)(f) of the GDPR). You can also object to processing for direct marketing purposes at any time.

• Data portability. If the processing is based on consent or a contract, you have the right to receive your data in a structured, commonly used format, and to transfer it to another controller. If you prefer, we can transfer it directly, provided it is technically feasible.

• Automated decision-making. You have the right not to be subject to decisions made solely by automated processes, including profiling, if these decisions have legal or similarly significant effects on you.

• Right to lodge a complaint. You can file a complaint about our processing of your personal data at any time. Additionally, you may lodge a complaint with the Danish Data Protection Agency (dt@datatilsynet.dk) or the supervisory authority in your country of residence or where the data breach occurred.