Policy for Process and Protection of Personal Data
This policy shall help ensure and document that BTX Group protects all personal data according to obligations relating to the General Data Protection Regulation. The policy also informs about the process and use of the collected personal data.
- Records of process of personal data
BTX Group will deal with personal data about:
We have made records of the treatment of personal data, which give an overview of the processes, for which BTX Group is responsible.
The personal data is a precondition for BTX Group being able to enter into contracts of employment and customer and supplier contracts.
- Purpose and legitimacy of the processes
Personal data is treated and registered in connection with:
- Personnel administration, including recruitment, employment, retirement and payment of salary
- Master data of customers as well as marketing, orders and sale
- Master data of suppliers as well as requests and purchase
We will use personal data only for the purposes listed above, and we will only collect data that are necessary to fulfil the purpose.
- Registration and deletion
BTX Group has adopted the following general guidelines for registration and deletion of personal data:
- Personal data is kept in binders.
- Personal data is kept in it systems and on server drives.
- Personal data is kept only as long as needed for the purpose of the process.
- Personal data of employees is deleted five years after the employment has ended, and personal information about applicants is deleted after six months.
- A few employee data, e.g. name, title, time of employment, salary and contact information, are stored without time limit for determining and documenting the company’s history and possible invitation to anniversaries, etc.
- Data security
We have adopted the following security measures in order to protect personal data:
- Access to the personal data, whether physically or through it systems with controlled access, is restricted to the employees who require this as part of their work.
- All computers have password, and employees may never share their passwords with anybody else.
- Computers must have firewall and antivirus programme installed, which are updated regularly.
- Personal information is deleted completely safely in connection with phase-out and repair of it equipment.
- USB keys, external hard discs etc. with personal data must be kept in locked drawers or cupboards.
- Binders are kept in locked offices or in locked cupboards.
- When personal information in binders is deleted, the documents are destructed.
- Personal data, which needs to be sent by email to external addressees, must be sent as secure email.
- All employees must be instructed in the process and protection of personal data.
Personal data about employees may be transferred to public authorities like e.g. tax authorities and pension funds.
- Data Processors
BTX Group will only use data processors, who can guarantee that they will implement suitable technical and organisational measures to fulfil the requirements of the General Data Protection Regulation.
BTX Group handles the rights of data subjects, including the right to insight, withdrawal of consent, amendment and deletion, and informs the data subjects about BTX Group’s treatment of personal data. Data subjects have a right to file a complaint with The Danish Data Protection Agency.
- Breach of personal data security
In case of breach of the personal data security, BTX Group will report the breach to The Danish Data Protection Agency as soon as possible and within 72 hours. The CFO is responsible for this. In the report the breach is described, which groups of people are affected, what consequences the breach may have for these people, and how BTX Group has remedied or will remedy the breach. If the breach implies a high risk to the data subjects, we will notify them. BTX Group provides documentation of all breaches of the personal data security.