Data protection policy

Introduction

Security and confidentiality are both a prerequisite for and an obligation in our work at inforevision, and we are continuously working to update our data protection guidelines, including those for the protection of personal data.

As a firm of auditors and consultants, we offer a wide range of services, including statutory audits and other assurance engagements as well as consultancy and advisory services. We regard ourselves as independent data controllers when we perform statutory audits and other assurance engagements for our customers and when we perform other services where inforevision determines the purposes and relevant means of processing.

When we perform consultancy and advisory services, including, for example, business services and payroll administration, hosting services, etc., we regard ourselves as a data processor as we process data on behalf of our customers and according to their instructions. In these situations, the customer must enter into a data processor agreement with us defining the instructions and terms of our processing of personal data.

The below data protection policy provides information on inforevision’s processing of personal data in a data controller capacity.

We use this type of data on our customers

We use the data supplied to us by the customer in order for us to perform the agreed services and to manage, control and develop our business and services.

Where necessary in order to perform the services, we may also use data about the customer’s financial, tax and business affairs, including, for example, data contained in the customer’s online tax folder, provided that access has been granted by the customer.

Where necessary in order to perform the agreed services, we may also use personal data about the customer’s employees, customers and contractors.

We only process the necessary personal data

We only collect, process and store the personal data necessary for performing the agreed services. In principle, this means the Register of Marriage Contracts, the Register of Mortgages, the Danish Business Authority, the Central Business Register, the Danish Tax Agency and the Public Register of Shareholders.

Moreover, we may be required by law to collect and store specific data for business purposes, e.g. under the Danish Bookkeeping Act (bogføringsloven) and the Danish Anti-Money Laundering Act (hvidvaskloven) (for more details, see the last paragraph below).

We erase personal data when no longer needed

We erase personal data when they are no longer needed in relation to the purpose for which they were collected, which usually means after the customer relationship has ended. However, customer data used for accounting record purposes will be stored for at least five years due to the provisions of the Bookkeeping Act and the Anti-Money Laundering Act.

Disclosing and making personal data available

We disclose and make personal data available to business partners and other parties if necessary for the performance of the agreement entered into with the customer.
Sometimes we choose to use data processors, including providers of software, webhosting, backup, security and storage services. If data processors are used, we only do so for specific purposes, and it remains our responsibility to ensure that the customer’s information is processed in accordance with current legislation and this data protection policy.
We will not disclose personal data for purposes other than as provided under the agreement – e.g. disclosure to third parties for their marketing use – unless otherwise agreed with the customer in connection with the collection or the customer’s consent is obtained after the customer has been informed about what his or her data will be used for. The customer may at any time ask us to stop the disclosure of personal data, regardless of any agreement to the contrary or consent in any other way from the customer.
However, we will not obtain the customer’s consent if we are legally obliged to disclose personal data, e.g. as part of a statutory notification to the authorities.

The customer is entitled to access his or her personal data

The customer always has the right to know which of his or her personal data we process, where they come from and what we use them for. The customer may also be informed for how long we store personal data and who will receive data about the customer. However, this right may be subject to restrictions to protect the privacy, business secrets and IPR of others. To exercise his or her rights, the customer is requested to contact us.

The customer has the right to have incorrect personal data rectified or erased

If the customer believes that the personal data we process about the customer are inaccurate or incorrect, the customer is, of course, free to contact us and have the data rectified.
In some cases, we have a duty to erase personal data, e.g. if the customer withdraws his or her consent. If the customer believes that data are no longer needed in relation to the purpose for which they were collected, the customer may request to have them erased. The customer may also contact us if the customer believes that personal data are being processed in violation of Danish legislation or other legal obligations.

The customer has the right to object to our processing of personal data

The customer has the right to object to our processing of personal data. The customer may also object to our disclosure of data for marketing purposes. If the customer’s objection is justified, we will cease our processing and erase the customer’s data, unless we are required under the law to retain them.

If the customer wishes to exercise his or her right to data portability, the customer will receive personal data from us in a commonly used format.

The customer is entitled to receive the personal data made available by the customer to us and the data about the customer obtained by us from other parties on the basis of the customer’s consent.

General information about the customer’s exercise of his or her rights

If the customer requests access to data, rectification or erasure of data or objects to our data processing, we will look into whether this is possible and respond to the customer’s request as soon as possible and no later than one month after our receipt of the request.

Right to complain to the Danish Data Protection Agency

The customer has the right to complain to the Danish Data Protection Agency if the customer does not believe that we process his or her personal data in accordance with the relevant statutory requirements.

Collection of information under the Anti-Money Laundering Act

We are obliged to collect information under the Anti-Money Laundering Act and in that connection:

  • Identification and verification information as well as a copy of the identity documents presented will be obtained on establishment of the customer relationship.
  • Documentation and registrations of transactions that are carried out during the course of a business relationship or as a single transaction will be obtained.
  • On suspicion of any money-laundering activities on the part of the customer, documents and registrations relating to investigations carried out will be obtained.
  • The customer will be informed that the information obtained about the customer will be used solely for purposes of fulfilling the auditors’ obligations under the Anti-Money Laundering Act and not, for example, for marketing purposes.
  • The attention of the customer will be drawn to the fact that the information may be disclosed to the Danish State Prosecutor for Serious Economic and International Crime (SØIK) if the customer is under suspicion of being involved in money laundering activities.
  • The customer is entitled to access the information on record.
  • The information is stored for five years and is usually erased five years after the last engagement with the customer.
  • The customer is entitled to have incorrect information corrected.

Customers wishing to complain about our processing of their personal data can contact:

The Danish Data Protection Agency
Borgergade 28, 5th floor
1300 Copenhagen
Denmark

Contact details of the data controller:

inforevision A/S
Buddingevej 312
DK – 2860 Søborg

Tel: +45 39 53 50 00
Fax: +45 39 53 50 99
Email: info@inforevision.dk