We process your personal data when you have provided it to us yourself or when we have received it from another party (a so-called “third party”) in the manner described in this Policy. As a starting point, we process your personal data in the capacity of Personal Data Controller and we therefore have an obligation to ensure that the processing takes place in accordance with this Policy and with the personal data legislation in force at any given time.
We care about your privacy and take data protection matters very seriously. This Policy therefore provides details on aspects such as the categories of personal data we process, the purpose for which we process it and the legal grounds on which we base the processing. We also provide details on who may access and process the data, the principles for thinning the data, the third parties we may share the personal data with, where the personal data is processed and your rights as a data subject consisting of rights to information, correction and erasure, etc. We ask you to read the Policy carefully and familiarise yourself with its contents since it applies to all our personal data processing.
We may occasionally need to update or amend the Policy. In that case, we will inform you in an appropriate manner and ask you to take note of the amendments. You will always find the latest version of the Policy on our website.
We hope this Policy answers your questions about our processing and the protection of your personal data. If you have any further questions or concerns, you are always welcome to contact our Data Protection Officer Maria Åkerlund at the above address or via firstname.lastname@example.org.
2. How we process your personal data
This section describes the categories of personal data we process, the purposes for which we process it, what processing is carried out, the legal grounds on which we base the processing and the period of time for which data is stored.
2.1 GDQ consultants
The following processing applies to Trainer of Trainers, certified GDQ consultants and persons that express interest in undergoing training with us to become a certified GDQ consultant.
2.2 Persons who respond to GDQ questionnaires
The following processing applies to persons who respond to GDQ questionnaires on-line.
2.3 Contact persons at customers and other partners
The following applies to contact persons at customers and other partners.
2.4 People visiting our website
The following applies to people who visit our website and who are not covered by the processing set out in paragraphs 2.1 – 2.3 above.
3. Which third parties may we receive personal data from?
We may receive personal data from third parties when we provide our services. It may, for example, be a question of contact details of group members provided by the GDQ consultant who registers a particular group. It may also be a question of personal data provided by individual group members when responding to the GDQ questionnaire.
We process personal data provided by third parties on the basis of our legitimate interest in being able to offer our services, manage our training courses and analyse GDQ questionnaire responses.
4. Protection of your personal data
We have adopted a series of security measures to ensure that our processing of personal data takes place securely and in order to protect the personal data we process against unauthorised access, unauthorised processing and misuse. For example, access to the systems in which the personal data is stored is restricted to our employees and service providers who need to access the data within the context of their work. They are also informed about how important it is for the security of the personal data to be maintained. We also continually monitor our systems to detect vulnerabilities and protect your personal data.
5. Who could we share your personal data with?
We share your personal data with third parties to enable us to offer our services, manage our training courses and manage contact with you. The following applies in that regard.
- a) Service providers we use in some parts of our business, including processing of personal data: we share personal data with these suppliers mainly for operational IT services (such as data storage, support, maintenance and development).
- b) IT security providers: we share personal data with IT security providers whenever necessary in accordance with law to protect you or our customers and partners or to protect our services.
- c) Our partners Alaric and Skillnad: for GDQ consultants resident in Norway, we share names and contact details with Alaric as supporting data for invoices. We also share names and contact details with Skillnad as supporting data for invoices relating to GDQ consultants using Skillnad’s other services.
The third parties with which we share personal data in accordance with points a) and b) above are so-called personal data processors in relation to us. They may only process the transferred data on our behalf and in accordance with our express instructions. We only transfer your personal data to those personal data processors for purposes that are compatible with the purposes for which we have collected the data and we ensure by means of agreements in writing with the personal data processors that they undertake to comply with our security requirements and restrictions and requirements regarding international transfer of personal data.
Alaric and Skillnad are personal data processors in relation to us for the personal data they receive and they are solely liable for ensuring that the personal data is processed in accordance with the personal data legislation applicable at any given time.
6. Where we process your personal data
Our objective is to always process your personal data within the EU/EEA, where our IT systems are located. Nevertheless, it may be the case that your personal data is shared with personal data processors that, either themselves or through subcontractors, are established or store information in a country outside the EU/EEA. In that case, we will adopt all reasonable legal, organisational and technical measures required to ensure that the level of protection for the processing is equivalent to the level in the EU/EEA. This will take place either through a decision by the European Commission that the country in question guarantees an adequate level of protection or through the use of appropriate protection measures such as standard contractual clauses or approved codes of conduct in our agreements with such personal data processors.
You can read more about which third countries the EU Commission has classified as guaranteeing an adequate level of data protection at https://ec.europa.eu/info/law/law-topic/data-protection_sv.
7. Your rights as a data subject
This section describes what rights you have as a data subject. You can exercise these rights at any time by sending an e-mail to: email@example.com
7.1 Right to access
If you wish to obtain information on what personal data we process about you, you can ask to be given access to the data. The information will then be provided in the form of an extract from a register that specifies what personal data we process, the purposes for which we process it, where the data was obtained, what third parties the data has been transferred to and for how long the data will be stored. If your request is issued in electronic form, the information will be provided in a widely-used electronic format, unless you request otherwise.
7.2 Right of correction
You have a right to have inaccurate data about you corrected without delay. You also have a right to complete incomplete data.
7.3 The right to erasure
You have a right to have your personal data erased without delay in any of the following circumstances:
- a) the personal data is no longer necessary for the purposes for which it was collected or is being processed in another way;
- b) you withdraw your consent for processing based on consent and there is no other legal basis for the processing;
- c) you object to processing based on a balancing of interests and your reason for objecting outweighs our legitimate interest;
- d) the personal data has been processed in an unlawful manner;
- e) the personal data must be erased to enable us to fulfil a legal obligation.
7.4 Right to restriction of processing
You have a right to request that the processing of your personal data be restricted if any of the following options apply:
- a) you dispute the accuracy of the personal data for a period that gives us an opportunity to check the accuracy of the data;
- b) the processing is unlawful and you oppose the erasure of the data and instead request that its use be restricted;
- c) we no longer require the personal data for the purposes for which it is processed but you require it to enable you to establish, file or defend a legal claim;
- d) you have objected to processing based on a balancing of interests and we check whether our legitimate interest outweighs your legitimate reason.
If the processing has been restricted in accordance with this paragraph, the personal data covered by the restriction may, with the exception of storage, only be processed to establish, file or defend a legal claim or to protect the rights of a third party or for a reason relating to an important public interest for the EU or an EU Member State.
7.5 The right to data portability
In cases in which our processing of personal data is based on your consent or on fulfilment of an agreement, you have a right to request that the data concerning you and that you have provided to us be transferred to another personal data controller. However, as a condition for this, the transfer must be technically feasible and must be able to be automated.
7.6 Withdrawal of consent
In cases in which our processing of your personal data is based on your consent, you have a right to withdraw that consent at any time. Such a withdrawal of consent will not affect the legality of the processing that took place on the basis of your consent before it was withdrawn. If you withdraw your consent, we will no longer process the personal data that is based on consent, unless we are required to continue processing it for legal reasons. If our legal obligations prevent us from erasing your data, we will instead mark it so that it is no longer actively used in our system.
You can send an e-mail to firstname.lastname@example.org to withdraw your consent at any time. We will respond promptly to your request.
7.7 The right to file a complaint
If you consider that we are processing your personal data in an incorrect manner you can, in addition to contacting us, file a complaint with the competent supervisory authority in the country in which you reside.