1 Statement of intent

1.1 Goal of the data protection policy
It is of great importance that information and data we may store or use to fulfil our contractual obligations is done in accordance with applicable legal requirements and data protection laws.

We are committed to the lawful and correct treatment of personal information.

1.2 Related documents
This policy should be read in conjunction with the Privacy policy and any other policies that relate to personal data.

2 Principles of Data protection

2.1 Committment
The organisation is committed to processing personal data in accordance with the responsibilities under Data protection laws, including GDPR.

2.2 Lawful, fair and transparent
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals.

We must have legitimate grounds for collecting and using the personal data and be transparent about how we intend to use the personal data. We must further give data subjects appropriate and fair processing notices when we collect personal data. We need to ensure that individual’s personal data is only used and processed as they would reasonably expect.

2.3 Lawful purposes
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with such purposes. We must be clear about why we are collecting personal data and what we intend to do with it.

We may however process the personal data for archiving or statistical purposes since such purposes and compatible with the initial purposes.

We may also anonymize the personal data and use such data for research. Once personal data is anonymized, it does no longer constitute personal data.

2.4 Data minimization
Personal data shall be adequate, relevant and limited to what is necessary in relation to purposes they were collected for.

We only process personal data that is relevant in relation to the specific registered person.

2.5 Accuracy
Personal data shall be accurate and kept up to date. We must ensure that inaccurate personal data is erased or corrected without delay.

2.6 Storage and archiving
Personal data may only be stored as long as it is necessary for the purposes of which the personal data was collected. After that, the personal data may be kept in a form that does not allow identification of the data subject.

We will consider the purpose in deciding how long to retain the personal data. We will also securely delete, update, archive and anonymize the information accordingly.

2.7 Security and breach
Personal data must be processed in a manner that ensures security of the data. We shall futher secure that the personal data is protected against unauthorized or unlawful processing and against accidental loss, destruction, disclosure or damage.

3 Data collection

3.1 Gaining consent
We will ensure that the personal data is collected in accordance with this policy and applicable data protection laws.

The rules and principles for collection shall apply regardless if the data is collected in person, in telephone, electronically or by completing a form or questionnaire.

When collecting data, we will ensure that there is a processing notice in place and that the registered person understands why the information is needed, what it will be used for and who the data may be shared with and why.

The registered person must also understand that he or she has the possibility to agree to share the data and cancel his or her approval at any time. We will further ensure that the consent is provided explicitly and that the registered person has enough information to give informed consent. Consent shall be provided by active choice electronically (accept button), by e-mail or otherwise in writing.

4 Data storage

4.1 Secure storage
Personal information shall be stored securely. Information may only be accessed by authorized personnel.

5 Security policy and responsibilities of the company

5.1 Data protection goals
We have defined and documented our data protection goals in a data protection policy.

Such policies are based on the data protection principles and are reviewed annually.

We have following data protection practices:

Data encryption: All data transfers that enter or leave our environments are encrypted and any sensitive data is encrypted at rest.

Frequent back-ups: All of our Production instances have volumes snapshots performed every night. All databases have full backups nightly and transaction log backups every 10 mins.

Access authorization: Access to all environments is authenticated and all users must have Multi-factor Authentication enabled. Access to to environments is roles dependent.

5.2 Roles and responsibilities
Data protection goals are managed by data protection team that consist of IT infrastructure management team members and members of the management team.

We will restrict and monitor access to sensitive data, use transparent data collection routines, train employees in privacy and security measures, build secure networks to protect online data from attacks, establish procedures for reporting incidents and communicate how we handle data.

The data protection team has the responsibility to continuously improve the data protection management and to ensure that employees and consultants are properly trained and are aware of the procedures to report any incidents and proposals for improvement.

5.3 Data protection breach reporting procedure
In the event of breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data, we will promptly assess the risk to individuals rights and freedoms and if appropriate report it to supervisory authorities.

6 Data access and accuracy

6.1 Retention, archiving and destruction
We will ensure that the personal data is stored securely using modern software that is kept up-to-date.

Access to personal data shall be limited to employees who need access. We will have appropriate security measures to avoid unauthorised sharing of information.

When personal data is deleted is will be dome safely such that the data is irrevocable.

6.2 Disclosure of information
We will share personal data with others only if it necessary for intended purposes.

The registered will be made aware how and with whom their information will be shared through use of clear processing notices located on the website.

7 Existing technical and organizational measures

7.1 Guideline for the rights of data subjects
We shall fulfill our obligations towards registered persons by informing them which of their personal data is collected, how we will process their data and who has access to their information.

We will have procedures for handling lost, corrupted and compromised data.

We shall always process personal data in accordance with the rights of registered persons under applicable data protection laws.

The registered has a right to; access a copy of the information comprised in their personal data, object to processing that is likely to cause damage, prevent processing for direct marketing, object to decisions being taken by automated means, have accurate data rectified, blocked, erased or destroyed. The registered has also right to claim compensation for damages caused by breach of applicable data protection laws.

7.2 Subject access request procedure
Upon receiving a request from a registered person for access to his or hers personal data, we will extract that data and provide to the requestor.

7.3 Physical security
Data is not stored physically.

Information is transferred via secure digital means.

While using mobile devices, data is secured via multi-factor authentication methods.

7.4 Data back-up
Data will be backed-up in anonymized format.

7.5 Information transfer and Communications security
Information shall be transferred in a secure manner. If information is transferred to countries outside EU/EES, then we ensure that such country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to processing of personal information.

In doing so, we observe the fact that European Commission has decided that certain countries have an adequate level of protection of personal data.

Our communications are secured using technology that requires MFA supported by strict data sharing policies enforced on our internal technology infrastructure.

7.6 Sub-processors

We will perform regular inspections and evaluation of data processing performed by our sub-processors to ensure that personal data is processed in accordance with applicable data laws and this data protection policy.

8 Documentation
We will perform regular inspections and evaluation of data processing performed by our sub-processors to ensure that personal data is processed in accordance with applicable data laws and this data protection policy.

8.1 We shall ensure that, when necessary or deemed suitable, our efforts and needs are documented by internal and external inspections.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
CONSENT	16 years 4 months 12 days 23 minutes	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA-6918723-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.