This Privacy Notice explains how NNIT processes your personal data. Please see the NNIT website under "Data Privacy Policy" for further information.

Transcription

1 This Privacy Notice explains how NNIT processes your personal. Please see the NNIT website under " Privacy Policy" for further. 1. Controller The legal entities responsible ( controllers) for processing your personal are the following companies in the : NNIT A/S CVR: Østmarken 3A DK-2860 Søborg Denmark Phone: NNIT Czech Republic, s.r.o. ID no.: Explora Jupiter Bucharova 2641/14 2.NP CZ Prague 5 Czech Republic Phone: NNIT Schweiz AG NNIT Germany GmbH NNIT UK Limited Bändliweg 20 CH-8048 Zurich Switzerland Phone: c/o Regus Herriotstraße 1, Frankfurt am Mai Germany Phone: c/o MOFO Notices Limited Citypoint One Ropemaker Street London, EC2Y 9AW UK NNIT Inc. 4 Research Way Third Floor Princeton, New Jersey USA Phone: +1 (609) NNIT (Tianjin) Technology Co., Ltd 20th floor, Building A, Jin Wan Mansion Nanjing Road 358 CN Tianjin Phone: +86 (22) NNIT Philippines Inc. 10/F, 2251 IT Hub 2251 Chino Roces Avenue Makati City 1233 Philippines Phone: 诺和诺德 ( 天津 ) 科技有限公司南开区南京路 358 号今晚大厦 A 座 20 层 , 天津, 中国传真 : Version Page 1 of 5

2 2. Processing Activities In NNIT we engage in the following processing activities as Controllers. Recruitment Information related to recruitment, such as: Address Educational background CVs Salary The applicant ( GDPR Article 6(1)(a) 6 months after subject itself) consent to recruitment Third party service completion of Third parties such as process providers (recruitment recruitment process or references and GDPR Article 6(1)(b) services and bases). longer if consent is publicly available necessary renewed by the to enter into an subject to be retained in recruitment systems. GDPR Article 6(1)(f) legitimate interests (recruitment). Employee management Employee administration Information related to management and administration of employees, such as: Location, Education Employment terms Performance management Warnings Terminations Resignations Insurance Working hours Information on relatives ("emergency contacts") Work injury. Salary, Pension, Bonus subject) The employee (for about employee relatives). subject) GDPR Article 6(1)(b) necessary to fulfill and GDPR Article 6(1)(f) interests in general employment management. GDPR Article 6(1)(b) necessary to fulfill and Third party Service providers (such as about former about former Version Page 2 of 5

3 Bank accounts Company credit card salary services companies). GDPR Article 6(1)(c) to process the (e.g. tax ) GDPR Article 6(1)(f) interests in general employment management. Third party Controllers, such as tax authorities, pension Health, such as: Handicap Medical diagnosis subject) Public authorities Health care professionals (medical records) GDPR Article 9(2)(b) necessary for NNIT to fulfill and exercise its rights under employment legislation, such as reimbursement for medical leave of absence. Public authorities about former Accounting (administration, accounts payables and receivables) Invoice details Addresses Credit card and expense receipts Accounting and bookkeeping The subject itself (employees or invoice contacts) GDPR Article 6(1)(c) to process financial records, e.g. according to bookkeeping legislation. GDPR Article 6(1)(f) interests in general for company and accounts management- Third party service providers (budget tools) Third party controllers (such financial audit companies). is retained in accordance with applicable financial legislation requirement, such as bookkeeping legislation. Marketing and sales Address Cookies Website statistics (NNIT websites) The subject itself (recipients of marketing material) gathered by NNIT system (e.g. traffic on NNIT websites). GDPR Article 6(1)(a) consent for marketing purposes and cookies. GDPR Article 6(1)(f) legitimate interests for NNIT for optimization of website. Contact is held during a continued business relationship. Version Page 3 of 5

4 Corporate management and governance (shareholders and insider registries) Address Identification numbers (e.g. CPRnumbers and social security numbers) Passport The subject GDPR Article 6(2)(c) is held for the itself. duration of the gathered by to gather specific types relationship between the NNIT systems. of about subject and NNIT. shareholders and Deleted according to insiders. statutory requirements. GDPR Article 86 and the Danish Protection Act ("beskyttelsesloven") 11. Customer relations, contract and service management IT Service Management/Service Desk used for the provision of services to customers s Addresses UserIDs (such as initials) Issues or errors Physical security Video surveillance recordings Log entries at access points (doors) Head scans and/or fingerprints The subject itself (e.g. when receiving s or letters) gathered/created by NNIT systems (e.g. mails)- Customers' systems (e.g. AD or employee bases). Customers' endusers ( subjects themselves). GDPR Article 6(1)(f) legitimate interest of NNIT in general contact with our customers and their representatives. GDPR Article 6(1)(f) legitimate interest of NNIT in general contact with our customers and their representatives. NNIT systems GDPR Article 6(1)(f) legitimate interest in ensuring security in office premises. NNIT Systems GDPR Article 9(2)(a) (consent). Third party controllers (customers or business relations). Third party controllers (customers or business relations). Third party controllers (customers) Third party service provider ( Processors such as ITSM and tool service providers. is retained for the relationship. is is retained for the relationship. is is deleted after 30 days as main rule. IT administration System administration such as: Logs NNIT Systems GDPR Article 6(1)(f) interests in ensuring logical IT security is retained for the relationship. is Version Page 4 of 5

5 Audit trails AD (employee bases) Initials s primarily as part of customer contracts. 3. transfers to countries outside the EU/EEA NNIT will transfer your to countries outside the EU/EEA. NNIT shares internally with our affiliates in China, The Philippines and Thailand. transfers will only be for specific purposes as specified in section 2, and NNIT will always make sure that there are adequate guarantees and safeguards for transfers outside the EU/EEA: The countries outside the EU/EEA have been assessed by EU Commission to not have an adequate level of protection of personal in the national legislation of the said countries; NNIT will therefore ensure the adequate level of security by using the standard contractual clauses adopted by the EU Commission. You can request further about such specific agreements by contacting 4. Your rights As Subjects you have certain rights. These are described in further detail in our Privacy Policy (available at the NNIT website under " Privacy"). You can exercise your rights by contacting the NNIT DPO (contact is available at the NNIT website under " Privacy"). Version Page 5 of 5