The Reward Firm ApS
Data Privacy Policy
Version: 1.01 – 28th March 2024
Intro
The Reward Firm ApS ("TRF", "we", "us" or "our") is committed to protecting the confidentiality, integrity and availability of information about our clients and other relations. We are strongly committed to protecting personal data and continuously strive to ensure ongoing compliance with data protection law.
This privacy policy provides information about TRF's processing of personal data when TRF is acting as data controller.
For certain services, TRF acts as data processor. This applies, for example, to certain assistance services and administration of data management and analytics on behalf of clients. In cases where TRF acts as a data processor, TRF acts on instructions from the data controller and in accordance with a data processor agreement, therefore this privacy policy does not apply in these cases.
1. Data controller
The legal entity responsible for the processing of personal data undertaken by TRF is:
The Reward Firm ApS
CVR-no. 44 51 92 32
Axel Heides Vej 50
2970 Hørsholm
Danmark.
Contact information:
Att: dataprotection@rewardfirm.com
Axel Heides Vej 50
2970 Hørsholm
Denmark
2. Our processing activities
In the sections below, you can read more about which categories of personal data we process, for what purposes, and on which legal basis, with reference to the General Data Protection Regulation (GDPR) and/or the Danish Data Protection Act (DPA).
2.1. Administration of our client relationships
Purpose
The purpose is to manage our engagements with our clients, this includes establishing the client relationship, to communicate with the client, its management and employees as well as invoicing.
Furthermore, the purpose is to be able to manage and develop our business and services, operate and maintain our IT systems made available to or used as part of the servicing of the client, and carry out statistical processing.
Data subject
The client, its owners, management, and/or its employees, if any.
Categories of personal data
We process general personal data about all data subjects, including contact information, job title, company name, company address, and information about the data subjects' relation to TRF.
Legal basis
The processing of personal data about the client is necessary in order to perform the agreement with the client or in order to take steps at the request of the client prior to entering into the agreement, see Art. 6(1)(b) of the GDPR.
Furthermore, the processing of personal data about the client, its owners, management and/or its employees, if any, is necessary in order for us to pursue a legitimate interest in managing the client cooperation, managing and developing our business and services, operating and maintaining IT systems made available or used as part of our servicing of the client, and processing data for statistical purposes, see Art. 6(1)(f) of the GDPR.
Source
The client, the client’s owners, the management, and/or the client’s employees, if any.
Duration of processing
We process the personal data for 5 years, counting from the end of the calendar year in which the last job/engagement is completed, unless special circumstances require longer periods of processing, e.g. if a case is pending or we are legally required to do so.
Recipients, including third country transfers
We engage with data processors, including IT suppliers, to whom we make personal data available. TRF enters into data processing agreements with all data processors to ensure appropriate security.
TRF discloses personal data to professional advisers, including accountants and public authorities, in the event that TRF is required to do so, see GDPR Art. 6(1)(c).
2.2. Advisory & consulting services
Purpose
The purpose is to provide consulting and assistance to the client within TRF’s business area, including Management advice and consultant services within Human Resources and Total Reward specialist area.
Data subject
We process personal data about the client, the owners, management, and employees of the client.
Categories of personal data
We process general personal data, including contact information about all data subjects.
In regard to advice within the HR and Reward area, we process general confidential personal data about the client, its management and employees, including information about salary and employment as well as other financial information.
Legal basis
The processing of general personal data about the client is necessary in order to perform the agreement with the client, see Art 6(1)(b) of the GDPR. The processing of general personal data about other data subjects is necessary in order for TRF to perform the services to the client, see Art 6(1)(f) of the GDPR.
Source
We receive personal data from the client or the management and/or employees of the client.
Duration of the processing
Generally, the personal data is processed for five years, counting from the end of the calendar year in which the client relationship is terminated, unless special circumstances require a longer period of processing, e.g. if a case is pending or we are legally required to do so.
We engage with data processors, including IT suppliers, to whom we make personal data available. TRF enters into data processing agreements with all data processors to ensure appropriate security.
2.3. Client Engagement Activities
Purpose
The purpose is to launch client engagement initiatives, including target communication to potential clients. Additionally, the purpose is to build and manage strong relationships with our existing and potential clients.
Data subject
Our relation with an existing or potential client.
Categories of personal data
We process general personal data, including contact information, job title, and company name.
Legal basis
The processing is necessary to pursue our legitimate interest, including our interest in branding our firm, as well as our interest in targeting material distributed by TRF, see Art. 6(1)(f) of the GDPR.
Source
The relation, e.g. via auto signature, business card etc. We may also collect information from our employees or via publicly available sources, such as the central business register (cvr.dk) or LinkedIn.
Duration of the processing
We process personal data for five years, counting from our most recent dialogue with the relation.
Recipients, including third country transfers
We engage with data processors, including IT suppliers, to whom we make personal data available. TRF enters into data processing agreements with all data processors to ensure appropriate security.
2.4. Newsletter’s
Purpose
We process personal data in order to deliver newsletters. When signing up for TRF's newsletter, personal data is collected for use in profiling and analysis, which will help targeting and organize the content of newsletters, for example, in which order the news should be presented in the newsletter. We carry out profiling by compiling information about the recipient's behavior on our website and in newsletters, enabling us to ensure that the content is always relevant for the individual recipient.
Data subject
The recipient of TRF's newsletters.
Categories of personal data
We process general personal data, including contact information, company name, company address, job title, information about who opens the newsletter and when (date and time), which links are clicked on and when (date and time), whether it is done from a mobile device, operating system, browser, email client, IP address and location (city).
Legal basis
We process the information based on the recipient's consent, which was given when signing up for the newsletter, see Art. 6(1)(a) of the GDPR.
Source
The recipient of TRF's newsletters and TRF's supplier.
Duration of processing
We process the information from the time the recipient gives consent and until it is revoked. We process information about the consent for two years, counting from the time of revocation in order to document the consent.
Recipients, including third country transfers
TRF uses an external service for sending newsletters. We thus engage data processors, including IT suppliers, to whom we make personal data available. TRF enters into data processing agreements with all data processors to ensure appropriate security.
2.5. Visitors to TRF’s social media
TRF and the provider of the social media platforms are joint data controllers for the personal data that is collected. In regard to the provider's further processing, please refer to the privacy policy of the social media providers for more information on how these providers process personal data about visitors.
Purpose
The purpose of processing personal data about visitors to TRF's sites on social media is marketing in general, statistics and analysis in order to improve and target the content on our social media, campaigns, and in connection with competitions.
Data subject
The visitor of TRF social media.
Categories of personal data
We process general personal data about the visitor, including the information that appears in the profile of the visitor who participates in competitions on social media, this includes images and videos. We also process information about visitor interaction on TRF's posts such as likes and comments.
Legal basis
If the visitor uses one of our forms on social media to, e.g. sign up for our newsletter, download a publication, or be contacted by our experts, the personal data is processed on the basis of the visitor's consent, see Art. 6(1)(a) of the GDPR.
TRF's processing of personal data on social media is also based on TRF's legitimate interest in communicating and branding TRF, as a company on social media, see Art 6(1)(f) of the GDPR.
Source
The visitor and social media providers.
Duration of the processing
We process personal data collected on the basis of the visitor’s consent until the consent is withdrawn. In addition, we process information about the consent for two years, counting from the withdrawal of the consent in order to document the consent.
In regard to processing of personal data based on legitimate interests, the duration of the processing follows the erasure deadlines stated in the privacy policies of the social media providers.
Recipients, including third country transfers
In connection with visits to our sites on social media, personal data is disclosed to the providers of the social media. We refer to the privacy policy of the social media providers for more information on how these providers process personal data about visitors.
2.6. Administration of suppliers and business partners
Purpose
The purpose is to manage contracts, communicate, receive goods and services from our suppliers and business partners, and to provide professional services to our clients when relevant.
Data subject
The supplier or business partner, including any of their employees.
Categories of personal data
TRF processes general personal data about the supplier and/or the business partner, including contact information as well as any bank account information.
Additionally, TRF processes general personal data, including contact information and job title of any employees indicated as contact persons of suppliers and business partners.
Legal basis
The processing of personal data about the supplier and/or business partner is necessary in order to perform the agreement with the supplier and the business partner, see Art. 6(1)(b) of the GDPR.
The processing of personal data relating to employees indicated as contact persons of a supplier and its business partners is necessary to enable us to pursue our legitimate interest in administering and performing the agreement with the business partner, see Art. 6(1)(f) of the GDPR.
Source
The supplier, business partner, or their contacts.
Duration of the processing
We process personal data for five years, counting from termination of the supplier relationship or business partnering, unless special circumstances require a longer period of processing, e.g. if a case is pending or we are legally required to do so.
Recipients, including third country transfers
We engage data processors, including IT suppliers, to whom we make personal data available. TRF enters into data processing agreements with all data processors to ensure appropriate security.
3. Security of processing
Information security is a business risk given top priority at TRF. We take the security of all the data we hold very seriously. We have security measures in place to ensure data protection of client information, personal data, and other confidential information. We regularly perform internal follow-up in order to ensure compliance.
4. The data subject’s rights
As a data subject, you have certain rights, which TRF as data controller shall fulfil if the conditions are met.
Right to access
You are generally entitled to be informed as to whether or not TRF is processing personal data about you and if so, you are entitled to be informed what types of personal data we process, and to which purpose we process them. Additionally, you are entitled to receive a copy of such data.
Right to rectification
You are entitled to have any incorrect or incomplete personal data rectified.
Right to erasure
You may be entitled to have your personal data that TRF is processing deleted.
Right to restriction of processing
You may be entitled to have the processing of your personal data restricted so that the data can only be stored by TRF.
Right to data portability
In certain cases, you are entitled to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format and to transmit those data to another controller.
Right to object to TRF’s processing
In certain cases, you are entitled to object to our processing of your personal data.
5. Withdrawal of consent
In cases where our processing of your personal data is based on your consent, you are entitled to withdraw such consent at any time. In order to withdraw your consent to our processing of your personal data, we ask that you contact us.
If you have signed up for a newsletter from TRF and you no longer wish to receive emails containing information and marketing materials from TRF, you can easily unsubscribe from the newsletter by clicking “unsubscribe” in the email received from TRF.
However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
6. Balancing of interests
When processing general personal data based on legitimate interest in GDPR Art. 6(1)(f), the data subject has the right to object at any given time, see GDPR Art. 21(4).
7. Changes to this privacy policy
We recognize that transparency is an ongoing responsibility, hence we will keep this data privacy policy under regular review. This privacy policy was last updated on 2 April 2024.
8. Contact information and complaints
If you want to exercise your rights as described above, or if you have any questions about our processing of your personal data or this privacy policy, please contact us at:
The Reward Firm ApS (TRF)
Att.: databeskyttelse@rewardfirm.com
Axel Heides Vej 50
2970 Hørsholm
Denmark
If you want to complain about our processing of personal data, please send an email with the details of your complaint to databeskyttelse@rewardfirm.com. We will consider the complaint and get back to you.
You also have the right to lodge a complaint with the Danish Data Protection Agency in relation to your rights and to TRF’s processing of your personal data. For further information about how to complain to the Danish Data Protection Agency, please refer to the Danish Data Protection Agency’s website www.datatilsynet.dk.