GDPR -
data protection policy

We are under an obligation to protect the confidentiality, integrity and accessibility of our customers’, suppliers’, partners’ and employees’ data, including personal data. Protecting personal data is essential to us, and we are continuously working on ensuring compliance with applicable data protection legislation, including the General Data Protection Regulation (GDPR).

When Implement processes personal data in connection with delivering consultancy services, we consider ourselves a data processor, as we process personal data on behalf of our customers and in accordance with customer instructions. The customer and Implement enter into a data processing agreement containing instructions, terms and conditions for Implement’s processing of personal data.
This data protection policy contains information on Implement’s processing of personal data, when we are the data controller. More information on this may be found below.

Below, you can read more on the categories of personal data that we process for which purposes and on which legal grounds.

2.1 Customer collaboration
We collect and process personal data in the context of collaboration with our customers. We only collect personal data that are necessary for the agreed purposes, and we ask our customers only to share personal data with us that are necessary for these purposes.

In general, we only process general – non-sensitive – personal data including name, address, telephone number and email address of customers and customers’ owners, as well as name, title, telephone number and email address of any contacts with the customer.

In addition, we collect data on our customers, as well as our customers’ managerial relations for the purposes of general customer contact and administration.
We process personal data for the purpose of being able to fulfil our agreement with our customer, including:

• to carry out work assignments necessary for us to provide the agreed services to the customer
• to register the time used and issue an invoice
• to ensure quality and supervise the progress of projects

In addition, processing is necessary in order for Implement to pursue a legitimate interest in administering, managing and developing our business and services, including:

• strengthening our relationship with customers
• developing our business and services (e.g. identifying customer needs and improvements in service delivery)
• managing operations and maintenance of IT systems that are provided for or used as part of servicing the customer, as well as hosting systems
• administering and managing our website, systems and applications
• conducting statistical processing and business development.

2.2 Suppliers and partners
We collect and process personal data on our suppliers and partners, including personal data on their employees.

We process data for contract management and in order to receive goods and services.

2.3 Visitors at our offices
We collect and process personal data on visitors, including customers and other guests (Outlook calendar information).

In the areas where we use video surveillance, we inform about such surveillance in accordance with the Danish TV Surveillance Act (Section 3(1)). All recordings are stored securely and are only viewed if there are reasonable grounds for doing so, e.g. in case of an incident, and in such case only by selected persons. The recordings are automatically overwritten after 5 days, unless a problem is identified which requires investigation.

2.4 Visitors to Implement Consulting Group’s websites
We process personal data if a registration to an event or newsletter is submitted via Implement’s website. Only the data (name, company name, job title, email address and telephone number) that Implement needs in order to give the participants/subscribers the best possible experience in connection with their interaction with Implement are required.

The data are stored on an internal server behind Implement’s firewall and are only accessible to persons who have a work-related need to access these data. The data are stored as long as they are commercially relevant to Implement or until the data subject requests a deletion of the data.

Use of cookies on our websites
We use cookies on our websites in order to optimise the user experience. In doing so, some of your previous selections and entries on the website are saved to ensure that your experience will be more personalised and user-friendly. We use Google Analytics to analyse how you use our website. We receive reports on your activity on our websites from Google Analytics.

Google Analytics sets two types of cookies:

• A permanent cookie, which indicates whether the user is recurring, the site the user comes from, the search engine used etc. Permanent cookies are saved on your hard drive until they expire or until you manually delete them.
• Session cookies, which are used to show when and how long a user is on a site. Session cookies expire after each session, in other words, when you close the tab or browser. Google Analytics does not correlate your IP address with other data it holds.

How to disable cookies

You may disable cookies on your computer by changing the relevant settings in your browser. Only you can see, change or delete these cookies, since they are stored on your device. However, we hope that you will enable the cookies we set, as they help us make your experience on our website better and more personalised.

2.5 Registration for courses via Implement Learning Institute
We use your personal data, when you register for one of our courses.
We use your personal data in order to ensure good service and quality in our services. This occurs in accordance with applicable legislation.

We only process data that are necessary in relation to our work as a training programme and course provider. The purpose plays an essential role in determining the type of personal data that is relevant, as well as the scope of personal data. We use only the necessary amount of data.

In order to ensure that we only process personal data that are necessary for registration to courses, we have prepared data security work procedures that ensure the protection of your data. In order to protect your data against unauthorised use, we use solutions that ensure that data are only accessible to employees who have a work-related need to access your data.

When signing up for a course, you consent to our processing of the personal data that you provide in connection with the course and registration. Your personal data will be deleted when we no longer have a legitimate reason to store them.

Data security is a high priority at Implement. We work seriously and professionally with information security, and we base our work on internationally recognised security standards. We have implemented security measures to ensure data protection of customer data, personal data and other confidential data. We conduct regular internal follow-ups in relation to the adequacy and compliance of policies and measures.

Implement collects personal data directly from you and/or third parties, such as our customers, or from public authorities.

We only disclose personal data when there are legal grounds for doing so.

5.1 Other third parties who provide goods or services
We occasionally use other third parties, such as subcontractors, in connection with provision of our services. Such third parties may be granted access to personal data in order for them to be able to provide the agreed service. Implement enters into data protection agreements that are necessary in order to ensure that security is in place to protect data and comply with our data protection obligations.

Implement also uses sub data processors as part of our day-to-day IT operations. This means that personal data are processed by Implement’s sub data processors. These sub data processors are located within the EU. There are data processing agreements in place between Implement and all sub data processors to ensure that all processing takes place in accordance with Implement’s instructions and is subject to the necessary security requirements.

5.2 Public authorities or third parties, as required by and in accordance with applicable legislation or regulations
As part of our work, it may be necessary to share personal data with public authorities etc. This will only occur if and to the extent required by applicable legislation and will always take place within the framework of the applicable personal data legislation

Personal data are stored in accordance with appropriate technical and organisational measures that ensure an adequate level of security. In general, we delete personal data five years after the completion of a project, unless there are specific circumstances that make it relevant to continue to store the personal data. Data on customers are only stored as long as a customer relationship exists. Customer data will be deleted three years after completion of the latest project for the customer.

As a data subject, you have certain rights pursuant to the General Data Protection Regulation. Your rights may be summarised as follows.

The right of access by the data subject. You have the right to gain access to the personal data concerning you that we process.

1. The right to have incorrect personal data rectified. You have the right to have incorrect personal data about yourself rectified without undue delay.
2. The right to have personal data erased. You have the right to have your personal data erased at an earlier point in time than when our ordinary erasure takes place, where appropriate.
3. The right to restriction of data processing. You have the right to restrict our processing of your personal data, where appropriate. In such cases, we may only process your data with your consent or in some very specific situations as outlined in the General Data Protection Regulation.
4. The right to object to personal data processing, if our processing is based on Article 6(1)(e) and (f). In such cases, we may only process your personal data if we are able to demonstrate compelling legitimate grounds for doing so.
5. The right to data portability. You have the right to receive your personal data in a structured, commonly used and machine-readable format. You may also request that we transmit your personal data to another data controller without hindrance.

For further information on your rights as a data subject, please refer to the Danish Data Protection Agency’s website (www.datatilsynet.dk), where you will find further guidelines.

When we process personal data based on your consent, you have the right to withdraw your consent at any time. Please contact us to withdraw consent for our processing of your personal data.

We recognise that transparency is an ongoing responsibility. Therefore, we will continually review and update this data protection policy.
The data protection policy was updated in May 2018.

Please contact us if you would like to exercise your rights as described above, or if you have questions about our processing of your personal data or this data protection policy.

The data controller is:
Implement Consulting Group P/S
CBR: 32767788
Attn.: learn@implement.dk
Strandvejen 56, 2900 Hellerup

You may also get in touch with your contact person at Implement, who will be able to help you contact the right person.

If you wish to complain about our processing of personal data, please send an email with the details of your complaint to privacy@implement.dk. We will handle your complaint and get back to you.

You also have the right to lodge a complaint about your rights and Implement’s processing of your personal data to the Danish Data Protection Agency. For further information on how to lodge a complaint to the Danish Data Protection Agency, please consult their website: www.datatilsynet.dk.

The applicable statutory rules for Implement’s processing of your personal data may be found in:

• The Danish Personal Data Processing Act (until 25 May 2018)
• The General Data Protection Regulation (GDPR) (after 25 May 2018)
• The Danish Data Protection Act (after 25 May 2018)