Employee personal data protection policy - Danish Technological Institute 2019 by Teknologisk Institut

Employee personal data protection policy

THE DANISH TECHNOLOGICAL INSTITUTE

Table of contents 1 Introductory comments 4 1.1 Objects 4 1.2 Data control 5 2 Processing personal data for HR purposes 6 2.1 Personnel file 6 2.2 Absence/holidays 10 2.3 Pregnancy and maternity leave etc. 11 2.4 Jobs with subsidised pay, including flex jobs 12 2.5 Time records 12 2.6 Pay, tax and atp 13 2.7 Pensions, group life and health insurance 14 2.8 Bonus schemes 16 2.9 Images 16 2.10 Data on our intranet 17

3 Processing personal data in other contexts 19 3.1 Use of the internet 19 3.2 E-mails/skype for business 20 3.3 Calendar system/ microsoft outlook 20 3.4 It systems 21 3.5 Telephones and tablets 21 3.6 Keycards 22 3.7 Video surveillance 23 3.8 Company cars 23 3.9 Lunch programme 24 3.10 Staff association, art association and fitness centre 24 4 Storage, transfer, disclosure etc. 25 4.1 Storing personal data 25 4.2 Transfers to third countries 26 4.3 Disclosure 26 4.4 Publication 28

5 Termination 29 5.1 Information on termination of employment 29 5.2 Specific information about e-mail accounts 30 5.3 Specific information about mobile telephones, tablets etc. 30 6 Storage limitation 31 6.1 Erasure 31 7 7.1 7.2 7.3

Your rights 33 Information to be provided 33 Access, rectification etc. 34 Additional information 35

1 Introductory comments 1.1 Objects 1.1.1 The Danish Technological Institute will regularly process various personal data about you, either electronically or automatically. We are therefore obliged to inform you of the data about you that we collect, register and disclose or otherwise process. 1.1.2 The overall purpose of processing your data is administration of your conditions of employment or association, both during and after your employment ends, for example with respect to benefits you are entitled to and any obligations you may have.

1.2 Data control 1.2.1 The Danish Technological Institute is the data controller of any information we process in connection with your employment, and the Danish Technological Institute is therefore responsible for processing your data in accordance with data protection law. 1.2.2 The Danish Technological Institute has appointed a special contact person who has the day-to-day responsibility for our processing of personal data. Our contact person is Andras Splidt; his e-mail address is asp@dti.dk, and his telephone number is: +45 7220 2006. You must contact Mr Splidt if you have any questions about the manner in which we process your personal data or if you wish to exercise your rights under data protection law. 1.2.3 If you have any questions related to personnel administration, please contact Annette Holst Vinther, on e-mail ahv@dti.dk.

2 Processing personal data for HR purposes 2.1 Personnel file 2.1.1 When you start your employment or association, we create a personnel file for you in our IT system. In consultation with you, we record certain personal data that, as a rule, you yourself provide. 2.1.2 We record ID information, including name, civil registration number [CPR-number], private address, private and work telephone numbers, private and work e-mail addresses, date of birth, gender, initials and employee ID number. 2.1.3 We also register relevant data about your background and work, including your educational background, position, employment date and status, internal and external work history, seniority, continuing professional development, skills, duties and working hours, what centre and division you work for, the name of your immediate superior, whether or not you have changed positions within the Danish Technological Institute, and whether or not you have been on leave or otherwise absent for any period of time. We may also register duty rosters and lists showing the employees that have access to specific clients, projects, facilities, training programmes etc. As regards employees outside Denmark or employees who are on secondment or work on projects abroad, we may hold on file a copy of their passport and work and/or residence permit. 6

2.1.4 In addition, we register data such as salary or wages, sickness absences, sickness periods, pension schemes, tax information and account numbers. 2.1.5 Information relating to other employment conditions is also recorded, such as any reprimands and warnings, records of performance and development reviews, interviews about sickness absences, and other interviews, conversations and meetings. Employee assessments of managers, directors and executive vice presidents are also registerede

We process the information set out in clauses 2.1.2â&#x20AC;&#x201C;2.1.5 because such processing is necessary in order to fulfil the employment contract you have with us and on the basis of the balance of interests rule. The legal basis for our information processing is section 6(1) of the Danish Data Protection Act (Act No. [502]); see also points (b) and (f) of article 6(1) of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016). The basis for processing the type of data described in the last sentence of clause 2.1.3 is either that such processing is necessary in order to fulfil our obligations pursuant to other statutory rules or in order to pursue our legitimate interests arising from another statute; see section 12(1) and (2) of the Danish Data Protection Act.

2.1.6 In this connection, we may also keep on file medical certificates, declarations of work capacity and other documentation of sickness. We process health-related data to the extent that such processing is necessary in order to fulfil any obligations that are either laid down in or arise from law and/or are otherwise imposed on us under employment law.

In such cases, we process your data because such processing is necessary in order to ful-fil our obligations pursuant to other statutes etc. or to pursue our legitimate interests 7

arising from other statutes etc.; see section 12(1) and (2) of the Danish Data Protection Act. Such other statutes may include the provisions of the Danish Sickness Benefits Act or the Danish Health Information Act. 2.1.7 In addition, we register information on trade union representatives and other protected employees insofar as this is necessary to fulfil our obligations under existing collective agreements.

We process data relating to trade union representatives and other protected employees because such processing is necessary in order to fulfil our obligations pursuant to other statutes or collective agreements. The legal basis for this is section 12(1) and (2) of the Danish Data Protection Act.

2.1.8 We also register data you have provided relating to your next-of-kin so we can notify them if you become ill or have an accident.

The basis for processing data about your next-of-kin is the balance of interests rule, since we deem such processing necessary in order to pursue our legitimate interests of being able to contact your next-of-kin if necessary, for example if you become ill or something else happens while you are at work. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (f) of article 6(1) of the GDPR.

2.1.9 We may merge data in the system with data relating to other employees, for example to produce various types of statistics and statements. These data may include statistics on sickness absences, staff age distribution in units and areas, frequency of changes in job position etc.

2.1.10 Some of the data may be registered in several places, for example data on absence due to sickness, leave, holidays, birthdays etc. 2.1.11 We incorporate some of the information into your employment contract. The signed contract is stored in your personnel file, and it will be sent to you via e-Boks. We also keep the data electronically in our IT system, and some of the data are also posted on the Intranet. For more details, please see below. 2.1.12 Our electronic personnel administration is kept separate from other types of data handling, and only specially authorised employees have access to personnel files. As a rule, authorised employees include members of staff in the Personnel & Development department, your immediate superior and vice presidents to the extent relevant; see the current organisation chart of the Danish Technological Institute. 2.1.13 All personal data mentioned above will be processed within the framework of data protection law and in compliance with its provisions.

2.2 Absence/Holidays 2.2.1 We record your absences due to sickness, your childâ&#x20AC;&#x2122;s sickness, maternity or other type of leave or absence so that we can receive a refund for the hours you have been absent, if necessary. We also use the records to produce sickness absence statistics. If we are eligible for a refund under the law, we will forward the relevant data about you, including your civil registration number, to the authorities handling the task, including Udbetaling Danmark and your local authority. The same applies to any relevant insurance schemes.

We process information about your absences because such processing is necessary in order to fulfil the employment contract you have with us or in order to fulfil our obligations pursuant to other statutes etc. or to pursue a legitimate interest arising out of other statutes etc. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (b) of article 6(1) of the GDPR and section 12(1) and (2) of the Danish Data Protection Act. Such other statutes may include the Danish Maternity Act (Part 10) and the Danish Sickness Benefits Act (Part 19).

2.2.2 We also record how many of your statutory holidays and additional days off that you take. If you are a new employee and are therefore not yet entitled to holiday with pay, we register your holidays for the purpose of making deductions from your pay. Holiday entitlement and pay is handled by our payroll administrator, to whom any information about your holidays will thus be disclosed.

In such cases, we disclose your data in order to be able to fulfil our obligations pursuant to other statutes etc. or to pursue our legitimate interests arising from other statutes etc.; see section 12(1) and (2) of the Danish Data Protection Act. Such other statutes may include the Danish Holiday with Pay Act.

2.2.3 If you are paid by the hour or are owed holiday pay upon your resignation, information about your holiday entitlement and pay will be passed on to FerieKonto.

2.3 Pregnancy and maternity leave etc. 2.3.1 In compliance with the provisions on maternity, paternity and childcare leave, we register information about the estimated date of delivery (EDD), the birth itself, leaves of absence etc. As documentation for the EDD, we process a copy of the maternity notes or a certificate from the physician stating this date. 2.3.2 We also disclose information about the birth, pay, working hours, leaves etc. to Udbetaling Danmark for the purpose of receiving maternity pay and other benefits. This applies to all types of leave mentioned in clause 2.3.1.

In such cases, we register and disclose your data in order to fulfil our obligations pursuant to other statutes etc. or to pursue our legitimate interests arising from other statutes etc.; see section 12(1) and (2) of the Danish Data Protection Act. Such other statutes may include the Danish Maternity Act (Part 10).

2.4 Jobs with subsidised pay, including flex jobs 2.4.1 If you are employed in a position that includes a subsidised pay scheme, e.g. a flex job, we will record this. In order to obtain a refund, we will contact your local authority or other government authorities who in that connection may gain access to relevant information on your employment.

In such cases, we process your data because such processing is necessary in order to ful-fil our obligations pursuant to other statutes etc. or to pursue our legitimate interests arising from other statutes etc.; see section 12(1) and (2) of the Danish Data Protection Act. Such other statutes may include the act on active job searching.

2.5 Time records 2.5.1 In our time records system, we register your working hours and attendance, the days you take off and why, and when you are off sick and for how long. 2.5.2 You must use this same system yourself to record when you start and finish your workday. If you have requested holidays, full flex days or other days off and had them approved, this information will be recorded in our time records system. Days off will be recorded in the system when you take them. You must also register any absence due to sickness in the system. However, in the case of longterm illness or leave, we will record the information for you, and we will also record information on the date your absence due to sickness or sick leave ends.

We process this information because such processing is necessary in order to fulfil the employment contract you have with us. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (b) of article 6(1) of the GDPR.

2.6 Pay, tax and ATP 2.6.1 The Danish Technological Institute uses a payroll system that is handled by our external payroll administrator. 2.6.2 For payment of wages or salary, your data will be entered in the payroll system, and the payment itself will be handled by our external payroll administrator. When we authorise your pay, we use your civil registration number. Through our payroll system, the total payroll is transferred to our bankers, who ensure that your pay is deposited in your bank account. An electronic copy of your payslips will be sent to your e-Boks, and then you will be able to access them through the e-Boks system. We also have access to payslips, which we can pull up electronically using the payroll system. 2.6.3 If we have to pay you an amount unrelated to your monthly pay, the procedure will be the same.

2.6.4 We receive your tax details directly from SKAT (the Central Tax Administration in Denmark). We are automatically notified if changes to your tax card are made. Every month, your A-taxes (tax deducted from income at source) and special contribution to the labour market will be transferred to SKAT via our payroll system. At the same time, SKAT is also provided with certain data about you: name, address, civil registration number, place of employment, gross pay and information about staff benefits. SKAT also receives information of the total amount you have earned for the year.

2.6.5 Your monthly contributions to ATP (the Danish Labour Market Supplementary Pension Scheme) are also paid through the payroll system. Each year, we inform SKAT how much you have paid into the ATP scheme.

We process this data because such processing is necessary in order to fulfil our obligations pursuant to other statutes or to pursue our legitimate interests arising from other statutes; see section 12(1) and (2) of the Danish Data Protection Act. Such other statutes may include the act on special contributions to labour market funds and the Danish Tax at Source Act (Title IV).

2.6.6 If you have a pension scheme, SKAT and our external payroll administrator will be notified of the amount you pay and the pension fund you pay it to. Your name, civil registration number and the amount will be disclosed on transfer. For more details, please refer to the section about pensions below. For tax purposes, SKAT will be informed if you have a health insurance policy or a group life policy. 2.7 Pensions, group life and health insurance 2.7.1 Danish Technological Institute employees are covered by either a compulsory or a voluntary pension scheme, depending on the collective agreement your employment contract is governed by. Whether you pay into a voluntary or compulsory pension scheme, contributions paid by you and/or the Danish Technological Institute will always be made monthly through the payroll system. For more details about pension schemes, please consult the section on pensions in the staff manual.

We process details of your pension scheme on the basis of the balance of interests rule or because such processing is necessary in order to fulfil our obligations pursuant to other statutes or collective agreements. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (f) of article 6(1) of the GDPR or section 12(1) and (2) of the Danish Data Protection Act.

2.7.2 All employees with more than one year of seniority with the Danish Technological Institute are covered by a group life policy that includes wholelife and critical illness coverage: a compulsory scheme paid for by the Danish Technological Institute. The Danish Technological Institute forwards to the insurance company the names and civil registration numbers of all employees covered under the scheme. The Danish Technological Institute receives no personal data concerning the use of the group life policy; only statistical data.

We process personal data relating to the group life policy because such processing is necessary to fulfil the employment contract you have with us. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (b) of article 6(1) of the GDPR.

2.7.3 Danish Technological Institute employees are covered by a health insurance policy that includes treatment for various illnesses, injuries and other medical conditions. When an employee is hired, his or her civil registration number, name and work e-mail address are disclosed to the insurance company. The insurance company then contacts the employee with a view to registration. The Danish Technological Institute receives information on what employees are covered by the insurance so that we can pay the relevant premium. The Danish Technological Institute receives no personal data concerning the use of the health insurance policy; only statistical data.

We process personal data relating to the health insurance policy because such processing is necessary in order to fulfil the employment contract you have with us. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (b) of article 6(1) of the GDPR.

2.8 Bonus schemes 2.8.1 If you are covered by a bonus scheme, the Danish Technological Institute will also process data about you to determine whether or not you are eligible for a bonus: for example, information about your performance. For more information, please see the current bonus scheme. If a bonus is payable, payment will be handled by our external payroll administrator in accordance with the above-mentioned principles.

2.9 Images 2.9.1 In connection with your employment, we store portrait and situation images of you, either in the form of photographs or video recordings. The images will be posted on our intranet, internally in Outlook, in Skype for Business, and in the list of contacts in your mobile phone. The images may also be used on our website and in external information material in both printed and digital media. You will find a more detailed description under the relevant sections below.

We store portrait and situation images of you on the basis of the balance of interests rule or of your possible consent to our storing portrait and situation images of you. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (a) and (f) of article 6(1) of the GDPR.

2.10 Data on our intranet 2.10.1 On our intranet, we register information on your name, position, function, placement in the organisational hierarchy, physical location, telephone number and e-mail address.

We also post a picture of you on the intranet to make it easier for your colleagues to locate you if they need to contact you.

2.10.2 Information about the administrative duties you have and other tasks you are in charge of or a contact person for will also be posted on the intranet. We may also post information about your skills and areas you are responsible for or similar information.

The basis for publishing your data on the intranet is the balance of interests rule, since we deem such processing to be necessary in order to pursue our legitimate interests of enabling your colleagues and others to have easy access to information about you if they need to contact you. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (f) of article 6(1) of the GDPR.

3 Processing personal data in other contexts 3.1 Use of the Internet 3.1.1 We keep a centralised record of the webpages you visit. This information will also be automatically registered on your PC in your temporary internet files and overview folders. 3.1.2 Please see our guidelines on IT security for users, which is available in Danish (â&#x20AC;&#x153;IT-sikkerhed for brugereâ&#x20AC;?) on the intranet, where you will find more details on control and monitoring of webpage views.

We register your visits to webpages on the basis of the balance of interests rule, since we deem such registration to be necessary in order to pursue our legitimate interests of registration for technical and security purposes and to check whether you have been using the Internet in contravention of our guidelines. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (f) of article 6(1) of the GDPR.

3.2 E-mails/Skype for Business 3.2.1 E-mail messages sent to and from your e-mail address at the Danish Technological Institute are logged centrally. In other words, we register the sender and recipient of each e-mail message, whether it was sent to or by you, the time it was sent and received, the subject line, and the contents of the messages you receive and send. Similarly, we register your use of Skype for Business, i.e. with whom and when you communicate and the content of the communication. 3.2.2 We refer to our guidelines, available in Danish only (â&#x20AC;&#x153;IT-sikkerhed for brugereâ&#x20AC;?) and posted on the intranet. It describes in more detail how we check, monitor etc. e-mail messages and communications via Skype for Business.

We log your e-mail messages on the basis of the balance of interests rule, since we deem such logging to be necessary in order to pursue our legitimate interests of ensuring operations, security, data recovery, and documentation and to check whether you have been sending e-mail messages in contravention of our guidelines. The legal basis is section 6(1) of the Danish Data Protection Act; see also point (f) of article 6(1) of the GDPR.

3.3 Calendar system/Microsoft Outlook 3.3.1 You are expected to record your appointments, meetings, absences etc. in your electronic calendar in Outlook. Other employees can send you invitations to meetings and other events that will be temporarily registered in your calendar until you have accepted or rejected them. Employees who have been given access to your calendar can also set up appointments etc. 3.3.2 As a rule, the contents of your calendar are visible to all employees at the Danish Technological Institute, Dancert A/S and Danfysik A/S. However, it is possible to mark appointments as private, meaning that only you can see the contents. Others can only see that you are booked. Infor20

mation recorded in the calendar is saved in Outlook, but can be changed or deleted by you or anyone to whom you have given access.

The basis for registering your data in the electronic calendar is the balance of interests rule, since we deem such registration to be necessary in order to pursue our legitimate interests of being able to organise and plan on the basis of the information recorded by you. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (f) of article 6(1) of the GDPR.

3.4 IT systems 3.4.1 In principle, our IT systems log all instances of use. In other words, we can see your movements in the system, e.g. if you have created a project or a document or changed a project title or document description.

We log your use of our IT systems on the basis of the balance of interests rule, since we deem such logging to be necessary in order to pursue our legitimate interests of monitoring compliance with the requirements of having sufficient security measures in place under data protection law, for technical and security purposes, and to check whether you have been using the IT systems in contravention of our guidelines. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (f) of article 6(1) of the GDPR.

3.5 Telephones and tablets 3.5.1 We do not log your telephone calls (neither outgoing nor incoming calls), but your mobile phone keeps a local record of the times and numbers you call and you receive calls from. You can delete the call lists in your telephone at any time.

3.5.2 Your mobile phone and tablet will record and store data in e-mail messages, texts, multimedia messages, apps, images etc. that you yourself write, install or take. You can also delete such data and images at any time. 3.5.3 When you hand in your mobile telephone, tablet etc. – for example because you are no longer employed by us or because you need a replacement – all data are reset so that previous calls, e-mails, texts, multimedia messages, app data, images etc. are erased. 3.5.4 Please see the guidelines regarding iPhone security (“IT-sikkerhed – Sikring af din iPhone”) available in Danish on our intranet. 3.6 Keycards 3.6.1 Staff in some parts of the Danish Technological Institute have been given keycards that activate electronic door locks. These locks are connected to an alarm system. Your keycard has a number that will be logged electronically when you open a door secured by an electronic lock. The log shows how and when your card has been used. We only use it in very special cases, e.g. if there has been a burglary. This electronic log is overwritten at regular intervals and thus not permanent. If you use your keycard to stop an alarm that has gone off, this information will also be logged. 3.6.2 We register your keycard use on the basis of the balance of interests rule, since we deem such registration to be necessary in order to pursue our legitimate interests of preventing crime, ensuring that our employees are safe and securing evidence and thus information to be used in police crime investigations. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (f) of article 6(1) of the GDPR.

3.7 Video surveillance 3.7.1 We have installed video surveillance, primarily located in the outdoor areas of the Danish Technological Institute. Camera positions are marked by signs. 3.7.2 The purpose of such video surveillance is to prevent and solve crime and ensure that our employees are safe. We refer to the section of our staff manual entitled “Videoovervågning”, which is posted in Danish on the intranet. 3.7.3 We have installed video surveillance on the basis of the balance of interests rule, since we deem such surveillance to be necessary in order to pursue our legitimate interests of preventing crime, ensuring that our employees are safe, and securing evidence and thus information to be used in police investigations of crime. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (f) of article 6(1) of the GDPR. 3.8 Company cars 3.8.1 In connection with the use of company cars, we may register who uses each car, when and for how long, along with the project name, purpose of the trip and the geographical location of the car. 3.8.2 Please see the memorandum on “Rejser, kørsel og udlæg - Kørsel i Instituttets biler” (“Travel, mileage and expenses: Use of Institute cars”), which is posted on the intranet under “Økonomi” (“Finances”). 3.8.3 We register your use of company cars on the basis of the balance of interests rule, since we deem such registration to be necessary in order to pursue our legitimate interests of monitoring the location of our company cars and who is using them and at what time in order to check

whether company cars are being used in contravention of our guidelines. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (f) of article 6(1) of the GDPR. 3.9 Lunch programme 3.9.1 We register information on whether or not you have signed up for our lunch programme at Skejby so that we can pay our part of the lunch programme at this location.

We record information about your use of this lunch programme because such processing is necessary to fulfil the agreement you have with us about using the programme. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (b) of article 6(1) of the GDPR.

3.10 Staff association, art association and fitness centre 3.10.1 We register whether or not you are a member of our staff association, art association and/or fitness centre so that we can deduct the relevant fees from your pay.

We register the information about your use of our staff association, art association and/or fitness centre because such registration is necessary in order to fulfil the agreement you have with us about association and/ or centre membership. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (b) of article 6(1) of the GDPR.

4 Storage, transfer, disclosure etc. 4.1 Storing personal data 4.1.1 Information about you is stored and processed at our office address and/or on our own servers. 4.1.2 Certain information is also stored and processed by our data processors in connection with our external payroll administration; external on-boarding system; external dispatch of employment contracts; external handling of our personality test, employee satisfaction surveys, and workplace assessments; and in connection with the operational and IT security tasks (e.g. backups and website hosting) that we have outsourced. The storage of data by external collaborators (our data processors) is subject to data protection law, and we have data processor agreements with these collaborators to ensure that your data will not, for example, be disclosed to unauthorised persons or organisations.

4.2 Transfers to third countries 4.2.1 Some of your data will be transferred to countries outside the EU and EEA because some of our data processors are located outside the EU and EEA. 4.2.2 Transfer of personal data to data processors outside the EU or EEA will either take place on the basis of EUâ&#x20AC;&#x2122;s standard contractual clauses on the transfer of personal data to third countries or on the basis of the requirements of the Privacy Shield scheme or similar safeguards, and this will guarantee an adequate level of data protection. 4.3 Disclosure 4.3.1 In connection with payroll administration, reimbursement of salaries and wages, industrial injury cases etc. the necessary information will be disclosed to the relevant public authorities, e.g. the tax authorities, local authorities, Udbetaling Danmark and Arbejdsmarkedets Erhvervssikring, as described above. In addition, we may disclose information about you to our industrial injury insurers or other insurance companies if this is relevant and necessary for their processing of claims etc.

We will disclose your data either because such disclosure is necessary in order to fulfil a legal obligation towards the authorities in question or in order to fulfil our obligations pursuant to other statutes or collective agreements. The legal basis for this is section 6(1) of the Danish Data Protection Act: see point (c) of article 6(1) of the GDPR and section 12(1) of the Danish Data Protection Act; see also the Danish Tax at Source Act, the Maternity Act, the Sickness Benefits Act and the Industrial Injury Act.

4.3.2 We will also disclose information about you to your pension fund for the purpose of calculating and remitting your pay, taxes and pension fund contributions. For more information about pensions etc., please see below.

We disclose information to your pension fund because such disclosure is necessary in order to fulfil the contract you have with the pension fund. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (b) of Article 6(1) of the GDPR.

4.3.3 We may also disclose your personal data to our external legal advisers with a view to handling a specific task. The Danish Technological Institute may, for example, require legal assistance in a matter involving you for which our legal adviser needs the relevant personal data.

In such cases, the basis for disclosing information to our legal adviser would be the balance of interests rule, since we deem such disclosure to be necessary in order to pursue our legitimate interests of receiving legal assistance in a matter in which you are involved and in order to determine, submit and defend legal claims. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (f) of article 6(1) of the GDPR, section 7(1) of the Danish Data Protection Act and point (f) of article 9(2) of the GDPR.

4.4 Publication 4.4.1 We post information online on your name, position, work telephone number and e-mail address. If you give your consent, we also post a picture of you online in order to make it easier for our clients and others to locate you when they need to contact you.

We publish information about you online on the basis of the balance of interests rule, since we deem such publication to be necessary in order to pursue our legitimate interests of publishing the information so that our clients can contact you. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (f) of article 6(1) of the GDPR.

4.4.2 If you have given your consent, images or video recordings may also be used in external information material in both printed and digital media. The legal basis for this is section 6(1) of the Danish Data Protection Act; see also point (a) of article 6(1) of the GDPR.

5 Termination 5.1 Information on termination of employment 5.1.1 If your employment is terminated, information will be registered relating to the termination, including possibly also your leaving date, resignation, dismissal or summary dismissal, and any relevant related information, e.g. the reason(s) that you are no longer employed by us and any reprimands, warnings or references. We register such information in order to fulfil our legal obligations, e.g. so that we can inform you of the cause if you were dismissed.

We register information about the termination of your employment in connection with the termination because such information may be required to determine, submit or defend a legal claim, or it may be necessary for us in order to fulfil a legal obligation pursuant to other statutes etc. or to pursue our legitimate interests arising from other statutes etc. The legal basis is for this section 7(1) of the Danish Data Protection Act; see also point (f) of article 9(2) of the GDPR and section 12(1) and (2) of the Danish Data Protection Act. Such other statutes may include the Danish Salaried Employees Act.

5.2 Specific information about e-mail accounts 5.2.1 When your employment is terminated – or if you are released from your obligation to attend work during the period of notice – your network access to all systems will be disabled, including access to your personal e-mail account, Skype for Business, calendar, task management system and Dynamics. We refer to our guidelines entitled “IT-sikkerhed for brugere” (“IT security for users”), which are posted on the intranet and contain more information on this subject. 5.3 Specific information about mobile telephones, tablets etc. 5.3.1 When your employment with us ends, you must delete private e-mails, texts, multimedia messages, pictures and other private material from the phone and/or tablet you have been provided with, and you must log out of your Apple ID. We refer to our guidelines “IT-sikkerhed for brugere” (“IT- security for users”), which contain more information on this subject.

6 Storage limitation 6.1 Erasure 6.1.1 Throughout your entire period of employment and, as a rule, for up to five years after the end of your employment relationship, but subject to our obligations to public authorities, we will store your personal data for the purpose of any legal disputes that may arise. Your personal data will only be stored beyond the said five-year period if necessary for a specific and substantive purpose. 6.1.2 However, in some cases we will be obliged to delete your personal data before the period stated above has ended. This would apply, for example, if you withdraw your consent to processing specific data or if you believe that your data are no longer necessary for the purpose for which we collected them. 6.1.3 When you contact us to request that your personal data be rectified or erased, we will check whether the conditions are fulfilled and, if so, we will make the relevant changes or deletions as soon as possible. 6.1.4 We also refer to our policy on data processing and erasure related to recruitment and personnel administration.

7 Your rights 7.1 Information to be provided 7.1.1 You have various rights under data protection law when we process your personal data electronically. The law imposes certain obligations on us, e.g. the obligation to inform you when we have collected or will collect personal data about you. 7.1.2 If, in specific cases, we process other personal data about you or perform a type of processing other than what is described here, you will be notified separately. Specific cases may include, for example, our imposing on you an employment law sanction such as a warning or dismissal.

7.2 Access, rectification etc. 7.2.1 You also have the right to know what information we have collected in connection with your employment or associative relationship, and you have the right to access to such information. You have the right to request that we rectify or erase information or to restrict the processing of your data, for example if you believe that the data are incorrect or give the wrong impression. You also have the right to object to the processing we perform based on the balance of interests rule. We are obliged to react to your request. 7.2.2 In certain circumstances you have the right to data portability, which means that you have the right to receive the personal data that you have given us in a structured, commonly used and machine-readable format. 7.2.3 If you have given your consent to the processing of your personal data, you may withdraw your consent at any time. However, we may continue to process any personal data whose collection was not based on your consent.

7.3 Additional information 7.3.1 If you have any questions to the above or your rights under data protection law, you are welcome to contact the contact person at the Danish Technological Institute by e-mail on asp@dti.dk or by telephone on +45 7220 2006. You can read more about data protection law and your rights on the website of the Danish Data Protection Agency at www.datatilsynet.dk. The Danish Data Protection Agency is the authority that can ultimately evaluate whether your personal data are being processed lawfully. You can thus complain to the Danish Data Protection Agency if you disagree with the manner in which we process your personal data.

Contact details for the Danish Data Protection Agency are as follows: Danish Data Protection Agency, Borgergade 28, 5., 1300 Copenhagen K, telephone +45 3319 3200, dt@datatilsynet.dk.

If you have any questions relating to HR, please contact Annette Holst Vinther, on e-mail: ahv@dti.dk.

7.3.2 We also refer to our other policies that also include a description of special types of processing of personal data, including our staff manual, recruitment policy, IT security for users, and deletion and processing policy on recruitment and personnel administration.

This Danish Technological Institute Employee Personal Data Protection Policy was last updated on 24 May 2018.

Employee personal data protection policy THE DANISH TECHNOLOGICAL INSTITUTE