Privacy Policy
This Privacy Policy explains how QBIS Consulting ApS ("We", "Us") processes your personal information.
1. Data Controller
The entity responsible for the processing of your personal information is:
QBIS Consulting ApS
Bredgade 25D
1260 Copenhagen
Denmark
CVR no. 36690860
+45 53707035
2. Description of processing
The processing activities of QBIS Consulting ApS is outlined below.
2.1 Employees of customers, customers of customers and organisations
2.1.1 Purpose
Personal data regarding employees of customers, customers of customers and organisations is processed to perform the contract(s) we enter into with customers related to conducting, providing and disseminating socio-economic impact and feasibility studies and evaluations.
2.1.2 Categories of personal data
We process the following categories of ordinary personal data about you: Name, email address, telephone number, employer, company address, job position.
2.1.3 Sources
We collect your personal data from the following sources:
i) Customers.
ii) Customers' customers.
iii) Organisations.
iv) Websites.
v) News articles.
vi) Reports and studies.
2.1.4 Legal basis
We process your personal data on the following legal basis: The processing of personal data is necessary for the pursuit of our legitimate interest in performance of the contract(s) with our customers, cf. Article 6.1.f of the GDPR.
2.1.5 Recipients
We share your personal data with:
i) Customers.
ii) Companies other than customers.
iii) Organisations other than customers.
iv) IT-suppliers, including Microsoft Ireland Operations Limited. For information on Microsoft's sub-processors, please refer to the list of sub-processors
which is accessible here:
2.1.6 Retention
We will retain personal data processed for this purpose for:
i) Information will be deleted 12 months after the last activity in the case, unless there are special reasons to retain it longer, such as for statistical and professional purposes.
ii) Information regarding customer complaints will be retained for a minimum of 24 months after the provision of the product and/or services.
iii) Dispute-related material which includes personal data will be stored for 10 years after the case is closed, unless there are special reasons to retain it longer.
2.2 Contact persons at customers and suppliers
2.2.1 Purpose
Personal data regarding contact persons at customers and suppliers is processed to conclude and perform the contract(s) we enter into with customers.
2.2.2 Categories of personal data
We process the following categories of ordinary personal data about you: Name, email address, telephone number, employer, company address, job position.
2.2.3 Sources
We collect your personal data from the following sources:
i) Customers.
ii) Suppliers.
iii) Websites.
2.2.4 Legal basis
We process your personal data on the following legal basis: The processing of personal data is necessary for the pursuit of our legitimate interest in carrying out pre-contractual steps and performance of the contract(s) with our customers, cf. Article 6.1.f of the GDPR.
2.2.5 Recipients
We share your personal data with:
i) Customers.
ii) IT-suppliers, including Microsoft Ireland Operations Limited. For information on Microsoft's sub-processors, please refer to the list of sub-processors which is accessible here:
2.2.6 Retention
We will retain personal data processed for this purpose as follows:
i) Information will be deleted 12 months after the last activity in the case, unless there are special reasons to retain it longer.
ii) Information regarding customer complaints will be retained for a minimum of 24 months after the provision of the product and/or services.
iii) Accounting material will be retained for a minimum of 5 years from the end of the pertinent financial year, cf. the Danish Bookkeeping Act, Section 12.
iv) Dispute-related material which includes personal data will be stored for 10 years after the case is closed, unless there are special reasons to retain it longer.
2.3 Employees of companies in scope of socio-economic impact and feasibility studies and evaluations, including studies of public interest
2.3.1 Joint data controllership
For processing of personal data regarding employees of companies in scope of socio-economic impact and feasibility studies and evaluations, including studies of public interest, QBIS Consulting ApS and Danske Advokater (a "Party" and the "Parties") act as joint data controllers.
This entails that the Parties jointly determine the purposes and the means of the processing and have agreed on each Party's respective responsibilities to ensure compliance with applicable data protection laws.
Each Party is individually responsible for ensuring the rights of the data subjects by complying with the rules of the GDPR. However, Danske Advokater is responsible for handling requests or inquiries from data subjects regarding the right of access. This does not affect the data subject's right to submit requests or inquiries regarding the right of access to QBIS Consulting ApS directly.
Data controller one:
QBIS Consulting ApS
Bredgade 25D
1260 Copenhagen
Denmark
CVR no. 36690860
+45 53707035
Data controller two:
Danske Advokater
Vesterbrogade 32
1620 København V
Denmark
CVR no. 30974972
2.3.2 Purpose
Personal data regarding employees of companies in scope of studies is processed to conduct socio-economic impact and feasibility studies and evaluations, including studies of public interest.
2.3.3 Categories of personal data
We process the following categories of ordinary personal data about you: Name, employer, job position.
2.3.4 Sources
We collect your personal data from the following source: Websites.
2.3.5 Legal basis
We process your personal data on the following legal basis: The processing of personal data is necessary for the pursuit of our legitimate interest in performance of the contract(s) with our customers, cf. Article 6.1.f of the GDPR. The contract between QBIS ApS and Danske Advokater concerns QBIS ApS' provision of consultancy services for conducting analyses of the state's procurement of legal services.
2.3.6 Recipients
We share your personal data with:
i) Customers.
ii) IT-suppliers, including Microsoft Ireland Operations Limited. For information on Microsoft's sub-processors, please refer to the list of sub-processors which is accessible here:
2.2.7 Retention
We will retain personal data processed for this purpose for:
i) Information will be deleted 12 months after the last activity in the case, unless there are special reasons to retain it longer, such as for statistical and professional purposes.
ii) Information regarding customer complaints will be retained for a minimum of 24 months after the provision of the product and/or services.
iii) Dispute-related material which includes personal data will be stored for 10 years after the case is closed, unless there are special reasons to retain it longer.
3 Transfers to countries outside the EU/EEA
As part of the processing activities outlined above, we may transfer personal data to customers, data processors and subprocessors in third countries (countries outside the EU/EEA). We generally process personal data within the EU/EEA, but may receive support from subprocessors in third countries. This includes transfer of personal data to Microsoft Ireland Operations Limited and its subprocessors. We take significant measures to protect the data.
The third countries we may transfer personal data to include:
-
Hong Kong
-
India
-
Israel (adequacy decision)
-
Japan (adequacy decision for recipients covered by the APPI)
-
Korea, republic of (adequacy decision)
-
Malaysia
-
Mexico
-
New Zealand (adequacy decision)
-
Qatar
-
Singapore
-
South Africa
-
Taiwan
-
United Arab Emirates
-
United Kingdom (adequacy decision)
-
Australia
-
Brazil
-
Canada (adequacy decision for recipients covered by the PIPEDA)
-
Chile
-
China
-
United States (adequacy decision for recipients covered by the EU-U.S. Data Privacy Framework)
-
Serbia
-
Cambodia
-
Sri Lanka
-
Oman
-
Bahrain
-
Kenya
-
Angola
-
Nigeria
-
Ghana
-
Liberia
-
Senegal
-
Morocco
-
Egypt
-
Colombia
-
Costa Rica
-
Guatemala
-
Thailand
Transfer of personal data to recipients in the countries above is based on the European Commission's standard contractual clauses under art. 46 of the GDPR if the European Commission has not made an adequacy decision. You may request a copy by emailing twk@qbis-consulting.com.
4. Your rights
You have the following rights:
-
You have the right to request access to, rectification or erasure of your personal data.
-
You also have the right to have the processing of your personal data restricted.
-
If processing of your personal information is based on your consent, you have the right to withdraw your consent at any time. Your withdrawal will not affect the lawfulness of the processing carried out before you withdrew your consent. You may withdraw your consent by contacting us by email on twk@qbis-consulting.com.
-
You have the right to receive your personal information in a structured, commonly used and machine-readable format (data portability).
-
You may always lodge a complaint with a data protection supervisory authority, e.g. the Danish Data Protection Agency.
Furthermore, you have the right to object to processing of your personal data as follows.
-
If processing of your personal data is based on article 6(1)(e) or article 6(1)(f), see above regarding legal basis, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data.
-
Where your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data about you for such marketing.
You can take steps to exercise your rights by contacting us by email on twk@qbis-consulting.com.
There may be conditions or limitations on these rights. It is therefore not certain for example you have the right of data portability in the specific case - this depends on the specific circumstances of the processing activity.
Last updated: 23 December 2024.