ONE Marketing A/S (“ONE” or “we”) is committed to protecting the confidentiality, integrity and availability of information, including personal data about our clients, suppliers, collaborators, applicants and employees. We are strongly committed to protecting personal data and continuously strive to ensure ongoing compliance with data protection law, including the General Data Protection Regulation(“GDPR”).
When we process personal data on behalf of our clients and in accordance with our client’s instructions in connection with our services, ONE is the data processor, and our client is the data controller. Consequently, we enter into a written data processing agreement with our client, setting out instructions and terms and conditions for ONE’s processing of personal data.
ONE obtains an ISAE 3000 (GDPR) audit statement in its capacity as data processor. Latest Audit report is available by contacting the DPO.
If you have any questions regarding your data processing agreement or the audit statement, please contact either your normal contact at ONE or theDPO.
When processing personal data in connection with e.g., our client engagement, recruitment and administration, we consider ourselves as data controller.
This privacy notice provides information about ONE’s processing of personal data when ONE is acting as a data controller. Read more about this below.
The data controller is
ONE Marketing A/S
CVR no. 28850123
Borgergade 14, 3. Th.
1300 Copenhagen
If you want to exercise your rights as described below, or if you have any questions about this privacy statement or how and why we process personal data, please contact our DPO:
Camilla Thøgersen
E-mail: dpo@marketing.dk
To learn more about the specific categories of data that ONE is processing, and the purposes and legal basis of the processing, please see the relevant sections below.
The purpose is to manage the engagements with our clients, including providing consultancy services and invoice, and administer and manage our business and services.
The client, its owners and contacts, if any.
ONE processes non-sensitive personal data, including names, addresses, telephone numbers and e-mail addresses of our clients and their owners, and names, job titles, telephone numbers and e-mail addresses of the clients’ contacts.
The processing of personal data is necessary in order for us to perform the agreement with the client or implement measures at the client’s request prior to the conclusion of the agreement, see Article 6(1)(b) of the General Data Protection Regulation.
Furthermore, processing is necessary in order for us to pursue our legitimate interest in managing the client cooperation, administering and managing our business and services, operating and maintaining IT systems made available to or used as part of our servicing of the client, as well as hosting, administering and managing our website, systems and applications, see Article 6(1)(f) of the General Data Protection Regulation.
The client, its owners and contacts, if any.
ONE retains personal data for ten years, counted from the end of the calendar year of the last engagement, unless special circumstances require shorter or longer periods of storage.
Contacts are deleted as soon as possible after ONE becomes aware that such contacts are no longer employed with the client.
ONE discloses personal data to public authorities, in the event that ONE is required to do so. Besides this, ONE does not disclose information to third parties, but we engage data processors, including IT suppliers, to whom we make personal data available. ONE enters into data processing agreements with all data processors to ensure appropriate security.
We process personal data about visitors for administrative purposes, including meeting management and for security and access control purposes.
Visitors.
ONE processes non-sensitive personal data, including names, job titles, email, company names and the names of the ONE hosts. In addition, we process personal data through video surveillance.
The processing of personal data is necessary in order to pursue our legitimate interest in ensuring a high level of security, see Article 6(1)(f) of the General Data Protection Regulation.
ONE’s processing of personal data is carried out in accordance with s. 3(1) of the Danish Act on Television Surveillance (tv-overvågningsloven). There are signs in our office showing that CCTV is in operation.
Visitors.
Recordings of visitors by the reception are stored for up to one year.
Both recordings and CCTV are securely stored and reviewed only on a need-to-know basis (e.g., to look into a security incident) and only by persons with a work-related need for this. CCTV footage is typically overwritten automatically after 30 days unless an issue that requires investigation (such as a theft) has been identified.
Personal data will be disclosed to the police only where a security incident requiring investigation (e.g., theft).
ONE engages data processors, including IT suppliers, to whom we make personal data available. ONE enters into data processing agreements with all data processors to ensure appropriate security.
We record no data on visitors to our website.
The purpose is to launch marketing initiatives, including target communication to our relations.
The relation.
ONE processes non-sensitive personal data, including names, job positions, company names, telephone numbers and e-mail addresses.
Processing is necessary for us to pursue our legitimate interest, including our interest in marketing our firm and our interest in targeting the material distributed by ONE, see Article 6(1)(f) of the General Data Protection Regulation.
Processing of personal data as part of the delivery of our newsletters and other likely communication is based on the consent of the relation, see Article 6(1)(a) of the General Data Protection Regulation.
The relation, employees of ONE or via publicly available sources, such as the central business register (cvr.dk) or LinkedIn.
ONE retains personal data as long the data is necessary for the purpose for which the personal data are processed.
If the subscriber has signed up to our newsletter, ONE will process his/her personal data until consent is revoked.
ONE retains documentation of the consumer’s consent as long as ONE wants to contact the consumer and until two years after the company has last contacted the consumer or sent marketing. This is because to a possible criminal liability expires after two years.
It is the opinion of the Consumer Ombudsman that a consumer is not entitled to have the personal data about the consent deleted, which is necessary for the company to document that is has had a valid consent from the consumer to receive marketing.
ONE does not disclose personal data, but we engage data processors, including IT suppliers, marketing agencies, etc., to whom we make personal data available. ONE enters into data processing agreements with all data processors to ensure appropriate security.
The purpose is to administer registration, arrange events and courses, sending invitations, lists of participants, surveys regarding the event and to keep in touch with participants before, during and after the events and courses.
The purpose is also to administer and manage the network activities, including identify participants, distribute invitations and conduct events.
The participant and the client.
ONE processes non-sensitive data, including names, job titles and positions, company names, addresses, telephone numbers and e-mail addresses.
The processing of personal data is necessary in order for us to perform an agreement with the participant and client and to implement measures at the client’s request prior to the conclusion of the agreement, see Article 6(1)(b) of the General Data Protection Regulation.
Furthermore, the processing is necessary in order to pursue our legitimate interest in carrying out events and subsequently evaluating them and administering and managing the network activities, see Article 6(1)(f) of the General Data Protection Regulation.
The participant and the client.
ONE retains personal data as long the data is necessary for the purpose for which the personal data are processed. ONE assesses whether special circumstances require shorter or longer periods of storage.
ONE does not disclose information to third parties except lists of participants which are disclosed to other network participants.
The purpose is to carry out contract management, receive goods and services from our suppliers and business partners.
The supplier or business partner, including any contacts employed with them.
ONE processes non-sensitive personal data, including names, addresses, e-mail addresses and phone numbers, as well as any bank account information on suppliers and business partners.
In addition, ONE processes names, job titles, e-mail addresses and telephone numbers of any contacts employed with suppliers and business partners.
The processing of personal data is necessary in order for us to perform the agreement with the supplier and the business partner, see Article 6(1)(b) of the General Data Protection Regulation.
The processing of personal data relating to the contacts of a supplier and its business partners is necessary to enable us to pursue our legitimate interest in administering and performing the agreement with the business partner, see Article 6(1)(f) of the General Data Protection Regulation.
The supplier, business partner or their contacts.
ONE retains personal data for five years, counting from termination of the supplier relationship or business partnering, unless special circumstances require shorter or longer periods of storage.
We disclose personal data to the auditor in connection with the audit, but we engage data processors, including IT suppliers, to whom we make personal data available. ONE enters into data processing agreements with all data processors to ensure appropriate security.
The purpose is to be able to recruit, including to process and assess candidates in relation to current or future positions with ONE.
The candidate and any references specified by the candidate.
ONE processes non-sensitive personal data forwarded by candidates or any external recruitment agencies, including names, telephone numbers and e-mail addresses, curriculum vitae, references, exam papers, photos, information about salary, and other supporting documents.
If a candidate is invited to an interview, ONE collects and processes personal data in connection with personality and proficiency tests and any references.
ONE may also ask candidates to present their criminal records, if relevant to the current position.
We do not need to process the candidate’s CPR number and therefore request that such information not be sent to ONE. In exceptional cases, we may process sensitive personal data received from the candidate if these are relevant to the candidate’s position with ONE.
The processing of personal data is necessary in order for us to pursue our legitimate interest in processing and assessing the candidate, filling the position with an appropriate candidate and storing the personal data for subsequent recruitment processes, see Article 6(1)(f) of the GDPR.
ONE processes data from tests, collection of references and criminal records on the basis of the candidate’s consent, see Article 6(1)(a) of the GDPR.
ONE processes sensitive data, including health data, on the basis of the candidate’s consent, see Article 9(2)(b) of the GDPR, and section 12(1) of the Danish Act of the Processing of Personal Data.
The candidate, external recruitment agencies and any references.
During the selection process, ONE may search for relevant information published on the Internet, for example LinkedIn, Facebook and similar social media.
If the candidate is not offered a position, we delete the information six months after the candidate has been informed that he or she was not selected, unless the candidate has consented to us storing it for a longer period of time, for example in connection with the recruitment for other or future positions, or if special circumstances warrant a longer period of storage.
If a candidate wants to have data concerning him or her erased sooner the candidate may request ONE to do so at dpo@marketing.dk.
ONE does not disclose the candidate’s personal data to third parties, but in some cases, ONE makes them available to data processors, such as test providers, recruitment agencies, etc., which provide services to us in connection with a recruitment process. In that case, we will enter into the necessary agreement to ensure, inter alia, that personal data are processed properly and securely in accordance with the obligations set out in the GDPR.
If the candidate consents to ONE collecting references, the declaration of consent will be forwarded to the enterprise(s) and contact person(s) provided by the candidate as references in order to serve as documentation of the candidate’s consent to ONE obtaining reference information about the candidate.
As individual, you have certain rights over your personal data, which ONE as data controller are obligated to fulfill.
You have a right of access to personal data held by us as a data controller. Similarly, you are entitled to have any inaccurate or incomplete personal data rectified. Please contact ONE if you want to have your personal deleted, to have ONE’s processing of such data restricted, to exploit your right to data portability or object to ONE’s processing of such data.
When we process personal data based on consent, individuals have a right to withdraw consent at any time. To withdraw consent to our processing of your personal data please contact us. If you no longer wish to receive e-mails with information or marketing material about ONE, please notify us at dpo@onemarketing.dk.
In case you are an employee of a client, or have a relation to one of our clients’, who we process personal data on behalf of, we advise you to contact the client in order to exercise your rights as a data subject. This is because the client is the data controller of the processing of personal data concerning you.
Below you can read more about your rights as a data subject if you want to exercise your rights regarding one or more processing activities carried out by ONE as the data controller.
You have the right to obtain from us confirmation as to whether personal data concerning you are being processed.
You have the right to have inaccurate personal data concerning you rectified and to have incomplete personal data completed.
In certain situations you have the right to have personal data concerning you erased.
In certain situations you have the right to obtain from us restriction of processing of personal data concerning you. ONE does not carry out automated individual decision-making, including profiling.
You have the right to make objections against our processing of personal data concerning you which is based on our legitimate interests. We do not continue the processing of personal data concerning you, unless we are able to demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of you or for the establishment, exercise or defense of legal claims.
You are welcome to contact us if you want to learn more about your right to data portability.
In case our processing of personal data concerning you is based on your consent, you have the right to withdraw your consent at any time.
The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Information security is the business risk given top priority at ONE. We take the security of all the data we hold very seriously, and we adhere to internationally recognized security standards. We have security measures in place to ensure data protection of client information, personal data and other confidential information. We regularly perform internal follow-up in relation to the appropriateness of and compliance with policies and measures.
We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an e-mail with the details of your complaint to dpo@onemarketing.dk. We will review the complaint and return.
You also have the right to lodge a complaint with the Danish Data Protection Agency in relation to your rights and to ONE’s processing of personal data. For further information about how to complain to the Danish Data Protection Agency, please refer to the Danish Data Protection Agency website https://www.datatilsynet.dk/borger/klage.
We recognize that transparency is an ongoing responsibility so we will keep this privacy statement under regular review.
This privacy statement was last updated on September 30th, 2022.
