PRIVACY POLICY

1. Introduction

 

1.1 To facilitate our Client services, hereafter referred to as "Kroxio" or "we," it is imperative to collect personal data from our clients and/or potential clients, as well as contact persons at suppliers and other business partners. Kroxio is also engaged in the processing of personal data pertaining to employees for the explicit purpose of personnel administration. 

 

In cognisance of the aforementioned, Kroxio is committed to upholding a robust standard of data protection. Recognising privacy as a fundamental tenet, we acknowledge its pivotal role in fostering and sustaining the trust of our clients, potential clients, contact persons at suppliers, and other business partners. This commitment serves as a linchpin in securing Kroxio's standing and future business prospects. These principles are equally applicable to the processing of personal data concerning our employees.

The safeguarding of personal data necessitates the implementation of comprehensive technical and organisational measures to demonstrate an elevated level of data protection. Kroxio has enacted a suite of internal and external data protection policies, which demand strict adherence from all Kroxio employees.

Furthermore, Kroxio is dedicated to actively monitoring, auditing, and meticulously documenting internal compliance with our data protection policies, as well as adhering to pertinent statutory data protection requirements, including the General Data Protection Regulation (“GDPR”).

In addition, Kroxio is committed to undertaking requisite measures aimed at fortifying data protection compliance within the organisational framework. These measures encompass the delineation of responsibilities, heightened awareness, and targeted training initiatives within the realm of data protection for staff involved in processing operations. It is imperative to note that this data protection guideline shall undergo periodic reviews to accommodate emerging obligations. The retention of personal data is subject to governance by our most recent retention policy.

This data protection guideline, in conjunction with protocols governing the processing of personal data, establishes the overarching framework for personal data processing within the ambit of Kroxio.

 

1.2 "Personal data" refers to any information related to an identified or identifiable natural person ("data subject"). An identifiable natural person is someone who can be directly or indirectly identified, typically by reference to an identifier such as a name, location data, phone number, age, gender, etc. Such personal data may pertain to various individuals, including but not limited to employees, job applicants, clients/potential clients, suppliers, and other business partners.

 

1.3 Personal data is categorised into ordinary non-sensitive personal data or special categories of personal data (sensitive personal data). Special categories, exhaustively outlined in the GDPR, encompass information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation. Ordinary non-sensitive personal data comprises all information not falling within these special categories, such as names, addresses, telephone numbers, employee IDs, and educational information. Some ordinary non-sensitive personal data, particularly those related to income, wealth, and internal family matters, may be deemed confidential and subject to additional security measures.

The categorisation of personal data influences the legal basis for its processing. Specific rules govern the processing of data related to criminal offences and CPR numbers, with detailed legal bases outlined in clause 2.

 

1.4 While information regarding companies/businesses may not inherently qualify as personal data, it is crucial to note that details concerning contact persons within such entities, including names, titles, work email, work phone numbers, etc., are considered personal data. Personal data pertaining to a personally owned and operated business are also regarded as personal data, even if the information concerns the business itself, as it relates to an identified or identifiable natural person.

 

1.5 Kroxio collects and utilises personal data for various legitimate business purposes, including the establishment and management of Client and supplier relationships, completion of sales agreements, recruitment, employment terms, communication, fulfilment of legal obligations, contract performance, and client service provision. In all such processing activities, adherence to the general principles governing personal data processing is paramount.

 

1.6 In accordance with the general principles, personal data shall always be:

• Processed lawfully, fairly, and transparently in relation to the data subject (the principle of lawfulness, fairness, and transparency).
• Collected for specified, explicit, and legitimate purposes, not further processed in a manner incompatible with those purposes (the principle of purpose limitation).
• Adequate, relevant, and limited to what is necessary for the intended purposes (the principle of data minimisation).
• Accurate and, where necessary, kept up to date; any inaccuracies must be promptly rectified (the principle of accuracy).
• Retained only for as long as necessary for the processing purposes (the principle of storage limitation).
• Processed with appropriate security measures to ensure integrity and confidentiality, guarding against unauthorised or unlawful processing, accidental loss, destruction, or damage (the principle of integrity and confidentiality).

 

1.7 Kroxio assumes responsibility for and must demonstrate compliance with the aforementioned principles (the principle of accountability). This principle underscores the necessity of this data protection guideline and emphasises the importance of thorough comprehension by all concerned parties.

2. Legal Basis for the Processing of Personal Data

2.1 In addition to adhering to the general principles governing the processing of personal data, it is imperative that the processing of such data is grounded in a legal basis, contingent upon the category of personal data being processed.

For ordinary non-sensitive personal data within Kroxio, encompassing information such as names, addresses, email addresses, telephone numbers, credit card information, etc., the primary legal bases include:

• The performance of a contract to which the data subject is a party.
• A legal obligation or requirement to which Kroxio is obligated.
• Legitimate interests pursued by Kroxio or a third party.

In instances where none of the legal bases above are applicable, Kroxio shall seek the consent of the data subjects for the processing.

For processing special categories of personal data within Kroxio, the predominant legal bases include:

• Explicit consent from the data subject(s) for one or more specific purpose(s).
• Compliance with obligations and the exercising of specific rights of Kroxio or the data subject in the realm of employment, social security, and social protection law.
• Processing necessary data for the establishment, exercise, or defence of legal claims.

2.2 Performance of a Contract

2.2.1 It is considered legitimate to collect and process personal data relevant to the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to executing a contract. This applies to all contractual obligations and agreements signed with Kroxio, including the pre-contractual phase, irrespective of the success of the contract negotiation.

2.3 Compliance with a Legal Obligation

2.3.1 Kroxio must adhere to various legal obligations and requirements based on Union or Member State Law. Such legal obligations, to which Kroxio is subject, may serve as a legitimate basis for the processing of personal data.

2.3.2 These legal obligations include the necessity to collect, register, and/or make available certain types of information relating to employees, clients, etc. The legal requirements shall, in turn, form the basis for processing personal data. It is crucial to note whether the provisions allowing or requiring Kroxio to process certain personal data also outline requirements regarding storage, disclosure, and deletion.

2.4 Legitimate Interests

2.4.1 Personal data shall only be processed if necessary for the legitimate interests pursued by Kroxio, provided these interests or fundamental rights are not overridden by the interests of the data subject. Kroxio, in deciding to process personal data, ensures that legitimate interests do not compromise the rights and freedoms of the individual, and the processing does not cause unwarranted harm. An example of a legitimate interest of Kroxio is processing personal data on potential clients to expand the business and develop new business relations. Data subjects are provided information on specific legitimate interests pursued by Kroxio when processing is based on this legal basis.

2.5 Consent

2.5.1 If the collection, registration, and further processing of personal data on clients, suppliers, other business relations, and employees are based on a person’s consent, Kroxio must demonstrate that the data subject has consented to the processing of their personal data.

2.5.2 Consent must be freely given, specific, informed, and an unambiguous indication of the data subject's wishes. The data subject must actively consent to the processing of personal data through a statement or clear affirmative action.

2.5.3 A request for consent must be presented in a manner that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.

2.5.4 To process special categories of personal data (sensitive personal data), the consent must also be explicit.

2.5.5 The data subject is entitled to withdraw consent at any time, and upon such withdrawal, Kroxio shall cease collecting and/or processing personal data about that person unless obligated or entitled to do so based on another legal basis.

2.6 Obligations and Exercising Specific Rights of Kroxio or the Data Subject

2.6.1 This legal basis is relevant when Kroxio processes health data about employees to comply with the rules pursuant to employment law or collective agreements, e.g., reimbursement of sickness benefits, etc.

2.7 Legal Claims

2.7.1 This legal basis becomes relevant when it is imperative for Kroxio to process personal data in order to establish, exercise, or defend a legal claim against a third party, such as a client or an employee. In these circumstances, the processing of personal data is paramount for legal proceedings, ensuring the protection of Kroxio's rights and interests in legal matters. This may encompass situations where legal action is necessary for contractual disputes, employee-related issues, or other legal challenges that require the use of personal data for evidentiary or defence purposes. The processing under this legal basis is executed with the utmost consideration for applicable data protection laws and ethical standards, solely serving the purpose of safeguarding Kroxio's legal rights and ensuring fair and just legal proceedings.

3. Processing and Transfer of Personal Data

3.1 Kroxio as Data Controller

3.1.1 In the majority of cases, Kroxio functions as the data controller when processing personal data. As the data controller, Kroxio determines the purposes and methods of processing personal data, particularly in situations involving Kroxio's clients, other business partners, and employees.

3.2 Use of Data Processors

3.2.1 An external data processor refers to a company that processes personal data on behalf of Kroxio, strictly adhering to Kroxio’s documented instructions and purposes, such as providers of HR systems and third-party IT providers. When outsourcing the processing of personal data to data processors, Kroxio ensures that these entities implement a minimum level of security measures equivalent to those enforced by Kroxio. If such assurances cannot be guaranteed, Kroxio shall select an alternative data processor. The processing by a data processor is formalised through a comprehensive data processing agreement.

3.3 Data Processing Agreements

3.3.1 Prior to the transfer of personal data to a data processor, Kroxio evaluates whether the processor offers sufficient guarantees to implement appropriate technical and organisational measures in compliance with GDPR requirements, ensuring the protection of the rights of data subjects. Upon confirming that the data processor meets these criteria, Kroxio establishes a written data processing agreement with the processor. This agreement ensures that Kroxio maintains control over the processing of personal data, despite occurring beyond the immediate purview of Kroxio's jurisdictional authority where Kroxio holds the position of data controller and is thereby responsible.

3.3.2 If the data processor or sub-data processor is situated outside the European Union (EU) or the European Economic Area (EEA), the conditions outlined in clause 3.4.2 below shall be applicable.

3.4 Disclosure of Personal Data to Other Independent Data Controllers

3.4.1 Prior to disclosing personal data to other independent data controllers, Kroxio assumes the responsibility to ensure compliance with the general principles governing the processing of personal data. Additionally, Kroxio is accountable for ensuring that the disclosure of personal data is founded on a legal basis.

3.4.2 If the third-party recipient is located outside the European Union (EU) or the European Economic Area (EEA), in a third country lacking adequate personal data protection, the transfer may only proceed if Kroxio establishes appropriate safeguards. This is achieved through the execution of a transfer agreement between Kroxio and the third party, based on the EU Standard Contractual Clauses.

4. Rights of the Data Subjects

Subject to various terms, conditions, and exceptions, data subjects are endowed with the following rights:

4.1 Duty of Information When Personal Data are Obtained from the Data Subject

4.1.1 When Kroxio processes data, including the collection and registration of personal data about data subjects, Kroxio is obligated to inform individuals about the following:

• The intended purposes of the personal data processing, as well as the legal basis for the processing.
• The categories of personal data concerned.
• The legitimate interests pursued by Kroxio, if the processing is based on a balancing of interests.
• The recipients or categories of the personal data’s recipient, if any.
• Where applicable, information on Kroxio's intention to transfer personal data to a third country and the legal basis for such transfer.
• The period for which the personal data shall be stored, or if that is not possible, the criteria used to determine that period.
• The existence of the right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability. 
• Where the processing is contingent upon the data subject’s consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• The right to lodge a complaint with Kroxio via the correct procedure or with a supervisory authority.
• Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to execute a contract, and whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data.
• The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

4.1.2 Kroxio has crafted a privacy notice containing a more detailed description of the aforementioned information obligation.

4.1.3 If the personal data are not obtained from the data subject, he/she must also be informed about the source from which the personal data originate, and if applicable, whether it comes from publicly accessible sources.

4.2 Right to Access

4.2.1 Any individual whose personal data Kroxio is processing, including but not limited to Kroxio employees, job applicants, external suppliers, clients, potential clients, and contact persons employed at business partners, has the right to obtain confirmation from Kroxio as to whether or not personal data concerning them are being processed. If such processing is confirmed, the individual has the right to request access to the personal data that Kroxio processes about them, along with the information outlined in clause 4.1.1 above.

4.3 Right to Rectification

4.3.1 The data subject has the right to request from Kroxio, without undue delay, the rectification of inaccurate personal data concerning them.

4.4 Right to Erasure (Right to Be Forgotten)

4.4.1 The data subject has the right to request from Kroxio the erasure of personal data concerning them, and Kroxio has the obligation to erase personal data without undue delay. However, this obligation may be overridden if required by law to retain certain information for a prescribed period, as mandated by financial regulators or tax authorities.

4.5 Right to Restriction of Processing

4.5.1 The data subject has the right to obtain from Kroxio a restriction of processing, if applicable.

4.6 Right to Data Portability

4.6.1 The data subject has the right to receive the personal data registered in a structured, commonly used, and machine-readable format. This right empowers individuals to securely and easily transfer their personal data between different service providers or organisations.

4.7 Right to Objection

4.7.1 The data subject holds the right to object, at any time and on grounds relating to their particular situation, to the processing of personal data concerning them. This objection applies specifically to processing based on a balancing of interests, including profiling.

4.8 Any requests received from a data subject to exercise the rights outlined in this clause shall be addressed as promptly and as reasonably as possible, and in no case later than 30 days from receipt. Requests shall be promptly forwarded to Kroxio’s Service Center, where the Data Protection Officer of Kroxio shall assist in processing the request, ensuring compliance with the response deadline. 

5. Data Protection by Design and Data Protection by Default

5.1 New products, services, technical solutions, etc., must be designed to adhere to the principles of data protection by design and default settings. Kroxio has implemented the following guiding principles within its organisation:

1. Privacy as the Default Setting: Ensure that personal data is automatically protected in any IT system or business practice, making privacy the default setting.
2. Privacy Embedded into Design: Integrate privacy into business processes, software design, and development. Privacy should be an integral part of the core functionality and services without compromising functionality.
3. End-to-End Security — Full Lifecycle Protection: Guarantee that personal data is automatically protected throughout any IT system or business practice, utilising appropriate encryption and authentication measures until the data is deleted.
4. Respect for Clients' Privacy — Keep it Client-Centric: Acknowledge that users own their data. Consumers have the right to make corrections, including the right to be forgotten. This client-centric approach is fundamental to how Kroxio fulfils its responsibility to ensure clients' privacy rights.

These guiding principles inform and support Kroxio in upholding its commitment to safeguarding clients' privacy rights throughout the development and implementation of new products, services, and technical solutions.

5.1.1 Data Protection by Design

Data protection by design entails that, in the creation of new products or services, key considerations for data protection must be evident. Kroxio shall incorporate the following factors when acquiring or developing new products, services, technical solutions, etc.:

• State of the Art: Consideration of the latest technological advancements.
• Cost of Implementation: Evaluation of the financial implications.
• Nature, Scope, Context, and Purposes of Processing: Understanding the specifics of the processing involved.
• Risks to Rights and Freedoms: Assessment of potential risks to individuals' rights and freedoms resulting from the processing of personal data.

Kroxio shall, during the determination of the means for processing and the processing itself, implement appropriate technical and organisational measures. These measures, including pseudonymisation where appropriate, are designed to effectively implement data protection principles such as data minimisation. They aim to integrate necessary safeguards into the processing to meet data protection requirements and protect the rights and freedoms of data subjects, as further detailed in clause 8 below.

5.1.2 Data Protection by Default

Data protection by default necessitates the implementation of relevant data minimisation techniques. Kroxio shall:

• Implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose of processing is processed.
• Apply this minimisation requirement to the amount of personal data collected, the extent of their processing, the duration of their storage, and their accessibility.
• Ensure that, by default, personal data are not made accessible without careful consideration.

These measures are instituted to embed data protection principles seamlessly into the design and default settings of systems, promoting privacy and compliance with data protection requirements.

6. Records of Processing Activities

6.1 As a data controller, Kroxio is obligated to maintain records of processing activities within its purview. These records should include the following information:

• Name and Contact Details: Identification of the entity responsible for processing and relevant contact information.
• Purposes of the Processing: Clear articulation of the intended goals of the data processing activities.
• Description of Categories: Specification of the categories of data subjects and personal data involved.
• Recipients of Personal Data: Documentation of individuals or entities to whom the personal data have been or shall be disclosed, including those in third countries or international organisations.
• Transfers to Third Countries: If applicable, details of personal data transfers to a third country, including identification of the third country and, if relevant, documentation of suitable safeguards.
• Envisaged Time Limits for Erasure: Where possible, indication of the anticipated timeframes for the deletion of different categories of data.
• Technical and Organisational Security Measures: Where feasible, a general description of the applied technical and organisational security measures.

6.1.1 Kroxio is committed to making the records of processing activities available to relevant data protection authorities upon request. Several of these records have already been prepared by Kroxio to ensure transparency and compliance with regulatory requirements.

7. Deletion of Personal Data

7.1 Personal data shall be deleted by Kroxio when there is no longer a legitimate purpose for its continuous storage or other processing, or when it is no longer necessary to retain the personal data in compliance with applicable legal requirements.

7.2 Specific retention periods for various categories of personal data are outlined in Kroxio’s Data Retention and Information Sharing Policy. This policy provides detailed guidance on the duration for which different types of personal data shall be retained, ensuring adherence to legal requirements and data protection principles.

8. Security of Processing (Risk Assessments)

8.1 Kroxio is committed to implementing suitable technical and organisational measures to ensure a level of security appropriate to the risks involved. These measures include, but are not limited to: 

• Pseudonymisation and Encryption: Applying techniques such as pseudonymisation and encryption to enhance the protection of personal data.
• Confidentiality, Integrity, Availability, and Resilience: Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
• Data Restoration Capability: Establishing the ability to restore the availability and access to personal data promptly in the event of a physical or technical incident.
• Regular Testing and Evaluation: Conducting regular testing, assessment, and evaluation of the effectiveness of technical and organisational measures to ensure the security of the processing.

8.2 In assessing the appropriate level of security, Kroxio takes into account the risks associated with processing. This includes potential risks arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data transmitted, stored, or otherwise processed. Kroxio has prepared written risk assessments pertaining to its processing activities, demonstrating a proactive approach to identifying and mitigating potential security risks.

9. Data Protection Impact Assessment

9.1 If Kroxio engages in the processing of personal data that is likely to result in a high risk for the individuals whose personal data is being processed, a Data Protection Impact Assessment (“DPIA”) shall be conducted.

9.1.1 A DPIA entails that Kroxio, considering the nature, scope, context, and purposes of processing, along with the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organisational measures. These measures ensure and demonstrate that processing is carried out in accordance with data protection requirements.

9.2 The technical and organisational measures identified in the DPIA shall be subject to regular review and updates when necessary, with a minimum frequency of no later than every six months.

9.2.1 Adherence to approved codes of conduct or certified mechanisms may serve as elements to demonstrate compliance with the appropriate technical and organisational measures, as outlined in this clause. This approach ensures that Kroxio consistently assesses and adapts its measures to address potential risks and uphold data protection requirements.

10. Profiling

10.1 Pursuant to the GDPR, profiling is defined as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements."

10.2 In the context of this data protection guideline, "profiling" refers to the use of an automated process to analyse personal data for assessing or predicting aspects of a person’s behaviour. Kroxio may engage in profiling under the following circumstances:

• Identifying Financial Crime: Utilising profiling to identify potential cases of financial crime.
• Client and Leads Engagement: Using profiling to provide clients and leads with information on Kroxio products and services that are likely to be of interest to them.
• Creditworthiness Assessment: Employing profiling to assess the creditworthiness of individuals.

Kroxio ensures that any profiling activities are conducted in compliance with data protection regulations, taking into consideration the rights and freedoms of individuals and implementing appropriate safeguards to mitigate potential risks.

11. National Requirements

11.1 Kroxio is committed to complying with the General Data Protection Regulation (GDPR) in its internal processes and procedures.

12.2 In cases where national legislation demands a higher level of protection for personal data than stipulated by the GDPR, Kroxio is obligated to adhere to the more stringent requirements. If Kroxio’s policies or guidelines impose stricter standards than the local legislation, compliance with the company's policies and guidelines is mandatory, particularly when applicable to the services provided or the processing undertaken. This commitment ensures that Kroxio consistently upholds the highest standards of data protection, taking into account both international and national regulatory requirements.

12. Contact

12.1 For any inquiries concerning the content of this data protection guideline or if you wish to file a complaint regarding Kroxio's processing activities, please feel free to contact Kroxio at [email protected]. Your concerns shall be addressed promptly and professionally by our dedicated privacy team. We appreciate your commitment to data protection, and your feedback is valuable to ensuring the highest standards of compliance and accountability.