Zenegy Trust Center

Personal data policy for Zenegy’s payroll system

1. INTRODUCTION

 

The personal data policy describes how Zenegy Danmark ApS (“Zenegy”), to the extent that Zenegy is the data controller, processes your personal information obtained via the cloud-based software system called ZENEGY, which can be used for payroll administration, HR administration, financial administration, etc. (“the Application”), and which is available to users via Zenegy’s website and/or Zenegy’s apps, as well as any optional modules that may be made available to the user.

When Zenegy processes your personal information in connection with the Application, it generally does so as a data processor for the companies that have entered into a subscription agreement with Zenegy (the “Customers”), and only on the instructions of the data controller. For more information about the processing of personal data carried out on behalf of the Customers, please refer to the Customers’ privacy policies. The Customer will usually be your employer.

Zenegy is the data controller for the processing of personal data that takes place for Zenegy’s own purposes, including when Zenegy enters into special data storage agreements, see 2.4.

Zenegy has the following contact information:

Zenegy Danmark ApS
Slotsmarken 16
2970 Hørsholm
CVR no.: 38366041
Tel. 70 22 22 16
e-mail: info@Zenegy.com
Website: www.Zenegy.com

 

2. THE PROCESSING OF PERSONAL INFORMATION

 

2.1 Categories of personal information and where the information comes from

The personal data that is normally processed by Zenegy as a data controller is listed in the attached Appendix 1. This is general information such as name and address, CPR numbers and sensitive information about e.g. health and trade union affiliation.

The Application is a cloud-based subscription-based self-service solution, where customers and / or their employees essentially load the data that is necessary for use of the Application.

The Application may exchange information with, for example, social media such as Facebook, Instagram and LinkedIn, provided that users choose to use their profile on such media as identification when accessing the Application. In addition, users may choose to integrate data from third-party software systems with the Application.

2.2 The purpose and legal basis for the processing of personal data

Zenegy processes your personal information for the following purposes:

        • Contact with customers and invoicing
          Zenegy processes general information such as username, password, contact information and bank account of the Customers as well as contact persons at the Customers, as the processing is necessary for the fulfilment of a contract, in reference to Article 6 (1). 1, letter b in the GDPR, see § 6, para. 1 of the Data Protection Act, and since Zenegy has a legitimate interest in being able to get in touch with Customers and invoice, see Article 6, para. 1, letter f in the GDPR, see § 6, para. 1 of the Data Protection Act.
        • Fulfilment of an agreement with you after the end of the customer relationship or upon your resignation from the customer
          If the Customer you are associated with, e.g. your employer, terminates the subscription agreement with Zenegy or decides to delete your personal information in the Application, Zenegy will offer to continue storing your personal information in the Application and possibly to pass on the personal information to a new data controller appointed by you. Retention of your data requires that you enter into a Data Retention Agreement with Zenegy through your profile, and that you are 15 years of age or older.

          Our legal basis for carrying out this processing is Article 6 (1). 1, letter b in the Data Protection Regulation (“GDPR”), see section 6, subsection 1 of the Data Protection Act, regarding processing necessary for the fulfilment of a contract with you.

          If the processing includes sensitive information or your CPR number, we will obtain your consent in accordance with Article 9 (1). 1, letters a and 6, para. 1, letter a of the GDPR, see §§ 6, para. 1 and 7, para. 1 of the Data Protection Act, as well as section 11, subsection 2 of the Data Protection Act.

          You must be aware that withdrawal or failure to give consent to our processing of your personal data may affect or make impossible the use of the Application, as the processing of certain personal data is necessary for the use of the Application.

          If the data processing includes contact information on secondary persons, including spouses / registered partners or children, our legal basis is the balancing of interests rule in Article 6 (1). 1, letter f, see § 6, para. 1 of the Data Protection Act, as we have a legitimate interest in processing this information through your use of the Application.

          Personal information about children is only processed to the extent that the Customer or you have entered information about children in the Application.

        • Anonymising your personal information for statistical purposes.
          The anonymization of your personal data is based on Zenegy’s legitimate interest in using anonymised data for statistical purposes pursuant to Article 6 (1). 1, letter f in the GDPR, see § 6, para. 1 of the Data Protection Act.
        • Sending out newsletters and notification of new matters
          Zenegy processes your general personal information, see Appendix 1, if you have signed up for Zenegy’s newsletter and / or magazines or if you have requested information about, for example, new functionalities in applications, new partners with whom Zenegy has entered into a cooperation agreement or opening of new third party apps that can be integrated with the application.

          Zenegy obtains consent for this processing in accordance with Article 6 (2). 1, letter a of the GDPR, see § 6, para. 1 of the Data Protection Act.

        • Statistics, user experience and functionality
          Zenegy obtains IP addresses and other general information, see Appendix 1, via cookies for the purpose of compiling statistics on the use of Zenegy’s website and / or apps and for improving the user experience of the website or apps.

          Zenegy obtains consent before the information is obtained via cookies, see Article 6 (1). 1, letter a of the GDPR, see § 6, para. 1 of the Data Protection Act.

          Personal information obtained via necessary cookies to ensure functionality and settings when using the Application is obtained without consent in accordance with Article 6 (1). 1, letter b in the GDPR, see § 6, para. 1 of the Data Protection Act.

          For more information about Zenegy’s use of cookies, please refer to Zenegy’s Cookie policy.

Zenegy collects, processes and stores only personal data that is relevant, sufficient and necessary for the purposes described above or that is otherwise required by law under Article 6 (1). 1, letter c in the GDPR, see § 6, para. 1 of the Data Protection Act.

 

2.3 Recipients of personal information

In connection with your use of the Application, Zenegy passes on or hands over your personal information to the following recipients:

        • Authorities to which Zenegy is legally obliged to disclose personal data, e.g. as part of tax filing, or if Zenegy is required to disclose by a court decision;
        • Third-party apps and companies where you have specifically requested or given them access to your personal information stored in the Application, for example if you have installed an app that can communicate with the Application via an open API.
        • Zenegy’s data processors; and
        • If you have entered into a Data Retention Agreement with Zenegy, Zenegy will only perform the data processing agreed in the Data Retention Agreement, which will typically be solely the storage of your data, without disclosure or reporting thereof to authorities, except if Zenegy is required to disclose it by a legal decision, or if you yourself decide that data must be passed on to a third party.

 

2.4 Storage period

Zenegy only stores your personal information for as long as necessary to fulfil its purpose, unless otherwise required by law, including in particular the rules of the Accounting Act on the storage of accounting material for 5 years.

Upon termination of a Customer’s subscription with Zenegy or the Customer’s decision to delete your data in the Application, you will – if you are over 15 years old – be offered to continue to store your data with Zenegy, in exchange for entering into a separate “Data Retention Agreement”. The processing of personal data under a Data Retention Agreement continues until the agreement terminates.

 

2.5 Transfer to third countries

In certain situations related to the processing of personal data, Zenegy will transfer your personal data to recipients outside the EU and the EEA (“third countries”). This will typically be the case when we use a data processor in a third country.

We only transfer personal data to organisations in so-called unsafe third countries that have provided the necessary guarantees that the recipient’s level of personal data protection is in accordance with this privacy policy and applicable law.

The transfers therefore take place on one of the following transfer bases:

EU-U.S. Data Privacy Framework, or on the basis that we have entered into standard agreements on data protection with the recipient, which, according to the EU Commission’s assessment, offer sufficient guarantees for the protection of privacy, fundamental rights and freedoms, as well as for the exercise of the associated right

 

 

3. YOUR RIGHTS

According to the GDPR, you have a number of rights in relation to Zenegy’s processing of information about you. If you wish to make use of these rights, which are described in more detail below, you must contact us through the contact information listed at the top of the personal data policy.

Zenegy will process and respond to your inquiry as soon as possible and no later than one month after we receive your inquiry, unless the complexity and scope of the request means that we are unable to respond within one month. In that case, the deadline for reply may be up to 3 months in total, in accordance with Article 12 of the GDPR.

3.1 Right to insight

Upon request, you can gain insight into what personal data Zenegy processes about you and what processing takes place, in accordance with Article 15 of the GDPR.

This includes, among other things, how long Zenegy stores personal information, and who receives data about you to the extent that Zenegy discloses personal information, in accordance with 2.3 and 2.5.

However, your access to this information may be restricted for the sake of other people’s privacy, for the sake of trade secrets and for the sake of protecting intellectual property rights.

You can contact Zenegy or make use of this right by self-service in the Application, where you can use your personal login to extract an overview of what information Zenegy is in possession of in the Application.

You can also receive a digital copy of the personal information that is processed.

You have the option of downloading electronic copies and / or making physical transcripts of the documents generated via or stored in the Application, for example pay slips, employment contracts, etc. However, this access applies only in accordance with the requirements in part 2.4, unless you have agreed to a Data storage agreement with Zenegy.

 

3.2 Right to rectification

You have the right to have incorrect personal information about yourself corrected, in accordance with Article 16 of the GDPR.

You can contact Zenegy and state what the inaccuracies are and how they need to be corrected.

 

3.3 Right to remove data

You have the right to have personal information about yourself deleted in accordance with Article 17 of the GDPR, provided that:

  • The personal data is no longer necessary to fulfil the purposes for which they were collected or otherwise processed;
  • You have withdrawn your consent and there is no other legal basis for the processing;
  • You object to the processing and there are no legitimate reasons for the processing that take precedence over the objection;
  • The personal data has been processed illegally; or
  • The personal data must be deleted in order to comply with a legal obligation to which we are subject.

However, the removal may be limited in some cases. In particular, removal may not take place if Zenegy is legally obliged to retain all or part of the personal data or it is necessary to keep the personal data in order for a legal claim to be established, asserted or defended. In that case, we will only store the information to which we are legally obliged or entitled and will delete other personal information.

 

3.4 Right to revoke consent

To the extent that Zenegy’s processing of your personal data is based on a consent given by you, you have the right to withdraw your consent to Zenegy’s processing of all your personal data or in parts at any time, in accordance with Article 7 of the GDPR.

If you withdraw your consent, Zenegy will cease to process the personal data to which you have revoked your consent. In practice, this will result in all your information being deleted.

Your withdrawal of your consent does not affect the lawfulness of the processing that Zenegy has conducted until your withdrawal.

 

3.5 Right to object

You have the right at any time to object to Zenegy’s processing of your personal data for reasons relating to your particular situation, provided that the processing is based on Article 6 (1). 1, letter f on balancing of interests, in accordance with Article 21 of the GDPR.

In that case, we may no longer process the personal data unless we demonstrate compelling legitimate reasons for the processing that take precedence over your interests, rights and freedoms, or the processing is necessary for legal claims to be established, asserted or defended.

 

3.6 Right to limitation

You have the right to have Zenegy’s processing of your personal data restricted in the following cases, in accordance with Article 18 of the GDPR:

  • While Zenegy is processing an objection made against the accuracy of the personal data we process or against the legality of the processing. The limitation of the processing applies until we have finished processing the objection.
  • Zenegy’s processing is illegal, and you do not want the personal data deleted but only want the use of the personal data restricted.
  • Zenegy no longer needs the personal data for the processing, but it is necessary for a legal claim to be determined, asserted or defended.
  • You have objected to the processing pursuant to Article 21 (1). 1 of the GDPR. The restriction applies during the period in which it is checked whether Zenegy’s legitimate interests take precedence over your legitimate interests.

 

3.7 Right to data portability

When our processing of your personal data is based on consent or a contract, and our processing is carried out automatically, you have the right to data portability.

The right to data portability means that you have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format, which you have the right to transfer to another service provider, in accordance with Article 20 of the GDPR.

 

3.8 Complaint

If you wish to complain about the processing of your personal data, you have the right to submit a complaint to the Danish Data Protection Agency, which has the following contact information:

The Data Inspectorate
Address: Borgergade 28, 5, 1300 København K
E-mail: dt@datatilsynet.dk
Phone: 33193200
Website: www.datatilsynet.dk

 

ANNEX 1

OVERVIEW OF THE TYPICAL CATEGORIES OF PERSONAL INFORMATION COLLECTED AND PROCESSED USING THE APPLICATION

 

This overview contains the categories of information that will normally be transferred to and processed and stored by Zenegy as the data controller in the Application and by others’ visits to the website.

    • The customer:
      • Name
      • Address
      • CVR-number
      • Contact information
      • Contact persons at the Customer, including their contact information
      • Bank accounts for use in the Application
      • Bank accounts or credit cards for use in payments to the Zenegy Group
      • Member of employers’ association
      • Member of holiday schemes
    • Customer employees:
      • Name
      • Address
      • CPR-number
      • Contact information
      • Pay
      • Tax and tax deductions
      • Labor market contributions
      • ATP-contribution
      • Social contributions
      • Pension contributions
      • Absence (e.g. due to illness, maternity, military service, civil representative, periodic periods of employment, etc.)
      • Inventory of holidays
      • Supplements (e.g. employee’s travel expenses, travel allowance, etc.)
      • Deductions (including the Customer’s expenses, trade union dues, unemployment insurance contributions, early retirement contributions, etc.)
      • Name and contact information for employees’ relatives
      • Hours / hour registrations
      • Registration of items and accesses assigned to the employee
      • Overview of courses the employee has participated in
      • Bank accounts for use in payroll
      • Uploaded documents (e.g. employment contract, performance related interviews, criminal record, etc.)
    • Website visitors:
      • Which pages the visitor has looked at and when – the visitor’s “electronic footprint”
      • Which browser the visitor uses
      • What IP address the visitor has
    • Subscribed to Zenegy’s Newsletter and / or News Magazine:
      • Name
      • Address
      • Company
      • Contact information
      • Special areas of interest
    • Parties that have entered into a Data Retention Agreement:
      • Name
      • Address
      • CPR-number
      • Contact information, including phone, email, title, department, address
      • Name and contact information for employees’ relatives
      • Historical personal information that is loaded into or generated by the Application while the Application was used under the subscription agreement