Privacy Policy

Last updated: 2024-09-26
Version 2024:2


We know that you care about privacy, just like we do.

You have chosen us because we help you process personal data in a transparent and clear way.

In this policy, we explain:

  • Firstly, why we collect your personal data and how it is used,
  • Secondly, how you can exercise your control over the processing,
  • And finally, how we protect your data from unintended use.

Who we are

GDPR Hero AB (Registration number: 559088-5116)
Trollebergsvägen 5, 222 29 Lund, Sweden
Email: info@gdprhero.se
Phone: +46 (0)46-27 317 17

Scope of This Policy

This policy provides a selection of our data processing activities to avoid information fatigue and focus on the most relevant, common, and sometimes unexpected processing. Contact us for more detailed information.

Data controller and data processor

GDPR Hero decides ‘how and why’ your personal data may be used in the ways described in this policy (in GDPR-lingo, GDPR Hero is the data controller for these processings).

In some cases, GDPR Hero processes personal data at another organisation’s instruction – for example when you as a user of our cloud-based GDPR Hero Records tool enter personal data concerning your organisation or your customers. In these cases, we are a data processor, and follow the instructions we have received from that other organisation. You will not find any information regarding those processings here, as it is our clients that decide how the personal data is handled and provide information about this. But you can always contact us if you need help finding your way.

1 Potential future customer

We are here to talk when you are ready. We understand if you want to take it easy at first, so we have made it easy for you to explore our services without collecting more data than necessary. Whether it comes to newsletter subscriptions, scheduling meetings, e-mails or our webinar series, we always take care to respect your privacy. We occasionally send out ‘cold emails’ if we believe that our services could be useful to you, but it is always up to you to decide how and when we continue the conversation.

1.1 Newsletter subscription

What personal data and why? We send out newsletters with GDPR-related information and news to those who have subscribed to our newsletter service.

  • Email address: Used to send newsletters straight to you.

Legal basis and your rights: We process your personal data based on the consent you provide when you fill out the form to subscribe to our newsletter. You have the right to withdraw your consent at any time, in which case we will stop sending you newsletters and no longer process your data for this purpose. Read more about consent as a legal basis here.

Retention period: We retain your email address for as long as you are subscribed to our newsletter. You can unsubscribe at any time by clicking the link at the end of each newsletter. We will then delete your information from our newsletter subscriber list.

Recipients: Your email address is shared with our email provider, who acts as a data processor and helps us distribute the newsletters.

1.2 Book a meeting

What personal data and why? You can always book a meeting with us to discuss how we can help you with a GDPR-related question or larger project. We receive meeting requests, send booking confirmations and schedule demos, to showcase our GDPR Hero Records tool and provide information about our other services (such as legal advice, DPO services, courses, and other parts of our offering). We look forward to meeting you!

  • First name: Used to make the meeting more personal and create a better experience.
  • Email address: Used to communicate meeting suggestions and to send booking confirmations before a meeting or demo.
  • Business name: Helps us tailor the meeting to your organisation, for example by preparing material based on the type and size of organisation.
  • Availability: As a rule, we propose suitable meeting times, and you are welcome to suggest alternatives to fit everyone’s schedule.

Lawful basis and your rights: We process this data based on our legitimate interest in responding to the interest in our services you have demonstrated. You have the right to object to the processing at any time. We will then stop processing your data for this purpose. You can read more about your legal rights here.

Retention period: The personal data is deleted or anonymised one (1) year after the meeting or demo has taken place.

Recipients: The personal data is shared with our email system, video meeting platform and CRM-system, who each help us administer the meeting in their role as data processors.

1.3 Email from potential customers

What personal data and why? We are happy to answer your questions, and when it comes to larger inquiries (or when you specifically request it) we may send out price quotes to provide you, as the representative of a potential customer, with information about our services.

  • Name: To be able to address you personally in our communication.
  • Email address: To answer your questions, and to send you price quotes and other information.
  • Phone number: Used if you have provided one, for further follow-ups or faster contact.
  • Business name and business address: This information is often apparent from your e-mail signature or e-mail domain, and is used to provide relevant information and tailor price quotes to your organisation. If you do not actively provide this information, we will not seek it out ourselves, unless our contact progresses to an engagement.

Lawful basis and your rights: We process this data to be able to respond to your requests, which we consider to be in both your interest and ours. This is known as a legitimate interest under the GDPR. If you wish to object to this processing, you have the right to do so, and we will stop processing your data unless we have strong reasons to continue – in which case we will also explain why. You can read more about your legal rights here.

Retention period: The personal data is retained for up to one (1) year after communication has ended. If your inquiry leads to a price quotation or further dialogue, the data may be transferred to a new processing activity in accordance with that purpose.

Recipients: Your data may be shared with technical service providers (data processors) who help us manage email communication. If we have to share your information with other external parties, who act as data controllers, we will inform you of this in advance. Read more about this in our section on recipients.

1.4 Chat with website visitors

What personal data and why? Our chat is open to anyone who wants to know more about how we work and our services (a lot of content is available for free on our website, but we also provide legal advice, offer a digital platform for all your GDPR-related needs, run specialised courses, and take on projects or roles as Data Protection Officers). There is a lot to cover, and our goal is to ensure that the information provided is helpful to you specifically and can be revisited if you have follow-up questions or issues that are not resolved immediately.

  • Location information: Determines the language we use and who within our team responds to the inquiry.
  • Browser version and operating system version: Needed for the chat to be displayed correctly and function smoothly.
  • Name: Voluntary to provide, used to create a personal connection.
  • Email address: Voluntary to provide, used if the chat is interrupted or transitions to a more extensive inquiry via e-mail.
  • Potential data within your message: Voluntary to provide, is used within the processing that becomes relevant. Deleted if no purpose can be identified.
  • Business name: Visible if you are currently signed into our GDPR Hero Records-tool and, if not, often apparent from your inquiry and/or email address. This information is used, when relevant, to help us determine if you are a current customer (who may have an add-on service agreement) or potential customer, and to ensure that the inquiry has been sent by an organisation and not a private individual (which affects how we can respond, in relation to potential conflicts of interest and liability insurance).

Lawful basis and your rights: We process this data to provide quick and effective service, which we consider to be both in your interest and ours. This is known as a legitimate interest under the GDPR. If you wish to object to this processing, you have the right to do so, and we will stop processing your data unless we have strong reasons to continue – in which case we will also explain why. You can read more about your legal rights here.

The chat feature is voluntary to use, and you can use it anonymously, but it may be easier to respond to your inquiry if you choose to identify yourself.

Retention period: The personal data is retained for one (1) year after the communication has concluded. If your inquiry leads to a continued dialogue, such as a price quote request, the data may be transferred to a new processing in accordance with that purpose.

Recipients: We share your data with Zendesk, our technical service provider (data processor) for the chat. In some cases, we may share your data with other technical service providers (data processors) that support the operation of our services. If we need to share your data with an external party that independently determines how they process the data, they will be acting as data controllers, and we will inform you of this in advance. Read more about this in our section on recipients.

1.5 Webinar participants

You are a webinar participant if you have registered for our webinar series.

What personal data and why? We need certain information to invite you to our webinars, send reminders and join links, stream the webinar to your device, and inform you of upcoming webinars. You can participate anonymously with respect to other participants by using an alias when joining (more information is available through the join link). However, we do require your company name upon registration to tailor the content to your organisation (we are also happy to receive suggestions on what you would like to see in upcoming webinars in the series).

  • Email address: To send invitations, reminders, the join link and any updates on changes to the webinar.
  • Business name: To tailor webinar content to participants’ needs and to identify the organisation you represent, which is often evident from your e-mail address.

Lawful basis and your rights: We process this data to provide you with relevant webinars, which we consider to be in the interest of you, your organisation, and us. This is known as a legitimate interest under the GDPR. If you object to this processing, you will be unsubscribed from upcoming webinars, and we will no longer process your personal data for this purpose. The simplest way to object is to click the link to unsubscribe, which is included in all emails concerning our webinars. You can read more about your rights here.

Retention period: We retain your personal data as long as you are subscribed to our webinar series. You can unsubscribe at any time by clicking the link at the bottom of each email invite, and we will remove your information from our subscriber list.

Recipients: Your personal data is shared with our technical service providers (data processors), who help manage the administration and operation of our webinars. If we need to share your data with other external parties, we will inform you of this in advance. For more information, please see our section on recipients.

1.6 Cold emails

Sending promotional emails without prior request, for marketing purposes.

What personal data and why? We may occasionally send emails to individuals who we believe could benefit from our GDPR-related services or products in their professional role and position, based on our assessment that these may add value and be of interest to the recipient.

  • Name: To address you personally and ensure relevance based on your position within your organisation.
  • Email address: To send information directly to you.
  • Title: To ensure that we provide the right information to the right person and avoid unnecessary contact.
  • Company name: To identify key players within relevant sectors.
  • Identified need: Typically not personal data, but may occasionally include it indirectly in cases of sole proprietorships.

Lawful basis and your rights: We process this data based on our legitimate interest in offering our services to individuals within companies that may benefit from them. You have the right to object to this processing at any time. If you object or no longer wish to receive emails from us, you can easily unsubscribe through the link at the bottom of each email. We will then stop processing your personal data for this specific purpose. You can read more about your rights here.

Retention period: We process your personal data for this purpose until you object or until we no longer consider this to be of interest to you, which in most cases occurs after three emails without a response.

How we collect your personal data and recipients of the data: We gather data from public sources, and emails are sent manually once one of our team members has identified a significant need within a particular sector, or even at the level of a particular company. We always explain in our email how we obtained your contact details. 

Your information is not shared with any external parties (data controllers), but we do use technical service providers (data processors) who manage email distribution according to our instructions. If we ever need to share your personal data with external parties, we will inform you of this in advance. Read more in our section on recipients.

2 Current customer

When we assist your organisation in meeting the GDPR’s requirements, you are our most important shared resource. We take great care to safeguard your privacy when undertaking necessary measures, such as ruling out conflicts of interest, and are transparent about how we process your information to fulfil our contractual obligations and maintain high standards of personalised service. At times, we need to retain certain personal data for an extended period, to demonstrate that we have carried out our work properly and delivered on our promises. Read more about how we process your personal data in specific situations below.

2.1 Assessment of potential conflict of interest

What personal data and why? We process your personal data to determine whether there is a potential conflict of interest between your engagement and our clients, including the prospective client you represent. The aim is to ensure that our work is not affected by other relationships or business interests that may compromise our objectivity or loyalty. This protects our clients from potential negative consequences.

  • Name: To identify and distinguish individuals in the context of our engagements.
  • Business name: To link the individual’s interests to the relevant organisation for evaluating potential conflicts of interest.
  • Business relationships: To identify possible overlaps or areas of interest that could lead to a conflict. The data is limited to information relevant for this assessment.
  • Role or tasks within the organisation: To understand the individual’s role and assess whether there is a risk of conflict within the organisation, for example, when a data protection officer and an advisor act in potentially conflicting interests.
  • Links to other businesses: To identify external relationships, such as ties to third parties, that may lead to conflicts of interest, particularly if the individual concerned acts on behalf of an external organisation that has an ongoing relationship with one of our clients.

Lawful basis and your rights: We process this data based on our legitimate interest in ensuring a sustainable and correct business relationship with loyalty to our clients. You have the right to access and object to the interest assessment on which our legitimate interest is based. You can read more about your rights here.

Retention period: Only the data deemed relevant to determine whether a conflict of interest may arise is retained. This information may be retained for up to ten (10) years, to respond to legitimate inquiries and defend ourselves in the event of a legal dispute. 

How we collect your data and recipients of the data: The data is collected from you, as well as from public and internal sources. Your contact information may be shared with current clients to identify potential conflicts of interest. Read more in our section on recipients.

2.2 Internal risk assessment (including financial risk)

What personal data and why? We perform an internal risk assessment before entering into a client contract to ensure that our collaboration is financially sustainable and that we can fulfil our commitments. This risk assessment includes an analysis of financial risk, payment capacity, and other relevant factors that may affect our relationship. This helps us minimise business risks and ensure a long-term, stable partnership.

  • For sole proprietorships, closely held companies or other organisational structures where the data is linked to you as an individual:
    • Organisation number: Used to identify the company and connect it to financial reports and history.
    • Financial information: Used to assess the company’s ability to pay and financial stability, such as creditworthiness, payment history, and financial reports.
  • For other types of companies:
    • We may request information that could constitute personal data, such as details about your level of access and position, to understand your role and authority within the organisation. This is always done openly and directly with you to ensure transparency and accuracy.

Lawful basis and your rights: We process this data based on our legitimate interest in assessing and managing risk. Financial information is processed strictly for this purpose and is deleted once a decision has been made. You have the right to access and object to the interest assessment upon which our legitimate interest is based. You can read more about your rights here.

Retention period: Financial data is deleted once a decision regarding the contract has been made, while other relevant information, such as discussion materials, may be retained for evidentiary purposes until final compensation has been settled.

How we collect your data and recipients of the data: The data is collected from you or from publicly available sources. Read more about this in our section on recipients.

2.3 Verification of authorisation to sign contracts

What personal data and why? We process your personal data to verify that you are authorised to sign contracts on behalf of your organisation. This verification is necessary to ensure that we enter into contracts with duly authorised representatives.

  • Name: Used to identify the individual acting on behalf of the organisation, so that we can ensure the correct person is managing the contract
  • Business name: Links the individual to the correct organisation to confirm that the assignment is carried out on behalf of the business.
  • Authority based on position or other explicit authorisation: Used to confirm that the individual is authorised to enter into contracts on behalf of the organisation and represent the organisation in contract matters.
  • Information regarding your role within the organisation: Used to confirm that the individual’s position aligns with the authority to enter into contracts on behalf of the business.

Lawful basis and your rights: We process this data based on our legitimate interest in ensuring that contracts are properly entered into by authorised individuals. Read more about your legal rights here.

Retention period: The data is retained during the verification process and may be kept for evidentiary purposes until final compensation has been received and the right to dispute the claim has expired.

How we collect your data and recipients of the data: The data is collected from you and from publicly available sources, such as business registers or the business’s website. Read more about this in our section on recipients.

2.4 Contracts

What personal data and why? We process your personal data to manage and administer the contract between your organisation and us. This includes the contract document itself, the signing process, information about who is authorised to sign for additional services, as well as communication regarding the contract, including incident reports if we are acting as data processor on your behalf.

  • Name: Used to identify individuals who act as contact persons or are involved in the contract process, such as those who sign the contract.
  • Business name: Linked to the individual to confirm that they represent a specific organisation and that the contract applies to that organisation.
  • Information about authorisations (for example, related to additional services): Used to ensure that the appropriate individual is authorised to enter into contracts or approve additional services on behalf of the organisation.
  • Email address: Used to communicate about the contract, such as sending signature requests, contract copies, incident alerts, and other relevant information. 
  • Role within the organisation: Used to verify that the individual’s role is consistent with entering into contracts or performing other tasks related to the contract.
  • Signature: Proof that the individual has formally approved the contract on behalf of the organisation and that this has been properly recorded.

Lawful basis and your rights: We process this data based on our legitimate interest in administering and fulfilling the contract. Read more about your rights here.

Retention period: The data is retained for the duration of the contract and up to ten (10) years after its termination to address any potential claims that may arise during this time. 

How we collect your data and recipients of the data: The data is collected when the contract is signed. Often, the contract is signed through our digital signature service, Qnova. The data is shared with technical service providers (data processors) who assist us in managing contract administration. Read more about this in our section on recipients.

2.5 Administration of the ordered product or service

What personal data and why? We process your personal data to manage the delivery of the service or product you have ordered. This includes handling delivery, follow-ups, and communication during the contract period to ensure that the services or products meet the customer’s expectations and contractual requirements.

  • Name: Used for delivery and contact.
  • Business name: Used for customer identification.
  • Email address: Used for communication and follow-ups.
  • Phone number: Used for contact in case of delivery issues.
  • Delivery information: Includes address and any special requests or requirements for delivery.

Lawful basis and your rights: We process this data based on our legitimate interest in delivering and managing orders. Read more about your rights here.

Retention period: The personal data is retained during the contract period, after which relevant data is transferred to our processing for Long-term Customer Care and Archiving of Delivery Records.

How we collect your data and recipients of the data: The data is collected when an order is placed and continuously during the delivery process. The data is shared with technical service providers (data processors) who assist us in delivering and administering services. For events and in other situations where we need to share data with other data controllers to fulfil our delivery (for example, food preferences for catering or co-organisers at business fairs), we inform you of this in advance. Read more about this in our section on recipients.

2.6 Handling of support requests

What personal data and why? We process your data to handle support requests and give you the assistance you need related to our services. This may include troubleshooting issues, answering questions, and providing guidance on the use of our products and services.

  • Name: Used to address you personally during our communication.
  • Email address: Used to follow up and reply to your request.
  • Business name: Used to identify your organisation and provide relevant assistance.
  • Content of the support request: Used to understand the issue and provide appropriate assistance.
  • Any technical data: For example, login details or error reports. Used to provide appropriate assistance.

Lawful basis and your rights: We process this data based on our legitimate interest in providing support and customer service. You have the right to object to this processing at any time. Any objection will be evaluated against our legitimate interest in resolving reported issues, our contractual obligations to the organisation you represent, and our responsibility to other customers in the event of a general issue. Read more about your rights here.

Retention period: The data is retained for as long as necessary to resolve the support request, and for up to one (1) year after the conclusion of the request. If the request results in an additional service or further investigation related to our contractual obligations, the data may be retained for a longer period and processed in accordance with this new purpose.

How we collect your data and recipients of the data: The data is collected from you when you contact us requesting support, and is shared with technical service providers who assist us in managing support requests. Read more in our section on recipients.

2.7 Newsletter subscription

What personal data and why? We process your personal data to send newsletters with GDPR-related information and the latest news about GDPR Hero that may be relevant to you as a current customer.

  • Email address: Used to send newsletters straight to you.
  • Business name: Used to verify that you represent a current customer.

Lawful basis and your rights: We process this data based on our legitimate interest in informing you of relevant news. You have the right to object to the processing or choose to unsubscribe at any time using the link provided in our newsletters. Read more about your rights here.

Retention period: We process your data for as long as you are subscribed to our newsletter. You can unsubscribe at any time, in which case we will delete your information from our subscriber list.

How we collect your data and recipients of the data: Users and contact persons are added to our newsletter subscriber list when they order our services. The data is shared with our email provider, who acts as a data processor and helps us distribute the newsletters. Read more in our section on recipients.

2.8 Billing

What personal data and why? We process your personal data to manage billing and payments for the products and services we provide. This includes issuing invoices, following up on payments, and handling outstanding customer invoices accurately and efficiently.

  • Name: Used to identify the individual registered as the customer’s contact person or invoice reference, so that we can ensure that invoices are delivered to the correct recipient.
  • Email address: Used to issue invoices, send payment reminders, and communicate about invoice-related matters.
  • Invoice information: Includes details such as billing address, organisation number and payment information, which is needed to issue and manage invoices correctly.
  • Business name: Linked to the individual to ensure that the invoice is for the correct organisation and matches the contract.
  • Role as invoice reference: Used to verify that the individual is responsible for, or authorised to manage, invoices and payment matters within the organisation, and to help both us and the customer quickly identify the correct contact person for any invoicing-related questions or clarifications. 

Lawful basis and your rights: We process this data based on our legitimate interest in fulfilling our contract with your organisation. You have the right to object to this processing. Read more about your rights here.

Retention period: The data is retained until payment has been received and any necessary follow-ups have been completed. Data required by the Swedish Accounting Act is retained for up to seven (7) years to fulfil our legal obligations, in accordance with the processing Bookkeeping and accounts.

How we collect your data and recipients of the data: The data is collected when an order is placed and shared with our payment service providers and technical service providers (data processors), who assist us with invoicing and payments. Read more in our section on recipients.

2.9 Bookkeeping and accounts

What personal data and why? We process your personal data to fulfil our legal obligations under the Swedish Accounting Act (1999:1078) and in accordance with proper accounting practices. This includes managing invoices, verifications, and other necessary accounting documents that are required to ensure accurate and legally compliant accounting.

  • Name: Used to identify the individual associated with a transaction, such as the recipient of an invoice or payment, to ensure that accurate personal data is captured in our accounting records. 
  • Invoice reference: Used to link invoices to the correct individual and transaction, which is necessary to ensure traceability and accurate accounting.
  • Business information: Includes details regarding the organisation involved in a transaction, to ensure that our accounting records are linked to the correct legal entity.
  • Invoice documentation: Includes information about the specific transaction, such as the invoice amount, date, and specifications, to document what was invoiced and when, in accordance with accounting requirements.  
  • Other accounting records: Includes, for example, receipts, payment verifications, and other supporting documents required under the Swedish Accounting Act (1999:1078) and proper accounting practices, depending on the nature of the transaction, to ensure that all financial activities are properly documented.

Lawful basis and your rights: We process this data based on our legal obligations under the Swedish Accounting Act (1999:1078), in particular chapter 5, sections 7 and 8, and chapter 7, section 2, which govern what information must be retained and for how long. This means that we are required to process this data, and you can read more about your rights here.

Retention period: The data is retained for seven (7) years after the end of the fiscal year, in accordance with Chapter 7, Section 2 of the Swedish Accounting Act and proper accounting practices.

How we collect your data and recipients of the data: The personal data is collected when the contract is entered into and is subsequently handled according to our accounting procedures. The data may be shared with our accounting partner and other external service providers (data processors) who assist us in fulfilling our legal obligations. Read more about this in our section on recipients.

2.10 Feedback

What personal data and why? We process your personal data to collect feedback following the performance of our services, ranging from courses to legal advice or software. This helps us improve our services. Feedback containing personal data is only used internally, but aggregated or anonymised results may be shared with potential future clients (for example: “78% of all demo participants felt they learned something new and important about the GDPR”).

  • Name (if you choose to provide it)
  • Feedback: Your opinion of us and our services.
  • Rating: The rating you give us in a given context. 

Legal basis and your rights: We process this data based on our legitimate interest in improving our services and your interest in participating. You have the right to object to the processing at any time. Read more about your rights here.

Retention period: The data is retained for as long as necessary to analyse feedback, and may be anonymised immediately after submission.

How we collect your data and recipients of the data: The data is collected when you fill out the feedback form, and is not shared with any third party.

2.11 References

What personal data and why? We process your personal data to collect references and testimonials following courses, legal consultations, or the use of our software. These testimonials and references may be used in our marketing, either anonymously or with your name. Please note that even if you wish to remain anonymous, your statement may still reveal your identity through its content.

  • Name: Used to identify you, unless you wish to remain anonymous within your testimonial or reference.
  • Title: Provides background on your role and expertise within your organisation, enhancing the credibility and relevance of your testimonial or reference.
  • Email address (used internally only): Used to contact you if your testimonial or reference requires clarification or updating.
  • Business name: Links your testimonial or reference to the organisation you represent, enhancing credibility.
  • Testimonial content: Your feedback or comments about our services, used in our marketing to showcase how we have assisted our clients.
  • Photograph (optional): Used to provide a visual representation of you as the person giving the testimonial or reference, which may be included in our marketing materials if you give your consent.

Please note: This data will be processed internally by us, even if you have chosen to remain anonymous externally, for quality control of our testimonials and references.

Legal basis and your rights: We process this data based on the consent you give when providing a testimonial or reference. You have the right to withdraw your consent at any time. Read more about your rights here.

Retention period: References and testimonials are retained until you request their removal.

How we collect your data and recipients of the data: The data is collected when you provide your reference or testimonial and may be shared in the intended manner with potential future customers, depending on the consent you have given. For example, through specific sales materials or more broadly through display on our website.

Courses

2.12 Courses and e-learning

What personal data and why? We process your personal data to manage participation in our courses, both in-person and digital. This includes registration, payment, administration, access to course materials, as well as follow-ups and course evaluation.

  • Name: To identify participants.
  • Email address: For course-related communication.
  • Business name: To link each participant to their organisation.
  • Invoice details: To manage payments.
  • Course participation: Which course you participate in and any results or evaluations.
  • Specific course-related requests: For example, food preferences during in-person courses.*

Legal basis and your rights: We process your personal data based on our legitimate interest in delivering the requested courses to you as a customer or an employee of a customer. You can read more about your rights here.
*We will request your consent before processing special categories of personal data (for example, dietary preferences due to allergies).

Retention period: Your personal data is retained for the duration of the course and for up to one (1) year after the course has ended, to manage follow-ups and any support requests. After this, certain information may be retained under the processing activities described below in 3.1 Long-term customer care, where we consider you a valued customer and send reminders about relevant updates and services, and in 3.2 Retention of delivery documentation.
*This does not include dietary preferences or other special categories of personal data, which are deleted immediately once their purpose has been fulfilled (for example, once your meal has been served).

How we collect your data and recipients of the data: The personal data is collected when you or someone within your organisation registers you for a course through our registration systems. The data is shared with our technical service providers (data processors), who assist us in course administration. Read more about this in our section on recipients.

Legal advisory services

2.13 Engagement description and management of participants

What personal data and why? We process your personal data to create and update the description of our engagement and to identify and manage the individuals from your organisation participating in the engagement.

  • Name: Used to identify and distinguish each participant involved in the engagement.
  • Title/role within the organisation: Provides context to your position and responsibilities within the organisation, which helps us understand your role within the engagement.
  • Email address: Used for communication regarding the engagement’s status, to book meetings, and for other important updates.
  • Business name: Used to link the participants to the correct organisation and engagement.
  • Participation in the project: Documents your specific role and involvement in the project, to ensure that the division of tasks and responsibilities is clearly defined and can be followed up on.

Lawful basis and your rights: We process this data based on our legitimate interest in administering and managing our engagements and fulfilling our commitments. Our assessment is that this interest outweighs any opposing interests or fundamental rights and freedoms, but you have the right to object to this assessment, in which case we will consider your specific circumstances. Read more about your rights here.

Retention period: The data is retained until the engagement project has been completed. At the end of the project, we decide which information to archive and which information to delete according to the criteria in our processing Archiving and monitoring of changes to the legal landscape.

How we collect your data and recipients of the data: The data is collected at the start of the engagement, from you or from one of your colleagues, and is updated continuously. It is shared only with technical service providers (data processors) who assist us in administration. Read more about this in our section on recipients.

2.14 Ongoing work

What personal data and why? We process your personal data to manage and fulfil the engagement. This includes tasks such as booking meetings, documenting discussions and activities, and managing communication and other tasks related to the engagement.

  • Name: Used to identify and document who is responsible for what within the engagement.
  • Title/role within the organisation: Provides information about your position and responsibilities within the project, helping us understand your role in the engagement.
  • Notes from meetings: Documents what has been discussed and decided on, as well as who participated, ensuring clarity and responsibility.
  • Communication related to the engagement: Includes email and other communication used to structure and follow up on the engagement.
  • Participation in meetings: Recorded to keep track of which individuals are involved in specific meetings, as well as their contributions, tasks and responsibilities.

Legal basis and your rights: We process this data based on our legitimate interest in documenting and following up on work performed within the project. Our assessment is that this interest outweighs any opposing interests or fundamental rights and freedoms. However, you have the right to object to this assessment, in which case we will consider your specific circumstances. Read more about your rights here.

Retention period: The data is retained until the project has been completed. At the end of the project, we decide which information to archive and which information to delete according to the criteria in our processing Archiving and monitoring of changes to the legal landscape.

How we collect your data and recipients of the data: The data is collected continuously throughout the project and is only shared with those of our technical service providers (data processors) responsible for managing the documentation. Read more in our section on recipients.

2.15 Delivery and quality

What personal data and why? We process your personal data to document and deliver what has been agreed upon in the engagement, and to ensure that the delivery meets your requirements and expectations.

  • Name: Used to identify the individual acting as contact person or who is responsible for receiving the delivery.
  • Email address: Used to communicate details regarding the delivery, provide updates, and follow up on any questions or comments.
  • Business name: Used to link the delivery to the correct organisation and ensure it is directed to the right customer.
  • Delivery details: Information about the agreed-upon delivery, including specific requirements or instructions to ensure that the delivery is correct and meets expectations.
  • Communication history: Documents previous exchanges to ensure that all customer details and requirements are fulfilled and that any questions are addressed in a professional and helpful way.

Legal basis and your rights: We process this data based on our legitimate interest in delivering agreed-upon services and documenting completed engagements. Our assessment is that this interest outweighs any opposing interests or fundamental rights and freedoms. However, you have the right to object to this assessment, in which case we will consider your specific circumstances. Read more about your rights here.

Retention period: The data is retained until the project has been completed. At the end of the project, we decide which information to archive and which information to delete according to the criteria in our processing Archiving and monitoring of changes to the legal landscape.

How we collect your data and recipients of the data: The data is collected continuously throughout the project, and is only shared with our technical service providers (data processors) who assist us with the delivery. Read more in our section on recipients.

Our GDPR-tool

2.17 User admin

What personal data and why? We process your personal data to administer user accounts in our GDPR-tool. This includes handling super-admins for each account, who are responsible for inviting other users from their organisation and assigning them different permissions. We also process personal data for technical administration, security, and to comply with our contract with your organisation.

  • Name: Used to identify and distinguish users, particularly super-admins, to ensure proper management of accounts and user permissions.
  • Email address: Used to send messages related to account management, security updates, and software access invitations.
  • Business name: Used to link users to the correct organisation and ensure that account administration aligns with the contractual terms agreed with the customer.
  • User activities: Logs information such as log-ins and changes to user permissions to ensure traceability and security.
  • Communication history: Stored to manage inquiries and follow up on technical issues or contract-related matters.

Legal basis and your rights: We process this data based on our legitimate interest in administering user accounts, and ensuring that they function correctly and comply with the user contract. You have the right to object to this processing. Read more about your legal rights here.

Retention period: GDPR Hero assists your organisation in fulfilling specific legal requirements, and our task includes providing evidence of fulfilled obligations. Therefore, we retain data while the account is active and up to ten (10) years after the contract ends.

How we collect your data and recipients of the data: Data is collected upon registration and use of the account, and is only shared with technical service providers who support the operation and administration of the platform.

3 Inactive customer

We want to remain a resource for you, even after our collaboration has ended. We understand that areas of focus can shift, and that work in progress may not always be completed when other priorities take over. Therefore, we retain certain information about you and your organisation in order to provide relevant updates and opportunities to resume our collaboration. It may feel surprising that we keep your data for an extended period, but it helps us build on the relationship we have had – and we hope that you will do the same regarding us.

3.1 Long-term customer care

What personal data and why? We process contact details and an overview of transaction history to stay in touch with long-term customers and provide them with updated information on our services and any changes to relevant law. We also send reminders when it may be time to update or renew training courses or legal advice.

  • Name: Used to personally address and establish direct contact with you as a representative of our customer.
  • Email address: To send updates and reminders about relevant services and changes.
  • Business name: Linked to customer history to tailor information and offers.
  • Previous purchase history: To identify services that may need to be updated or renewed, and to provide tailored recommendations based on past usage.
  • Areas of importance to the organisation: Noted so that we can tailor information and services; this information is not linked to a specific person.

Legal basis and your rights: We process this data based on our legitimate interest in maintaining and nurturing customer relationships with clients who have previously purchased our services. You can object to this processing or end this communication at any time. This is most easily done by contacting us directly or by replying to the email you have received. Read more about your legal rights here.

Retention period: Your data is retained for as long as we consider there to be a relevant customer relationship, up to a maximum of three (3) years after your last purchase or interaction with us, so that we can keep you informed about relevant developments, our services, and current offers.

How we collect your data and recipients of the data: Personal data is collected from your previous purchases or interactions with us. The data might be shared with our technical service providers (data processors) who support our administration of this long-term customer care. Read more about this in our section on recipients.

3.2 Retention of delivery documentation

What personal data and why? We retain engagement descriptions, working materials and delivery copies that may contain information about you, in order to establish, assert, and defend against legal claims. This may include documentation from legal advisory services, training courses, or project management.

  • Correspondence: To maintain documentation of our communication and commitments.
  • Payment information: To substantiate financial transactions and agreed-upon compensations.
  • Chronology of events: Descriptions of key events or interactions to provide context in the event of possible disputes.
  • Working materials and meeting notes: To substantiate how and why decisions were made during the engagement.
  • Delivery documentation: Copies of what has been delivered, to ensure that we have fulfilled our commitments.

Lawful basis and your rights: We process this data based on our legitimate interest in defending ourselves against legal claims and in fulfilling our contractual obligations. Our assessment is that this interest outweighs any opposing interests, but you have the right to object to this assessment. If you object, we will conduct a new assessment based on your specific circumstances. Read more about your legal rights here.

Retention period: The data is retained for ten (10) years from the day the engagement was completed, or longer if required by the nature of the client relationship or engagement.

How we collect your data and recipients of the data: Data is collected from you, other parties involved in the engagement, and from correspondence and documentation created during the course of the engagement. The data might be shared with our technical service providers (data processors) who support our operations. Read more about this in our section on recipients.

4 Reseller

4.1 Incoming inquiries through submitted reseller forms

What personal data and why? The purpose of this processing is to manage incoming inquiries about becoming a reseller, respond to questions, send proposals for collaboration agreements, and schedule meetings.

Categories of personal data: Name, job title, email address, phone number, and business name.

Lawful basis and your rights: We process this data based on our legitimate interest in responding to inquiries from potential resellers. Read more about your legal rights here.

Retention period: Personal data is collected when you email us or submit a form on our website and is deleted no later than one (1) year after our last communication, unless we enter into a collaboration. If a collaboration is established, the data is retained for longer; see the processing description below.

4.2 Our resellers' contact persons

What personal data and why? The purpose of this processing is to maintain a fixed point of contact with our customers, collaboration partners, and resellers, with whom we communicate important information regarding our services.

Categories of personal data: Name, job title/role, address, email address, phone number, and business details.

Lawful basis and your rights: We process this data based on the lawful basis of legitimate interest, namely our interest in maintaining a fixed point of contact with our resellers and partners. Read more about your legal rights here.

Retention period: Personal data is collected when the contact person first gets in touch with us and is retained for a maximum of ten (10) years after our relationship ends.

5 Job applicant or reference contact

5.1 Unsolicited job applications

What personal data and why? The purpose of this processing is to receive and communicate with individuals who wish to work at GDPR Hero.

Categories of personal data: Name, address, email address, phone number, date of birth, list of merits and qualifications, education, skills, previous employers, personal statement, and CV.

Lawful basis and your rights: This processing is based on the lawful basis of legitimate interest. GDPR Hero has a legitimate interest in processing your personal data for your unsolicited job application, to accommodate your wishes and keep the door open to potential future colleagues. Read more about your legal rights here.

Retention period: We always respond with information about our current recruitment needs and ask if you would like us to keep your application for up to two (2) years so that we can notify you about upcoming recruitment processes.

Further information: At this stage, GDPR Hero will not request further information. Therefore, please refrain from submitting your personal identification number and/or other sensitive information.

5.2 Application for an advertised position

What personal data and why? The purpose of this processing is to receive, respond to, and evaluate job applications for an advertised position.

Categories of personal data: Name, address, email address, phone number, date of birth, list of merits and qualifications, skills, education, previous employers, personal statement, and CV.

Lawful basis and your rights: We process this personal data based on our legitimate interest in collecting and evaluating information relevant to both the job tasks and alignment with our business culture, values, and goals. Read more about your legal rights here.

Retention period: Your application and the documentation of our decision-making process are retained for two (2) years after the position has been filled.

Further information: At this stage, GDPR Hero will not request further information. Therefore, please refrain from submitting your personal identification number and/or other sensitive information.

5.3 Obtain a reference from the job applicant's reference contact

You are a reference contact if a person who is applying for a position with us has listed you as a reference during the recruitment process. We collect your personal data from the candidate. 

What personal data and why? The purpose of this processing is to reach out to the listed reference contact, who has previously worked with the job applicant or can otherwise speak to their skills, personality, and work experience (obtain a reference).

  • Name
  • Contact details: to verify the reference by contacting you
  • Business/organisation
  • Title or role, current and at the time relevant to the reference
  • Reference for the person who has applied for a position with us

Lawful basis and your rights: The processing is necessary to fulfil our legitimate interest in contacting you to obtain or verify a reference for a candidate during a recruitment process. Read more about your legal rights here.

Retention period: The personal data will be processed during the relevant ongoing recruitment process and then retained for two (2) years.

5.4 Administration of the recruitment process

What personal data and why? We process your personal data to administer the recruitment process. We evaluate your experiences in relation to our business, culture and past success factors. Your CV and your list of merits are reviewed based on our current and future needs. We verify your academic results to ensure a high minimum level of formal qualifications, but our focus is on finding candidates with a genuine interest, an understanding of the legal process, and a problem-solving mindset. The broader, relevant knowledge is developed through comprehensive internal training.

  • Identifying information: Name, personal identity number (if applicable), and contact details (email address and phone number).
  • Professional information: CV, merits and qualifications, previous employment, references, and academic results.
  • Interview data: Notes from interviews, evaluations of skills, and test results.
  • Scheduling information: Bookings for interviews and meetings.
  • Information from tests and verifications: Recruitment tests and verification of merits and qualifications.

Lawful basis:

  • Legitimate interest: We process your personal data based on our legitimate interest in administering the recruitment process and ensuring that we find the right candidate. Our assessment is that this interest outweighs any opposing interests, but you have the right to object to this assessment, in which case we will consider your specific circumstances. Read more about your legal rights here.
  • Consent: When processing sensitive personal data (for example, health-related information or background checks), we obtain your consent as a candidate.

Retention period:

  • Data from the application and interviews: Are retained for up to two (2) years after the recruitment process is completed to address any potential questions or disputes.
  • Sensitive data: Is deleted immediately once the purpose of processing the data has been fulfilled.

How we collect your data and recipients of the data:

  • Internal recipients: The HR department and recruitment managers, who handle and evaluate applications.
  • Technical service providers (data processors): Systems and platforms that are used to manage the recruitment process, such as application systems, interview booking systems, and testing tools.
  • External parties: Reference contacts and companies that perform background checks, but only after obtaining the candidate’s consent.

6 Social media

6.1 Contact with GDPR Hero through social media

What personal data and why? Your personal data may be processed on the different kinds of social media that we use, if you choose to contact us through these channels. For example, we use Facebook, Instagram and LinkedIn. We process your data in order to receive and respond to communications from existing and potential customers, stakeholders, resellers, job applicants, and others interested in GDPR Hero through our social media channels.

  • Name
  • User name/profile information (depending on the platform)
  • Messages or questions you share with us
  • Email address (if you share it)

Lawful basis and your rights: We process this data based on our legitimate interest in communicating with customers and stakeholders. The platform we use may also have its own purposes for processing and legal bases, which we cannot control. We recommend that you review their terms of use for more information. Our assessment is that our interest outweighs any opposing interests, but you have the right to object to this assessment, in which case we will consider your specific circumstances. Read more about your legal rights here.

Retention period: Collected data is retained for as long as necessary to manage your inquiry or request. If the inquiry transitions to another processing activity (for example, recruitment), the specific retention period for that processing will apply. Please note that the platform we use may have its own retention periods and processing purposes according to its terms of use, which we do not control.

How we collect your data and recipients of the data: Data is collected when you contact us via one of our social media channels. We share this data only with the social media provider, and we may be joint data controllers. If you have concerns about the social media platform’s processing of your data, we recommend reviewing their terms of use or contacting us via email or chat.
7 Statistical surveys and tests conducted on our website

7.1 Participants in surveys and tests

What personal data and why? GDPR Hero strives to increase knowledge about the GDPR and to create technical solutions that simplify and streamline manual processes within the legal field to the greatest extent possible. Put simply, we aim to help as many organisations as possible benefit from new technology to address legal challenges. To ensure that we direct our efforts and resources toward the areas with the greatest perceived challenges, we occasionally send out surveys to data protection officers, data protection managers, or other key personnel (or, in fact, to any role where we suspect a common GDPR challenge exists). We process your personal data to send out inquiries and administer surveys or competitions to enhance our understanding of organisations’ current challenges with the GDPR. This helps us develop relevant solutions and technical tools that can facilitate legal work.

  • Name
  • Email address
  • Title and role within your organisation
  • Your responses to the questions posed within the survey or test.

Lawful basis and your rights: We process this data based on our legitimate interest in gaining insight and developing solutions to GDPR-related challenges. We hope that you share our view of this legitimate interest, but please do not hesitate to ask questions about the setup or contact us if you prefer not to participate. We will of course make sure not to involve you if you do not wish to participate. Read more about your legal rights here.

Retention period: Data is retained only as long as necessary to manage invites and any follow-up reminders. After that, the personal data is deleted, and the results of the survey or test are anonymised for statistical use.

How we collect your data and recipients of the data: We collect contact details through publicly available registers, by advertising the opportunity to participate on social media, or from information published on your organisation’s website. Our goal is to identify, to the greatest extent possible, those most interested in collaborating with us to find new solutions to these challenges. We do not share this data with any external parties.
8 Our suppliers’ contact persons

8.1 Managing supplier contacts

What personal data and why? We process personal data of our suppliers’ contact persons to manage and maintain business relationships, ensure smooth communication, and fulfil agreed services and deliveries. This includes providing information about delivery status, coordinating assignments and invoicing, and, when necessary, resolving any issues or questions related to the collaboration.

To achieve this, we may also process personal data to follow up on supplier agreements, handle quotation requests, or update our internal systems with relevant contact details. Our aim is to ensure that the collaboration with our suppliers runs efficiently and that we can provide the best possible service to our customers.

  • Name
  • Email address
  • Phone/mobile number
  • Job title and role within the company
  • Company name
  • Other relevant contact details provided by you or the supplier

Lawful basis and your rights: The processing of personal data is based on our legitimate interest in maintaining and administering supplier collaborations. This includes ensuring that deliveries and agreements are fulfilled and that business operations run efficiently. We believe that this legitimate interest balances the right to data protection; however, if you have any questions or objections, you are always welcome to contact us. Learn more about your rights.

Retention period: Personal data is stored as long as the business relationship is active. Once the collaboration has ended, the data will be deleted within two (2) years unless there are legal requirements (such as accounting regulations) that require longer retention.

How we collect your data and recipients of the data: We collect contact details directly from you, either through agreements, email correspondence, or other channels such as your organisation’s website. The data is recorded in our business system. Read more in our section on recipients.
Your rights

If you believe that we process data about you, or if you are unsure and would like to know, we are happy to help you check and confirm this, so that you can take control and gain insight into the data we have about you.

An important initial step will be to verify your identity, so that we can be sure to provide you (and no one else!) access to your data. We strive to make this as simple as possible and therefore adapt the verification process to your situation. For example, if you have only attended our webinars or signed up for our newsletter, it is sufficient to email us from the address you used to register.

This service is entirely free, and we are happy to help. The easiest and fastest way to reach us and get help is by emailing us at info@gdprhero.se. We will respond to your request as quickly as possible, and within one (1) month at the latest. You can find out more about your rights below.

General Information About Your Rights

The GDPR gives you significant control over the data we process about you. Here, you can learn more about your rights, but for a better understanding, we recommend also reading our section on lawful bases. Few rights are ‘absolute’, as there may be exceptions – for both your sake and that of others. For example, we cannot completely erase your data if we have a legal obligation to retain it. In such cases, we restrict the processing to fulfilling that obligation only.

Right of Access

You have the right to receive information about the personal data we process about you and to obtain a copy of this data. This includes a summary of:

  • The purpose of the processing
  • The source of the data
  • The lawful basis supporting the processing
  • Who may have accessed the data, such as partners or system providers
  • The period for which we plan to store the data

If we are unable to provide access to certain data, we will explain why. For example, we may need to restrict access if the data also concerns another individual and disclosing it would violate their rights or freedoms. Another example is if the data is subject to legal confidentiality or necessary to protect trade secrets. However, we always strive to provide as much information as possible without compromising these rights or confidentiality.

Right to Rectification

You have the right to request that we correct inaccurate or incomplete personal data about you. This means that if you notice any incorrect information in our records, you can contact us to have it updated or completed.

We will update your data as soon as possible after verifying that your request is valid. In some cases, we may need to ask for documentation or additional information to ensure the accuracy and relevance of the correction.

If, for any reason, we are unable to rectify the data (for example, if it would interfere with an ongoing investigation or legal process), we will inform you and explain why.

Right to Erasure

In certain circumstances, you have the right to request that we erase your personal data, which is sometimes referred to as “the right to be forgotten”. This may apply if:

  • The data is no longer necessary for the purposes for which it was collected.
  • You withdraw your consent, and we have no other lawful basis for continuing to process the data.
  • You object to the processing, and we have no overriding legitimate interest that outweighs your objection.
    • The processing is unlawful.
    • We are required to erase the data to comply with a legal obligation.

    It is important to know that the right to erasure does not always apply. We may be required to retain certain data if there is a legal obligation for us to do so, for example according to the Bookkeeping Act, or if we need the data to establish, assert or defend legal claims.

    Even if we are required in certain cases to retain data for a specific purpose (such as fulfilling a legal obligation), we will cease all other processing activities that no longer have a lawful basis. If we cannot fully erase your data, we will inform you thereof and explain why.

    Right to Restriction of Processing

    In certain situations, you have the right to request that we temporarily restrict the processing of your personal data. This restriction means that, for a certain period, we are only allowed to store the data and may not use it for any other purpose than what is necessary to manage the current situation.

    You can request that we restrict the processing of your personal data:

    i. If you believe that the data about you that we are processing is incorrect and have requested rectification. The processing may then be restricted while we investigate and verify the accuracy of the data.

    ii. If we process your personal data based on a legitimate interest, and you object to the processing. In such cases, the processing may be restricted while we examine whether our legitimate interest outweighs your fundamental rights and freedoms.

    iii. If you require us to retain the data to be able to establish, assert or defend legal claims, even if we would otherwise erase the data.

    iv. If the processing is unlawful, but you prefer us to restrict the use of your data rather than erase it.

    We will always inform you of the outcome of a request to restrict processing. If we cannot comply with your request, we will explain why.

    Right to Object to Processing

    You have the right to object at any time to processing of your personal data that is based on our legitimate interests or on a public interest, including profiling based on these lawful bases. We must stop processing your data if we cannot demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms.

    You always have the right to object to processing of your personal data for direct marketing purposes. If you do, we will immediately stop processing your data for that purpose.

    Objection to automated decision-making: If our processing involves automated decision-making, such as profiling, you also have the right to object to such decisions, especially if they produce legal effects for you or otherwise significantly affect you.

    Right to Data Portability

    You have the right to receive the personal data you have provided us with in a structured, commonly used and machine-readable format, and to transmit that data to another data controller. This right applies when our processing is based on your consent or a contract and the processing is carried out by automated means.

    Where technically feasible, you also have the right to request that we transmit the data directly from us to another data controller.

    It is important to note that the right to data portability does not automatically entitle you to have your data erased. Additionally, the right to data portability does not apply to processing activities with other lawful bases, such as legal obligations.

    How to exercise the right to data portability

    You can contact us at any time to exercise your right to data portability. We will provide the data in an appropriate format, or, if technically feasible, transmit it directly to another data controller.

    Understand How the Lawful Basis Impacts Your Rights

    A lawful basis is simply one of the six approved reasons under the GDPR that allow us to process your personal data. For example, “Consent” applies when you have given us explicit permission to process your data for a specific purpose, while “Legal Obligation” applies when another law requires us to handle your data.

    The rights you have under the GDPR may be affected by the lawful basis we rely on to process your personal data. Below, we explain the lawful bases relevant to our processing activities and how they impact your rights.

    Consent

    If we process your personal data based on your consent, you always have the right to withdraw that consent at any time. This means we will stop processing your data for the specific purpose for which you gave your consent. However, the withdrawal of consent does not affect the lawfulness of the processing that took place before the consent was withdrawn.

    Your Rights Related to Consent
    • Right of Access: You have the right to request information about the personal data we process based on your consent.
    • Right to Rectification: You can ask us to correct any inaccuracies in the personal data we have about you.
    • Right to Erasure: If you withdraw your consent, you can request that we delete your data, unless another lawful basis requires us to retain it.
    • Right to Data Portability: You have the right to receive the data you provided to us with your consent in a machine-readable format and transfer it to another party.

    Contract

    When we process your personal data to fulfil a contract you have entered into with us, the processing is necessary for us to deliver our services and products. If you request that we stop processing this data, we may need to terminate the contract.

    Your Rights in Relation to Contract
    • Right of Access: You can request a copy of the data we process to fulfil the contract.
    • Right to Rectification: If we process incorrect information about you in relation to a contract, you can request that we correct it.
    • Right to Erasure: Once the contract has ended, you can request the deletion of data that is no longer necessary for fulfilling the contract.
    • Right to Data Portability: You can obtain the data you have provided to us in connection with the contract and transfer it to another entity.

    Legal Obligation

    Some processing activities are necessary for us to comply with legal requirements, such as the obligation to retain certain data under accounting laws. In these cases, we may not always be able to delete or stop processing your data upon request, as doing so would mean violating the law.

    Your Rights in Relation to Legal Obligation
    • Right of Access: You can request to know what data we process due to legal requirements.
    • Limited Right to Erasure: If the processing is required by law, we may not always be able to delete the data.
    • Right to Rectification: If the data is incorrect, you have the right to have it rectified, even if we process it based on a legal obligation.

    Legitimate Interest

    We may sometimes process your personal data based on our legitimate interest, for example, to inform you about our services or provide support. When we do so, we assess that our interests outweigh your rights; however, you always have the right to object to this.

    Your Rights in Relation to Legitimate Interest
    • Right to Object: You can object to the processing at any time if you consider that your interests outweigh ours.
    • Right of Access: You can request a copy of the data we process based on our legitimate interest.
    • Right to Rectification: If we process incorrect information about you, you have the right to have it rectified.
    • Limited Right to Erasure: If we no longer have a legitimate interest, or if you object and we have no overriding legitimate grounds for the processing, you can request that we delete the data.

    Who We May Share Your Personal Data With

    As a rule, your personal data is processed solely by us at GDPR Hero. To deliver our services effectively and ensure that our tools and processes function correctly, we occasionally share your data with subcontractors. These recipients process your personal data exclusively in accordance with our instructions and in compliance with the requirements GDPR imposes on data processors. They are restricted to handling the data only to perform the services they provide to us and are not permitted to use the data for their own purposes.

    We share your personal data with providers of the following types of systems:

    • Email programs: To send emails and manage our communication with you.
    • File management systems: For the secure storage and handling of documents containing personal data.
    • Email automation tools: To manage and automate the distribution of newsletters, reminders, and other relevant information.
    • Accounting systems: To handle invoicing, payments, and bookkeeping in compliance with accounting regulations.
    • Video conferencing software: To enable digital meetings and webinars with you.

    In certain cases, we may also be obligated to share your data with authorities or other organisations if required by law.

    For example, this could involve the Tax Agency, which may occasionally request access to documentation. If any other authority requests access to personal data, we will, where legally permitted, inform you beforehand if you are affected. We will always be as transparent as possible within the limits of the law.

    Recipients Outside the EU/EEA

    In cases where GDPR Hero uses subcontractors or service providers based outside the EU/EEA, we are responsible for ensuring that these entities maintain a level of security equivalent to what we uphold within the EU.

    If we need to transfer personal data to countries outside the EU/EEA where the European Commission has not determined an adequate level of protection, we ensure that agreements with recipients are based on the EU Standard Contractual Clauses (such as those outlined in Commission Decision (EU) 2021/914). These Standard Contractual Clauses help safeguard your personal data to the same standard as within the EU.

    In cases where the recipient country cannot provide equivalent protection, we implement additional security measures, such as pseudonymisation, IP anonymisation, and encryption, to ensure your information is handled securely. You also have the right to request documentation detailing the specific measures we have taken to protect your personal data in such transfers to third countries. Do not hesitate to contact us if you have any questions or wish to learn more about these measures.

    Contact Information for the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY)

    We encourage you to contact us first if you have any questions or concerns about how we process your personal data. We take such matters very seriously and will do our best to resolve any misunderstandings or issues.

    If you still believe that we are not meeting our obligations under the GDPR, you have the right to file a complaint with the supervisory authority. In Sweden, the Swedish Authority for Privacy Protection (IMY) is responsible for overseeing the processing of personal data. You can reach them via their website.

    Changes to This Privacy Policy

    We may update our privacy policy as needed to ensure it accurately reflects how we process personal data. All updates will be published on our website. In the event of significant changes that affect how we handle your personal data, we will inform you via email well in advance of the changes taking effect. We also ensure that you always receive relevant information about how we process your personal data directly in the forms and channels where we collect it.

    Version History

    Ver. 2023:2 Clarification regarding data transfers to third countries.

    Ver. 2024:1 Administrative correction of processing activity 1.5 Administration of webinar participants, along with clarification of which parties may access and process your personal data according to our instructions.

    Ver. 2024:2 Updated processing descriptions for increased transparency.