In order to process your application, we will process the information appearing from your application, your CV and any enclosed documents.

This typically includes the following information (the list is non-exhaustive): Name, address, date of birth, gender, phone number, email address, marital status, educational background, professional qualifications, career history, language qualifications and other relevant qualifications and written recommendations/references.

In general, we use Article 6(1)(b) and Article 6(1)(f) of the General Data Protection Regulation as the legal basis for processing, because we need to process this information in order to determine whether you are the right candidate for the position.

We specifically consider each applicant's qualifications in relation to the open position. This is done manually. Once we have read the applications, we will select candidates for job interviews. The candidates that are not selected for an interview will be notified.

If we agree on a job offer, we will register your name, address, date of birth, phone number, email address, national identification number, marital status, education(s), professional qualifications, career history, language qualifications and other relevant qualifications and if you have provided it, written recommendations/references.

In general, our legal basis for processing is Article 6(1)(b), 6(1)(c) and 6(1)(f) of the General Data Protection Regulation. We may also, depending on the circumstances, use Article 6(1)(a) or Article (9)(2)(a).

For the processing of information about your national identification number we use national regulation, cf. Article 87 of the General Data Protection Regulation as the legal basis for processing.

Diversity at the Company

We can also register information about your gender and nationality. It is optional, whether you want to provide that information. We process such information in order to comply with our diversity policy. Our legal basis for processing is our legitimate interests in complying with diversity requirements and preserving a culture of diversity, cf. Article 6 (1)(f).

During the recruitment process, we conduct job interviews focusing on both your professional and your personal qualifications, the job content and our business as a workplace. We will make a note of some of the information disclosed during the interview(s) for the purpose of the final evaluation of the applicants for the position. We will only use relevant information when determining whether to offer you a job.

In general, we use Article 6(1)(b) and Article 6(1)(f) of the General Data Processing Regulation as the legal basis for processing. It is necessary for us to process such information in order to determine whether you are the right candidate for the position.

When recruiting for positions with us, it may be relevant to obtain additional information from the Internet, including social media, e.g. LinkedIn, Facebook, Instagram, Twitter, etc. We do that in order to determine if your profile suits our business and the specific position.

We use Article 6(1)(f) or Article 9(2)(e) of the General Data Protection Regulation as the legal basis for processing when we obtain information about applicants from social media. It is necessary for us to process such information in order to determine whether you are the right candidate for the position.

When recruiting for certain positions, you may be invited to take a personality analysis and/or a logical test. We will always consider whether it is relevant that you take such test in relation to the relevant position. The purpose of the test is to evaluate your qualifications as a potential employee and to consider whether your profile suits our business and the specific position. The test will never stand alone but will be part of the general basis for selecting the right person for the position.

The legal basis for processing is our legitimate interests in assessing whether you are the right candidate for the position, cf. Article 6(1)(f) of the General Data Protection Regulation. We may also, depending on the circumstances, use your consent, cf. Article 6(1)(a) and Article (9)(2)(a) of the General Data Protection Regulation. If so, you will be asked to give your consent before such test is made.

For employees with another citizenship than the country you apply for a job in, it is a requirement for the employment that the Company have a valid work and residence permit. In order to ensure this, we may ask for a copy of your passport in connection with the employment.

If your citizenship requires you to have a valid work and residence permit, or other necessary documents which legalize your stay and work legally in Europe, in order to work legally in the country, we will also request a copy of your work and residence permit from you. We will obtain it both when you are employed and when it is to be extended.

Our processing of information in connection with our checking of your work and residence permit is based on Article 6(1)(c) of the General Data Protection Regulation, as we are obliged to ensure that you have a valid work and residence permit.

2.7            Credit information

To the extent where you are to undertake a position of trust, including if you are to undertake a position as a manager with financial responsibility or accounting and bookkeeping tasks, we may obtain information about your credit rating from a credit rating agency. If, during the recruitment process, information is obtained about your credit rating, we will notify you separately.

The legal basis for processing is our legitimate interests in determining whether you are the right candidate for the position, cf. Article 6(1)(f) of the General Data Protection Regulation.

2.8            References

For some positions, it is necessary to obtain references from former employers. We do that in order to check that the information you have provided to us during the employment process is correct and true. If we obtain references from one or several of your former employers, we might register that we have talked with a referee.

If we want to obtain information about you from your current or former employer, we will ask for your consent before obtaining such information. If you do not give your consent, we will not obtain such information.

The legal basis for processing is your consent, cf. Article 6(1)(a) or Article 9(2)(a) of the General Data Protection Regulation.

3                 Storage and erasure of information processed during the recruitment process

If you are not offered the position you applied for, we will delete any information registered about you within 6 months. The purpose of the storage is to document the recruitment process and the reason for not offering you the position.

If you are employed with us, we will retain the information from the recruitment process as part of your employee portfolio during your employment in order to document your employment history. You will receive separate information in this regard in connection with your employment with us.

4                 Storage for the purpose of recruitment at a later time (CV-database)

In certain situations, we would like to keep your application even though it has been turned down for the purpose of recruitment at a later time. If we want to keep your application, we will ask for your consent.

We will keep your application for 6 months for this purpose.

The legal basis for processing is your consent, cf. Article 6(1)(a) of the General Data Protection Regulation.

5                 Recipients of your personal data

Company can transfer your personal data to other suppliers and/or service providers in connection with the normal operation of our business as well as to our group companies.

Company can also transfer your personal information to a public authority in situations where we are specifically obliged to disclose your personal information pursuant to legislation and notification obligations to which we are subject.

In connection with your employment with us, other parties may process your personal data. It may for instance be necessary to disclose information about you to the following recipients i.e.:

• TalogyTech
• Gavdi

We will not disclose your personal data to other recipients unless required.

We try to limit the disclosure of personally identifiable information and thus the disclosure of information that can be attributed to you personally.

Company also discloses your personal data to data processors. Our data processors only process your personal data for our purposes and under our instructions.

6                 Transfer of personal data to countries outside the EU/EEA

In connection with our processing of your personal data we may transfer such information to countries outside the EU/EEA.

The data protection legislation in these countries may be less strict than the legislation applying in Denmark and other parts of the EU/EEA.

We only transfer personal data to third countries where the EU Commission has determined that the level of data protection is equivalent to the level of protection in the EU/EEA.

7                 Retention period, data integrity and security

Your personal data will not be kept longer than necessary to fulfil the purposes for which it was collected. When your personal data is no longer needed, we will ensure that it is deleted in a secure manner.

It is our policy to protect personal data by taking adequate technical and organisational security measures.

We have implemented security measures to ensure data protection for all personal data that we process. We conduct regular internal follow-ups on the adequacy of and compliance with policies and measures.

8                 Your Rights

As a data subject, you have certain rights under the General Data Protection Regulation. If you want to exercise your rights, please contact us.

You may – unconditionally and at any time – withdraw your consent. You can do so by sending us an email (see email above). Withdrawal of your consent will not have any negative impact. However, this may mean that we cannot meet specific requests from you in the future. Withdrawal of your consent will not affect the lawfulness of the processing based on consent before it is withdrawn. Furthermore, it will not affect any processing carried out on another lawful basis.

You can also – unconditionally and at any time – object to our processing when such processing is based on our legitimate interests.

Your rights also include the following:

• Right of access: You have a right to access the personal data we process about you.
• Right to rectification: You have the right to obtain rectification of any inaccurate and incomplete personal data about you.
• Right to erasure (right to be forgotten): In exceptional cases, you have the right to obtain erasure of information about you before the time when we would normally delete your personal data.
• Right to restriction of processing: In certain situations, you have the right to restrict the processing of your personal data. If you have the right to restrict the processing of your personal data, we may only process personal data in the future – apart from storage – with your consent, or for the establishment, exercise or defence of legal claims, or to protect an individual or important public interests.
• Right to object: In certain situations, you have the right to object to our processing of your personal data, and always if the processing is for direct marketing purposes.
• Right to data portability: In certain situations, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to have those personal data transferred from one data controller to another.
• Right to lodge a complaint: You can lodge a complaint at any time with the competent supervisory authority. For more information about the competent supervisory authority, see more at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

9                 Approval – amendments and exceptions

This Privacy Policy is approved by Group VP, HR.

Amendments and changes to this Privacy Policy are only to be carried out if approved by the SVP, CFO in collaboration with the Chief Executive Officer.