Privacy Notice

 Version:                        1.0
Date: September 2023

PRIVACY POLICY FOR CONTURA INTERNATIONAL A/S

In this policy you can read how we process your personal data. Any kind of information that in some way is attributable to you is personal data. We process personal data that we have either received from you or others. We process personal data in relation to our job applicants and employees, suppliers, users of our products, social media, participants in our clinical trials, and website.

1. Data controller
Contura International A/S is responsible for the processing of the personal data collected about job applicants, employees, users of our products, business partners, participants in clinical trials, other parties, and visitors on our website. We ensure that the processing of personal data is in accordance with existing legislation.

Our contact information:

Contura International A/S
Company Registration No.: 27050832
Sydmarken 23
2860 Søborg
Telephone number: +45 81 100 901
[email protected]

In instances where Contura functions as a data processor, we will in addition to the legislation always be subject to a written data processing agreement that describes how we protect personal data.

2. The various types of processing
Our processing activities and the purposes of our processing activities are described below.

2.1. Job applicants and employees
If you apply for a job with us, we process ordinary personal data that we have either received from you or from others you have agreed we can contact. We do so to evaluate your job application and you. We store job applications for a period of up 6 months after the end of the recruitment process if we decide not to offer you a job.

We process your personal data based on article 6(1)(a) in the General Data Protection Regulation (“GDPR”) about consent and article 6(1)(f) in the GDPR about legitimate interest. Our legitimate interests are to read you application and assess whether you are the right candidate for the job position, to offer our job applicants other possible job positions within our company as well as to be able to refer to and document the hiring process.

When employed with us, we process ordinary personal data about you such as your contact details, salary information, bank account information and contact details of relatives. Furthermore, we process confidential personal data about you such as your civil registration number. Additionally, we process sensitive personal data about you such as data concerning health.

We process your ordinary personal data based on article 6(1)(b) in the GDPR as our processing is necessary to fulfill the employment contract with you as well as article 6(1)(f) in the GDPR about legitimate interest. Our legitimate interest is amongst other things to be able to contact you in order to communicate with you about work-related matters and to provide information.

We process your confidential personal data based on section 11(2)(1) in the Danish Data Protection Act as we are legally obligated to give the Danish Tax Authorities certain data about you, including your social security number.

We process your sensitive personal data based on article 9(2)(f) in the GDPR as our processing of your data concerning health is necessary to enforce or defend a legal claim related to for example a work-related injury or other work-related matters.

When you are no longer employed with us, we generally store your personal data for a period of 10 years after your resignation, although there can be special circumstance obligating us to store the personal data for a longer period.

We store your ordinary personal data based on article 6(1)(f) in the GDPR about legitimate interest. Our legitimate interest is to be able to refer to as well as document the history of the employment.

We store your sensitive personal data and confidential personal data based on article 9(2)(f) in the GDPR as well as section 7(1) and section 11(2)(4) in the Danish Data Protection Act. We store the data in order to ensure that possible legal claims arising from the employment can be established, exercised and defended.

2.2. Purchase of our products
When you are one of our customers, we process ordinary personal data about you or your employees in the form of name, address, email address, workplace, job title, telephone number and payment information. The purpose of our processing of the personal data is to handle and complete our contract concerning the purchase of goods and matters related to the purchase of goods such as exchanges, returns and claims.

If you are a direct customer, we process your personal data based on article 6(1)(b) in the GDPR on performance of a contract.

If you represent a company or organization that is our customer, we process your personal data based on article 6(1)(f) in the GDPR about legitimate interest. Our legitimate interest is to fulfill the contract that we have entered into with the company or organization that you represent.

We store your personal data as long as the customer relationship exists. We delete your personal data no later than 5 years after the end of the financial year where the customer relationship expires. Our storing of the data is based on article 6(1)(c) in the GDPR as we are legally obligated to store accounting material for 5 years in accordance with the Danish Bookkeeping Act. We also store the data based on article 6(1)(f) in the GDPR about legitimate interest. Our legitimate interests are to have an overview of and to be able to refer to as well as document your purchases.

2.3. Inquiries
If you contact us via an email address or a contact form on our website or in connection with other inquiries, we process ordinary personal data about you in the form of name, e-mail address and any other personal data provided by you in your inquiry.

We process and store your personal data based on article 6(1)(f) in the GDPR about legitimate interest. Our purposes with and legitimate interests in processing your personal data are to be able to receive, handle and answer your inquiry.

Generally, we store your inquiry for 6 months. However, there can be special circumstances that entitle or obligate us to store the inquiries for a longer period of time. In these instances, you can always read more in this policy about our processing of your personal data.

2.4. Posts on website and social media
We make posts on our website and social media such as LinkedIn with the purpose of informing about our company and our goods. In connection with this, we process ordinary personal data about participants in the posts in the form of pictures, audio, and video recordings as well as name.

We process and store the personal data based on article 6(1)(a) in the GDPR about consent or article 6(1)(b) in the GDPR as our processing of the personal data is necessary for the performance of the contract to which the participant is party.

If we process the personal data based on your consent, you can withdraw your consent at any time. Read more about this in section 7 of the policy.

We delete your personal data no later than 5 years after the publication of the post. However, there can be special circumstances that entitle or obligate us to store the data for a longer period of time. In these instances, you can always read more in this policy about our processing of your personal data.

2.5. Clinical Trials
When you participate in one of our clinical trials, we process ordinary personal data about you in the form of name, address and telephone number and sensitive personal data in the form of health information.

The purpose of our processing of your personal data is to carry out the clinical trial, to monitor the clinical trial and adverse events.

We store your personal data for 25 years after the clinical trial has been concluded.

We process and store your personal data based on article 6(1)(c) in the GDPR on legal obligation. Our legal obligation is to store the clinical trial master file.

2.6. Vigilance
When we receive reports of adverse events in connection with our vigilance work, we process your ordinary personal data such as name, title, workplace, name of hospital and e-mail address. In some cases, we receive sensitive personal data in the form of pseudonymized health information. We only collect the personal data directly from you, your doctor, or our clinical research investigators.

The purpose of our processing is to monitor and report any adverse events in connection with our products.

We process your personal data based on Article 6(1)(c) in the GDPR as we are legally obligated to monitor and report any adverse events in connection with our products.

As a main rule, we store the personal data for 80 years. However, we assess whether certain information can be deleted on an ongoing basis.

2.7. Our website

When you visit our website, www.contura.dk, we process ordinary personal data about you for the purpose of preparing statistics, optimizing the website, making use of remembering features and targeting marketing. Amongst other things, we process the following information:

• Your IP address for statistical purposes and remarketing.
• Your operating system and browser version for optimizing the future user experience on the website.
• Date and time of the visit on the website for statistical purposes only.
• We place cookies on your device including cookies from third parties that optimize the website by securing functionality, generating statistics, and remembering preferences. Click https://contura.dk/cookie-policy/ to read more about cookies in our cookie policy.

We process your personal data based on article 6(1)(f) in the GDPR about legitimate interest. Our legitimate interest is to secure functionality of the website, keep statistics about visits on the website as well as remember preferences for the purpose of optimizing the website. Furthermore, we process your personal data based on article 6(1)(a) in the GDPR about consent.

You can withdraw your consent at any time by deactivating cookies on your device or by changing the settings directly.

3. How
In order to be able to offer you amongst other things our goods, jobs and a good website, it is necessary for us to process your personal data by collecting, registering, organizing, systemizing, storing, using, deleting, transferring and passing on personal data.

4. Recipients or categories of recipients
We can disclose or hand over your personal data to our data processors, external suppliers, cooperating companies as well as business partners that assist us with our operational performance and the like.

5. Transfer of personal data to third countries
In some cases, we transfer your personal data to recipients outside the EU/EEA. This happens when we use data processors in countries outside the EU/EEA. Such transfers will always take place in accordance with the GDPR, which means that the third countries that we transfer personal data to either have an adequate level of protection or that we use the European Commission’s standard contractual clauses or other appropriate safeguards for our transfers.

If you want information on how to receive a copy of the relevant legal basis for the transfers of personal data to third countries or information on where this information is available, you can contact us by using the contact details below.

6. Security
Information we receive about people are stored securely and confidentially. Technically, we always make sure to use data processors that have the same level of security concerning your personal data as we have. Furthermore, internally in our organization we focus on educating and teaching our employees about high data security. In the situations where it is appropriate, we make sure to encrypt, pseudonymize or anonymize your personal data. Additionally, we always ensure to follow the existing regulation regarding personal data.

7. Right to withdraw your consent
You are at any time entitled to withdraw your consent to our processing of your personal data. You can withdraw your consent by sending an email to [email protected].

If you choose to withdraw your consent, this does not affect the lawfulness of our processing of your personal data based on your previous given consent and up to the time of your withdrawal. Thus, if you withdraw your consent, the withdrawal will take effect from this time on.

8. Your rights
According to chapter III in the GDPR, you have several rights in relation to our processing of your personal data. If you want to make use of these rights, you can contact us via email at [email protected].

Firstly, you have the right to obtain access to the personal data that we process about you.

Secondly, you have the right to get inaccurate personal data that we process about you rectified.

In some instances, you also have the right to have your personal data deleted and to get the processing of your personal data restricted.

Furthermore, in some cases you have the right to object to our processing of your personal data.

Lastly, you in some cases have the right to receive your personal data in a structured, commonly used, and machine-readable format.

9. Right to file a complaint
If you want to complain about our processing of your personal data, you may file a complaint to the Danish Data Protection Agency, which you can find at: Carl Jacobsens Vej 35, 2500 Valby, Denmark, via telephone number: +45 33193200 or via email: [email protected].

10. Do you have any questions?
If you have any questions about our privacy policy, you are welcome to contact us at any time via email at [email protected].

11. Whistleblower channel
If you have any concerns regarding unethical behavior within Contura International A/S, you can report it here, in a safe and confidential way.

*