CanopyLAB is the data controller, and we ensure that your Personal Data is processed in accordance with the applicable laws.
When you convey information relating to an identified or identifiable natural person (“Personal Data”) on the CanopyLAB website and/or on the CanopyLAB learning platform (the “Service”) we collect and process that information. The protection of your Personal Data is important to us and we wish to explain how we handle your Personal Data.
In order to protect your Personal Data as well as possible, we continuously assess the level of risk that our data processing affects your rights. We are particularly aware of the risk of you being subject to discrimination or ID theft, or suffering financial loss, loss of reputation or data privacy.
1. What kind of Personal Data do we collect?
1.1 We collect the following Personal Data when you sign up for the Service:
Training program history and progression.
2. For which purpose do we use your Personal Data?
2.1 We use your Personal Data to create a data-driven health platform in order to combat long-term sickness leave and improve the general health and well-being at your place of work. The information may also be used for statistics about the use of the Service.
3. We only process relevant Personal Data
3.1 We only process Personal Data about you that are relevant and sufficient in relation to the purposes defined above. The purpose is crucial for the kind of data that are relevant to us. The same applies to the amount of Personal Data we process - we do not process more Personal Data than needed for the specific purpose.
4. We process only the required Personal Data
4.1 We collect, process and store only the Personal Data acquired to meet the already established purposes. Additionally, it may be decided by law which data we are required to collect and store to run our business. The type and extent of the Personal Data we process may also be required to fulfil a contract or other legal obligation.
4.2 We want to ensure that we process only the Personal Data necessary for each of our specific purposes. Therefore, our IT systems collect only the Personal Data necessary by default. It is also automatically ensured that the amount of processing is not unnecessarily large and the storage time is not too extensive.
4.3 To protect you from unauthorized persons accessing your Personal Data, we use IT solutions that automatically ensure that your data are only available to the relevant employees. There is furthermore embedded protection against an unlimited number of persons receiving access to your data.
5. We amend any inaccurate Personal Data about you
5.1 As the Services are dependent on your Personal Data being accurate and up to date, we ask that you provide us with relevant changes to your Personal Data so we can alter our register accordingly. You can use the contact details above to notify us of any changes.
6. For how long do we keep your Personal Data?
6.1 We delete your Personal Data when they are no longer necessary to meet the purpose for which we gathered, processed and stored them. We delete your Personal Data at your request according to section 12, or upon termination of your subscription to the Services.
7. We will obtain your consent before processing your Personal Data
7.1 We obtain your consent before processing your Personal Data for the purposes described above unless we have a legal basis for collecting them. If we collect your Personal Data on such a legal basis, we will inform you of such a basis as well as any legitimate interest in processing this Personal Data.
7.2 Your consent is voluntary and can be withdrawn at any time by contacting us. We make sure that it is as easy to withdraw your consent as to give it. Please contact us at the following address if you would like to withdraw your consent or have any questions concerning the above: email@example.com.
7.3 If we wish to process your Personal Data for another purpose, we will inform you and obtain your consent before we begin the processing of your Personal Data. If we have other legal grounds for processing your Personal Data than your consent, we will inform you accordingly.
8. We do not disclose your Personal Data without your consent
8.1 In some cases, we will pass on the Personal Data to others. The passing on of Personal Data will take place to the extent and to whom it is necessary in order for us to provide you with the Service.
8.2 Your Personal Data may be passed on to: (i) suppliers with whom we cooperate to support our company (e.g. suppliers of services and technical support); or (ii) if it is required by law, court order or by prevailing legislation.
8.3 In order to protect your rights, your Personal Data will be rendered irreversibly anonymous in such a manner that you are no longer identifiable, before we disclose any data to your place of employment.
8.4 If we transfer your Personal Data to collaborators or other parties, including for marketing purposes, we obtain your consent and inform you of how your data will be used. You may object to this kind of disclosure at any time and you can exclude yourself from marketing requests in the CPR registry.
8.5 We will not obtain your consent if we are legally required to disclose your Personal Data, for example, as part of reporting to an authority.
9. Data Security – what measures do we take?
9.1 We take precautionary measures of technical and organizational nature to protect your Personal Data from manipulation, loss, destruction or access from unauthorized persons. Our precautionary measures are revised on a regular basis in order for us to meet the legislative requirements for a suitable data security system.
9.2 However, we cannot guarantee that the data are completely protected against individuals who want to and succeed in breaking our precautionary measures and gain access to transfer information on the Internet, e.g. via e-mail.
9.3 In case of a security breach that results in high risks of discrimination, ID theft, financial loss, loss of reputation or other significant inconvenience, we will notify you of the security breach without undue delay.
10. Cookies – we obtain your consent before installing Cookies
10.1 Before we install cookies on your equipment, we ask for your consent. However, cookies required to ensure functionality and settings can be used without your consent.
11. Access – you are entitled to access your Personal Data
11.1 You are entitled to know which Personal Data we process about you, from where they originate, and for which purpose we use them. We will let you know for how long we store them and who receives them.
11.2 At your request, we will disclose what data we process about you. Access may, however, be limited for the protection of other persons' privacy, trade secrets and intellectual property rights.
You can exercise these rights by contacting us by e-mail at firstname.lastname@example.org.
12. Rectification or Deletion – you are entitled to have inaccurate Personal Data corrected or deleted
12.1 If you believe that the Personal Data we process about you are inaccurate, you are entitled to have them corrected. You can contact us and inform us of the inaccuracies and how they can be corrected.
12.2 In some cases, we will have an obligation to delete your Personal Data. This applies, for example, if you withdraw your consent. If you believe your Personal Data are no longer necessary for the purpose for which we obtained them, you may want to have them deleted. You may also contact us if you believe your Personal Data are being processed in violation of the law or other legal obligations.
12.3 When you convey a request to correct or delete your Personal Data to us, we will investigate whether the conditions are met and, if so, make changes or deletions as soon as possible.
13. Complaints – you are entitled to object to the processing of your Personal Data
13.1 You have the right to object to the processing of your Personal Data. You can also object to our disclosure of your data for marketing purposes. You can object by e-mail at email@example.com. If your opposition is justified, we will stop processing your Personal Data.
14. Data portability – you are entitled to retrieve your Personal Data
14.1 You are entitled to receive the Personal Data you have made available to us and those, if any, we have collected from a third party based on your consent. If we process Personal Data about you as part of a contract to which you are a party, you have the right to receive these Personal Data as well. You also have the right to transfer these Personal Data to another service provider. If you wish to exercise your right to data portability, we will transfer your Personal Data to you, or to the service provider of your choice, in a commonly used format.
15. Contact us if you want to exercise your rights
15.1 Please contact us by e-mail firstname.lastname@example.org.
15.2 If you wish to access your data, have them corrected or deleted, or object to our data processing, we will investigate and respond to your request as soon as possible and no later than one month after we receive your request.
15.3 If we do not fully comply with your objection, you have the right to file a complaint with the Danish Data Protection Agency by following the instructions on the Danish Data Protection Agency’s website (in Danish): https://www.datatilsynet.dk/english/the-danish-data-protection-agency/contact/
Version 10 April 2018