1

Privacy policy

1.1

In this privacy policy you can read more about how we process your personal data when you apply for a position at Momentum Energy Group A/S or Momentum Energy Wind Services ApS.

1.2

The Privacy Policy has been prepared with reference to the rules of the General Data Protection Regulation (Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (EU) 2016/679 (also known as “GDPR”)) and the Danish Data Protection Act (Act no. 502 of 23/05/2018 with later amendments) (the “Data Protection Act”).

1.3

You will receive this privacy policy as a link in an email when you apply for employment at Momentum. The privacy policy can also be found on Momentum’s website

2

Who we are (We are the data controllers)

2.1

We are the Company responsible for processing your personal data in accordance with this Privacy Policy. This means that we are the data controller.
The privacy policy applies to the two companies listed below and the responsibility for handling your personal data lies with the company you apply to.

2.2

Our contact information: Momentum Energy Group A/S
Roskilde department (head office)
CVR number 28888430
Københavnsvej 81
DK-4000 Roskilde
Denmark
+45 46 33 70 10
compliance@momentumgreenenergy.com

or

Momentum Energy Wind Services ApS
CVR number 28324022
Københavnsvej 81
DK-4000 Roskilde
Denmark
+45 46 33 70 10
compliance@momentumgreenenergy.com

2.3

To make the policy more user-friendly, we use the terms “we”, “us”, “our” or similar. to describe our business. When we refer to “you”, we mean you as an applicant for a position with us.

3

We process the following categories of data:

3.1

General personal information:

• General personal data (e.g. name and/or username, address, email, date of birth, gender, address, etc.)
• Qualifications (education, training and internships).
• Your profile information (if you log in to your profile via your LinkedIn profile or other social media).
• Relevant feedback about you from our staff or from a third party.
• Your feedback (if you give feedback about others).
• Results of personality and skills tests, etc.
• Identity papers and work permit (To the extent that identity papers are required to determine whether you have a valid residence or work permit).
• Job ID.
• Other information that appears on your CV or in your application.
• Please do not include a civil registration number or other special categories of personal data in your CV or application, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. If any of the above documents contain sensitive personal data, e.g. civil registration number, trade union affiliation, etc. please cross it out before sending it to us.

3.2

Confidential or sensitive personal information

• Information about any disabilities and the accommodations we need to make in the workplace (if you have informed us).
• Criminal record or child certificate (to the extent that the job you have applied for or the category of job you have applied for requires a criminal record or child certificate).
• Additional information.

3.3

We process personal data about the following categories of persons:

• Applicants.

4

Where your personal data originates from

4.1

We only process personal data about you that we receive directly from you, your former employers or from public authorities.

5

Purpose

5.1

The purpose of processing your data:

• We process your personal data in order to process your application and allow you to be registered in our recruitment system.
• In order to secure Momentum Energy Group legal claims or defend ourselves against such claims.

6

Legal basis

6.1

We process your personal data in accordance with the following legal basis for processing.

• The processing is necessary for the performance of a contract to which you are party or for the implementation of pre-contractual measures taken at your request prior to the conclusion of a contract, cf. GDPR, Article 6(1)(b).
• The processing is carried out to ensure that documentation of a correct re-employment process has taken place in accordance with Article 6(1)(e) of the General Data Protection Regulation, Article 9(2)(f) and Section 11 of the Danish Data Protection Act.
• The processing is necessary for the establishment, exercise or defense of legal claims, cf. GDPR, Article 9(2)(f).
• The processing is necessary in order to comply with a legal obligation incumbent on Momentum Energy Group, cf. GDPR, Article 6(1)(c) and Article 9(2)(b), cf. Section 7 of the Danish Data Protection Act.
• The processing is necessary for us or a third party to pursue a legitimate interest, unless your interests or fundamental rights and freedoms override this, cf. GDPR. GDPR, Article 6(1)(f).
• In these situations, the legitimate interests will often be Momentum Energy Group’s interest in being able to manage and document the recruitment process.
• You have given your consent to the processing of your personal data for one or more specific purposes, cf. GDPR, Article 6(1)(a) and Article 9(2)(a), cf. Section 7(1) of the Danish Data Protection Act.

6.2

If you would like more information about our legal basis for processing your data, please contact us.

7

General principles of data processing

7.1

We want to protect your personal data and we process it in a responsible, transparent and secure manner.

7.2

We adhere to the following principles when processing personal data:

• Lawfulness: We always process your personal data lawfully, fairly and in a transparent manner with respect to you as the data subject.
• Data minimization: We limit the processing of your personal data to what is necessary and relevant for the purposes for which the data has been collected.
• Purpose limitation: We only collect your personal data for specific, explicit and legitimate purposes and we do not further process it in a way that is incompatible with those purposes.
• Accuracy: We ensure that your personal data is accurate and – if necessary – updated.
• Integrity and confidentiality: We use technical and organizational measures to ensure appropriate data protection, taking into account, among other things, the nature of the personal data concerned. Such measures protect against unauthorized disclosure and access, accidental or unlawful destruction, accidental loss or alteration, and against other unlawful forms of processing.
• Access and rectification: We respect your rights in relation to the processing of your personal data.
• Limitation of retention: We retain your personal data in accordance with applicable laws and regulations and no longer than necessary for the purposes for which the personal data has been collected.
• Protection of international transfers: We ensure the adequate protection of your personal data in connection with transfers outside the EEA.
• Protection in relation to third parties: We ensure that third parties only access (and are only allowed to transfer) personal data in accordance with applicable data protection laws and with the necessary contractual protections.
• Lawful use of direct marketing and cookies: We will only send you promotional material or place cookies on your computer in accordance with applicable data protection and other relevant legislation.

8

Risk analysis

8.1

We implement technical and organizational measures to maintain a level of security appropriate to the risks specifically associated with our processing of personal data.

8.2

We have performed a risk analysis, which forms the basis of this privacy policy.

9

Data Protection Impact Assessments (DPIA)

9.1

Article 35 of the GDPR requires that where the processing of personal data, in particular when using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a significant risk of breaching the rights and freedoms of natural persons, the controller must carry out an assessment of the impact of the envisaged processing activities on the protection of personal data before the start of the processing.

9.2

The obligation to conduct an impact assessment only applies in exceptional cases where there is a high risk to the rights and freedoms of individuals.

9.3

It is our assessment that we will rarely perform a treatment that meets any of the above criteria. It must therefore be assumed that the impact assessment rules will have a relatively limited scope of application in relation to our processing of your personal data.

9.4

If an impact assessment is carried out anyway, the results of the assessment will be taken into account when taking appropriate measures.

10

Data Protection Officer (DPO)

10.1

It is our assessment that Momentum Energy Group does not process personal data to the extent mentioned. We have therefore chosen not to appoint a data protection officer.

11

Data Controller

11.1

When it comes to your personal data, we will operate independently. This includes independently assessing whether there is a valid reason for collecting/processing your personal data, identifying relevant and necessary data and determining the retention period. In this context, Momentum Energy Group will act as data controller.

12

Data processors

12.1

In some cases, we use external companies to handle the technical operation of Momentum Energy Group’s IT systems, etc. In such cases, these companies may act as data processors for Momentum Energy Group.

12.2

The data processor acts solely on our instructions and the data processor has taken the necessary technical and organizational security measures against accidental or unlawful destruction, loss or deterioration of personal data and against disclosure to unauthorized persons, misrepresentation or other processing in violation of the GDPR.

12.3

In certain cases, our data processors use other data processors to process personal data where Momentum Energy Group is the data controller. Other processors may be established inside and outside the EU/EEA.

12.4

A data processing agreement must be concluded between us (the controller) and the other party (the processor) and must comply with the applicable requirements for data processing agreements as mentioned in GDPR Article 28(3). This involves drawing up a contract or other legal document that is binding on the processor. It is also a requirement that the data processing agreement is in writing, including electronically.

12.5

In addition, the GDPR has several specific requirements for the content of the data processing agreement. The agreement must contain information about the status and duration of the processing, the nature and purpose of the processing, the type of personal data, the categorization of the data subjects and our obligations and rights as data controller and the data processor’s obligations in relation to performing the task. The requirements are specifically described in GDPR Article 28(3)(a-h).

13

Transfer of personal data to third countries

13.1

Momentum Energy Group’s processing of personal data will predominantly take place within the EU.

13.2

If your personal data is transferred to countries outside the European Economic Area (EEA), we make sure that the necessary safeguards are in place, including

• The transfer is within the framework of a decision on required safeguards by the European Commission in accordance with Article 45 GDPR.
• That standard contractual clauses for data protection, as approved by the European Commission or a data protection authority in accordance with Article 46(2)(c) or (d) GDPR, are fulfilled.
• That the requirements for approval of Binding Corporate Rules by a data protection supervisory authority in accordance with GDPR Article 46(2)(b) are met if Binding Corporate Rules are used as the legal basis for the transfer of such personal data outside the EU/EEA.

13.3

13.3 Please see the following link: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/rules-international-data-transfers_en for further information on how the transfer of personal data outside the EEA is regulated.

14

Other disclosure of personal data

Personal data may also be disclosed to:

• Other entities in Momentum Energy Group A/S.

15

Profiling

15.1

We do not use your personal data for profiling.

16

Security measures

16.1

We have taken the necessary technical and organizational security measures to protect your personal data against accidental or unlawful destruction, loss or alteration, as well as against unauthorized disclosure, misuse or other conduct in violation of applicable laws.

16.2

Access to personal data is limited to people who need access. Employees who process personal data are instructed and trained to know what to do with personal data and how to protect it.

16.3

When documents (papers, archival data, etc.) containing personal data are discarded, shredding or other measures are used to prevent unauthorized persons from accessing the personal data.

16.4

Passwords are used to access PCs and other electronic devices that contain personal data. Only the people who need access will have a code and only to the systems they need to use. People with passwords must not give the code to others or leave it where others can see it. Review of assigned codes will be performed at least once every six months.

16.5

If personal data is stored on a USB stick, the personal data must be protected, e.g. with a password and encryption. Otherwise, store the USB connector in a locked drawer or cabinet. The same applies when storing personal data on other portable data media.

16.6

PCs connected to the internet have an up-to-date firewall and virus check installed.

16.7

If sensitive personal data or personal identification numbers are sent to us via email over the internet, such emails must be encrypted. If you send personal data to us via email, please note that this is not secure if your emails are not encrypted. We advise you not to send us confidential or sensitive personal data via email unless specifically agreed in advance so that we can ensure the necessary level of security.

16.8

When repairing and servicing data equipment containing personal data and when data media are to be sold or discarded, we take the necessary precautions to ensure that personal data is not disclosed to unauthorized persons. For example, through the use of non-disclosure agreements.

16.9

When using an external data processor to process personal data, a written agreement is entered into between us and the data processor. This applies, for example, when using an external document or if cloud systems are used in the processing of personal data – including communication with you. Similarly, a written agreement is always made between us and you if we act as data processors. The data processing agreements are also available electronically.

17

Backing up your data

17.1

Momentum backs up all production data. Backups are stored on an external server.

17.2

All backed up data is stored for a maximum period of ten (10) years.

18

Retention periods and deletion

18.1

When do we delete your data?

18.1.1

For job applications, we delete personal data 6 months after the final rejection of the specific job application, unless you have consented to longer retention.

18.1.2

Please note that special circumstances or legal requirements may mean that this period may be shorter or longer, depending on the purpose of complying with legal requirements for deletion or retention of data.

18.2

How do we delete your data?

18.2.1

Personal data must be deleted from the production system. When personal data is deleted from the production system, it will be deleted from the backup system if technically possible.

18.2.2

Alternatively, personal data can be completely anonymized so that it can no longer be attributed to an individual. In this case, the GDPR does not apply at all and complete anonymization is therefore an alternative to deletion. However, it is important to keep in mind that anonymization – as an alternative to erasure – requires the deletion of all traces that can lead to the person to whom the data relates. It’s usually a very difficult practice.

18.2.3

After deletion/anonymization, we will perform appropriate cross-checks in the form of searches on name, email address, the specific case, etc. to ensure that nothing on the person appears.

18.2.4

Anonymization

18.2.5

Momentum Energy Group may use anonymized data from you for statistical and research purposes, as well as to improve systems, processes and products. This means that the results cannot be used to identify specific individuals. Thus, irrevocable anonymization is performed so that the data subject can no longer be identified.

19

Changes to privacy policy

19.1

Momentum Energy Group may change this privacy policy at any time and without notice and with future effect. In the event of such changes, our users will be informed via our website.

20

Contact information

20.1

If you have any questions about our privacy policy, our processing of personal data, rectification or your relationship with us in any other way, you can contact us at the following email address: compliance@momentumgreenenergy.com and via our website.

21

Your rights

21.1

We want to ensure the greatest possible transparency to allow you to make informed choices about how you want us to process your personal data.

• Your personal data: You can contact us at any time through the data protection contact point to find out what personal data we have about you and where we got it from. In some cases, you have the right to receive the personal data we have collected about you in a commonly used, structured and machine-readable format and to disclose your personal data to a third party of your choice.
• Right to correction of errors: If you discover that your personal data is inaccurate or incomplete, you can request that we correct it.
• Right to restriction of processing: You have the right to request that the processing of your personal data is restricted while the accuracy of your personal data is verified.
• Right to object: You also have the right to object to your personal data being used for direct marketing or disclosed to third parties for the same purpose. You can then let us know how often you want to hear from us.
• Consent: You can withdraw your consent to the processing of personal data at any time by using the contact email for data protection.
• Erasure: You can ask us to delete your personal data (except in certain cases, e.g. to document a transaction or to comply with legal requirements).
• Complaint: If you wish to complain about Momentum Energy Group’s processing of your personal data, you can contact the Danish Data Protection Agency.

Data Protection Authority
Carl Jacobsens Vej 35
DK-2500 Valby
Tel: 33193200
E-mail: dt@datatilsynet.dk
www.datatilsynet.dk