Document

Please see a brief overview of how we process our Third-Party personal data in the provision of our services.

• Our Third Party – Data Protection Statement (this statement) provides specific information about our processing activities relevant to business clients, suppliers, agencies, partners and any other relevant party whose personal data we process as part of our business activities.
• Our whistleblower system – Data Protection Statement provides specific information about how personal data is processed when we receive a report through our mandatory whistleblower system. 
• Our Candidate – Data Protection Statement provides specific information about active/potential job seekers, and candidates supplied on assignment, whose personal data we process as part of our business.
• Our Social media – Data Protection Statement provides specific information about how we process personal data on our social media profiles and through advertisement on social media.
• Our Monjasa app – Data Protection Statement (this statement) provides specific information about how we process personal data about users of the Monjasa app. 
• Our Group Information Statement provides information about the companies in the Group including relevant contact details. This information is relevant to all data subjects.
• The Data Protection Rights Statement is relevant to all data subjects and provides information about your rights and what you should do if you want to raise a concern.

This Data Protection statement applies to

For the purposes of this Third Party – Data Protection Statement, third parties are those that we engage with for services including the following:

• when you enter into several agreements in terms of buying product from Monjasa or supplying a product;
• when you have shown interest in Monjasa’s products or services, e.g., by providing your business card to Monjasa;
• when you participate in customer satisfaction surveys;
• when you fill in HSEQ event reports;
• when you make use of Monjasa’s website and portals;
• when you provide consultancy and advisory services;
• when you collaborate and communicate with Monjasa; and
• when you visit our physical address.

The data controller for the processing of your personal data is the Monjasa entity which you cooperate or communicate with.

The personal data sourced in order to fulfill the engagement is usually as follows:

• the personal data is often provided by the third party or created by us as part of the engagement;
• the personal data may be publicly available;
• the personal data may be collected indirectly from another person within the organization of the third party;
• the personal data may be collected through our website; and
• the personal data may be collected indirectly from a website or from another third party.

Monjasa processes third party personal data for the following purposes:

• Generally, to plan, perform and manage the business relationship, including any contracts 
• Administration, such as processing payments (including collection of outstanding invoices), evaluation of credit ratings, performing accounting, auditing, billing activities, arranging shipments and deliveries as well as providing support services
• Ensuring security on our physical addresses 
• Completion of requests received from you 
• General, including promotional, communication 
• Evaluation and development of our services, including statistics and analytics 
• Compliance and regulatory purposes, such as fulfilling our legal and compliance-related obligations to prevent illegal activity
• Dispute handling

We process all personal data lawfully and in accordance with the requirements of the relevant Data Protection Laws. In the EU, the GDPR sets out the legal grounds available for processing personal data. When we process personal data any one of the following legal grounds will generally apply considering the relevant legislation in the jurisdiction that the data is being processed and the GDPR.

CONTRACT

As per the Article 6(1)(b) of the GDPR and any other relevant legislation applicable in the respective jurisdiction, the processing of your personal data will in some cases be necessary for the performance of a contract.

LEGITIMATE INTEREST

Under the Article 6(1)(f) of the GDPR, if you communicate or cooperate with a Monjasa entity in the EU/EEA, or any other relevant jurisdiction that this is applicable, we may process your personal data pursuant to our legitimate interest in, for instance, to manage daily operations according to lawful and fair business practices, including planning, performing and managing the business relationship or our legitimate interest in e.g. fulfilling our contractual rights and obligations with our company, conducting credit ratings, statistics, analysis, customer satisfaction surveys, marketing activities (where consent is not required), providing support as well as improving and developing our products and services.

In some of our office premises, we have installed CCTV which may record you if you visit us for an interview. Such recordings are processed based on our legitimate interests in preventing and solving crimes on our locations (cf. Article 6(1)(f) of the GDPR).

We will not process your personal data on a legitimate interest basis where the impact of the processing on your interests or fundamental rights and freedoms outweigh our legitimate interests.

You may object to any processing we undertake on this basis. If you do not want us to process your personal data on the basis of our legitimate interests, contact us at privacy@monjasa.com and we will review our processing activities.

It must be noted that, in certain jurisdictions, “legitimate interest” is not considered as a lawfulness of processing and Monjasa taking all the accounts to ensure in the jurisdictions we operate that it is considered as a legal requirement.

LEGAL OBLIGATION

As per the Article 6(1)(c) of the GDPR and any other relevant legislation applicable in the respective jurisdiction, if we have a legal obligation to process personal data we will process personal data on this legal ground, based on the local rules and regulations operating within the jurisdiction. For instance, such as preventing illegal activity.

DEFENCE OF LEGAL CLAIMS

As per the Article 6(1)(f) of the GDPR and any other relevant legislation applicable in the respective jurisdiction, in limited circumstances and in accordance with the law we may use personal data in the defense of legal claims or enforcing legal rights.

CONSENT

As per the Article (6)(1)(a) of the GDPR and any other relevant legislation applicable in the respective jurisdiction, for certain processing activities we may rely on your consent.

If you accept our use of functional, statistical, and marketing cookies, we base the processing of your IP addresses, device information and digital footprint on your consent.

Retention Period

Your personal data will be deleted when it is no longer needed for one or more of the purposes mentioned above.

If you have any queries regarding the retention period, please email to privacy@monjasa.com

Personal Data Category	Description
Communications Data	This may include personal data exchanged over email, phone, letter, and electronic communications (i.e. social platforms).
Contact Data	This may include a person’s name, email address, phone number, postal address, other communication details, such as Skype and Linkedin. If it is a customer, it may also be a Customer ID.
CCTV Data	This may include images recorded on CCTV footage.
Branch/Business Area Data	This may include  branch and/or company name and/or company address.
Financial Data	This may include payment, bank, or credit card details or making use of our invoice checker.
Reference Data	This may include opinions or references provided by the third party or any feedback received about the third party.
Web Data	This may include information provided on any forms completed by a third party on our website and, to the extent it includes personal data, but not limited to; information on the type of device being used, its IP address, digital footprint, operating system, referral source, page views as well as information regarding the timing, frequency and pattern of the service use.

As Monjasa, we have certain values and they are “Respect”, Curiosity”, “Ambition”, and “Smile & Joy”.

Our goal is to continue and engage with our clients, suppliers and any third parties; for instance, to keep them informed of market developments, engage in networking events, and to be available any time for opportunities to expand our portfolio.

Examples of the activities that we would consider as evidence of our ongoing engagement with a third party and thus a reason to continue to retain their personal data include:

• receiving regular enquiries from the third party;
• having the third party as a billing contact/vendor; 
• participating regularly in bids and getting awarded;
• receiving regular offers; and
• making/receiving regular cold calls or face to face meeting invitations.

However, subject to other requirements under local law, the following retention periods apply:

• Personal data included in accounting records is kept for 5 years from the end of the financial year to which the records relates.
• Personal data contained in customer satisfaction surveys will be deleted within 5 years.
• Personal data contained in HSEQ event report will be deleted within 5 years.
• Personal data collected in connection with business, support or other commercial activities will be stored as long as such data is relevant for the handling and monitoring of the issue in question. The retention period will typically be commensurate with the period laid down in the rules on the limitation of legal claims or the duration of our business relationship.
• The personal data may, however, be processed and stored for a longer period of time if anonymised or if we are obliged to do so according to law.

If you use our ”Whistleblowing System”

Serious and sensitive concerns that may have an adverse impact on the operations and performance of Monjasa or which may have a significant effect on a person’s life or health may be reported via our whistleblowing system, whereby Monjasa will process personal data about data subjects which are part of a whistleblower reporting (i.e. the senders of notifications, the reported persons and other third parties involved).

Data controller

Unless otherwise informed, Monjasa Holding A/S is the data controller in relation to the personal data collected as part of a whistleblower reporting.

Collection of personal data

Monjasa may collect and process personal data when a report is made as well as during the investigation of reports.

Types of personal data

If you report a suspected misconduct, such report will remain confidential and, if desired, anonymous. You should in any case provide a contact email address, as the investigating person may need to contact you for further details on the incident to be able to handle the case properly.

We may process the following personal data about the reported person:

• Name, job position, contact information and reported facts, including a description of the suspected misconduct

The following personal data may be processed about other third parties mentioned in the report:

• Name, job position, contact information and reported facts, including potential criminal offences and sensitive personal data such as, sexual relations, health information, political opinions, trade union membership and race.

Purposes of the processing

Monjasa may process personal data for the following purposes:

• Initial reporting and investigation of reports of alleged breaches
• Provide responses to requests made by the whistleblower, the reported person or other third parties involved

Legal basis

Monjasa will mainly process the personal data based on one or more of the following legal bases:

• Public interest: We process the personal data to investigate reports we have received through our whistleblower system, as this is in the public interest (Article 6(1)(f) and Article 9(2)(g) of the GDPR).
• Legal obligation: Establishment of a whistleblowing system is mandatory to Monjasa and the processing of personal data is necessary to comply with a legal obligation (Article 6(1)(c) and Article 10(1) of the GDPR)

Subject to other requirements under local law, the report and collected information will be deleted:

• Immediately if the report is outside the scope or manifestly unfounded, or if no internal action is made in relation to the concern.
• Right after the closing of the case by the authorities if a report is filed with the police or other relevant authorities.
• 2 months after the investigation has been completed if no further action is taken.
• If disciplinary sanctions are made towards the reported employee based on the collected information or there are other reasons for it being necessary to continue storing the information, the collected information may be transferred to the employee’s personnel file. In such case the personal data will be deleted no later than 5 years after termination of employment.

We may need to share your personal data in order to deliver our services. We will always ensure that any disclosure of personal data is undertaken in compliance with the applicable Data Protection Law in the relevant jurisdiction that the personal data is being processed and ensure that appropriate technical and organisational measures are undertaken to protect and secure any personal data that is transferred.

The Third Party Personal Data is shared and disclosed in certain circumstances as follows:

• to business partners and third-party service providers for the purposes of delivering services to or on behalf of our company and administration of our business, including email, chat, ERP systems payment processors and invoicing systems, hosting service providers, external consultants, accountants, auditors, IT consultants, lawyers and other suppliers providing systems or services to Monjasa
• in connection with Monjasa’s development, the company structure may change, e.g. through a full or partial sale of Monjasa. In case of a partial hand over of assets containing personal data, the legal basis for the related disclosure of personal data is, as a general rule, Monjasa’s legitimate interest in handing over parts of its assets as well as making commercial changes. 
• if we are under a duty to disclose or share personal data in order to comply with any legal obligation (including tax, audit or other authorities), or in order to enforce or apply any contracts that we have
• to official authorities to protect our rights, property, or safety, or those of other persons (including you)
• to payment service partners for the processing of payments to and from our business,
• to protect our rights, property, or safety, or that of our customers, suppliers or others. This may include exchanging information with other companies and organisations for the purposes of fraud protection
• to analytics and search engine providers that assist us in the improvement and optimisation of our Website. This consists of information relating to the web pages visited on the Website and tracking codes from service providers like LinkedIn and Google
• to insurance companies/brokers and providers where required for administering claims
• to our email distribution partner and service providers in the case of marketing and newsletters

We will normally use and share personal data outside of your country for the following reasons:

• to carry out corporate oversight of our global business organization
• to provide shared services in certain functions such as HR, Finance, and IT
• to deploy certain tools and resources across the global organisation
• to facilitate interactions between our employees across our global locations

If your personal data is transferred to data processors or data controllers established in countries outside the EU/EEA which do not have an adequate level of protection, such transfers will in general be based on the Data Privacy Framework or EU Commission’s Standard Contractual Clauses which you have a right of access to. If you have any questions about the tools for transfers to countries outside the EU/EEA please contact us us at privacy@monjasa.com

Monjasa uses a variety of security safeguards to protect customer data and personal information from disclosure. These security safeguards are designed to prevent unauthorised access, improper use or disclosure, unauthorised modification and unlawful destruction or accidental loss of personal data.

We will ensure that any transfer of Personal Data outside of any jurisdiction is undertaken using legally compliant transfer mechanisms and in accordance with relevant laws.

We will take all steps reasonably necessary to ensure that all personal data is treated securely in accordance with this Data Protection Statement and the relevant Data Protection Laws in the applicable jurisdiction. In particular, we have put in place appropriate technical and organisational procedures to safeguard and secure the personal data we process.

We also use secure connections to protect personal data during its transmission. Where you have been given (or where you have chosen) a password which enables you to access services, you are responsible for keeping this password confidential. Please do not share your password with anyone.

If you think that there has been any loss or unauthorised access to personal data of any individual, please let us know immediately.

Please see our separate Cookie Notice available at Cookie Policy further information.

We will update the date on this Data Protection Statement when we make changes to it.

We will post any changes to this Data Protection Statement on the Website and when doing so will change the effective date at the top of this Data Protection Statement.

Please contact us at privacy@monjasa.com if you have any questions or concerns about how your personal data is being used by us.

Please use this link referring to Data Protection Rights Statement for further information about your rights.

If we are unable to resolve your concerns, you have the right to contact the supervisory authority in the country where you live or work, or where you consider that the data protection rules have been breached.

Please see section 5 of our Data Protection Rights Statement ”Queries and Supervisory Authority Contact Details” for further information about relevant Data Protection Authority contact details.