Privacy Notice
twoday GROUP

 

1. Introduction

1)    This Privacy Notice is intended to provide you with information on how twoday ("we", "us", "our") collect and process your personal data which you have given to us, or we have collected from you via our website https://twoday.no

2)    We will only process your personal data in accordance with this Privacy Notice and applicable law to which we are subject, including the General Data Protection Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "GDPR") and any applicable national data protection legislation.

1.3) twoday is the data controller in relation to your personal data. You can contact twoday by using the contact information specified in Section 10.


2. The data we collect, the purpose and the legal basis for processing

2.1)  twoday may process personal data of the following types: 

⦁    Personal information
⦁    Names, addresses, email-addresses, phone numbers, geographic locations, demographic information, etc. 
⦁    Financial information
⦁    Invoices, receipts, bills, etc.
⦁    User-generated information
⦁    Uploaded files such as photos, videos, audio, comments, reactions, articles, blogs, etc.
⦁    Web traffic information
⦁    Usernames, ID’s IP-addresses, browser types, browser versions, etc. 
⦁    Statistics
⦁    Web page consumption and usage statistics like clicks, visited pages, time on pages, etc.
⦁    Information via job applications and contracts
⦁    Applications, resume, information about your education, qualification, grades and work experiences, presentations etc. 

2.2)    When you submit your application, including e.g. CV, portrait photo, video presentations, exam certificates, and provide us with information during job interviews and personality tests etc., we process your personal data to assess your eligibility for the job in question and to manage the recruitment process, including to communicate with you about your application, to respond to your inquiries, to schedule interviews and in the end to make a decision on whether we can offer you the position. When you provide references in your application, we may also collect information about you from these references or verify the information you have provided to us, including information on educational and professional qualification and experiences . We may also search for relevant information in publicly available databases, such as cvr.dk, LinkedIn and other social medias.

2.2.1)  The purpose of the processing is based on your application take steps prior to entering a potential employment contract and to pursue our legitimate interests in evaluating applicants for a position (article 6(1)(b) and (f) of the GDPR).


2.3)  When you use our Website we may collect information about you, including through the use of cookies. We will only use cookies – other than technically necessary cookies if you have consented to the use of these. We refer to our Cookie Policy for more information here.

Among other things, we collect information about your IP address, your login data and time, browser type and version, time zone and network location, and other information about the devices you use to access our website and platforms. We also collect information about how you use and interact with our website. 


2.3.1)   The purpose of our processing is to optimise the user experience and the website's functionality including creating statistics and to improve our service. This processing of personal data is necessary for us to pursue our legitimate interest in operating and improving our Website and in marketing our services (article 6(1) (f) of the GDPR).


2.4)   Using cookies, twoday collects your personal data to tailor specific content for you through direct marketing on social media platforms, emails, webpages or in a twoday services, based on your preferences to carry out profiling. The personal data processed are aggregated details about you such as IP-address, interests (where you have clicked, etc.) browser, and device. twoday will also be able to combine this information with information about the customer relationship we may have with your company.

2.4.1)  The purpose of the profiling is to deliver customized marketing to you, improve your user experience with our services/websites and deliver products that our customers are satisfied with. The legal basis for the processing is based on your consent (article 6(1) (a) of the GDPR), which you provide when you consent to the use of marketing cookies in the cookie management tool. We refer to section 3 for information on the possibility to opt-out from being subject to profiling.  


2.5)  When you interact with twoday e.g., by visiting twoday web pages, downloading content, attending webinars, communicate with us, and use twoday’s services, twoday will be processing your personal data, such as name, address, e-mail address, phone number, any user-generated content as stated in section 2.1, and the information you have provided when contacting us. 


2.5.1)    The purpose of our processing is to being able to process your requests and respond to other communication. This processing is necessary to pursue our legitimate interest to communicate with you and respond to your questions and other requests (article 6(1) (f) of the GDPR).

2.6) When you enter into a contract with us, we will process, twoday will be processing your personal data, such as name, address, e-mail address, phone number and financial information such as invoices, receipts and payment methods.

2.6.1)  The purpose of our processing is to administer and perform the agreement with you, including to set you up as a customer, manage and to collect payment for our services. The processing is necessary for the performance of a contract with you (article 6(1) (b) of the GDPR). 


2.7)  When you sign up for our newsletter, we collect personal data about you, including your name and your email address. We will not send you any e-marketing without you have given consent. 

2.7.1)    The purpose of our processing is to pursue our legitimate interest in marketing our services to you (article 6(1) (f) of the GDPR). 

2.8)  To the extent that we refer to our legitimate interest as the legal basis for the processing of personal data specified above, we have conducted a balancing test for those interests to ensure that our interest is not overridden by your interests or fundamental rights and freedoms. Please contact us by using the email provided in Section 8 below if you wish to receive more information on the balancing test.


3.  Opt-out of marketing & Profiling

3.1)    You have the right to opt out of receiving marketing communications from twoday and being subject to profiling. You can do this by either:
⦁    Following the instructions for opt-out in the relevant marketing communication
⦁    Changing preferences under the relevant edit account section if you have an account with twoday
⦁    Contacting us via e-mail at privacy@twoday.com
⦁    Using the applicable subscription management tool
⦁    You will also always have the option to opt-into/out of cookies on a particular web page, through our cookie banner.


3.2)  Please note that even if you opt out from receiving marketing communications, you may still receive administrative communications from twoday, such as order confirmations and notifications necessary to manage your account or the services provided to Customers.


4. How is your personal data collected

4.1)    In general, twoday collects personal data directly from you or other persons linked to our Customer. If the Customer you work for purchases twoday products or services via a twoday partner company, we may collect information about you from the partner company.

4.2)  When you interact with our Website, we may collect technical data about your equipment, browser activity and patterns. We collect these personal data by using cookies and other similar technologies. We may also receive technical data about you, if you visit other websites that use our cookies. We use cookies and other similar technologies to ensure we can provide the best possible user experience when you interact with twoday web pages or communicate with us via email. You can find more information on our use of cookies and similar technologies in our Cookie Policy. 

4.3)  In some cases, we may also collect information about you from other sources like: 
  ●     Third-party aggregators 
  ●    Third-party social networks

   ●    twoday marketing partners

    ●    Publicly available information


5. Disclosure of your personal data

5.1)  Your personal data is disclosed to third parties who process personal data on behalf of twoday, and therefore acts as our data processors. We have entered into data processing agreements that comply with article 28 of the GDPR with all our data processors to ensure that such data processors implement appropriate organisational and technical security measures in such a way that the processing complies with the requirements of the GDPR and ensures the protection of your rights. 

5.2)  Your personal data is disclosed within the twoday Group. twoday Group is a collection of subsidiaries and to make sure we can deliver the optimal user experience we may share your personal data across internal companies. 

5.3)  twoday may share your personal information with our partners in the event this is legitimate from a business perspective and according to applicable privacy legislation.

5.4)  The police and other authorities may request access to personal information from twoday. In such events twoday will only provide the data if this is on the basis of a legitimate court order. 


6. Transfer of your personal data to third countries

6.1) We will not transfer your personal data to recipients outside EU or EEA unless we have ensured compliance with GDPR Chapter V. 

6.2) Some of our third-party service providers are established outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA. However, to ensure that your personal information receive an adequate level of protection we have ascertained that sufficient safety measures have been implemented to allow for the transfer, including where the European Commission have deemed the country to provide an adequate level of protection for personal data; or by use of specific contracts approved by the European Commission (Standard Contractual Clauses) which give personal data essentially equivalent protection as it has in Europe.  

6.3)  If you require further information about on our current data processors established outside the EEA and the safety measures in place to allow for the transfer of personal data, you can request it from us – please send your request to us by email at privacy@twoday.com.


7. How do we protect your personal data?

7.1)  Your personal data is protected by a several different security control, such as:

Encrypted web traffic 
- twoday’s web pages use TLS - Transport Layer Security. 
- Your data is only communicated over encrypted channels when in transit. 

Encrypted storage 
- All personal data we store and process are encrypted when at-rest. 

Least-Privilege 
- All personal data we store have regulated access controls. Only personnel with dedicated tasks related to your personal information will have access to your data. 


8.  Your rights

Under certain circumstances, you have one or more of the following rights:


The right of access by the data subject

  • You have the right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

The right to rectification

  • You have the right to request correction of your personal data that we hold about you. If you become aware that the personal data, we process is inaccurate, we encourage you to contact us in writing which will enable you to have any incomplete or inaccurate information we hold about you corrected.

The right to erasure ("the right to be forgotten")

  • You may have the right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. To the extent the continued processing of your personal data is necessary, for example in order for us to comply with our legal obligations or for legal requirements to be established, enforced or defended, we are not required to delete your personal data.

 

The right to restriction of processing

  • You may have the right to request the restriction of processing of your personal data to consist only of storage. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.

    The right to data portability
  • You may have the right to obtain personal data that you have provided us with, in a structured, commonly used, machine-readable format and have the right to request a transfer of that information to another data controller.


The right to object

  • You have the right to object to our processing of your personal data at any time when it relates to our direct marketing efforts towards you.

  • Furthermore, you have the right to object to our processing of your personal data at any time, for reasons relating to your personal life, where we are relying on a legitimate interest as legal basis for processing.


The right to withdraw your consent

  • You have the right to withdraw a consent you have provided us with for the purpose of processing your personal data. If you wish to withdraw your consent, please contact us by using the contact information specified in Section 10.


The right to lodge a complaint


9.  Data Retention

9.1)  twoday will only store your personal information if there is a legitimate purpose for its retention. This means your personal data will be subject to different kinds of retention policies based on: 

9.1.1) You have applied for a job at twoday

9.1.2) Your personal data (CV, application, attachments, etc.) will be deleted when the recruitment process is closed (Typically 6 months after application deadline, unless otherwise agreed upon with you).

9.2)  You are using twoday’s website and services.

9.2.1)  Either you have an account to get access to reports, articles, etc. or you have a customer account and use our services. This personal data will be stored for as long as the accounts are active or there is a contractual obligation, and not later than 24 months after registered activity. 

9.2.2)  Personal data about your use of our Website, will be deleted at the latest, when you have not used the website for 6 months or if you choose to delete the cookies yourself.

9.2.3)  Personal data about contact information and purchases is retained to document purchases you have made, agreements we have entered into, and for accounting purposes. The data will be retained for 5 full fiscal years following the end of the year to which the purchase or agreement relates, or the later date the purchase price was paid in full.

 
9.3)  Marketing purposes

9.3.1)  Contact information related to leads and prospects. Personal data in this category will be deleted no later than 24 months after the last registered activity. 

9.3.2)  Personal data about you collected when you signed up for our newsletter will be deleted when your consent to receive newsletters is withdrawn. 


9.4)  We do, however, reserve the right to retain your personal data for an extended period of time if deemed necessary to establish, exercise or defend a legal claim or in order to meet a legal obligation.


10.  Contact information

10.1)    twoday is a European corporation, with legal entities, business processes, management structures and technical systems that cross borders. twoday delivers software and services to private and public businesses in Europe. 

10.2)    twoday’s head office is located in Copenhagen. All major decisions regarding privacy in twoday are made at a corporate level by the twoday Data Protection Council supervised and chaired by a Data Protection Officer (DPO). The controller responsible for the processing of your personal data is:
⦁    twoday Group and its subsidiaries
⦁    Head Office: Gærtorvet 3, 1799 København V, Denmark
⦁    E-mail: privacy@twoday.com

10.3)  If you have any questions regarding this Privacy Notice or wish to exercise your rights pursuant to Section 8, please use the contact information set out above in section 10.2:


11.  Changes to this privacy notice

11.1)    If we make changes to this privacy notice, we will orientate you via e-mail. Our privacy notice can always be found on here


12.  versions

12.1)   This is version 1 of twoday’s privacy notice, dated 25 October 2022.