Privacy Policy

This privacy policy informs you about the information we collect from you when you use our website. In the process of collecting this information, Wind Estate A/S acts as the Data Controller, and by law, we are required to provide you with information about us, why and how we use your data, and the rights you have concerning your data.

This privacy policy informs you about the information we collect from you when you use our website. In the process of collecting this information, Wind Estate A/S acts as the Data Controller, and by law, we are required to provide you with information about us, why and how we use your data, and the rights you have concerning your data.

Who are we?

Wind Estate A/S
Læsøvej 1, 8940 Randers SV
CVR: 26271886
Kontakt information: compliance@windestate.com

1 Introduction

In day-to-day operations, Wind Estate A/S makes use of a variety of information about identifiable individuals, including data about:

 

  • Former and current employees, wind turbine co-owners, authorities, interest organisations / associations, landowners, stakeholders in co-ownership of projects, suppliers and partners, including but not limited to lawyers and surveyors and potential customers / leads

Wind Estate stores and uses data such as:

  • Name, address,telephone number, e-mail address, business registration number, date of birth and personal identification number, cadastral number, ownership code, bank details and minutes of meetings

Through the collection and use of this data (called processing), Wind Estate A/S is subject to a number of different laws governing how such activities can be carried out and the security measures that must be in place.

2 Privacy Policy

2.1 Purpose

The purpose of this policy is to set out the relevant legislation and to describe the decisions Wind Estate A/S has taken to ensure compliance.

It is thus Wind Estate A/S’s policy to ensure compliance with the GDPR (General Data Protection Regulation) and other relevant legislation and that this can be documented at all times.

2.2 Basic definitions in GDPR

The most basic definitions for the purposes of this policy are as follows:

Personal data is defined asany information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental and psychological, economic, cultural or social identity of that natural person

Processing is defined as: any operation or set of operations which is performed on personal data or on a set of personal data, whether or not by automatic means, such as collection, recording, organisation, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure and publication by transmission, dissemination or otherwise making available, alignment or combination, restriction, adaptation, erasure or destruction of data

Controller is defined as:a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be determined by Union or Member State law

2.3 Principles for the processing of personal data

There are a number of fundamental principles on which the GDPR is based.

These are as follows:

 1.personal data must be: 

a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)

 b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with The Danish GDPR Article 89(1) shall not be considered incompatible with the original purposes (‘purpose limitation’)

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)

d) concise, accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate with regards to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods if the personal data are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with The Danish GDPR Article 89(1), provided that appropriate technical and organisational measures are implemented as required by this Regulation to safeguard the rights and freedoms of data subjects (‘storage limitation’)

f) processed in a manner that ensures appropriate security of the personal data concerned, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2.The Controller is responsible for complying with, and must be able to demonstrate compliance with, point 1 (‘accountability’).

 Wind Estate A/S will ensure that it complies with all these principles both in the processing currently carried out and as part of the introduction of new methods of processing, such as new IT systems.

 

2.4 Rights of the individual

The data subject also has rights under the GDPR. These consist of:

 Right to be informed

– Right of access to documents

– Right to rectification

– Right to erasure

– Right to restriction of processing

– Right to data portability / have data transferred to another provider

– Right to object to processing

– Rights in relation to automated decision-making and profiling

Each of these rights is supported by appropriate procedures at Wind Estate A/S that set out necessary measures and deadlines to be complied with under the GDPR. These timeframes are shown here;

Request/Timeframe, time limits for the requester

Right to be informed: When data is collected (if provided by the data subject) or within one month (if not provided by the data subject)

Right of access: One month

Right to rectification: One month

Right to erasure: Without undue delay

Right to restrict processing: Without undue delay

Right to data portability (not applicable): One month

Right to object to processing: Upon receipt of objection

Rights in relation to automated decision-making and profiling: Not applicable

2.5 Lawful processing / Legal basis

Under the GDPR, there are six alternative ways to obtain a legal basis for data processing. It is Wind Estate A/S’ policy to identify the legal basis for each data processing operation and to document it. The options are described in brief in the following sections.

2.5.1 Consent

Unless a legal basis can be found otherwise, Wind Estate A/S will always seek to obtain explicit consent from data subjects to collect and process their data.

The consent is based on transparent information about our use of personal data. In addition, we provide information about the data subjects’ rights, such as the right to withdraw consent. This information will be provided in an accessible format, written in plain language, at the time consent is obtained.

If personal data is not obtained directly from the data subject and the processing is to be based on consent, the information must be provided to the data subject within a reasonable period after receipt of the data, preferably within one month.

2.5.2 Performance of an agreement/contract

If processing is necessary for the fulfilment of a contract to which the data subject is party or if processing is necessary for the implementation of measures taken at the request of the data subject prior to entering into a contract, explicit consent is not required.

This option will often be used as a legal basis when the contract/agreement cannot be performed without the personal data in question – for example, it is clear that a delivery cannot be performed without an address to deliver to.

Wind Estate A/S utilises this legal basis extensively, as projects last up to 40 years, corresponding to the lifetime of wind turbines. Therefore, it is necessary to store both e-mail communication and project documents in order to document what has been agreed with whom. These contain few common personal data, which is also often available on the internet. No sensitive personal data is processed.

Likewise, employee data is processed on the basis of contract fulfilment.

2.5.3 Legal obligation

If personal data is collected and processed to comply with the law, explicit consent is not required. This may be the case where data relates to employment and taxation, and for many areas within the public sector.

Wind Estate A/S is legally obliged to keep shareholder registers and owner books, as well as to report certain information about employees to the authorities.

2.5.4 Vital interests of the data subject

In cases where processing of personal data is required to protect the vital interests of the data subject or other natural person, explicit consent is not required. Vital interests means first and foremost the interests of life and health. Wind Estate A/S provides reasonable and documented evidence that this is the case when this is used as a legal basis for processing. As an example, this can be used in connection with social care, especially in the public sector.

Wind Estate A/S has no vital interest data processing as a legal basis.

2.5.5 Task in the public interest

If Wind Estate A/S needs to perform a task that it believes is in the public interest or as part of an official duty, consent is not required. Wind Estate A/S will provide reasonable and documented evidence that this is the case.

Wind Estate A/S has no data processing with public interest as a legal basis.

2.5.6 Legitimate interests / Balancing of interests

If the processing of personal data is considered to be in the legitimate interest of Wind Estate A/S and if the processing is not deemed to significantly affect the rights and freedoms of the data subject, explicit consent is not required.

Wind Estate A/S has a legitimate interest in storing email communication and project documents indefinitely. Wind Estate A/S has prepared reasonable and documented evidence that this is the case.

Furthermore, Wind Estate A/S has a legitimate interest in processing various types of information about employees, as well as in processing data collected in connection with reasonable security measures in the company.

2.6 Data security by design

Wind Estate A/S has adopted the principle of data security and privacy by design in all new and significantly changed systems or processes.

2.7 Contracts regarding processing of personal data

Wind Estate A/S will ensure that all relationships involving the processing of personal data are subject to a documented contract containing the specific information and terms required by GDPR.

2.8 International transfers of personal data

Transfers of personal data outside the EU will be carefully scrutinized prior to the transfer taking place to ensure that they fall within the boundaries of the GDPR. This depends in part on the European Commission’s assessment of the adequacy of safeguards for personal data in the receiving country, which may change over time.

2.9 Data Protection Officer

Wind Estate A/S is not required to appoint a data protection officer. The data protection responsibility lies with our IMS Manager.

2.10 Security breach

A security breach is an incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data.

It is the policy of Wind Estate A/S to strike a fair and appropriate balance when considering measures to inform affected parties about personal data breaches. The balance should include whether there is a risk of physical, material or moral harm to the data subjects, the amount of data, and the level of risk.

If a breach is discovered to have occurred that is likely to result in a risk to data subjects, the Data Protection Authority (or other relevant supervisory authority) must be notified within 72 hours.

This will be handled in accordance with the Data Breach Response Procedure, which sets out the overall process for handling data security incidents.

2.11 Measures for GDPR compliance

The following measures are in place to ensure that Wind Estate A/S at all times complies with the principle of accountability under the GDPR:

  • The legal basis for processing personal data is clear and unambiguous and documented in the form ‘Registration of processing activities’.
  • Consent rules are followed
  • Guidance is available to data subjects wishing to exercise their rights regarding requests for access to personal data and such requests are processed effectively
  • Reassessment of procedures involving personal data is carried out regularly (annually)
  • Data protection by design is adopted for all new or modified systems and processes
  • Documentation of processing activities and data flows is completed with regards to
    • Purpose of data processing
    • Data erasure and retention plan is adopted
    • Relevant technical and organisational controls are in place

Your Right to Complain

“If you wish to file a complaint regarding our use of your data, we prefer that you contact us directly in the first instance so that we can address your concerns. However, you may also reach out to the national Data Protection Authority.

Updates to this Privacy Policy

We regularly review this privacy policy and update it periodically as our services and the use of personal data evolve. If we wish to use your personal data in a way that we have not previously done, we will contact you to provide information about this and, if necessary, request your consent.

We update the version number and date of this document each time it is amended.

Version

Version: 2.0
Date: April. 2024
Author: LF/AJ