Processing of personal data
GAIS is an employee engagement platform that, based on individuals’ responses, provides reports to individuals, teams, and companies about their job satisfaction. Therefore, we will also need to process personal data.
GAIS will process your personal data as a data controller when you use the platform as an individual, interact with our marketing, or access our website. We process your personal data as a data processor for your company or organization when you participate in a team or company assessment.
We only collect and store personal data when it is relevant and necessary. We place high demands on both the security of our IT systems and our employees’ handling of personal data to ensure that data is always protected to the best extent possible.
In the following, you can read more about the various areas of our privacy policy. You can learn, among other things, when we collect information about you, what information we collect, how we use the information, how long we keep your information, and your rights to your data.
If there is anything specific you should be aware of when using specific services, we will inform you about it.
We are the data controller – how can you contact us?
In most cases we will process data about you for your employer – in such cases we will be the data processor, and therefore, you will need to exercise your rights in relation to your company and not in relation to us.
If your objections or questions regarding data processing relate to GAIS in general, our website, or an individual GAIS-survey, the data controller for the data processing is:
GAIS A/S
Klokhøjen 4
8200 Aarhus N
Cvr. no.: 10062519
If you have any other questions regarding the way we processes your personal data, please do not hesitate to contact our Head of Operations Henrik Steuer Carlsen via:
Mail: henrik@gais.dk
Telephone: +45 4140 6371
As GAIS is a part of the Krifa-Group you can also contact Krifa’s data protection officer (DPO) Hans Ullemose Pedersen in the following ways:
Mail: dpo@krifa.dk
Telephone: +45 2544 4009
By letter: Krifa, attn.: HUP, Klokhøjen 4, DK-8200 Aarhus N.
Why do we process your personal data?
We only process your personal information if we have a valid reason to do so. The valid reason underlying the processing depends on the situation but always arises from your or your organization’s interaction with gais.dk, the GAIS platform, our advertising, or other interactions with GAIS.
Fundamentally, there are four overarching scenarios:
- When you create a user on the GAIS platform in order to be able to save your surveys and secure access to them;
- When you accept cookies on gais.dk or give us your data in response to our advertisements, in order for us to provide you with personalised and tailored communication and marketing;
- When your employer creates a GAIS survey that includes you, to give you an insight into job satisfaction at the workplace;
- When you ask us to do it in order for us to be able to contact you.
Our processing of your personal data requires a legal basis (legal authority), which corresponds to the basis described above.
The following constitutes our legal authority for processing the specific data:
- Most often our authority will be based on the agreement concluded (with you or your company) when you use the platform (Article 6 (1) (b) of the GDPR).
- We will obtain your consent if the processing goes beyond the required functionality of the platform, for example if you use gais.dk to ask us to send you newsletters, use non-required cookies or contact you (Article 6 (1) (a) and Article 9, (2) (a) of the GDPR).
- We may be under an obligation to store some data as a result of current legislation (e.g. accounting information) (Article 6 (1) (c) of the GDPR).
- In certain instances, processing may be based on a concrete assessment of interests, e.g. our use of necessary functional cookies. (Article 6 (1) (f) of the GDPR).
Which personal data do we process?
We only process personal data which is relevant for the purpose and legal authority for processing. As a consequence, data processing will depend on the way in which you interact with us.
On gais.dk, it will typically be the IP address, but if you request us to contact you or subscribe to our newsletter, you will be asked to provide an email address and/or a telephone number.
On the GAIS-platform, we will always process your name and (work) email address. Depending on the survey you are a part of, we may process information such as:
- Name
- Age group (e.g., 30-39 years)
- Gender (Other, Female, and Male)
- Information about your affiliation with your employer
- IP address
- Information you voluntarily provide to us in comments
Basically, we do not process personal data unless you give us such information on your own initiative via the comments field on the platform.
As the platform measures job enthusiasm for you specifically and, among other things, includes your experience of balance in your working life and your relationship with your manager, we consider your answers to contain confidential personal data. Therefore, you, as the only one, have access to your personally identifiable responses on the platform, and they are not shared with others unless you initiate it yourself.
One exception is our temporary access to the responses in connection with support cases – this access is limited to specific employees at GAIS, its usage is logged, you will be informed about it, and the capability is only utilized when specific support cases necessitate it.
How do we collect your personal data?
We mainly receive the personal data we process from you or your employer – depending on the way in which you interact with us.
We receive data from you when you interact with the GAIS platform, our website or our advertisements.
We receive data from your employer when they create a GAIS survey of the company – your employer is responsible for such data, but we process it for your employer.
With whom do we share your personal data?
In general, we will never pass on your data if we are not entitled to do so based on a legal obligation, your consent or if passing on is legitimate as a consequence of balancing of interests.
In practice, the data will only be passed on to suppliers who perform data processing for us according to our instructions (data processors). As a consequence, your data will not be shared with anyone who can use your data unless you ask us to do so. Therefore, your data will not be shared with the rest of the Krifa Group unless you ask us to do so.
If we receive your information in connection with a GAIS-survey, your information will only be accessible to data processors where necessary to make results available to you and possibly your employer. This may include hosting the platform, data exchange between the database and interface, and similar tasks.
If we receive your information in connection with marketing activities, the information may be shared with our marketing providers to provide you with more relevant marketing or to prevent you from receiving marketing from us.
Are any recipients of your personal data based in third countries, incl. international organisations?
All our data processing takes place in Europe, including the processing of the most confidential information. Our data processor on the platform is located in Denmark but uses several sub-processors.
However, some of our data processors are owned by American corporations, which are therefore based in a third country. We have implemented several additional measures and restrictions to ensure that:
- As little data as possible is processed by these sub-processors,
- Data does not leave the European servers where it is located,
- Employees outside the EU do not have access to the data,
- Data is inaccessible to requests from U.S. authorities.
If data exchange does occur, it will be based on the EU’s standard contractual clauses (SCC) from June 2021 or better, which are implemented in all data processing agreements with sub-processors. Additionally, we conduct ongoing risk assessments of our (sub)processors to ensure that data exchange with processors in the USA only occurs where the risk is acceptable.
For how long will we keep your personal data?
We will keep your personal data for as long as it is necessary in order to safeguard your rights, our contractual obligations towards you or your employer and our obligations under current legislation.
Data, which can identify the data subject, will be deleted from the GAIS platform upon request from the company or the data subject himself/herself. Replies on the platform will subsequently be kept in a completely anonymous form, ensuring that the anonymised data can form part of the future underlying data.
Your right to withdraw or limit your consent
Right to see your data (access)
You have a right to gain access to the data we process about you. If you wish to make use of this right, you may contact us on info@gais.dk
If we process data for your employer, however, you will need to contact you employer instead to gain access.
Right to have data corrected (rectification)
Right to erasure
You have a right to have your personal data erased or made anonymous if it is no longer necessary for us to keep or process your data. In some cases, however, we cannot erase or make your personal data anonymous – for example if we are under an obligation to keep it due to legislation.
If we process data for your employer, however, you will need to ask them to erase the data.
GAIS is also under an obligation, independently and proactively, to erase data about you which we no longer have a reason to process.
Right to restriction of processing
In certain instances, you have the right to have the processing of your personal data restricted. If you have the right to have the processing restricted, we will only be entitled to store the data in future. If we are to process it in another way, this will either require your consent or that legal requirements can be established/exercised/defended, or in order to protect a person or important public interests.
If we process data for your employer, however, you will need to exercise this right in relation to your employer instead.
Right to object (objection)
In certain cases you have the right to object against our otherwise legal processing of your personal data. You may also object against the processing of your data for direct marketing.
If we process data for your employer, however, you will need to exercise this right in relation to your employer instead.
Right to pass on data (data portability)
In certain cases you have the right to receive your personal data in a structured, commonly used and machine-readable format and possibly have the right to have this data transmitted from one data controller to another without hindrance.
If we process data for your employer, however, you will need to exercise this right in relation to your employer instead.
You can read more about your rights in the Danish Data Protection Agency’s guidelines about the rights of data subjects. This information can be found here www.datatilsynet.dk
To whom can you complain?
Use of data
The GAIS Platform has been designed to focus on securing data that can be attributed to persons as well as possible. GAIS may use respondents’ anonymised data for all purposes as GAIS sees fit while GAIS will always comply with the General Data Protection Regulation and the protection of the respondents as defined here. Examples of use include, but are not limited to:
- Academic research
- Analysis of anonymised data
- Publication of articles and reports based on data
- Benchmarks
This use of anonymised data cannot identify persons, but is based on the user’s anonymised test results.