Privacy Policy

DG Organic Basics ApS
Date: 28 October 2022

1 Privacy Policy

1.1 We process all personal data securely and confidentially. Organic Basics has internal procedures for e.g. deletion, data minimization, storage, collection, updating and disclosure of personal data to ensure the integrity, confidentiality and security of the personal data.

1.2 Organic Basics’ processing of your personal data only takes place for explicitly stated and legitimate purposes. We do not process your personal data in a way that is incompatible with these purposes.

1.3 We carry out and update risk assessments in relation to Organic Basics’ processing of personal data, including personal data about employees. Organic Basics’ initiatives in data protection and compliance with the General Data Protection Regulation (GDPR) are based on these risk assessments. Where necessary, we also carry out impact assessments (DPIA) on individual processing activities.

1.4 We have therefore adopted this personal data policy (hereinafter "Personal data policy"), which tells you how we process your personal data when you use our website.

1.5 The Personal data policy has been drawn up with reference to the rules in the data protection regulation (Regulation on the protection of natural persons in connection with the processing of personal data and on the free exchange of such information and on the repeal of Directive 95/46/EC (general regulation on data protection) (EU) 2016/679 (also known as “GDPR”)) and the Danish Data Protection Act (Act No. 502 of 23/05/2018 with any subsequent amendments) (“Data Protection Act”).

1.6 You will receive this Personal data policy via email when you are employed by Organic Basics. The Personal data policy can also be found on Organic Basics’ website www.organicbasics.com.

2 Who are we (we are the data controller)

2.1 We are the company responsible for the processing of your personal data in accordance with this policy which means that we are the data controller.

2.2 Our contact information:
DG Organic Basics ApS,
Sankt Peders Stræde 45B, st., 1453 DK-Copenhagen K, Denmark.
Company registration number: 43 42 06 23
Email: hello@organicbasics.com
Telephone: +45 78 73 72 70

2.3 To make the policy more user-friendly we use “we”, “us”, “our” etc. to describe our company. When we talk about our “website” we mean www.organicbasics.com. When we refer to “you” we mean you as a user of our website or customer of our online services or products.

3 When does the policy apply?

3.1 The policy is related to the information we collect and process about you when you visit and sign up to our services/purchase goods via our website or when you are in contact with us.

4 The categories of data we process are:
As mentioned above, we are a company that provides underwear, activewear and everyday essentials (garments). We process your data to deliver these services and products to you. This includes:

4.1 Registering and identifying you as a customer/user,

4.1.1 Purpose
• Creating your account,
• Logging and saving the actions you take when you use our website,
• Delivering the services and/or products as mentioned above,
• Handling payment transactions,
• Shipping details
• Responding to your questions and providing you with customer service and support, including sending service-related messages to you, and
• Providing you with other services that can be ordered through the website.

4.1.2 Ordinary personal data:
• Your contact details, e.g., name, title, email, telephone number,
• Your purchase history, interest areas and use of our services,
• User requests, e.g., sign-up and use of our product,
• Login details and verification,
• Customer support, account and product setup, user interviews, UX research, customer feedback etc.,
• Payment information, incl. billing address, credit or debit card details, and payment and purchase history. We do not store the card details, but use our business partners to complete payments. The payment information is stored and therefore processed by an independent data controller,
• Information required to comply with requirements of public or governmental authorities.
• Information you provide when creating a user account
• IP address

4.1.3 Sensitive personal data:
• We do not process sensitive personal data.

4.2 Marketing:
We process your data for marketing-related purposes, including:
• sending you newsletters and email marketing (if you have consented),
• providing you with offers, sending you guides,
• tailoring our communication with you to accommodate your areas of interests and focus,
• sending you relevant promotions,
• If you sign up for an event etc., we will process your data in that regard.

4.2.1 Ordinary personal data:
• Your contact details, e.g., name, title, email, telephone number,
• Purchase history, interest areas and use of our services,
• User requests, e.g., sign-up and use of our product,
• What newsletters you signed up for, when you asked to receive email marketing and guides,
• Events or other arrangements you signed up for, when, about what and if you provide feedback,
• Information about your use of the website
• Interests, including which products and services you have shown interest in

4.2.2 Sensitive personal data:
• We do not process sensitive personal data.

4.3 Suppliers:

4.3.1 This section describes Organic Basics’ policy for processing personal data collected from contact persons for Organic Basics’ B2B customers, suppliers and other business partners who work with Organic Basics.

4.3.2 We process personal data for the following purposes:
• When your company or the company you are employed by enters into an agreement with Organic Basics, including the purchase of products or services offered by Organic Basics
• When you have shown interest in Organic Basics' products or services, e.g., by giving Organic Basics your business card
• When you agree to receive Organic Basics’ newsletter
• When you collaborate or communicate with Organic Basics

4.3.3 Ordinary personal data:
• Names, email addresses, telephone numbers and similar identifying information
• Individual information, e.g., preferred language
• Organizational information such as company name, business address, position, business area, primary place of work and country
• Contractual information such as purchase orders, invoices, contracts, and similar agreements between your company (or employer) and Organic Basics, which may include your contact information
• Financial information such as payment terms, bank account details and creditworthiness
• Such information may be provided directly by you (primarily through emails and other correspondence) or by third parties such as your employer.

4.3.4 Sensitive personal data:
• We do not process sensitive personal data.

4.3.5 We collect your data directly from you and we will keep such data for as long as the relevant activity is ongoing and for the period after that as outlined in our data retention policy.

4.4 Business and product development:
We process your data for the purpose of data analysis, audits, developing new products and services, identifying usage trends, determining the effectiveness of our campaigns, and operating and expanding our business activities.

4.4.1 Ordinary personal data:
• Your contact details, incl. your name, email, address, and country,
• How you are using our products and services,
• Purchase history, interest areas and use of our digital services,
• Customer support, account and product setup, user interviews, UX research, customer feedback etc.

4.4.2 Sensitive personal data:
• We do not process sensitive personal data.

4.4.3 We collect your data directly from you and we will keep such data for as long as the relevant activity is ongoing and for the period after that as outlined in our data retention policy.

4.5 Statistics:
We process your data to compile statistics and analytics for the use of our website and to monitor and analyse usage and trends. The data we process about you in that regard is:

4.5.1 Ordinary personal data:
• When you visit our website, our servers may automatically log the standard data provided by your web browser. It includes your computer’s Internet Protocol (IP) address, your browser type and version, your user agent, the pages you visit, the time and date of your visit, the time spent on each page, and other details.
• Cookie information: We use cookies and similar technologies to collect additional website usage data and to operate our services.
• We receive information when you interact with our website, e.g., when you visit our website, log into your account and receive emails from us. This includes information such as your IP address, browser type, browser language, operating system, the referring web page, pages visited, location, device information etc.

4.5.2 Sensitive personal data:
• We do not process sensitive data in this regard.

4.5.3 Please read our cookie policy for more information about the data processors we use, the duration of the different cookies and the purposes of the processing of your data related to statistics. You can find our cookie policy here.

4.6 Improve, optimize, or modify the experience on our website and online services:
We process your data collected by your use of our website and online services and products to improve the user experience on our website and the services we offer. We use the data to operate our website, enhance the security of our website and services and its reliability and performance. We will also use the data to improve the content we show you, incl. determining what content is most helpful and how we can make the experience when visiting our website better.
You can read about the cookies we use on our website here.

4.6.1 Ordinary personal data:
• When you visit our website, our servers may automatically log the standard data provided by your web browser. It includes your computer’s Internet Protocol (IP) address, your browser type and version, your user agent, the pages you visit, the time and date of your visit, the time spent on each page, and other details.
• Cookie information: We use cookies and similar technologies to collect additional website usage data and to operate our services.
• We receive information when you interact with our services, e.g. when you visit our websites, when you sign into your account, or when you interact with email subscriptions. This includes information such as your IP address, browser type, browser language, operating system, the referring web page, pages visited, location, device information etc.

4.6.2 Sensitive data:
• We do not process sensitive data.

4.6.3 We keep this data for as long as described in our cookie policy.

4.6.4 We collect your data from you and your use of cookies, our website and products.

4.7 Legal basis
We process your personal data according to the following authority:
• Processing is necessary for the fulfilment of a contract to which you are a party, or for the implementation of measures taken at your request prior to entering into a contract, cf. GDPR, Article 6 (1) (b).
• Processing is necessary so that legal claims can be established, enforced, or defended, cf. GDPR, Article 9 (2) (f).
• Processing is necessary to comply with a legal obligation incumbent on Organic Basics, cf. GDPR, Article 6 (1) (c) and GDPR, Article 9 (2), (b), cf. Section 7 of the Data Protection Act.
• Processing is necessary for us or a third party to pursue a legitimate interest, unless your interests or fundamental rights and freedoms precede this, cf. GDPR, Article 6 (1) (f).
In these situations, the legitimate interests will often be Organic Basics’ interest in being able to take care of general administration of the (employment) relationship and document the history of the (employment) relationship.
• You have given your consent to the processing of your personal data for one or more specific purposes, cf. GDPR, Article 6, (1), (a), Article 9, (2), (a), Section 8, subsection 3 of the Data Protection Act and § 11, subsection 2, No. 2 of the Data Protection Act.

4.8 If you would like more information about our legal basis for processing your data, please feel free to contact us.

4.9 Please note that special circumstances or legal requirements may mean that such periods may be shorter or longer, depending on the purpose of complying with legal requirements for the erasure or keeping of information.

5 General data processing principles

5.1 We want to protect your personal data, and we process it in a reasonable, transparent, and secure manner.

5.2 We observe the following principles in connection with the processing of personal data:
• Lawfulness: We always process your personal data lawfully, fairly and in a transparent manner in relation to you as a data subject.
• Data minimisation: We limit the processing of your personal data to what is necessary and relevant in relation to the purposes for which it is processed.
• Limitation of purpose: We collect your personal data only for specific, explicit, and legitimate purposes, and we do not further process it in a manner that is incompatible with these purposes.
• Accuracy: We make sure that your personal data is accurate and – if necessary – updated.
• Integrity and confidentiality: We use technical and organizational measures to ensure appropriate data protection, taking into account, among other things, the nature of the personal data concerned. Such measures protect against unauthorised disclosure and access, accidental or unlawful destruction, accidental loss, or alteration and against other forms of unlawful processing.
• Access and rectification: We respect your rights in connection with the processing of your personal data.
• Storage limitation: We store your personal data in accordance with applicable law and regulations and no longer than is necessary for the purposes for which the personal data is processed.
• Protection of international transfers: We ensure adequate protection of your personal data in connection with transfers outside the EEA.
• Protection in relation to third parties: We ensure that third parties are only allowed access to (and are only allowed to transfer) personal data in accordance with applicable data protection law and with adequate contractual protection.

6 Lawful use of direct marketing and cookies:

6.1 We only send advertising material to you or place cookies on your computer in accordance with applicable data protection law and other relevant legislation.

7 Risk analysis

7.1 During our case process, we must carry out the technical and organisational measures to ensure a level of security that fits the risks specifically associated with our processing of personal data.

7.2 We have carried out a risk analysis which underlies this Privacy Policy.

8 Data protection impact assessments (DPIA)

8.1 The GDPR Article 35 requires that if processing, particularly by using new technologies and considering the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

8.2 The obligation to carry out an impact assessment applies only in exceptional cases where there is a high risk involved regarding the rights and freedoms of individuals.

8.3 It is our assessment that we will rarely carry out processing that meets one of the above criteria. It must therefore be assumed that the rules on impact assessment will have a relatively limited scope in relation to our processing of your personal data.

8.4 If an impact assessment is carried out anyway, the results of the assessment will be considered when taking appropriate measures.

9 Data Protection Officer (DPO)

9.1 It is our assessment that Organic Basics does not process personal data to the above extent. We have therefore chosen not to appoint a data protection officer.

10 Data Controller

10.1 Regarding personal data about you, we will work independently, including independently assessing whether there are grounds for collecting/processing personal data, what personal data is relevant and necessary, and how long personal data should be stored. In this situation, Organic Basics will therefore act as a data controller.

11 Data processors

11.1 In some cases, we use external companies to carry out the technical operation of Organic Basics’ IT systems etc. In some cases, these companies act as data processor for Organic Basics.

11.2 The data processor acts solely on our instructions and the data processor has taken the necessary technical and organizational security measures against the accidental or unlawful destruction, loss, or deterioration of personal data and against disclosure to unauthorized persons, misrepresentation or other processing in breach of the GDPR.

11.3 In certain cases, our data processors use other data processors to process personal data for which Organic Basics is the data controller. Other data processors may be established inside and outside the EU/EEA.

12 Data Processing Agreements

12.1 If we are data controllers and have considered that a data-trading structure is available with one of our suppliers, a data processing agreement must be drawn up.

12.2 The data processing agreement shall be entered into between us (the controller) and the other party (the data processor) and shall comply with the applicable requirements for data processing agreements as referred to in Article 28 (3) of the GDPR. This implies drawing up a contract or other legal document binding on the data processor. It is also a requirement that the data processing agreement be in writing, including electronically.

12.3 In addition, the GDPR sets several specific requirements for the content of the data processing agreement. The agreement must include information on the status and duration of the processing, the nature and objectives of the processing, the type of personal data, categorization of data subjects and our obligations and rights as controller, as well as the duties of the data processor in relation to performing the task. The requirements are specifically described in GDPR Article 28 (3), (a)-(h).

13 Transfer of personal data to third countries

13.1 Organic Basics’ processing of personal data will predominantly take place within the EU.

13.2 If your personal data is transferred to countries outside the European Economic Area (“EEA”), we make sure that the required guarantees are provided, including:
• That the transfer is within the scope of a decision on required guarantees made by the EU Commission in accordance with GDPR, Article 45.
• That standard contract regulations for data protection, as approved by the EU Commission or a data protection authority in accordance with GDPR, Article 46, subsection 2 (c) or (d), are met
• That the requirements for binding corporate rules as approved by a data protection authority in accordance with GDPR, Article 46, subsection 2 (b), are met.

13.3 Please see the following link: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en for further information on how the transfer of personal data outside the EEA is regulated.

13.4 For further information on how we have provided the necessary guarantees, you may contact us through the Point of Contact for Data Protection (see Section 3 “Where to address questions and enquiries”).

14 Other disclosure of personal data

14.1 Personal data may also be disclosed to:
• Insurance companies
• Bank payment services
• Banks
• Credit institutions
• Accountants
• External law firms
• Influencers/ambassadors
• Other suppliers

15 Profiling

15.1 We do not use your personal data for profiling.

16 Security measures

16.1 We have taken the necessary technical and organizational security measures to protect your personal data from accidental or unlawful destruction, loss or change as well as from unauthorized public disclosure, misuse or other conduct in violation of applicable law.

16.2 Access to personal data is limited to persons who have a need for access. Employees who process personal data are instructed and trained to know what to do with the personal data and how to protect it.

16.3 When documents (papers, filing data, etc.) containing personal data are thrown out, shredding or other measures are used to prevent unauthorized persons from accessing the personal data.

16.4 Passwords are used to access PCs and other electronic devices containing personal data. Only the persons who need access will have a code and then only for the systems that he or she needs to use. Persons with access codes must not leave the code to others or leave it for others to see. Check-ups on assigned codes will be carried out at least once every six months.

16.5 If personal data is stored on a USB-stick, the personal data must be protected, for example by a password and encryption. Otherwise, the USB-stick must be stored in a locked drawer or cabinet. The same applies when storing personal data on other portable data media.

16.6 PCs connected to the Internet have an updated firewall and virus control installed.

16.7 If sensitive personal data or Social Security number is sent by email over the Internet, such emails must be encrypted. If you send personal data to us by email, please be aware that this is not secure if your emails are not encrypted. We advise you to not send us confidential or sensitive personal data by email unless this is specifically agreed in advance so that we can ensure the necessary level of security.

16.8 In connection with the repair and service of data equipment containing personal data and when data media is to be sold or discarded, we take the necessary measures to ensure that the personal data cannot come to the attention of unauthorised persons, for example by using declarations of confidence.

16.9 When using an external data processor to process personal data, a written agreement is signed between us and the data processor. This applies, for example, when an external document is used or if cloud systems are used in the processing of personal data – including communication with you. Similarly, a written agreement is always made between us and you if we act as data processors. The data processing agreements are also available electronically.

17 Backup

17.1 Organic Basics takes backups of all databases and files on shared drives. Backups are stored on an external server.

17.2 All backup data and files are overwritten (deleted) in intervals of 30 days.

18 Retention periods and deletion

18.1 Deletion – When

18.1.1 Personal data collected in connection with your purchases is generally stored for 3 years from the last purchase.

18.1.2 Personal data included in accounting material is stored for 5 years from the end of the financial year, after which the information is deleted.

18.1.3 Documentation of your marketing authorization is kept for 2 years from the time you have withdrawn your consent to receive direct marketing material.

18.1.4 However, we may store the personal data for a longer period if required by law, or if it is necessary for a legal claim to be settled, asserted, or defended. The information can also be processed and stored longer in anonymized form.

18.2 Deletion – How

18.2.1 Deletion of personal data means that personal data is irrevocably removed from all storage media on which it has been stored and that personal data cannot be restored in any way.

18.2.2 Alternatively, personal data can be completely anonymized with the effect that it can no longer be assigned to a person. In that case, the regulation of personal data does not apply at all and complete anonymization is therefore an alternative to deletion. However, it is important to bear in mind that anonymization – as an alternative to deletion – presupposes the deletion of all traces that may lead to the person to which the information relates. It is usually a very difficult practice.

18.2.3 After deletion/anonymization, we will carry out appropriate cross-checks in the form of searches by name, email address, and the specific case, etc., to ensure that nothing appears.

19 Cookies

19.1 Cookies: A cookie is a small text file that is stored on a user's computer for recordkeeping purposes. We use cookies on this site. Cookies are typically categorised as "session" cookies or "persistent" cookies. Session cookies help you navigate through the website efficiently, keeping track of your progression from page to page so that you are not asked for information you have already provided during the current visit. Session cookies are stored in temporary memory and erased when the web browser is closed. Persistent cookies, on the other hand, store user preferences for current and successive visits. They are written on your device's hard disk and are still valid when you restart your browser. We use session ID cookies; these cookies are temporary and expire once you close your browser (or once your session ends). We use preferences cookies when you are a registered user and log in; these cookies allow a website to remember choices you have made in the past, like what language or currency you prefer, or your username and password so you can automatically log in. If you reject cookies, you may still use our site, but your ability to use some areas of our site, such as contests or surveys, will be limited. Some of our business partners may use cookies on their sites. We have no access to or control over these cookies. This Privacy Policy covers the use of cookies by Organic Basics only; it does not cover the use of cookies by any advertisers. You can change your choice by amending your browser settings at any time. If you disable cookies that we use, this may impact your user experience.

20 Links to Other Sites

20.1 Our website may contain links to other sites that are not owned or controlled by Organic Basics. Please be aware that Organic Basics is not responsible for the privacy practices of such sites. We encourage you to be aware when you leave our site and to read the privacy statements of each website that collects personal data. This Privacy Policy applies only to personal data collected by this website.

21 Changes to this Privacy Policy

21.1 Organic Basics may change this Privacy Policy at any time and without notice and with future effect. In the event of such changes, our users are informed on www.organicbasics.com. Our new Privacy Policy will apply hereafter when using Organic Basics’ website and with respect to Organic Basics’ services in general.

22 Contact information

22.1 If you have any questions about this Privacy Policy, our processing of personal data, rectification, or your relationship with us in any other way, you may contact us at the following email address: hello@organicbasics.com and via our website www.organicbasics.com.

23 Your rights

23.1 To allow you to make informed choices about how you want us to use your personal data, we would like to ensure the greatest possible transparency.
• Your personal data: You may contact us at any time through the Point of Contact for Data Protection to ascertain what personal data we have about you and where we obtained it. In some cases, you are entitled to receive the personal data we have collected about you, in a commonly used, structured and machine-readable format and disclose your personal data to a third party of your own choice.

• Right to correction of errors: If you notice that your personal data is erroneous or incomplete, you may request that we correct it.

• Right to limitation of processing: You have the right to request that the processing of your personal data be limited while the correctness of your personal data is being checked.

• Right to objection: You also have the right to object to your personal data being used for direct marketing purposes (or, if you prefer, you may inform us how often you want to hear from us) or being disclosed to third parties for the same purpose.

• Consent: You may withdraw your consent to the processing of personal data at any time by contacting the mentioned Point of Contact for Data Protection.

• Deletion: You may ask us to delete your personal data (except in certain cases, e.g. for documentation of a transaction or to comply with legal requirements).

• Complaint: You can complain to the Danish Data Protection Agency (in Danish: “Datatilsynet”) regarding Organic Basics’ processing of your personal data:

Datatilsynet
Carl Jacobsens Vej 35
DK-2500 Valby
Tel: 33193200
E-mail: dt@datatilsynet.dk
www.datatilsynet.dk