Introduction and Purpose

Heads is committed to protecting and respecting your personal data. This privacy policy describes how Heads processes information relating to individuals and describes the rights and choices of the data subjects regarding your personal data ("privacy policy"). Please note that this privacy policy may be updated. Please visit this privacy policy occasionally to learn about new privacy practices or changes to this privacy policy.

This privacy policy has been adopted to comply with European privacy legislation, primarily the General Data Protection Regulation (EU) 2016/679 ("GDPR"). 

All terms with a capital letter designation in this privacy policy, which are not defined here, have the same meaning as in the GDPR. 

Heads goal is to ensure compliance with applicable data protection laws in all jurisdictions where the company operates.

Scope

This privacy policy describes the measures that Heads takes to protect personal data and to provide information about the processing of personal data that Heads carries out as a data controller. The privacy policy does not provide information about the data processing that Heads carries out in the role of processor or service provider on behalf of our customers, including various cloud products and services.

This privacy policy applies to all applicable business processes within Heads and all subsidiaries and affiliated companies that Heads exercises control over ("Heads).

Processing of Personal Data

It is necessary for Heads to process personal data in order to provide services to customers and to conduct its business. Heads primarily processes personal data about job seekers, customer contacts, and individuals representing potential customers. When you use and interact with Heads websites or services, communicate with or otherwise contact Heads, or visit our offices or participate in our events, Heads may therefore collect, use, share, and process information about you.

When Heads processes personal data, Heads ensures that there is a legitimate legal basis for the processing as well as a legitimate purpose. Furthermore, Heads ensures that all processing of personal data is necessary. In addition, Heads will not process personal data for longer than necessary. The following sections provide information on the processing of personal data that Heads performs.

Personal Data Collected

Heads collects and processes the following categories of personal data:

• Basic contact information such as name, phone number, address, and email address;

• Information about age, personal identification numbers;

• Details about employment, title, and position;

• Questions and comments relating to our products;

• Pictures taken of you at our offices;

• Various types of user information, such as username and password.

• Email and other information about email that has been sent to and from Heads.

Customer Contracts

To manage customer relationships and fulfill commitments under customer contracts, it is necessary for Heads to process personal data relating to customers' contact persons or users of our services. Heads processes these categories of personal data in order to;

• Manage the sales process and contract process with customers;

• Quote products and services at the customers' request;

• Fulfill contractual obligations;

• Provide support services to users of Heads services;

• Improve functionality and make Heads products and services more useful;

• Maintenance of Heads products;

• Ensure that Heads products are used in accordance with instructions.

• To manage customer contracts such as invoicing, orders, and administration.

Job Applications

Heads processes personal data about applicants for a position in order to decide whether to hire or not. The personal data is processed based on consent (if consent is necessary) or because Heads has a legitimate interest in processing the applicant's personal data and this interest does not infringe on the applicant's right to privacy.

Visitors

Personal data about visitors is processed by Heads to identify visitors. The processing of personal data is based on the legitimate interest of protecting confidential business secrets and security measures concerning employees, premises, and all visitors.

Potential Customers

Heads processes personal data about potential customers for marketing purposes. This can occur either through the collection of personal data at events or during customer meetings. Based on the activity, Heads may send out marketing offers.

Cookies

If a potential customer visits Heads website, an automation tool may be used to track the potential customer's activity on the website. Based on the activity, Heads may send out marketing offers. Heads will not process these categories of personal data within the automation tool unless consent has been given. Please note that the data subject can revoke consent at any time. Learn more about how Heads uses cookies on Heads website.

Sensitive Data

Sensitive personal data includes all information that reveals your race or ethnicity, political opinions, religious or philosophical beliefs, union membership, and personal data about your health or your private life. Heads generally does not process sensitive data about you. If you provide us with sensitive personal data, we will only process such data if we get your consent to this or if such processing is required by law. Heads limits the use of personal identification numbers and only processes personal identification numbers when necessary to ensure your identification.

Collection of Personal Data

Usually, Heads collects personal data directly from the data subject or from other people connected to their customers, for example, from a manager or a colleague. Sometimes, Heads collects personal data from other sources, e.g., from Heads partners handling marketing issues, recruitment, public registers, or from other types of social networks.

Sharing of Personal Data

Heads may share personal data with third parties in the following situations:

• Authorities: The Tax Agency and other authorities may require Heads to disclose personal data. In such cases, Heads will only disclose personal data if there is an official decision; and

• Mergers and Acquisitions: In connection with mergers, acquisitions, or divisions, the acquiring business and consultants appointed in the acquiring business may need access to the personal data that Heads processes. Heads ensures that confidentiality agreements about the processed personal data are concluded and that consent is obtained when necessary in these situations.

Storage and Protection of Personal Data

Considering the type of Personal Data collected and the risk that may arise in the event of a violation, there are reasonable and appropriate organizational, technical, and physical measures to protect the personal data collected and processed. Regarding the personal data of the data subject, Heads ensures the following:

General Protection

Regarding the protection of personal data, Heads ensures the following:

• preventing unauthorized access;

• preventing dissemination of personal data;

• that personal data is treated confidentially, and

• that personal data is available in accordance with applicable data protection legislation.

Organizational Measures

Regarding organizational measures, Heads ensures that it has:

• appointed an internal working group to continuously develop and evaluate the company's work with processing personal data;

• appointed a data protection officer;

• appointed people within each part of the organization who are responsible for issues and problems concerning personal data;

• established procedures for incident management so that the organization can act quickly and effectively in the event of a personal data incident or violation;

• conducted training on personal data management for employees, and

• concluded agreements on the processing of personal data with all customers and suppliers as needed.

Technical Measures

Regarding technical measures, Heads assures that the following measures have been implemented:

• Classification of personal data to introduce security measures that correspond to the risk assessment;

• Evaluation of the use of encryption and pseudonymization to reduce the risk of processing personal data;

• Limiting access to personal data only to those individuals who need access to fulfill legal obligations or obligations arising from contracts;

• Effective use of systems to detect, recover, prevent, and report privacy incidents.

• Effective use of tools to assess whether the technical and organizational measures taken are sufficient to protect personal data.

Physical Measures

To gain access to Heads premises, an access card is required.

Duration of Processing

Heads will only process personal data for as long as needed for the purpose for which the data was collected.

Use of Subprocessors and Transfer to Third Countries

Heads aims to keep personal data within the European Economic Area (EEA) but may engage suppliers outside the EEA, e.g. other companies within the Heads Group or companies that assist us with technical support and maintenance of our IT services. All such personal data will always be kept to a minimum that is relevant to the purpose. Regardless of where your personal data is transferred, Heads always takes necessary measures to ensure that the security level and the processing are in line with GDPR, for example by using the European Commission's standard contractual clauses.

Rights of the Data Subject

In regards to their own personal data, all data subjects have the right to:

• request information about our processing of their personal data, if any. Note that Heads may ask for certain details about a registered person to ensure that information is provided to the correct person and managed securely.

• Correction of personal data that Heads processes if these are in any way incorrect;

• request that we delete personal data that we have about a registered person. For example, if the information is no longer necessary to fulfill the purpose for which it was collected. Note that Heads, when legally necessary, may reject a request from a registered person, for example if the data is needed for tax or accounting purposes or is necessary to defend legal claims;

• request restrictions on the processing of your personal data. Note that Heads in such cases may need to further investigate the situation before a decision is made, and

• have the registered person's data transferred to another data controller. This, however, requires that the transfer is technically feasible and can be performed automatically and that the processing is based on the fulfillment of a contract with you.

Contact Details

If you have questions about our privacy policy, want to exercise your rights, or have other questions about our processing, please contact our data protection officer at dpo@heads.com. All inquiries will be handled confidentially.

Heads commits to cooperate with you to get a fair resolution to any complaints or concerns about privacy. However, if you believe that we have not been able to assist you with your complaint or concern and you are within the EEA, you have the right to submit a complaint to the competent supervisory authority.

Confidentiality

All policy documents are classified according to one of the following classifications: Company public, company internal, or company confidential. This privacy policy is classified as company public. Public information can be openly shared and discussed publicly as well as published, for example on the website and other social media platforms. Part of this privacy policy is published and made available on Heads website.

Training

All staff should regularly receive training in this privacy policy. Heads data protection officer is responsible for ensuring that applicable training is conducted annually.

Responsibility

It is each manager's responsibility to ensure that the requirements of this Privacy Policy are implemented in their respective organization, including preparing detailed support documents that are appropriate for their needs, and to ensure that their staff is aware of this privacy policy and its contents. All staff are responsible for ensuring that they act in accordance with this privacy policy. The data protection officer is responsible for updating this privacy policy as necessary. For any questions, contact dpo@heads.com.