Personal data policy
Personal data policy for Vicorda
This policy describes how Vicorda collects, processes, and stores personal data about you when you visit Vicorda's website, contact Vicorda, or are a customer through one or more of Vicorda's services (Health Screening, Physical Health Checks, Workplace Assessments, Pulse Surveys, Whistleblower, News Module, or Health Advisory). Vicorda is the data controller for the website and inquiries to Vicorda. For other services, Vicorda acts as a data processor under the instructions of a data controller through data processing agreements.
Regardless of Vicorda's role, Vicorda's clear goal is to ensure transparency in Vicorda's data processing and to protect your personal data in accordance with data protection legislation.
​
Vicorda's contact information is:
​
Vicorda ApS
Lejrvej 25
3500 Værløse
Tlf. +45 3055 4435
​CVR DK-37468835
​
​
Types of Data
Depending on whether you are a customer or a website visitor, Vicorda processes a range of data about you. This data is always collected with your involvement and typically includes:
​
​
As a website visitor
-
A unique ID and technical information about your computer, tablet, or mobile phone
-
Geographical area
-
Pages you click on (interests)
​
​
When using Vicorda's online contact form
-
Name, company, and number of employees
-
Email and phone number
-
Content of your inquiry (free text)
​
​
As a contact person at a partner company
-
Name
-
Email
-
Phone
​
​
When using health screening and physical health checks
​
Categories of personal data collected and processed include:
​
-
General personal data: General background questions such as gender, age, weight, height, full name, email address, workplace, employee type, pension status, health insurance status, workplace environment: ergonomics, relationships, psychosocial hazards, lifestyle: sleep, diet, smoking, alcohol, physical activity
-
Sensitive personal data: Health information including mental health: stress/anxiety/depression, self-care, cognitive functions, physical health: self-assessed health status, illness and absence, pain
-
Physical measurements (when physical health checks are included): Weight, waist measurement, body fat percentage, BMI, total cholesterol, HDL and LDL cholesterol, blood sugar, blood pressure, balance test
​
​
When using thematic surveys (Pulse Surveys):
​
Categories of personal data collected and processed vary by survey type and include:
​
-
General personal data: General background questions such as full name, email address, workplace, employee type, pension status, health insurance status
-
Sensitive personal data: Health information including mental health: stress/anxiety/depression/well-being/burnout/quality of life
​
​​
When using workplace assessments (APV):
​
Categories of personal data collected and processed include:
​​
-
General personal data: Gender, age, full name, email address, workplace, physical, ergonomic, biological, and psychological work environment conditions
​
​
When using the Whistleblower service:
​
Categories of personal data collected and processed include:
​
-
General personal data (if not anonymized): Full name, email address, workplace
-
Confidential personal data (may occur if you include personal data in your descriptions or attached documents):
- Date or period of the incident
- Theme of the incident
- Description of the incident
- Any attached documents (videos, images, text files)
​
When using Biomarkers (Face scan)
​
Categories of personal data collected and processed include:
-
General personal data: Full name, email address, workplace, employee type, pension supplier, health insurance supplier
-
Measurements and metrics): Blood pressure, Heart rate, Heart rate variability, Mental stress, Energy balance, Resonant breathing score, Respiratory rate, Mental health risk, Sleep quality
​
​
When using eNPS (Employee netpromoter score)
Categories of personal data collected and processed include:
-
General Personal Data: Company name, employee type.
Workplace Satisfaction: Questions about satisfaction with the workplace and indications of potential areas for improvement.
​​
​
How Long Do We Retain Your Data?
Vicorda generally retains personal data as long as there is an active relationship between you and Vicorda where it is in your interest that Vicorda processes the data. Data is deleted when this relationship ends. Deletion is, of course, only carried out to the extent that Vicorda does not have legal or other valid reasons to retain the data for a longer period.
Vicorda also has specific deletion procedures related to the various services in the solution:
-
Users always have the option to delete data/reports themselves
-
Users always have the option to delete their entire profile themselves
-
Users whose employer does not have a history will have their data deleted after 30 days
-
Inactive users will have their data deleted after 18 months of inactivity. Users are notified one month in advance.
-
If the company's agreement ends, the user's data is deleted
-
Data recorded in the medical record system in connection with telephone-based healthcare advice and your separate consent is stored in accordance with the regulations of medical record legislation.
​
​
Disclosure of Information
Vicorda exclusively uses European sub-processors, and the platform is hosted in Denmark. No data is transferred to third countries. These sub-processors operate solely on behalf of Vicorda and are strictly prohibited from using the data for their own purposes. None of the sub-processors have access to personally identifiable information. By using only European sub-processors and hosting all data within Denmark, Vicorda ensures that your data remains protected under Danish and European law. Additionally, Vicorda has entered into data processing agreements with its regular IT providers, ensuring that all data processed within specific systems (e.g., email and file systems, website hosting, customer management system, Health Screening, etc.) is handled securely and in full compliance with GDPR regulations.
​​
​
Legal Basis and Purpose
​
Vicorda processes your personal data for the following purposes:
-
Handling your inquiry if you send us an email or contact us through the website
-
Processing your visit to Vicorda's website (see Vicorda's Cookie Policy, link in footer)
-
Administration of Vicorda's cooperation if you are a contact person at a partner company
-
Administration of the relationship between you and Vicorda if you use Health Platform and the associated services
The legal basis for Vicorda's processing includes:
-
General information from your website visit or inquiry is processed under the legal basis of GDPR Article 6(1)(f) (the balancing rule). Vicorda assesses that Vicorda's interest in collecting, processing, and disclosing information about you does not outweigh your interest in the opposite. Consent is used if Vicorda collects other than functional cookies on the website.
-
General information in relation to Vicorda's solution and the respective services, as well as if you are a partner, is processed under the legal basis of GDPR Article 6(1)(b); processing for the purpose of fulfilling a contract (contractual relationship).
-
When using Vicorda's platform and the respective services, Vicorda also processes a range of sensitive and confidential information about you, requiring your voluntary and informed consent in accordance with GDPR Article 9(2)(a). You will automatically be asked for consent in the relevant contexts when using Vicorda's platform or one or more of the respective services. In connection with consent, you will be informed of the details of the processing, including purpose and withdrawal process.
​
Security
Vicorda ensures that data is stored securely and discreetly. Vicorda's security measures are divided into organizational and technical measures. The organizational security measures mean that only Vicorda's trusted personnel with a valid purpose have access to your personal data with your consent. Vicorda's personnel are continuously instructed and trained on data security, including how to handle and protect the information. Vicorda also maintains a record of its data processing activities, subject to the Danish Data Protection Agency's oversight.
The technical security measures relate to Vicorda's use of IT systems for registration and administration. Vicorda's data is securely and safely placed in a Danish data center with the necessary protection level according to current regulations. All communication on Vicorda's website is protected with approved security certificates with a 256-bit encryption key. Stored data (data at rest) is protected via 256-bit encryption, and sensitive data in use (data in memory) is also protected via 256-bit encryption. To ensure your personal data, backups of all your personal data are performed daily, and a Disaster Recovery as a Service (DRaaS) solution is in place.
Vicorda's internal IT systems (PCs, etc.) are protected with passwords, updated antivirus programs and firewalls, two-factor authentication (2FA), and physical materials are stored locked. When IT equipment is destroyed or repaired, it is disposed of responsibly to ensure that your personal data does not become accessible to unauthorized persons.
​
Your Rights
​
According to current legislation, everyone is guaranteed the following rights:
-
Right to information about the processing of personal data (right to be informed):
You have the right to know who the data controller is, the purpose of the processing, and who receives/processes the data.
This Privacy Policy generally contains all this information.
-
Right to access your personal data (right of access):
You can request information about what data Vicorda processes and request a copy of the collected data.
-
Right to have inaccurate personal data rectified (right to rectification):
If you believe that the data Vicorda holds about you is incorrect, inaccurate, or incomplete, you can request that the data be corrected.
-
Right to have personal data erased (right to be forgotten):
If you believe that the data Vicorda holds about you is not necessary for the original purpose it was collected, you can request that the data be deleted. Note that we are obliged and entitled to retain certain personal data to comply with legal requirements.
-
Right to data portability:
You generally have the right to receive information about yourself in a structured, commonly used, and machine-readable format, and you have the right to transfer this information to another company.
-
Right to object:
You have the right to object to the use of personal data for, among other things, direct marketing and profiling. We do not use profiling, and any marketing will always be linked to explicit consent.
When contacting Vicorda regarding any of the above points (access, rectification, deletion, etc.), you will receive a response within a month about what Vicorda will do with your request. If, for example, you request to have your data corrected or deleted, we will normally investigate whether all conditions are met, including whether there is a legal basis for continued data processing. If we find the objection justified, Vicorda will comply with the request.
​
Complaints and Contact Information
Complaints about Vicorda's processing of personal data, objections, and questions regarding the privacy policy should be directed to the data controller.
You can complain about the processing of your data by contacting the Danish Data Protection Agency. The contact information for the Danish Data Protection Agency can be found on their website, www.datatilsynet.dk.