Revision: 2 Date: 27-10-2025
Purpose and Scope
This Policy sets out WellPerform’s commitment to protecting the privacy and security of personal data in accordance with the EU General Data Protection Regulation (GDPR), the Danish Protection Act (Databeskyttelsesloven), and other applicable data protection laws. It applies to all personal data processed by WellPerform relating to employees, consultants, applicants, clients, and other individuals (“Data Subjects”) as part of the company’s operation.
Responsibilities
The Directors of WellPerform act as the Data Protection Controller (DPC) and are responsible for ensuring that all personal data is processed in compliance with this Policy and the applicable data protection principles. All employees, contractors, and third parties acting on behalf of WellPerform are required to comply with this Policy and to ensure personal data is handled responsibly and securely.
Data Protection Principles
In accordance with GDPR, WellPerform shall ensure that personal data is:
- Processed lawfully, fairly, and transparently
- Collected for specific, explicit, and legitimate purposes
- Adequate, relevant, and limited to what is necessary
- Accurate and kept up to date
- Retained only for as long as necessary
- Processed securely
- Handled in accordance with the Data Subject's rights
- Not transferred without ensuring adequate levels of protection
Personal Data
Personal data includes any information relating to an identified or identifiable individual, such as name, address, email, photo, passport, personal registration number, phone number, test results, health information, family relations, education, salary, etc.
Processing of Personal Data
WellPerform will only process personal data where a valid legal basis exists, including the performance of an employment or service contract, compliance with a legal obligation, legitimate business interests, or explicit consent.
Consent may be required for the processing of personal data where no other lawful basis applies. Any personal data not covered by an exemption shall remain confidential and may only be shared with third parties upon appropriate consent or legal justification.
Data Subject Rights
All individuals whose data is held by WellPerform have rights under GDPR to access, rectify, erase, restrict, or object to processing, and to data portability. Requests must be made in writing to WellPerform Management or the appointed DPC and will be handled promptly in accordance with legal timelines.
Data Accuracy
WellPerform endeavours to maintain accurate and up-to-date personal data. Data Subjects must notify management promptly of any changes to their personal information.
Data Security
WellPerform will take appropriate technical and organisational measures to protect personal data from unauthorised access, alteration, disclosure, or destruction.
Measures include, but are not limited to:
• Password protection and encryption of digital data
• Restricted access based on role and necessity
• Secure systems for storage and transmission of data
• Regular reviews of security procedures
Employees are required to respect the confidentiality and privacy of all personal data processed and must comply with the WellPerform IT Policy, Data Protection Procedure and Record Retention and Data Deletion Procedure.
Other personal data may be intended for publication or limited publication within WellPerform and therefore has a lower requirement for data security.
WellPerform must ensure that data processed by external processors (for example, service providers, cloud services including storage, websites, etc.) is handled in compliance with this Policy and the relevant legislation.
Data Retention and Secure Destruction
Personal data is retained only as long as necessary to fulfil its purpose or meet legal obligations. When no longer required, data must be securely deleted or destroyed in accordance with best practices and the Record Retention and Data Deletion Procedure.
Data Breach Notification
In the event of a personal data breach, WellPerform must first assess whether the breach is likely to result in a risk to the rights and freedoms of individuals, and whether notification to the Data Protection Authority (Datatilsynet) is required under the General Data Protection Regulation (GDPR).
If it is determined that the breach meets the threshold for notification, WellPerform shall report the incident to the Data Protection Authority within 72 hours of becoming aware of it, including all relevant information as required by law.
WellPerform is obligated to inform the affected Data Subject without undue delay if the breach is likely to result in a high risk to their rights and freedoms. Such notification shall describe the nature of the breach, its likely consequences, and the measures taken or proposed to mitigate potential adverse effects.
If the assessment concludes that the breach does not require notification to the Data Protection Authority, WellPerform shall document the incident and the reasoning behind the decision, including details of the breach, its potential impact, and any remedial measures taken, to ensure accountability and compliance with GDPR record-keeping.
All employees must immediately report any suspected data breach to management or the Data Protection Controller for assessment and appropriate action.
Policy Review
This policy will be reviewed regularly or as required by changes in legislation to ensure its continued relevance and alignment. Updates will be communicated to all employees through Connecteam.