One of the main principles of GDPR – EU General Data Protection Regulation 679:2016 is that companies are only allowed to collect information when it is necessary.
DANAK has deemed it unnecessary that DANAK collects and processes personal data which us documentation for the accredited company’s compliance of the requirements for accreditation.
DANAK must have access to review a representative number of members of staff to be able to assess the applicant’s expertise within the field of accreditation applied for. This assessment will mainly take place when visiting the company’s localities. 
When visiting the customer, DANAK reviews and registers the customer’s regular personal data in the form of descriptions of expertise and qualifications.
DANAK does not take these data from the customer and registrations made by DANAK in notes, deviations and inspection report must be unambiguous but must be written so that it does not refer personal data aside from name or other identification, function and DANAK’s assessment of compliance of the required elements.
If the company in connection with applications or documentation of adjusted actions submit documentation of members of staff’s expertise it does not have to contain social security numbers (CPR) or specific categories of personal data like union affiliation or information about health. DANAK deletes submitted documentation containing personal data after the assessment.
When using an electronic management system DANAK must have access to all relevant parts of the management system or to a copy of it, which must include functionality that allows a sufficient assessment. DANAK does not need general access to the company’s registrations, including registered personal data and access to this should be denied. DANAK will not extract personal data from the company’s registrations.
When signing an agreement with costumers the personal data of the companies contact person is collected. This data consists of name, work-email and -telephone number. These are published on DANAK’s website. The costumer is informed about this in the contract. The information is removed when the contract terminates.
Reports, correspondence, processing of non-conformities and other information about the costumers are kept on DANAK’s server where only internal members of staff have access. The process of non-conformity, reports and communication with the costumer is also put on the customer portal where internal and external members of staff who are associated with the case and customer have access.

DANAK has a data processing agreement with a Danish IT company, which ensures that DANAK's data is stored in hosting centers in Denmark and provides the necessary protection and backup. 

The security of the data processor and hosting centers is assessed annually by Deloitte in an ISAE 3402 type 2 audit report.

Mailboxes and all shared drives are backed up. The backup is treated confidentially and is only used if data has been lost in the main systems or if misuse is suspected.

DANAK does not send personal data to third parties, including third countries or international organizations, in addition to what has been mentioned above.

DANAK reports breaches of personal data security to the supervisory authority (The Danish Data Protection Agency) without unnecessary delay and if possible within 72 hours of DANAK being aware of the breach unless that it is unlikely the breach of the personal data security entails a risk for physical people’s rights or constitutional rights.
DANAK notifies the registered about breaches of the personal data security if such a breach is likely to entail a high risk for physical people’s rights or constitutional rights.
DANAK runs an impact analysis concerning data protection if a type of process is likely to entail a high risk for physical people’s rights or constitutional rights and makes enquiries with the supervisory authority (The Danish Data Protection Agency) before the process if an impact analysis concerning data security shows that the process will lead to high risk caused by lack of precautionary measures set in place by the data controller to limit the risk.