This page describes how zeal aps processes personal data on behalf of its clients in accordance with the EU General Data Protection Regulation (GDPR).
1. Roles and Responsibilities
In the context of our collaboration, the client acts as the data controller, while zeal aps acts as the data processor.
We process personal data solely on the basis of documented instructions from the client.
2. Purpose of Processing
We process personal data as part of the delivery of:
- research services
- analyses
- project work
- reporting and presentations
Processing is limited to what is necessary to provide the agreed services.
3. Types of Personal Data
Processing may include ordinary personal data, such as:
- name
- job title
- email address
- phone number
- business-related information about identifiable individuals
As a general rule, no special categories of personal data are processed unless explicitly agreed in writing.
4. Categories of Data Subjects
The personal data may relate to:
- employees of our clients
- business partners
- clients or respondents involved in research projects
5. Duration of Processing
Personal data is processed for the duration of the collaboration and thereafter in accordance with the client’s instructions and applicable law.
6. Security and Confidentiality
We have implemented appropriate technical and organizational security measures to protect personal data against unauthorized access, loss, or misuse.
These measures include, among others:
- access control and role-based permissions
- secure login procedures
- ongoing internal controls
All employees with access to personal data are subject to confidentiality obligations.
7. Use of Office 365
We use Microsoft Office 365 for the storage and processing of data.
Microsoft acts as a sub-processor, and processing is carried out in accordance with:
- Microsoft’s Data Processing Agreement
- applicable security standards
- the requirements of the GDPR
8. Sub-processors
We use the following sub-processor:
- Microsoft Corporation (Office 365)
We ensure that valid data processing agreements are in place with all sub-processors.
9. Transfers to Third Countries
To the extent that personal data is processed outside the EU/EEA (e.g. as part of the use of Office 365), such transfers are carried out in accordance with the GDPR, including through the use of the European Commission’s Standard Contractual Clauses.
10. Deletion and Return of Data
Upon termination of the collaboration, personal data will be deleted or returned at the client’s choice, unless retention is required by applicable law.
11. Documentation and Audits
We make available the information necessary to demonstrate compliance with the GDPR and will assist with audits upon prior agreement.
12. Contact
If you have questions about our processing of personal data or require a signed data processing agreement, please contact us at: