Privacy Policy for Tusass

In connection with the creation of you as a customer of Tusass A/S (hereinafter “Tusass”), several personal data about you are processed. This means that the General Data Protection Regulation¹ and the Greenlandic Personal Data Act² apply, and that Tusass is obliged to provide you with information about how your personal data is processed. Therefore, we have prepared this privacy policy, where you can read more about the purpose, legal basis, storage, disclosure and your rights in connection with the processing.

1.     The data controller

Tusass A/S is the data controller for the processing of your personal data..

Tusass A/S
Farip Aqqutta 8
3900 Nuuk
Grønland

CVR number: 17516345

privacy@tusass.gl

Data Protection Officer:
DPO Denmark acts as Data Protection Officer (DPO) on behalf of Tusass and can be contacted at:

DPO-tusass@dpo-danmark.dk

2.    Definitions

“Personal data”: All information that can be used to directly or indirectly identify a person. This can be, for example, name, address, IP address, telephone number or location data.

”Processing activity”: Any type of activity in which your information is involved when Tusass organizes, stores, deletes, analyzes or discloses data.

”Data controller”: Tusass is the data controller and decides how and for what purposes your personal data may be processed. 

3.   Categories of personal data

Tusass processes general and confidential personal data. Below you can read which personal data we process during each processing activity and which category they belong to.

4.   Purpose and basis for processing

Tusass processes your personal data for the following purposes:

Information collected directly from you

• Creation and administration of customer relationships
  General personal data: name, address, e-mail, telephone number, payment information, subscription type, usage history.

  Legal basis: General Data Protection Regulation, Art. 6, para. 1, letter b (necessary for the performance of the contract).

  Confidential personal data: CPR number

  Legal basis: Greenland Personal Data Act, Section 11, para. 2, no. 2 (consent)

  Purpose: Tusass processes this information in order to register you as a customer and administer your subscription, so that you can enter into a prepaid agreement with us. CPR number is processed for the purpose of preventing identity fraud, including ensuring that subscriptions are not created in someone else's name.

• Subscriptions for people under 18 years of age
  General personal data: name, address, telephone number, email address

  Legal basis: GDPR art. 6, para. 1, letter b (necessary for the performance of the contract).

  Confidential personal data: child's CPR number, parent/guardian's CPR number

  Legal basis: Greenland Personal Data Act § 11, para. 2, no. 2 (consent)

  Purpose: Tusass offers mobile subscriptions for children aged 5 to 17 years. To create a child subscription, the child's CPR number must be provided to verify age and ensure that the child is under 18 years of age and thus meets the conditions for a child subscription. A parent or guardian must confirm the child's CPR number and be linked to the child's subscription as the person responsible.

• Customer service and support
  Personal data: Name, contact information, call log, technical information.

  Legal basis: GDPR art. 6, para. 1, letter b

  Purpose: Tusass processes this to provide efficient customer service, respond to inquiries, handle technical problems and ensure proper follow-up on support requests..

• Marketing and newsletters
  Personal data: Name, email, preferences.
  Legal basis: GDPR art. 6, para. 1, letter a (consent).

  Purpose: If you wish to receive a newsletter, this personal data is used to accommodate this..

5.   Information collected automatically

• Operation and maintenance of networks and services
  General personal data: IP addresses, MAC addresses, technical log data.
  Legal basis: GDPR art. 6, para. 1, letter f (legitimate interest).

  Purpose: Tusass processes this to ensure stable operation, maintenance and security of Tusass' network and services, as well as for technical troubleshooting and improvement of the user experience.. 

• Compliance with legislation (e.g. logging executive order)
  Legislation: Telecommunications concession issued by Naalakkersuisut

  Information: Traffic and location data, including telephone numbers you call and/or write to, telephone numbers that call and/or write to you, the duration of calls made on Tusass' network and the time of calls and messages. In addition, information about location data (GPS) is collected. including the ability to locate where a given mobile number is located through bearing

  Legal basis: GDPR art. 6, para. 1, letter c (legal obligation) cf. Chapter 36 of the Danish Administration of Justice Act).

  Purpose: The processing is prescribed by law, and Tusass is therefore complying with a legal obligation by processing this data. 

6.   Retention period

Tusass complies with the principles of data protection law, including the requirement for storage limitation. This means that Tusass generally only stores your personal data for as long as is necessary to fulfill the purpose of the given processing. However, there may be other legislation that necessitates a different storage period.

• For processing that specifically relates to payment for your mobile or internet subscription, the rules of the Accounting Act³ apply, according to which accounting material must be stored for 5 years from the end of the financial year to which the material relates.

• For processing that concerns customer service and support as part of your subscription, personal data is stored for 5 years

• For processing where consent is the legal basis, i.e. for marketing activities, including newsletters, personal data is stored until you withdraw your consent or the processing is no longer necessary for Tusass to fulfill the purpose.

• For processing arising from unpaid debt, it is deleted after 10 years

• For traffic and location data - Deleted after 1 year, in accordance with the logging executive order

7.    Security

As a company, Tusass has a responsibility to "put in place appropriate technical and organizational security measures". This means that we have a responsibility to ensure that your personal data is protected so that other parties cannot enter our systems and misuse your information.  At Tusass, we have a department that works to ensure that the right precautions are taken so that you are sure your information is in safe hands when you buy a product or service from us.

This is done, among other things, through the use of firewalls, two-factor authentication and user management on all systems. At the same time, Tusass' employees are continuously trained in how we process personal data, as well as in IT security in general.

8.   Your rights

According to the General Data Protection Regulation, you have several rights in relation to Tusass' processing of information about you.

If you want to exercise your rights, you must contact us at: Privacy@tusass.gl

Right to see information (right of access)
You have the right to gain insight into what information Tusass has collected about you and is processing

Right to rectification (correction)
You have the right to have incorrect information about you corrected.

Right to erasure
In some cases, you have the right to have information about you deleted within the period for general erasure by Tusass. This applies, among other things, if consent constitutes the legal basis for the processing and you withdraw consent, or if there are special reasons on your part that override the processing.

Right to restriction of processing
In certain cases, you have the right to have the processing of your personal data restricted. If you have the right to have the processing restricted, Tusass may in future only process the information, except for storage, with your consent, or for the purpose of establishing, exercising or defending legal claims, or to protect a person or important public interests.

Right to object
In certain cases, you have the right to object to Tusass' otherwise lawful processing of your personal data. You can also object to the processing of your data for direct marketing.

Right to transmit information (data portability)
In certain cases, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to have this personal data transferred from one data controller to another without hindrance.

You can read more about your rights in the Danish Data Protection Authority's guidance on the rights of data subjects, which you can find at datatilsynet.dk.

Revision of the privacy policy
Tusass will update this privacy policy if there are changes to the way in which Tusass processes your personal data. The privacy policy in force at any time will be available on your Tusass website Privacy Policy – Tusass.

9.   Recipients

In some cases, Tusass uses external partners and suppliers, including for hosting, invoicing, customer service and IT suppliers. The data processor processes personal data exclusively on behalf of Tusass and according to Tusass' instructions. Tusass only uses data processors that have documented appropriate security guarantees and comply with applicable data protection regulations under the GDPR and Greenlandic data legislation.

In certain cases, Tusass may disclose your personal data to other third parties that are not data processors. This applies to public authorities, as required by law, or to third parties to fulfill a contract, however, data subjects must be informed of this.

10.   Transfer to third countries

Tusass strives to only use data processors within the EU/EEA. If personal data is transferred to third countries, Tusass ensures that a data processing agreement has been entered into and that there is a valid transfer basis according to Chapter V of the General Data Protection Regulation.

Legal basis: the basis for the transfer will usually be covered by Article 45(1) of the General Data Protection Regulation, which is based on the adequacy decisions of the EU Commission. If the third country, territory or sector in question is not assessed as having an adequate level of protection, Tusass ensures that another provision is in place before the transfer. This will usually be Article 46(2)(c) of the General Data Protection Regulation, which requires that appropriate safeguards are established between the controller (Tusass) and the processor before the transfer. This means that an adequate level of security is maintained so that the rights of data subjects can be enforced and that there is access to effective legal remedies.

11.   Complaint to the Danish Data Protection Authority

You have the right to file a complaint with the Danish Data Protection Authority if you are dissatisfied with Tusass' processing of your personal data.

www.datatilsynet.dk

Carl Jacobsens Vej 35
2500 Valby

Tel. 33 19 32 00
dt@datatilsynet.dk

1. Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016/679)

2. Ordinance on the entry into force for Greenland of the Personal Data Processing Act, no. 1238

3. In the Accounting Act, as put into effect for Greenland by Royal Decree No. 624 of 23 June 2008 on entry into force for Greenland, Section 10