In this document, we use the term “Company,” which is identical to the firm or entity that owns the company or project, and which, via their website, has directed you here through an internet link.
By using the aforementioned website that has brought you to this platform, you hereby confirm that you have seen the link, visited this site, read through this content, and accepted its terms.
Privacy Policy
This Privacy Policy explains how the company collects, processes, stores, and protects personal data. The company is fully committed to handling all personal information responsibly, lawfully, and transparently, in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and any other relevant regulations. Every individual interacting with the company—whether as a customer, employee, business partner, or website visitor—has the right to understand how their data is collected, used, and safeguarded.
The collection of personal data is conducted only when necessary and for clearly defined purposes. The company may collect information provided directly by individuals, such as names, contact details, addresses, professional credentials, payment details, and other relevant data required for business operations. In addition, data may be gathered automatically through digital interactions, including website analytics, IP addresses, device information, cookies, browsing behaviour, and interaction history. Data is collected lawfully and with explicit purposes, ensuring that individuals are aware of why their information is being processed.
Personal data is used strictly for the purposes for which it was collected. The company processes personal information to provide services, fulfil contractual obligations, respond to inquiries, improve customer experience, conduct business operations, comply with legal requirements, or protect the rights of the company and its stakeholders. Data processing is carried out with full respect for individual rights, ensuring that information is handled with integrity and confidentiality. The company does not sell, rent, or trade personal data with third parties for marketing or commercial gain.
In certain situations, personal data may be shared with third parties, such as service providers, business partners, legal advisors, regulatory authorities, or governmental institutions when legally required. Any data shared externally is strictly limited to what is necessary and is done so in accordance with legal obligations and appropriate safeguards. Third parties handling personal data on behalf of the company are required to adhere to strict data protection standards and contractual agreements to ensure compliance with privacy regulations.
The security of personal data is of the highest priority. The company implements robust technical and organisational measures to protect personal information from unauthorised access, misuse, loss, alteration, or destruction. Security protocols include data encryption, access controls, secure data storage, firewalls, and regular system monitoring. Employees and contractors who have access to personal data are required to comply with strict confidentiality obligations and data protection policies.
Retention of personal data is limited to the time necessary for the purposes for which it was collected. Once data is no longer required, it is securely deleted, anonymised, or archived in accordance with legal and regulatory requirements. The company follows strict retention schedules to ensure that personal information is not kept for longer than necessary.
Individuals have rights regarding their personal data, including the right to access, correct, restrict processing, request deletion, or obtain a copy of their data in a structured format. Requests related to data rights can be submitted to the company, and all inquiries will be handled promptly and transparently, in compliance with applicable data protection laws. In cases where consent has been given for specific processing activities, individuals have the right to withdraw their consent at any time.
Cookies and other tracking technologies may be used to enhance the website experience, analyse visitor behaviour, and optimise digital services. These technologies help the company understand user interactions, improve functionality, and tailor content to user preferences. Users have the ability to manage cookie settings through their browser preferences or opt-out options provided on the website. Any use of such technologies is conducted with respect for individual privacy and in compliance with data protection regulations.
The company reserves the right to update this Privacy Policy to reflect changes in legal requirements, business operations, or technological advancements. Any updates will be communicated through appropriate channels, and continued use of the company’s services or website after policy revisions will indicate acceptance of the updated terms.
For any inquiries regarding the collection, processing, or protection of personal data, or to exercise data rights, individuals may contact the company at [contact details]. The company is committed to addressing privacy-related concerns with diligence and ensuring that all personal data is handled in a responsible and ethical manner.
Laws, directive and frames
ASEAN Framework on Personal Data Protection (AF-PDP)
This framework, established by ASEAN, aims to create a consistent approach to personal data protection across member states while allowing each country to maintain its own regulations. It promotes best practices in data governance, security, and cross-border data transfers. While not legally binding, it encourages member states to adopt privacy principles similar to those in the GDPR, focusing on consent, transparency, accountability, and security.
Singapore – Personal Data Protection Act (PDPA)
The Personal Data Protection Act (PDPA), enacted in 2012 and amended in 2020, is Singapore’s primary data protection law. It regulates how personal data is collected, used, disclosed, and stored by organisations. It mandates businesses to obtain consent, provide transparency in data handling, and implement security measures to protect personal information. The law also includes the Do Not Call (DNC) Registry and imposes strict penalties for non-compliance.
Malaysia – Personal Data Protection Act 2010 (PDPA)
Malaysia’s PDPA 2010 governs the processing of personal data in commercial transactions. It applies to both local and foreign companies operating in Malaysia. The law establishes key principles such as notice and choice, disclosure limitations, data security, and rights of access. However, it does not apply to government agencies, which are governed by separate regulations. Amendments are being considered to strengthen enforcement and introduce data breach notification requirements.
Thailand – Personal Data Protection Act (PDPA)
Thailand’s PDPA, which came into full effect in 2022, is modelled after the GDPR and sets strict guidelines on the collection, processing, and protection of personal data. It applies to both Thai and foreign entities handling personal data of individuals in Thailand. The law introduces legal bases for data processing, rights for data subjects, data breach notification requirements, and penalties for non-compliance. It also mandates the appointment of Data Protection Officers (DPOs) for certain organisations.
Indonesia – Personal Data Protection Law (PDP Law 2022)
Indonesia enacted its PDP Law in 2022, making it the country’s first comprehensive personal data protection regulation. The law classifies personal data into general and specific categories, introduces requirements for data processing and cross-border transfers, and mandates organisations to appoint Data Protection Officers. It also includes provisions for sanctions, with penalties for breaches that include fines and potential criminal charges.
Philippines – Data Privacy Act of 2012 (DPA)
The Data Privacy Act of 2012 is the Philippines’ primary data protection law, enforced by the National Privacy Commission (NPC). It establishes guidelines on the lawful collection, processing, and storage of personal data, requiring organisations to implement security measures. The law provides individuals with rights to access, correct, and delete their personal data. Non-compliance can result in hefty fines and imprisonment.
Cambodia – Draft Personal Data Protection Law (PDP Law)
Cambodia does not yet have a comprehensive data protection law in place. However, the government has been working on a Draft Personal Data Protection Law (PDP Law), expected to introduce regulations similar to international standards. Currently, data protection is governed under sectoral laws, including the Law on Telecommunications (2015) and the Consumer Protection Law (2019), which contain provisions on privacy and data security. The upcoming PDP Law is expected to establish rules on consent, data subject rights, security obligations, and penalties for non-compliance.
Vietnam – Law on Cybersecurity (2018) & Draft Personal Data Protection Decree (PDPD)
Vietnam’s Law on Cybersecurity (2018) regulates data collection, storage, and processing, particularly for businesses operating in cyberspace. It imposes strict data localisation requirements, requiring certain types of data collected in Vietnam to be stored within the country. It also grants authorities broad powers to monitor and control online activities to protect national security.
The Personal Data Protection Decree (PDPD), which came into effect in 2023, is Vietnam’s first dedicated data protection regulation. It introduces GDPR-like principles, including personal data classification, consent requirements, and data subject rights. It applies to both domestic and foreign entities processing Vietnamese citizens’ data. The law requires businesses to conduct data impact assessments, notify authorities of data breaches, and restricts cross-border data transfers unless specific conditions are met.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is Canada’s main federal data protection law, applying to private-sector organisations engaged in commercial activities. It establishes ten fair information principles, including accountability, consent, limiting collection, and security safeguards. Individuals have rights to access and correct their personal data.
Digital Charter Implementation Act (Bill C-27) – Proposed
The Digital Charter Implementation Act (Bill C-27) is a proposed update to PIPEDA that would replace it with the Consumer Privacy Protection Act (CPPA). It aims to strengthen consumer rights, introduce stricter penalties, and establish the Data Protection Tribunal to oversee privacy violations.
Provincial Privacy Laws
Certain provinces have their own privacy laws that apply to private-sector organisations:
- Quebec’s Law 25 (formerly Bill 64) – Introduces stricter consent requirements and stronger penalties for non-compliance.
- Alberta Personal Information Protection Act (PIPA) – Regulates private-sector data collection and use.
- British Columbia Personal Information Protection Act (PIPA) – Similar to Alberta’s PIPA, governing data protection for businesses in British Columbia.
Privacy Act (For Public Sector Data)
The Privacy Act governs how federal government institutions handle personal information. It ensures individuals’ right to access and correct their data held by government bodies.
The Personal Information Protection Law (PIPL), enacted in 2021, is China’s first comprehensive data privacy law, comparable to the GDPR. It establishes strict rules on the collection, use, storage, and cross-border transfer of personal data. It applies to companies operating within China and foreign entities handling Chinese citizens’ data. The law emphasises principles of consent, purpose limitation, minimisation, and data security. Companies must conduct security assessments before transferring data abroad and can face severe penalties for non-compliance. PIPL is complemented by the Data Security Law (DSL), which regulates data processing activities that could impact national security.
China – Cybersecurity Law (CSL)
The Cybersecurity Law (CSL), implemented in 2017, focuses on network security, data localisation, and the protection of critical information infrastructure. It mandates that certain data collected in China must be stored within the country. Companies operating in China must ensure compliance with cybersecurity standards, undergo security reviews, and implement measures to protect user data. The CSL works alongside PIPL and DSL to create a comprehensive data protection framework.
Hong Kong – Personal Data (Privacy) Ordinance (PDPO)
The Personal Data (Privacy) Ordinance (PDPO), first enacted in 1996 and later amended, is Hong Kong’s primary data protection law. It regulates the collection, processing, and use of personal data, ensuring individuals’ privacy rights are protected. The law is based on six data protection principles, including fair and lawful collection, accuracy, purpose specification, security, openness, and data subject rights. The PDPO was updated in 2021 to introduce stricter rules against doxxing (malicious disclosure of personal data) and grant additional enforcement powers to the Privacy Commissioner for Personal Data (PCPD). Unlike China’s PIPL, Hong Kong’s PDPO allows for more flexibility in cross-border data transfers.
The Danish Data Protection Act (Databeskyttelsesloven)
The Danish Data Protection Act (Act No. 502 of 23 May 2018) supplements the GDPR by specifying national rules for the processing of personal data. It provides additional provisions regarding employment data processing, journalistic and research exemptions, and the role of the Danish Data Protection Agency (Datatilsynet) in enforcing GDPR compliance. The law ensures that public and private organisations processing personal data within Denmark adhere to both EU and national data protection standards.
The Danish Act on Electronic Communications (Telelovgivningen)
The Danish Act on Electronic Communications governs the use of electronic communication networks and services, ensuring data security, confidentiality, and consumer protection in Denmark. It implements the EU ePrivacy Directive into Danish law, regulating the use of cookies, online tracking, direct marketing, and interception of communications. It requires businesses and online platforms operating in Denmark to obtain user consent before collecting personal data through electronic means, ensuring compliance with privacy laws.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (Regulation (EU) 2016/679) is the primary law governing data protection and privacy in the European Union and the European Economic Area. It sets strict requirements for the collection, processing, storage, and transfer of personal data, ensuring individuals have greater control over their information. Key principles include lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, and security. It also grants rights such as access, rectification, erasure, and data portability while imposing heavy penalties for non-compliance.
ePrivacy Directive (Cookie Directive)
The ePrivacy Directive (Directive 2002/58/EC) regulates electronic communications, including the use of cookies, direct marketing, and confidentiality in digital communications. It complements GDPR by setting specific rules for online privacy, requiring informed consent before cookies or tracking technologies can be placed on users’ devices. It ensures protection against spam, unwanted marketing, and unauthorised data interception while promoting confidentiality in electronic communications.
Data Governance Act (DGA)
The Data Governance Act (Regulation (EU) 2022/868) establishes a legal framework to facilitate data sharing across the EU while ensuring privacy, security, and ethical data usage. It promotes data availability for research, innovation, and public benefit by introducing new rules for data intermediaries and altruistic data sharing. The regulation aims to strengthen trust in data sharing by ensuring that organisations handling non-personal and personal data comply with strict ethical and legal standards.
Digital Services Act (DSA)
The Digital Services Act (Regulation (EU) 2022/2065) focuses on creating a safer and more transparent digital environment within the EU. It imposes obligations on online platforms, including social media and e-commerce sites, to protect users’ personal data, combat illegal content, and ensure greater accountability for digital service providers. It enhances GDPR’s principles by requiring transparency in algorithms, advertising, and content moderation while introducing stricter regulations for very large online platforms.
UK General Data Protection Regulation (UK GDPR)
After Brexit, the UK adopted its own version of GDPR, known as UK GDPR. It retains most of the principles of the EU GDPR, including lawful data processing, individual rights, and accountability. It applies to businesses processing UK residents’ personal data, whether based in the UK or abroad.
Data Protection Act 2018 (DPA 2018)
The DPA 2018 supplements UK GDPR by outlining specific exemptions, enforcement mechanisms, and national security considerations. It also applies UK GDPR principles to law enforcement and intelligence services.
Privacy and Electronic Communications Regulations (PECR)
PECR governs electronic marketing, cookies, and communication security. It requires organisations to obtain consent for marketing emails, calls, and the use of tracking technologies like cookies.
Online Safety Act 2023
The Online Safety Act 2023 strengthens protections for users of online platforms, particularly children. It requires tech companies to prevent illegal content and ensure online safety, with enforcement by the Office of Communications (Ofcom).
California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)
The CCPA (2018) grants California residents rights over their personal data, including access, deletion, and opting out of data sales. The CPRA (2023) strengthens the CCPA by adding new consumer rights, placing restrictions on sensitive personal data, and establishing the California Privacy Protection Agency (CPPA) for enforcement.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA governs how healthcare providers, insurers, and business associates handle personal health information. It sets security and privacy standards to protect patient medical records.
Children’s Online Privacy Protection Act (COPPA)
COPPA protects children under 13 by restricting how websites and online services collect and process their personal data. Parental consent is required before collecting, using, or sharing children’s personal information.
Gramm-Leach-Bliley Act (GLBA)
GLBA applies to financial institutions and mandates safeguards for protecting consumers’ personal financial information. It also requires institutions to disclose their data-sharing practices.
Federal Trade Commission Act (FTC Act)
The FTC Act prohibits unfair and deceptive business practices, including misleading privacy policies and insufficient data protection measures. The Federal Trade Commission (FTC) enforces consumer privacy rights under this law.
State Privacy Laws
Several states have enacted their own privacy laws, including:
- Virginia Consumer Data Protection Act (VCDPA) – Grants Virginia residents rights over their personal data and imposes obligations on businesses.
- Colorado Privacy Act (CPA) – Establishes GDPR-like protections for residents, including data access, correction, and deletion rights.
- Connecticut Data Privacy Act (CTDPA) – Requires companies to provide transparency and consumer control over personal data.
In relation to recruitment, our database is located within the EU and is subject to EU and Danish data regulations, which are among the most protective for candidates. These are the frameworks we fully comply with, without exception.
Important Note: We are observing significant changes in legislation across multiple countries, particularly in the United States and the United Kingdom at this time. Always verify the current legal framework.
Do you have any questions regarding data processing, data storage, or data deletion: gdpr-officer@4selection.com