Personal data policy


Water Valley Denmark (hereinafter the Company) has prepared this general information about data protection that describes and ensures the Company’s compliance with applicable data protection legislation, notably the General Data Protection Regulation1 (hereinafter GDPR) and national legislation, the Danish Data Protection Act2 (hereinafter DBL).

In the general personal data policy, you can read more about how we process your personal data in general as part of the operation of our Company. You will have received the specific personal data policy relevant for you by email containing a direct link to the policy. You are receiving this specific information because we wish to ensure transparent data processing operations.

Water Valley Denmark has also prepared a cookie policy for our website,, that applies to our collection of personal data in connection with your use of these pages.


For ease of reading of the personal data policy, the Company has chosen to use footnotes that contain references to legislation etc. Therefore, you should be aware that you can find more detailed information there.


Water Valley Denmark, Hasselager Allé 8, 8260 Viby J, Denmark, CVR: 42726656, assumes the role of Data Controller3 when the Company processes personal data as part of its activities. This mainly concerns the following data processing:

  • Data processing activities performed by the Company with a view to delivering the services of the Company as described in detail in the case confirmation submitted. For this purpose, the Company will typically process personal data about the customer (if an individual person, single proprietor or partnership), employees and/or other relevant persons such as the customer’s customers;
  • The Company’s collaboration with suppliers, business partners and other parties, e.g. public authorities, where the Company processes personal data of the employees;
  • The Company’s observance of the provisions of the Danish Bookkeeping Act4 on storage of bookkeeping material and the GDPR on personal data;
  • The Company’s collection, storage and use of contact information about customers to be used in the Company’s marketing of similar services towards these;
  • Collection, storage and use of contact information with a view to issuing the Company’s newsletters to persons who have subscribed to the newsletter service and have given their consent to this.

The Company has not appointed any data protection officer5. If you have questions about the Company’s processing of your personal data, you may instead contact Water Valley Denmark through the following contact information:

Telephone: +45 93 40 00 80

Water Valley Denmark AS DATA PROCESSOR?
In certain specific cases the Company acts as the data processor6 rather than the data controller. By virtue of agreements concluded to this effect, the Company acts as the data processor since all of our data processing activities are performed as a result of the instructions received by the Company from the respective customers on behalf of whom we process personal data.

Article 5 of the GDPR stipulates a number of principles of processing that the Company considers to be important to comply with.

Read more about this below:

The Company solely processes your personal data if it is considered, on a case-by-case basis, to be relevant and necessary in relation to the purpose of processing. For that reason, the Company does not process any other personal data about you than data necessary for the Company for specific purposes of the processing.

The type and scope of personal data processed by the Company are typically required to fulfil a contract7, e.g. the contractual basis with the individual customer or supplier.

In some cases, a number of statutory duties are imposed on the Company to perform a specific processing8 as part of the operation of the Company. Among other things, such duty is imposed by Section 10 of the Danish Bookkeeping Act that imposes obligations as to the storage of appendices containing personal data.

Moreover, the Company processes a number of personal data to be used for specific marketing purposes where e.g. the Company’s processing of your contact information is necessary. In this connection, the Company processes such data pursuant to your consent or as a result of the Company’s legitimate interest in this regard10.

In some specific cases where the Company needs to store documentation containing your personal data, e.g. for the purpose of a dispute between you and the Company, this will take place in accordance with a balancing of interests11. In this respect, the Company will have an overriding interest in establishing, exercising or defending a legal claim12.

Wherever possible, the Company will check that the personal data about you that we process is not incorrect or misleading. In this connection, the Company will endeavour to update the personal data on an ongoing basis as we become aware of any changes.

The services of the Company depend on your personal data being correct and updated. For that reason, we ask you to inform us of any relevant changes in your data. Please address any changes to your designated contact person; alternatively, you can contact the Company on the above contact information and we will then ensure rectification.

The Company will perform erasure of your personal data when the data is no longer necessary for the use of the purpose of processing for which the Company originally collected the personal data.

In this connection the Company will delete personal data that is contained in the Company’s bookkeeping material after a period of 5 years from the end of the financial year to which the material relates13. The personal data belonging to you that is processed by the Company with a view to fulfilling its obligations under the GDPR will be deleted after 5 years14.

Personal data collected by the Company in connection with delivering specific services to the customer or ordering products or services from a supplier will be retained for an appropriate period after the end of the customer relationship. The storage period is normally 3 years15.

When the Company processes your personal data in relation to the processing activities described above, we always ensure that we have a lawful basis for processing your personal data.

The Company processes general personal data, including any confidential personal data, about you that is necessary to deliver the specific service or to order a product or a service in accordance with our agreement to this effect16 as a consequence of having to comply with our legal obligations17 or in order pursue our legitimate interests18.

The Company’s legal obligations are, among other things, observance of the Danish Bookkeeping Act and the GDPR.

The Company’s legitimate interests are to be able to correspond with you about the customer or supplier relationship and other relevant matters, to process personal data about persons associated with the task and the Company’s interest in retaining documentation to be used in a potential dispute.

In some specific cases the Company will obtain your consent for the processing and this will typically be for marketing purposes. Your consent is voluntary and you can withdraw your consent at any time. Please use the contact information above.

If the Company wishes to use your personal data for any other processing purposes than the original one, we will inform you of this new purpose – and, if necessary, obtain your consent for this – before we start the processing. If we base the data processing on another basis than your consent, we will inform you of this.

The Company will ensure on an ongoing basis that your personal data is only disclosed to third parties if such disclosure is based on legitimate reasons or on a specific agreement with you on this.

The Company has established internal instructions covering rules and measures with a view to protecting your or other people’s personal data from loss, alteration or destruction and from unauthorised persons gaining access to or knowledge of the data. In particular in relation to the Company’s prevention of loss of data, continuous backup is carried out of all data.

Your personal data will only be processed by authorised employees who will be granted internal access rights based on employees with a need to access your personal data.

The Company uses IT systems that are elaborated by external companies. These companies assume the role of data processors of the data for which the Company is the data controller. Before commencing collaboration with a potential IT provider, we ensure that comprehensive data processing agreements have been concluded with the company and that it has satisfactory safety procedures in place that are checked on a regular basis.

You will also be informed in the event of a personal data breach if it is assessed that the breach involves a high risk for you, e.g. the probability of discrimination, identity theft, financial loss, reputational loss or similar.

The Company has a legal need to collect and process some personal data about you which is done in order to deliver the specific service in a lawful manner.

This is typically personal data that is necessary in relation to observing the Company’s duty to keep books (the Danish Bookkeeping Act) and observing the Company’s data protection obligations according to law such as submission of notification letters, obtaining of consent etc. (the GDPR and the DBL).

Personal data for these purposes is necessary in order for the Company to handle the case.

If you refuse to provide the requested – and necessary – personal data to the Company, we will not be able to deliver the service or order the product/service and this will result in us not being able to establish the customer or supplier relationship.

You can exercise your rights by contacting us.

Right of access: You have the right to gain access to the information processed by the Company about you as well as some additional mandatory information in accordance with Article 15 of the GDPR.

Right to correction: In some cases, you have the right to have incorrect data corrected that the Company has associated with you.

Right to erasure: In specific cases you have the right to have personal data deleted before the time of the general deadlines for deletion.

Right to restriction of processing: In specific cases you have the right to have restriction of processing of personal data that the Company has associated with you.

If you have right to restriction of processing, the Company must in future only process the data – except for storage – with your consent or with a view to establishing, exercising or defending a legal claim or to protecting a person or for important reasons of public interest.

Right to object: In specific cases you have the right to object to the Company’s otherwise legal processing of your personal data.

Right to have information transmitted (data portability): In specific cases you have the right to receive your personal data in a structured, commonly used and machine-readable format and to have the personal data transmitted from one data controller to another without restrictions.

You have the right to file a complaint to the Danish Data Protection Agency if you are dissatisfied with the way that the Company processes your personal data.

You can find the contact information of the Danish Data Protection Agency at

1 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

2 Law on additional provisions to the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the Danish Data Protection Act).

3 Article 24, see Article 4(7), of the GDPR.

4 Consolidating Act 2006-06-15 no. 648 The Danish Bookkeeping Act.

5 Article 37 e.c. of the GDPR.

6 Article 4(8) of the GDPR.

7 Article 6(1), point b, of the GDPR.

8 Article 6(1), point c, of the GDPR and Section 11(2), point 1, of the DBL.

9 Article 6(1), point a, of the GDPR.

10 Article 6(1), point f, of the GDPR.

11 Article 6(1), point f, of the GDPR.

12 Article 9(2), point f, of the GDPR.

13 Section 10(1) of the Danish Bookkeeping Act.

14 Section 41(7) of the DBL.

15 Section 3(1) of the Danish Limitation Act.

16 Article 6(1), point b, of the GDPR.

17 Article 6(1), point c, of the GDPR.

18 Article 6(1), point f, of the GDPR.