At Enwerdi, we take the protection of personal data seriously. This privacy policy describes how we collect, process and store personal data in connection with our business activities and when you visit our websites.

We operate exclusively in the B2B (business-to-business) market. This policy applies to contact persons at our customers, suppliers and business partners, to visitors of our websites, and to job applicants. It is intended to comply with the EU General Data Protection Regulation (GDPR), the Danish Data Protection Act (Databeskyttelsesloven), the German Federal Data Protection Act (BDSG) and other applicable legislation.

1. Data Controller

The data controller responsible for the processing of personal data described in this policy is:

Enwerdi A/S (hereinafter “we”, “us” or “our”)

Blåkildevej 27, Vantinge

5750 Ringe, Denmark

Company reg. no. (CVR): 43823264

 

This policy also covers the following group entities:

Company

Reg. no. (CVR)

Contact

NLM A/S

44506289

info@nlmv.dk

Lipitec A/S

44506319

info@lipitec.com

OHplus GmbH

HRB 115011

info@ohplus.de

HCH High Chem Hamburg GmbH

HRB 71646

info@highchem.de

 

Enwerdi A/S serves as the administrative entity for the group’s GDPR compliance and administration. Personal data is only shared between group entities where there is a legitimate business purpose.

 

2. What We Collect and Why

2.1. Customers, Suppliers and Business Partners

When you represent a company that is a customer, supplier or business partner of ours, we process personal data about you in order to enter and fulfil agreements, deliver our products and services, manage the business relationship and communicate with you. This includes:

      Name, job title and department

•      Work email address and telephone number

•      Company name, registration number and address

•      Payment, invoicing and bank account information

•      Correspondence, order history and communication records

•      Technical specifications or delivery information linked to you as a contact person

2.2. Contact Inquiries

When you contact us via a contact form, email, telephone or fax, we process the data you provide (e.g. name, email address, content of your inquiry) in order to handle your request. Your data is retained until the inquiry is fully resolved or you request deletion, unless statutory retention periods apply.

2.3. Newsletters and Marketing

If you subscribe to our newsletter or register for our events, we process your name, email address, company name and job title to send you relevant information about our products and services. You may unsubscribe at any time via the link in our emails or by contacting us directly.

2.4. Job Applicants

If you submit an application to us (e.g. by email or via an online form), we process the associated personal data (e.g. contact details, CV, certificates, interview notes) to the extent necessary for deciding on the establishment of an employment relationship. Your data is shared only with persons involved in the recruitment process. If unsuccessful, it is deleted within 6 months of the conclusion of the process, unless you consent to longer retention.

 

3. Data Collection on Our Websites

3.1. Hosting and Server Log Files

Our websites are hosted by Umbraco. When you visit our websites, the hosting provider automatically records technical data transmitted by your browser, including:

      Browser type and version

      Operating system

      Referer URL

•      IP address of the accessing device

      Time and date of access

This data is used solely to ensure the secure and error-free operation of our websites and is not merged with other data sources.

3.2. Cookies

Our websites use cookies – small text files stored on your device by your browser.

Technically necessary cookies enable core website functions and are placed without your consent. They are typically deleted when your browser session ends.

Non-essential cookies (e.g. for analytics or marketing) are only placed with your explicit consent and can be managed or withdrawn at any time via our cookie banner.

We use Cookiebot to obtain and document your preferences.

3.3. SSL / TLS Encryption

Our websites use SSL/TLS encryption to protect the transmission of confidential content. You can recognise an encrypted connection by the “https://” prefix and the lock icon in your browser.

3.4. Third-Party Tools

Our websites may use third-party services. Where data is transferred to providers outside the EU/EEA, we rely on the safeguards described in section 5.

 

4. Legal Bases for Processing

The GDPR requires us to identify a legal basis for each processing activity. The table below provides an overview:

 

Processing Activity

Legal Basis (GDPR)

Additional Basis

Fulfilling customer / supplier contracts

Art. 6(1)(b) – contractual necessity

 

Pre-contractual inquiries

Art. 6(1)(b) – pre-contractual measures

 

Bookkeeping, tax and accounting

Art. 6(1)(c) – legal obligation

DK: Bogføringsloven DE: §257 HGB, §147 AO

Business relationship management

Art. 6(1)(f) – legitimate interest

 

Handling contact inquiries

Art. 6(1)(f) – legitimate interest

 

Newsletters and marketing

Art. 6(1)(a) – consent

 

Recruitment / job applications

Art. 6(1)(b) – pre-contractual measures

DE: BDSG §26

Technically necessary cookies and server logs

Art. 6(1)(f) – legitimate interest

DE: §25(2) TDDDG

Non-essential cookies and analytics

Art. 6(1)(a) – consent

DE: §25(1) TDDDG

 

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. Where processing is based on legitimate interest, you have the right to object (see section 7).

5. Recipients and Third-Country Transfers

We treat your personal data confidentially and only disclose it where necessary for the purposes described above. Recipients may include:

 

  • Group entities within Enwerdi (for contract administration and bookkeeping)
  • IT service providers and hosting providers (acting as data processors on our behalf)
  • Auditors and legal advisors in connection with audit or legal services
  • Public authorities (Danish Tax Agency/SKAT, German Finanzamt, data protection authorities), where legally required
  • Banks and payment service providers for the processing of transactions
  • Logistics and freight partners, where necessary for delivery of products or services

 

We have entered into data processing agreements with all suppliers that process personal data on our behalf.

 

As a general rule, we do not transfer personal data to countries outside the EU/EEA. Should such a transfer become necessary (e.g. due to the use of US-based service providers), we ensure that it takes place on a valid basis under GDPR Chapter V, such as EU Commission Standard Contractual Clauses (SCCs), an adequacy decision, or the EU-US Data Privacy Framework (DPF) where the recipient is certified.

 

6. Retention and Deletion

We retain personal data only for as long as necessary for its purpose. After that, it is securely deleted or anonymised, unless statutory retention obligations apply.

 

Category

Retention Period

Basis

Customer and supplier data

Duration of business relationship + 5 years

Statute of limitations

Invoices and accounting

5 years (DK) / 10 years (DE)

Bookkeeping / tax law

Applicant data

Up to 6 months after end of process

BDSG §26 / legitimate interest

Contact inquiries

Until purpose ceases or deletion requested

Art. 6(1)(b)/(f)

Newsletter / marketing data

Until consent is withdrawn

Art. 6(1)(a)

Server log files

[14 days / specify]

Art. 6(1)(f)

Cookies

See cookie policy, 3.2 in this document

Consent / legitimate interest

7. Your Rights

Under the GDPR, you have the following rights:

  • Right of access – Request information about your personal data we process (Art. 15).
  • Right to rectification – Have inaccurate or incomplete data corrected (Art. 16).
  • Right to erasure – Request deletion of your data in certain circumstances (Art. 17).
  • Right to restriction – Request that processing of your data be restricted (Art. 18).
  • Right to data portability – Receive your data in a machine-readable format (Art. 20).
  • Right to withdraw consent – Withdraw consent at any time, without affecting prior processing (Art. 7).

 

To exercise your rights, contact us at info@nlmv.dk. We will respond within 30 days and may ask you to verify your identity.

 

Right to Object (Article 21 GDPR)

Where we process your data based on legitimate interest (Art. 6(1)(f)), you may object at any time on grounds relating to your particular situation. We will then stop processing unless we can demonstrate compelling grounds that override your interests, or the processing is necessary for legal claims.

Where your data is processed for direct marketing, you may object at any time without providing reasons, and we will cease processing for that purpose immediately.

 

8. Personal Data Breaches

In the event of a personal data breach, we follow our internal incident response procedures. Where required, we notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and inform affected individuals in cases of high risk (GDPR Art. 34).

9. Complaints

If you are dissatisfied with our processing of your personal data, we encourage you to contact us first. You also have the right to lodge a complaint with the relevant supervisory authority:

Denmark

Datatilsynet – Carl Jacobsens Vej 35, 2500 Valby – www.datatilsynet.dk

Germany

BfDI – Graurheindorfer Str. 153, 53117 Bonn – www.bfdi.bund.de

In Germany, the competent authority may also be the relevant state data protection authority (Landesdatenschutzbeauftragte).

 

10. Changes to this Privacy Policy

We may update this policy to reflect changes in legislation or our practices. Material changes will be published on our website. The policy is reviewed at least annually.

11. Contact

Questions about this policy or your rights? Please contact us