VELUX Privacy Notice

All companies in the VELUX Group respect and protect your privacy. This VELUX Privacy Notice (‘Privacy Notice’) is meant to help you understand why we collect personal data about you, the types of personal data we collect, how we collect it and for how long we keep it, with whom we share it, as well as your rights. We also explain how we keep your data secure.

This VELUX Privacy Notice complies with the EU General Data Protection Regulation 2016/679 (‘GDPR’) and The Danish Law.

We, VELUX A/S (Hereinafter ‘VELUX’), with its registered office at Aadalsvej 99, 2970 Hoersholm, Denmark, under registration number 30003519, is the data controller for your personal data.

 Why do we process personal data and the lawful bases for collection

The main reason we collect, use, and store your data is to allow us to provide our services to you. “Service”, “our service” and similar descriptions mean conducting business with you/your organisation and assisting you with inquiries, sales processes, and claims.

We also process information about your use of the services for business development purposes, to inform you of our business operations, products, and services through marketing, and to improve our services through any feedback you give us. We may also process your personal data for contractual and recruitment purposes and to comply with legal obligations.

We process personal data based on different legal bases as listed below.

Performance of a contract, including a purchase – GDPR article 6(1)(b):

• When we process personal data in relation to a contract, our legal basis is ‘performance of a contract’, including a purchase.

Consent – GDPR article 6(1)(a):

• When we send out a newsletter about our products, we do this based on your consent. When the lawful basis for processing is consent, you have the right to withdraw your consent at any time.

Legal obligation – GDPR Article 6(1)(c):

• If we share your personal data with law enforcement agencies or other governmental bodies, we share this because we have a legal obligation to do so.

Legitimate interest - GDPR Article 6(1)(f):

• We have a legitimate business interest in processing your data, for example, when we assist you with enquires.

Special categories – GDPR Article 9(2)(a) and GDPR Article 9(2)(f):

• When we process special categories of data, we do so to comply with regulatory requirements related to compliance matters.

 The types of personal data we process

The following are the main types of personal data collected by VELUX, along with the main purpose and legal basis for collecting the personal data:

Activity

Types of personal data we collect (for illustration purposes)

Purpose(s)

Legal basis

General business operations

Name, contact details and other information necessary for conducting business with you or your organisation.

As part of general VELUX business operations, we collect personal data about individuals, customers, suppliers (including third-party service providers) and other stakeholders. We may also use your data for testing systems.

GDPR – Article 6(1)(b)
GDPR – Article 6(1)(f)

Assisting with enquiries

Name, email address, phone numbers, conversations, other contact details, photos, floor plans of your house when you provide this to VELUX.

You may choose to provide us with personal data, such as contact details when you contact us by phone, email, post, our chatbot or by using our digital platforms available.

This personal data enables us to respond to requests for information on such matters as VELUX products, to arrange a measure and quote for installation of VELUX products, or to arrange for a window to be serviced, or to present claims under the VELUX guarantee.

The information may be disclosed to VELUX A/S or other VELUX sales companies within the Group, relevant independent installers or dealers in order for us to assist customers with their enquiry or arrange for services or a quote.

We record calls for training purposes. We may also ask you to provide your feedback through surveys after the interaction.

GDPR – Article 6(1)a
GDPR – Article 6(1)(b)
GDPR – Article 6(1)(f

Sales (including web sales) and order fulfilment.

Name, contact details, payment and credit card details, credit information, and credit check etc.

We may collect personal data of customers and prospective customers in order to conduct business with you or your organisation. We use your data to analyse shopping trends through your web shop activity and purchase history to provide you a personalised browsing experience. Furthermore, we use the data for processing and fulfilling web shop orders by facilitating the delivery of product orders and providing relevant customer service, including processing your returns.

We may disclose the information to dealers or independent installers and logistic partners to process a customer’s order, including arranging delivery of VELUX products to the customer or assisting with enquiries such as arranging consultation between you and our product advisors. We also share your information with third parties for credit check purposes.

GDPR – Article 6(1)(b)
GDPR – Article 6(1)(a)
GDPR – Article 6(1)(f) 

Campaigns

Name, contact details, etc.

Execution of various campaigns (e.g., reward programs, cashback campaigns, sweepstakes). Acceptance of terms and conditions is collected before entry to the activity.

GDPR – Article 6(1)a
GDPR – Article 6(1)b

Product claims

Name, contact details, etc.

Facilitate service of VELUX products under the VELUX guarantee or by paid service, i.e., we solve claims by call, email, and visits to building sites. In this connection, we may share your personal data with VELUX partners to assist you with a service. We may ask you to provide your feedback through surveys after the interaction.

GDPR – Article 6(1)(c)
GDPR – Article 6(1)(f

Business development and VELUX apps

Personal data, which is collected at our digital platforms and in VELUX apps.

The personal data you provide to us, and personal data collected at our digital platforms will be used to enhance our consumer insights and drive relevant communication and offers across all touch points you may have with VELUX. Personal data will also be used for product and service development.

GDPR - Article 6(1)(a)

Marketing

Contact information, browsing history, sales and subscription service information, such as name, address, email, phone number, purchase history, unique identifiers such as cookie IDs or device IDs, tracked browsing history based on these IDs, etc. Please be aware that this list is not exhaustive as we may process any personal information collected in connection with your interactions with our parent company, VELUX A/S, our websites, mobile applications, products, and services.

Based on your consent or legitimate interest, when applicable, we process your personal data for the purpose of informing you of VELUX business operations, products, and services. For the above purposes, we create marketing, tailored to your preferences and profile, e.g.: - To optimise and tailor the content and delivery of our marketing communications when you want to receive them, and - To give you tailored marketing based on your preferences and profile, both when engaging with us on our own channels as well as via third party channels (e.g., social media, search sites, marketplaces). If you do not wish to receive any further information, you can easily and free of charge unsubscribe from our marketing communication anytime. You will find ways to unsubscribe in connection with subscribing to or receiving marketing communication from us. You can also contact us by email or post to unsubscribe, see Section 8. For some marketing activities we act as joint controller with other VELUX companies and have entered into joint controller agreements dividing the roles and responsibilities between the VELUX companies.

GDPR - Article 6(1)(a)
GDPR – Article 6(1)(f)

Your participation in photos, video, testimonial and campaigns

If you have agreed to it and sent a photo to us or if your photo is taken by a photographer hired by us.

We will use the photo, testimonials etc. as described in the contract signed by you

GDPR – Article 6(1)(b) when the photo and testimonial is based on a contract with compensation, please note that you cannot exercise the right to have the photo corrected, erased/deleted.
GDPR – Article 6(1)(a) If the photo and testimonial is processed based on consent where you can exercise all rights specified under section 6 below.
GDPR – article 6(1)(f) if a photo or video is taken at an internal VELUX event or the like, and we only share the photos or video internally.

Website visitors, customer surveys and market research

Personal data from digital platforms or customers as part of surveys.

To improve the products and services we offer, we may collect personal data from digital platform visitors or customers as part of surveys. We will contact you with a survey and process personal data as part of surveys through either consent or legitimate interests. Surveys processing personal data for marketing purposes will be used only with your consent.

GDPR – Article 6(1)(a)
GDPR – Article 6(1)(f)

Recruitment and employment contracts

Name, contact details, working history, educational diplomas, relevant record checks, information about professional interests, etc.

When a person applies for a job or enters into an employment contract with us, we may collect certain information such as name, contact details, information about working history, educational diplomas, relevant record checks and information about professional interests. This may be collected from the person directly, from a recruitment consultant including references and publicly available sources. This information is used to inform or assist us in the decision as to make the person an offer of employment or engage the person under a contract. For further information please read our VELUX recruitment process privacy notice.

GDPR – Article 6(1)(b)
GDPR – Article 6(1)(f)

Compliance including anti-corruption, Whistleblower hotline and sanctions check

All types of personal information.

We may collect personal data to comply with the law, a court or authority’s decision and/or to disclose information to relevant public authorities as required or permitted by law.

GDPR – Article 6(1)(c)
GDPR – Article 6(1)(f)
GDPR – Article 9(2)(a)
GDPR – Article 9(2)(f)

 How do we collect your personal data

Directly from you

In most cases, personal data is collected directly from you or generated as part of the use of our services, products, and channels. We collect personal data you provide to us, when you request products, services, or information from us, register with us, participate in public forums, use a chatbot or other activities on our digital platforms and apps, respond to customer surveys, or otherwise interact with us. We collect information through various technologies, e.g., cookies. For cookies, we refer to our Cookie Policy - velux.com

From our business partners

In some cases, we can collect your personal data from our business partners, when they need our assistance to provide you with the best possible service.

From your public website

In some cases, we collect your personal data on your company websites, when we want to offer you our services.

Links to other websites

This website contains links to other websites (such as Facebook, Google+, YouTube, and Pinterest) to which this this Privacy Notice does not apply. Please note that we do not endorse other websites and their content. We encourage you to read the privacy policies of each website you visit.

 How long do we keep your personal data

We will only keep your personal information for as long as it is necessary for the purposes described in this Privacy Notice. This means that the retention periods will vary according to the type of the information and the reason that we have the information. Examples of retention time:

• Call recordings will be stored for a period of 90 days.
• Until you opt out of a marketing campaign, which you can do at any point in time.
• We will store the photo and testimonials for as long is necessary and as described in a contract.
• Personal data are kept until the end of a recruitment process or withdrawal of the consent (if given for future recruitments).
• For compliance with, e.g., anti-corruption regulations, we will keep the data accordingly to laws which we are obliged to comply with.

 Who do we share your personal data with

Our company is a part of the VELUX Group, which operates globally. We share your personal information within the VELUX Group, but only if it is necessary to fulfil the purpose for which we are processing your personal data. All entities in the VELUX Group have entered into an Intercompany Data Processing Agreement and/or joined agreement where everyone follows the same procedures when processing personal data, ensuring that the same level of security is maintained throughout the Group; dividing the roles and responsibilities between the VELUX companies. If two or more companies act as joint controllers, each of the joint controllers is obliged to independently:

• Be the first contact for you.
• Fulfil the information obligations referred to in Articles 13 and 14 of the GDPR.
• Exercise your rights provided in Articles 15-22 of the GDPR.
• Deal with privacy breach Notices and privacy complaints.

We may also share your personal data with selected third parties, including but not limited to:

• Business partners, suppliers, and sub-contractors that we cooperate with to deliver you the best services during the support and sales process, including, for example, logistic providers and outsourced customer services.
• Technology providers, for example, analytics, tracking technologies, targeting and re-targeting technologies, and search engine providers that assist us in the improvement and optimisation of our platforms, as well as companies who provide us with website support and hosting.
• Advertisers and advertising networks that use data to select and serve relevant adverts to you and others if you have given your consent. · Social networking sites such as Facebook, Instagram, and Google, if required, when processing for marketing purposes and based on your consent.
• With other parties to ensure the safety and security of our customers, to protect our rights and property, to comply with legal processes, or in other cases if we believe in good faith that disclosure is required by law.
• VELUX Group companies or third parties who operate digital platforms and tools on behalf of our company to provide services connected with our activities (e.g., points collection programs, cashback campaigns, sweepstakes, and training). When we cooperate with external service providers, we enter into a data processing agreement, if relevant. These service providers are prohibited from using your personal data for purposes other than those requested by us or required by law.

Transfer to third countries

In some cases, we may also transfer personal data to companies in so-called ‘third countries’, which are countries outside of the European Economic Area. If we do so, we make sure we safeguard data, and only transfer if one of the following conditions apply:

• there is an adequate level of protection in the country in question, as determined by the European Commission,
• the company is certified under the EU - U.S. Data Privacy Framework, or
• we use standard contractual clauses (EU model-clauses) approved by the European Commission and additional supplementary measures to regulate the data transfer.

 Data security

The security, integrity, and confidentiality of your personal data is important to us. We have implemented technical, administrative, and physical security measures that are designed to protect your personal data from unauthorised access, disclosure, use, and modification. From time to time, we review our security procedures to consider appropriate recent technologies and methods. Please be aware that despite our best efforts, no security measures are perfect or impenetrable.

 Your privacy rights

The GDPR provides you, as the data subject, with the following rights in respect of the personal data we store about you:

Your rights

Legal basis

Elaboration

Access to your data

GDPR article 15

You have the right to request information about whether VELUX processes personal data relating to you, and if so, you have the right to request a copy of the personal data we have processed.

Request rectification

GDPR article 16

At any time, you have the right to request correction of any incorrect or incomplete personal data we may process on you.

Request erasure

GDPR article 17

You have the right to request deletion of your personal data depending on the processing activity, and under certain circumstances, before we would normally be obligated to cease processing.

Request restriction of processing

GDPR article 18

You have the right to request the restriction of processing which means that you can request that VELUX restricts the use of your personal data in certain circumstances.

Data portability

GDPR article 20

Under certain conditions, you have the right to receive the personal data you provided to us in a machine-readable format.

Right to object

GDPR – article 21

If you are not satisfied with how we process personal data in VELUX, you can send your objections to privacy@velux.com. If a complaint is made, the name and contact details of the complainant must be provided to VELUX.

If you have any questions regarding the specific personal data we process or retain about you, or if you want to exercise your rights, please contact privacy@velux.com

We will respond to your request to exercise any of your rights within one month, but we have the right to extend this period by two months. If we extend the response period, we will inform you within one month of your request. If you consider that we have failed to resolve the complaint satisfactorily, you may file a complaint to your local Data Protection Agency. You can find the contact details of your national Data Protection Agency on the European Data Protection Board website: www.edpb.europa.eu.

 Changes to this VELUX Privacy Notice

From time to time, we may change this Privacy Notice to accommodate the latest technologies, industry practices, regulatory requirements, or for other purposes. At all times, we will post the most recent version on our digital platforms. We advise you to read the Privacy Notice regularly.

This Privacy Notice was last updated: 01-06-2023