Nordic Privacy Statement
- About Nordic Consulting Partners, Inc.
Nordic Consulting Partners, Inc. (hereinafter: "Nordic", "we", "us" or "our") is an international consulting firm dedicated to the provision of healthcare IT services, staffing, advisory consulting, and managed services focused on a stronger business with better patient outcomes.
- Purpose of this Statement
Nordic is committed to protecting your personal information (called Personal Data under applicable data protection laws and in this Statement) and respecting your privacy and your rights. This Privacy Statement is intended to explain how and why Nordic processes personal data that we collect from or that are provided to us by people and organisations with whom we have contact as part of our business activities, including through our website, www.nordicglobal.com, or our careers portal, www.nordic.wd1.myworkdayjobs.com.
- To which services and activities does this Privacy Statement apply?
This Privacy Statement applies to our processing of your personal data as our (potential) client, candidate or employee, business partner, or visitor in relation to all your interactions with our website, services, marketing and other activities or topics included in this Privacy Statement. The personal data we collect and process of you depends on your choices and interactions with us. For certain activities we created supplementary Privacy Statements to better tailor the information to your specific choices or activity.
- Nordic as a Data Controller
A Data Controller is the legal entity which determines how and why personal data is collected and used.
Nordic’s Head Office is located at 2601 West Beltline Hwy, Suite 600, Madison WI, 53713, USA.
Nordic’s European Office is located at 7 Riverwalk, Citywest, Dublin 24, D24 H2CE.
- What personal data do we collect?
For the purposes of this Statement, ‘Personal Data’ means any personal data about you from which you can be identified, whether derived from that information on its own or when combined with other information, that we or another party may hold about you.
Depending on the nature of your interaction with us, the personal data we may collect could include:
- Full name, language, current job title/position and company name.
- Corporate contact details (e.g., telephone numbers, email, and company address).
- Correspondence with you including personal data about your questions, complaints, or disputes.
- Other personal data relevant for the provision of the requested services.
- Collecting personal data from prospective, current or former employees of Nordic (e.g., Qualifications and career history; Contact information such as home addresses and who to contact in an emergency involving existing employees; Rewards and benefits information, including so that we can manage pension obligations for former employees and their beneficiaries; Special category Personal Data, for example on illness or disability).
- Collecting data from publicly available Sanction Lists related to employees, Contractors or entities to verify that they are not listed as debarred, excluded or ineligible for participation in their profession.
- Collecting personal data about you from a third party who is authorized to act on your behalf or from third party services that you use to interact with our services.
- We may also collect your personal data from other sources such as public databases, marketing partners, and social media platforms, to the extent permitted by applicable laws.
- Other personal data that you voluntarily provide to us.
- In addition, this may include personal data about your computer and about your visits to and usage of our website, such as your Internet Protocol (IP) address, your computer’s operating system and browser type, and personal data collected via cookies.
If you provide us with any personal data relating to other individuals, you represent that you have the authority to do so and, where required, you have obtained any necessary consent. It is your responsibility to ensure that the person concerned is aware of the content of this Privacy Statement and you acknowledge that this personal data may be used in accordance with this Privacy Statement.
- How do we obtain your personal data?
We obtain your personal data from the following sources:
- Personal data that you provide to us.
- Business contacts.
- Third parties engaged by Nordic.
- Internet or social media.
- Publicly available databases.
When you visit our website, we, or our partners, may automatically collect personal data from your device or web browser which may include personal data by using cookies or similar technologies such as web beacons. For more information about cookies, the personal data collected via cookies, and how we use such information, please read our cookie statement.
- Why do we process your personal data and what are the legal grounds for processing your personal data?
We may use your personal data for the following purposes, based on one or more of the following legal bases:
| Purposes | Legal Basis |
| --- | --- |
| 1. To provide you with the requested services.<br>2. To manage our relationship with you and to respond to your questions or complaints and internal administration.<br>3. Nordic will not knowingly employ, contract or bill for any individual, Contractors or entities that have been listed as debarred, excluded or ineligible for participation in their profession and carries out sanction screening activities for verification purposes from publicly available Sanction Lists. | Performance of a contract: The processing is necessary for the performance of a contract to which you (or the company you represent) are a party or to take steps at your request prior to entering into a contract.<br>Legitimate interests: The processing is necessary for legitimate interests pursued by us. We have taken your privacy interests into account in the processing; therefore, when balancing these interests, our legitimate business interests prevail to the extent that they would conflict.<br>Legal obligations: The processing is necessary to comply with our legal and regulatory obligations such as responding to investigations by regulatory bodies. |
| 3. For marketing activities such as organizing events and creating and publishing content on topics that are of interest to our (potential) clients and keep interested parties informed of our services, events and publications.<br>4. Collection and analysis of information, which includes surveys in order to improve the quality of, develop, and enhance our services.<br>5. To optimize our website, diagnose and resolve technical issues.<br>6. To exercise or defend claims. | Legitimate interests: The processing for these purposes is necessary for legitimate interests pursued by us. We have taken your privacy interests into account in the processing; therefore, when balancing these interests, our legitimate business interests prevail to the extent that they would conflict.<br>Consent: If required, we request your consent for the processing of your personal data. You can withdraw your consent at any time, by clicking the opt-out link in our emails and notifications, or by contacting us via the contact details provided in this Privacy Statement. Withdrawing your consent will not affect the lawfulness of our use of your personal data before your withdrawal. |
| 7. To manage our relationship with you as a prospective, current or former employee. | Legitimate interests: In order to consider applications for employment at Nordic. Supporting existing employees in the development of their career.<br>Performance of a Contract: Paying salaries and other employment benefits. Administration of pension schemes for current and former employees and their beneficiaries.<br>Comply with Legal Obligations: Meeting health and safety or employment obligations.<br>Consent: Where we process special category Personal Data, for example on illness, disability or dietary requirements. |
| 8. To comply with legal or regulatory obligations and orders including court orders or legal proceedings. | Legal obligations: Processing is necessary to comply with our legal and regulatory obligations for administrative, accounting and tax purposes, or if we are compelled to provide information to a government authority or law enforcement agency. |
- What personal data do we use for which purposes?
Below, we specify, for each category of personal data that we may process about you (Section 5, What personal data do we collect?), the purpose(s) for which we may process this information. The numbers refer to the numbers of the purposes as stated above.
We process the personal data that we collect for the following purposes:
Full name, gender, language, current job title/position and company name.
We may process this information for purposes: 1-4, 6, 8.
Corporate contact details (e.g., telephone numbers, email, and company address).
We may process this information for purposes: 1-4, 6, 8.
Correspondence with you including information about your questions, complaints, or disputes.
We may process this information for purposes: 1-6, 8.
Other information relevant for the provision of the requested services.
We may process this information for purposes: 1-6, 8.
Collecting personal data from prospective, current or former employees.
We may process this information for purposes: 6-8.
Collecting data related to employees, Contractors or entities to verify that they are not listed as debarred, excluded or ineligible for participation in their profession.
We may process this information for purposes: 7.
Personal data from other sources such as public databases, marketing partners, and social media platforms.
We may process this information for purposes: 1-6, 8.
Other information that you voluntarily provide to us.
We may process this information for purposes: 1-6, 8.
Personal data about your computer and about your visits to and usage of our website.
We may process this information for purposes: 5.
- Who will have access to your personal data?
Nordic is a global organisation so your personal data may be transferred for any of the above stated purposes to a different global location. These transfers will be undertaken in compliance with applicable law(s) and regulation(s).
Your personal data will be processed by persons working for or on behalf of Nordic on a need-to-know basis for the purposes described in this Privacy Statement. We may further share your personal data with the following types of entities for the following purposes:
Our affiliates that are jointly responsible for the processing of your personal data as a relevant data controller for the purposes and under the conditions as described in this Privacy Statement. These are:
- Healthtech, Inc., based in Canada.
- Tasman Global Holdings B.V., including its affiliates.
Where personal data is transferred to our affiliates within the group, we use an intra-group data agreement to ensure that your personal data is protected. Nordic Consulting Partners, Inc. will remain the data controller and your main point of contact for the processing of your personal data.
Service providers and their sub-contractors who process your personal data on our behalf, acting as a data processor or respectively as a sub processor, such as for providing hosting services. We conclude appropriate data processor agreements in line with the applicable data protection laws.
Other third parties to the extent necessary to: (i) comply with a request from a government authority or law enforcement agency, a court order or applicable law; (ii) to prevent violations of our agreements and our policies; (iii) to defend ourselves against claims or when you have provided your consent.
If we sell or transfer all or a portion of our business or assets (including in the event of a reorganization, dissolution, or liquidation) we may also transfer your personal data.
- How do we transfer your personal data outside the EEA and UK?
The processing of your personal data for the purposes described in this Privacy Statement may entail the transfer of your personal data within the group to our affiliates or to selected service providers or other third parties that are located outside the European Economic Area (EEA) and/or United Kingdom (UK).
Your personal data may be stored on servers outside the EEA. When your personal data are transferred to or are accessed from countries outside of the EEA, we are required to ensure that your personal data is subject to an equivalent level of protection as it would receive within the EEA and UK. We take the necessary steps to ensure that your data is kept securely and handled in accordance with this Privacy Statement and applicable laws.
Transfers to third countries based on Standard Contractual Clauses of the European Commission and UK addendum.
We transfer personal data to countries that are not considered to provide an adequate level of protection according to UK and EU data protection laws. When we do so, we take appropriate (supplemental) safeguards to ensure an equivalent level of data protection by concluding the Standard Contractual Clauses approved by the European Commission with the receiving party located in such third country in accordance with article 46.2(c) of the General Data Protection Regulation (GDPR) along with the UK addendum to the same.
- How long do we retain your personal data?
We will not retain your personal data longer than necessary in relation to the purposes for which the data are processed, unless otherwise required or permitted by law. After expiration of the retention period, your personal data will be deleted. This means that:
- Personal data obtained based on your consent will no longer be retained after you withdraw your consent. To the extent necessary, we do retain information to prove that the previous processing activities were based on valid consent.
- If we are unable to completely delete the personal data from our systems, we will ensure that there are appropriate measures in place to secure the information and protect it from further use.
- How do we protect your personal data?
We are committed to ensuring that your personal data is kept secure. We use a variety of physical, technical, and organizational measures to maintain the safety of your personal data. Some of the technical and organizational measures taken by us include:
Technical security measures:
- Logical and physical security equipment (e.g., safe, firewall, network segmentation).
- Technical control of the authorizations and keeping log files.
- Management of the technical vulnerabilities (patch management).
- Making back-ups to safeguard availability and accessibility of the personal data.
- Modern encryption of connections and certain equipment is in place and monitored.
- Using multi-factor authentication for certain systems.
Organizational security measures:
- Assignment of responsibilities for information security.
- Promotion of security awareness among new and existing employees.
- Establishment of procedures to monitor, test, assess and evaluate security measures periodically.
- Checking and monitoring of log files done regularly.
- Implementation of a protocol for the handling of data breaches and security incidents.
- Implementation of least privilege practices to ensure only the people in the organization who need to see the data are allowed to access it.
- Your rights
If you are a data subject under GDPR or other applicable laws, you have certain rights concerning our processing of your personal data. You can:
- Request access to your personal data held by us: You can ask us whether we process your personal data and, if so, to provide you with a copy of that personal data.
- Request us to rectify or complete your personal data: If you believe the personal data we process about you is inaccurate or incomplete, you can ask us to rectify it.
- Request us to erase certain personal data: You can ask us to delete or remove your personal data in some circumstances.
- Request us to restrict the processing of your personal data: You can ask us to restrict the processing of your personal data in some circumstances, such as when you contest the accuracy of the personal data.
- Object to our processing of your personal data: You can object to our processing of your personal data and ask us to suspend such processing at any time if we rely on our own or someone else’s legitimate interests to process your personal data or where we process your personal data for direct marketing purposes. When we rely on legitimate interests, we may continue processing your personal data if we can demonstrate compelling legitimate grounds, which we will consider on an individual basis. Where you object to our processing for direct marketing purposes, we will no longer process your personal data for such purposes.
- Request not to be subject to automated decisions, including profiling: You have the right not to be subject to a decision based solely on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you.
- Request to port your personal data: You have the right, in certain circumstances, to obtain personal data you have provided to us (in a structured, commonly used, and machine-readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
- Request to withdraw your consent: If we rely on your consent for processing your personal data, you have the right to withdraw that consent at any time. Such withdrawal will not affect the lawfulness of the processing before you withdrew your consent.
- Lodge a complaint with a supervisory authority: If you have a concern about the way we have handled your personal data, you can lodge a complaint with your local supervisory authority.
You may send us a request using the information below. We will handle your request carefully and in line with the applicable data protection rules. We will respond to you without undue delay and at the latest within one month of receipt of your request in line with the applicable data protection rules. We may request that you provide proof of your identity for security reasons and in order to prevent the unauthorised disclosure or misuse of Personal Data. If, after contacting us, you are still not satisfied with our response, you have the right to lodge a complaint with the Data Protection Commission. Please see www.dataprotection.ie for more on this.
- How can you contact us?
We welcome any questions, comments, or concerns regarding our processing of your personal data and/or our privacy practices. If you have any questions, or wish to exercise your privacy rights, please contact us by using the following contact details:
If you are located in the United States or Canada, please contact:
Nordic Consulting Partners Inc.
2601 West Beltline Hwy, Suite 600, Madison WI, 53713, USA
Attn: Privacy Officer
Email: dataprivacyoffice@nordicglobal.com
If you are located in the European Union, please contact:
Nordic Consulting Partners Inc.
7 Riverwalk, Citywest, Dublin 24, D24 H2CE
Attn: Data Protection Officer
Email: dataprivacyoffice@nordicglobal.com
- Changes to this General Privacy Statement
This Privacy Statement complies with HIPAA, GDPR, CCPA, and other applicable laws. Applicable laws and our practices may change over time. This Privacy Statement may be updated to reflect such changes. We recommend that you regularly review this Privacy Statement; where required by law, we will provide you with notice of such updates.
Reviewed and updated: September 9, 2024
Data Privacy Framework Notice
Nordic Consulting Group Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Nordic Consulting Group Inc. has certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Nordic Consulting Group Inc. has certified to the U.S. Department of Commerce that they adhere to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Nordic Consulting Group Inc. commits to resolve DPF Principles-related complaints about the collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding the handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Nordic Consulting Group Inc. at: dataprivacyoffice@nordicglobal.com
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Nordic Consulting Group Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning the handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
The Federal Trade Commission has jurisdiction over Nordic Consulting Group Inc.'s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In certain situations, Nordic Consulting Group Inc. may be required to disclose personal data in response to lawful requests received from public authorities, including to meet national security or law enforcement requirements.
Nordic Consulting Group Inc. is responsible for the processing of personal data they receive under the DPF and subsequently transfer to a third party acting as an agent on its behalf. Nordic Consulting Group Inc. complies with the DPF Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions.
For complaints regarding DPF compliance not resolved by any of the other DPF mechanisms, individuals have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website.