We use cookies to give you the best online experience. By using our website, you agree to our use of cookies in accordance with our Privacy Policy.

Privacy Policy – Bramidan Certify 

 

1. Introduction


This Privacy Policy describes how Bramidan A/S processes personal data in connection with the use of the BRAMIDAN Certify platform.

BRAMIDAN Certify is a digital training and documentation platform designed for machine operators.

Bramidan processes personal data in accordance with applicable data protection legislation, including Regulation (EU) 2016/679 (GDPR).
 

2. Roles and Responsibilities

For the purposes of applicable data protection legislation:

The Customer (employer) acts as Data Controller
Bramidan A/S acts as Data Processor

Bramidan processes personal data solely on behalf of and in accordance with the documented instructions of the Customer.

Processing is governed by a Data Processing Agreement (DPA) entered into between Bramidan and the Customer. The DPA forms an integral part of the contractual relationship. In case of conflict, the DPA shall prevail with respect to personal data processing. This Privacy Policy is provided for transparency purposes only and does not in itself constitute a Data Processing Agreement or regulate the detailed obligations between the parties.

3. Categories of Personal Data

The platform processes the following categories of personal data:

  • Identification data (e.g. name, employee ID, email)
  • User account data (e.g. login credentials, roles, access rights)
  • Training data (e.g. course completion, certification status, timestamps)
  • Usage data (limited to system logs necessary for security, access control, and technical troubleshooting, including login timestamps and access events)

4. Purpose of Processing

Personal data is processed strictly and exclusively for the following limited purposes, as defined by the Customer:

  • Administration of user access
  • Delivery of training content
  • Documentation of completed training
  • Generation of certificates
  • Platform security, including logging strictly limited to security monitoring and access control purposes
  • Platform support strictly limited to technical troubleshooting and resolution of platform-related issues, as instructed by the Customer

The platform serves solely as a documentation and support tool and does not replace employer responsibilities.

4A. Data Quality and Responsibility

The Customer is responsible for ensuring that all personal data entered into the platform is accurate, relevant, and limited to what is necessary.

Bramidan does not verify the correctness or completeness of the personal data provided and accepts no responsibility for inaccuracies in such data.

5. Legal Basis

The legal basis for the processing of personal data is determined solely by the Customer in its capacity as Data Controller.

Bramidan A/S:

  • processes personal data exclusively on documented instructions from the Customer
  • does not independently determine the purposes or means of processing
  • does not rely on or establish any legal basis under Article 6 GDPR

Any reference to legal bases for processing, including but not limited to Article 6(1)(b), (c), or (f), is solely the responsibility of the Customer.

Bramidan shall not use personal data for its own purposes, including analytics, profiling, or product development, unless explicitly agreed in writing.

6. Data Retention

Personal data is retained only for as long as necessary to fulfil the purposes defined by the Customer and in accordance with applicable law.

Retention periods may be modified based on documented instructions from the Customer.

Unless otherwise instructed by the Customer, the following default retention periods apply:

  • User accounts are retained for the duration of the user account and up to 12 months after deactivation, to allow for reactivation and audit traceability
  • Training and certification data are retained for up to 5 years after completion, to support documentation of training and compliance with workplace and regulatory requirements
  • Log and usage data is retained for 12 months for security monitoring, incident investigation, and system integrity
  • Backup data are retained in rolling backups not exceeding 30 days

Upon termination of the agreement:

  • personal data will be deleted within 30 days, or
  • returned to the Customer upon request

unless retention is required by law or explicitly instructed by the Customer. The Customer may at any time instruct deletion or return of personal data prior to the default retention periods.

7. Disclosure and Transfers

Bramidan may engage sub-processors for the delivery, hosting, maintenance, and support of the platform. Sub-processors are engaged subject to prior general or specific authorization from the Customer as set out in the DPA.

  • All sub-processors are subject to written data processing agreements
  • Sub-processors are bound to implement appropriate technical and organizational security measures
  • Bramidan remains fully responsible for its sub-processors

Transfers of personal data outside the EU/EEA:

  • will only take place where an adequate level of protection is ensured
  • are based on appropriate safeguards, including Standard Contractual Clauses where applicable

A current list of sub-processors is maintained and made available to Customers in the DPA.

8. Security Measures

Bramidan implements appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with the processing taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing

These measures include, as relevant:

  • Role-based access control and authentication
  • Segregation of customer data
  • Logging and monitoring of system activity
  • Secure communication (TLS)
  • Backup and recovery procedures
  • Ongoing system maintenance and security updates

Overall Bramidan will maintain a level at least equivalent to CIS18 IG1 as a baseline, supplemented by additional relevant controls based on risk assessment as stated in the DPA.

Security measures are continuously assessed and updated based on risk, technological development, and industry standards.

Further details are provided in the DPA.

9. Data Subject Rights

Data subjects have rights under GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

Requests relating to personal data must be directed to the Customer as Data Controller.

Bramidan shall:

  • assist the Customer in responding to such requests
  • implement appropriate technical measures to support the exercise of rights

Bramidan will not respond directly to data subjects unless instructed by the Customer or required by law.

10. Breach Notification

In the event of a personal data breach, Bramidan shall

  • notify the Customer without undue delay after becoming aware of the breach
  • provide relevant information necessary for the Customer to assess and fulfil its GDPR obligations including, where available:

- the nature of the breach 

- categories and approximate number of data subjects affected 

- likely consequences of the breach

Bramidan shall cooperate with the Customer in:

  • investigating the incident
  • mitigating potential impacts
  • supporting notification to supervisory authorities and data subjects where required

11. Changes

This Privacy Policy may be updated to reflect:

  • changes in applicable legislation
  • changes to the platform or processing activities
  • contractual or operational requirements

Material changes will be communicated to Customers where relevant.

The latest version will always be made available via the platform.

12. Contact

Bramidan A/S
Industrivej 69
DK-6740 Bramming
Email: bra-in@bramidan.com