1. Introduction
This policy describes how data ethics is considered and included in the use of data and design and implementation of technologies, especially new technologies (see section 4 below), used for pro-cessing of data at the Fritz Hansen Group. The policy applies in all aspects of processing of data whether the data enables identification of a natural person (“personal data”) or not.
2. Principles for data ethics
2.1 When the Fritz Hansen Group processes data or designs, purchases or implements technolo-gies, especially new technologies, for processing of data, the principles for data ethics de-scribed below must be assessed and included in the considerations during the design pro-cess and/or prior to the purchase or implementation of the processing activity or the technology used for the processing of data.
• Necessity
Only data which is necessary to fulfill the purpose of the processing activity shall be collect-ed and processed. For example, it shall be considered whether it is possible to achieve the purpose of the processing with anonymised data instead of personal data.
• Legality
The processing of data shall, at all times, comply with applicable legislation. For example, the processing of personal data requires a specific legal basis according to the General Data Protection Regulation (“GDPR”).
• Ethical design
Technologies for the processing of data, especially new technologies, shall be designed to respect principles of data ethics, including the principles laid down in this policy and the gen-eral processing principles as laid down in the GDPR. For example, technologies shall be de-signed to ensure correct and timely deletion of personal data in accordance with the Fritz Hansen Group’s retention periods.
• Consequences
The consequences of the processing activity and the technology used for the processing ac-tivity shall be considered, especially where new technology is used for the processing of personal data. In such case, the consequences for the individuals, both on short term and long term, shall be considered.
• Expectations
Data shall be processed in ways that are consistent with the intentions, expectations and un-derstanding of the disclosing party. For example, personal data may not be processed for new purposes which are incompatible with the purposes for which the personal data was orig-inally collected.
• Security
A sufficient level of security shall be implemented in and around technologies used for pro-cessing of data. The security measures shall include technical as well as organisational measures, and the sufficient level of security shall be assessed based on a risk assessment of the specific processing activity and the technology used for the processing of data.
• Transparency
Data shall always be processed in a way which ensures transparency, especially where algo-rithms are used for the processing. Furthermore, when the processing activity includes auto-mated decision making for decisions which have legal or similarly significant effects, the re-sults shall be subject to human review.
• Respect for human rights
Processing of data and the design of technologies used for processing of data shall ensure that human rights are respected. For example, processing of data or use of technologies for the processing of data may not be biased with a risk of discrimination, marginalisation or stigmatisation against individuals.
• Proportionality
Data shall be used only for purposes which are proportional taking into account the rights of the individuals, including the right of privacy. Thus, a proportionality assessment shall always be carried out before beginning new processing activities or implementing or designing tech-nologies for the processing of data. If the proportionality assessment shows that the pro-cessing is not proportional, the processing activity may not be initiated.
• Accountability
The Fritz Hansen Group shall be able to demonstrate that this policy is complied with. Thus, the considerations relating to these principles for data ethics shall be documented in relation to all processing activities, designs or choice of technologies.
Furthermore, the Fritz Hansen Group shall conduct and document reviews of use of data and this data ethics policy to ensure continuous compliance with this policy in accordance with section 6.3 and 7 below.
3. Use of data
3.1 The Fritz Hansen Group is primarily focused on business to business relationships which entails that the group is primarily in possession of business to business information, includ-ing contact information regarding contact persons with business partners. The group is, how-ever, also in possession of a limited amount of regular personal data concerning consumers, which primarily relates to product guarantees (“My Fritz Hansen”).
3.2 The Fritz Hansen Group does not buy or sell data from or to third parties. Any disclosure of data to third parties is subject to careful considerations of the purposes and justification of such disclosure.
3.3 The Fritz Hansen Group works with consideration to protection and respectful use of data in all aspects of the group’s activities. As such, the individual whose data is used or whose be-havior the Fritz Hansen Group aims to impact by the use of data must always be at focus when the Fritz Hansen Group uses data or plans new activities involving use of data.
3.4 Employees enjoy extra protection when it comes to use of data. Because of this, the Fritz Hansen Group shows extra consideration in relation to use of such data, especially the pur-poses and necessity of the use of data as well as the consequences for the employees.
3.5 Any intended use of data for new activities shall be subject to careful consideration of the principles set out in section 2 of this policy. Prior to the implementation of any new activities which involve use of data, the Fritz Hansen Group assesses whether compliance with the principles set out in section 2 is possible with regard to the new activity.
3.6 The Fritz Hansen Group documents the assessments made pursuant to section 3.5 of this policy in relation to all new activities which involve use of data. The department which imple-ments the new activity is responsible for ensuring that such assessment is conducted and documented.
3.7 The Fritz Hansen Group’s data privacy manager reviews and updates assessments of the Fritz Hansen Group’s use of data pursuant to this policy on a regular basis.
4. Use of new technology and profiling
4.1 The Fritz Hansen Group does not use new technology, nor does the Group use profiling.
4.2 Any intended use of new technology, such as artificial intelligence, or profiling shall be sub-ject to careful consideration with regard to protection and respectful use of data in accord-ance with the principles set out in section 2 of this policy. As such, the individual whose data is used or whose behavior the Fritz Hansen Group seeks to impact by the use of data must always be at focus when the Fritz Hansen Group uses or plans on using new technologies or profiling.
4.3 Approval of use of new technology and profiling
4.3.1 Use of new technology or profiling is subject to the Fritz Hansen Digital Strategy Committee’s approval. New technology or profiling may under no circumstances be implemented without the prior written approval of the Digital Strategy Committee.
4.3.2 Where the Fritz Hansen Group wishes to implement new technologies or profiling, a thorough assessment of the possibilities of ensuring compliance with the principles set out in section 2 of this policy must be conducted and documented. The assessment shall be handed in to the Digital Strategy Committee along with the following information:
• A brief description of the solution which the Fritz Hansen Group wishes to implement, including the characteristics of the solution
• A description of the purposes for the use of the solution
• A description of the types of data, which is to be used in relation to the solution, in-cluding where such data originates from
• A description of the categories of individuals who will or may be affected by the Fritz Hansen Group’s use of the solution (whether it be individuals whose data is subject to processing by use of the solution or individuals whose behaviour the Fritz Hansen Group wishes to impact by using the solution etc.)
4.3.3 The Digital Strategy Committee reviews the information received in accordance with section 4.3.2. and decides whether the solution shall be approved. The Digital Strategy Committee documents its assessment and decision.
4.4 Changes in use of new technology and profiling
4.4.1 Where the Fritz Hansen Group wishes to implement changes to the use of new technologies or profiling, a thorough assessment of the compliance with the principles set out in section 2 of this policy must be conducted and documented in relation to the intended changes.
4.4.2 Any intended changes to the use of new technologies or profiling in the Fritz Hansen Group is subject to approval by the Digital Strategy Committee in accordance with the approval pro-cedure set out in section 4.3.
4.5 Once every year the Digital Strategy Committee reviews and updates all assessments of the Fritz Hansen Group’s use of new technology and profiling.
5. Training of employees
5.1 The Fritz Hansen Group ensures that employees who, as a part of their job with the Fritz Han-sen Group, use data or are engaged in designing, purchasing or implementing technologies for the use of data, receive training in the principles for data ethics described in section 2 above, and in complying with this policy, on a regular basis.
5.2 If the Fritz Hansen Group finds that certain employees need additional training or more fre-quent training than described above in section 5.1, the Fritz Hansen Group ensures that such employees receive the training deemed necessary to ensure compliance with this policy.
5.3 The Fritz Hansen Group ensures that this policy is available to employees with the purpose of ensuring the employees’ access to the applicable principles for data ethics for the Fritz Han-sen Group.
6. Decisions
6.1 Decisions regarding the Fritz Hansen Group’s use of data, including design, purchase or im-plementation of regular technologies for use of data, pursuant to section 3 of this policy are made by the relevant managers in each department.
6.2 Decisions regarding the Fritz Hansen Group’s use of new technologies, e.g. artificial intelli-gence, and profiling, including for which purposes such technologies may be used, pursuant to section 4 of this policy, are made by the Digital Strategy Committee, which consists of the CFO, CSO and head of marketing and IT. Submissions for the Digital Strategy Committee’s approval must be made in accordance with the procedure set out in section 4.3.
6.3 The Fritz Hansen Group has appointed a Group General Counsel which is responsible for and oversees The Fritz Hansen Group’s compliance, including compliance with data ethics and this policy. The Group General Counsel assists the Digital Strategy Committee with the Fritz Hansen Group’s tasks pursuant to this policy and conducts regular audits with the Fritz Han-sen Group’s compliance with this policy.
7. Evaluation
7.1 Dilemmas in the field of data ethics within the Fritz Hansen Group shall be discussed and assessed by the Digital Strategy Committee whenever such dilemmas arise.
7.2 At least once every year the Fritz Hansen Group evaluates efforts, actions and policies of the Fritz Hansen Group in the field of data ethics, including in relation to the use of new technol-ogy and profiling. Such evaluation shall include an assessment of whether it is necessary or appropriate to make any changes to this policy or relevant procedures of the Fritz Hansen Group.
8. Questions
8.1 Any questions regarding this policy or data ethics may be addressed to Fritz Hansen Group’s Group General Counsel.
Last updated: 3 January 2022