Vinder af MyImage-analysen for sjette år i træk
Vinder af MyImage-analysen for sjette år i træk

Privacy policy

Privacy Policy &Co.

November 2025

Version 0.1

1. WHY DID WE CREATE THIS PRIVACY POLICY?

ANDCO A/S (“&Co”, ”we” and “us”) gives high priority to confidentiality and data security. This privacy policy applies to our processing of personal data as data controller and establishes guidelines for the way &Co. processes your personal data.

This privacy policy provides you with the information that you are entitled to receive under applicable data protection laws.

You should read the privacy policy before you hand over your personal data to &Co.

2. DATA CONTROLLER AND CONTACT INFORMATION

The data controller of your personal data is:

ANDCO A/S
CVR no.: 21 70 55 35
Adelgade 12, 4.
1304 Copenhagen K
+45 33 46 33 00
GDPR@andco.dk

3. DATA CONTROLLER OR DATA PROCESSOR

&Co. acts as data controller for your personal data pursuant to this privacy policy.

For the purpose of providing services to our customers, &Co. also acts as a data processor. The scope of the data processing activities &Co. will carry out as data processor is described in the data processing agreement entered into between the customer as data controller and &Co. as data processor.

4. FROM WHERE DO WE COLLECT PERSONAL DATA ABOUT YOU?

&Co. may potentially collect and process personal data about you from the following sources:

  • Directly from you.
  • From your employer if you are an employee of our customer, business partner or supplier.
  • From public websites and social media platforms when we are creating a database for relevant contact persons in relation to future lectures, assignments, conferences, and other events. 

5. PURPOSE, TYPES OF PERSONAL DATA, LEGAL BASIS, AND DELETION

&Co.’s processing of personal data will depend on the customer agreement, your interaction, consents given, and behaviour. Therefore, you should start by reading the below sections "Which persons are covered?" to clarify whether the processing activity, the purposes in question, types of personal data, legal bases and deletion deadlines are relevant to you:

5.1: Processing activity: customer agreements

  • 5.1a Which persons are covered?:
    - Employees of customers.
  • 5.1b For what purposes is the personal data used?
    - Enter into customer agreements and complying with customer agreements.
  • 5.1c What types of personal data are used?
    - Name, e-mail, phone number, work address, position, role services your company has purchased and signature.
  • 5.1d What is the legal basis for the processing?
    - Our legal basis for processing personal data is entering into a contract and complying with the contract (Article 6(1)(b) of the GDPR).
  • - It can also be our legitimate interest in being able to comply with the contract entered into with your employer (Article 6(1)(f) of the GDPR).
  • 5.1f When will the personal data be deleted?
    - 5 years from last contact.

5.2: Processing activity: phone marketing

  • 5.2a Which persons are covered?:
    - Contact persons of customers.
  • 5.2b For what purposes is the personal data used?
    - Marketing and &Co.’s services.
  • 5.2c What types of personal data are used?
    - Name, position, phone number and profession.
  • 5.2d What is the legal basis for the processing?
    - Our basis for processing personal data is our legitimate interest in being able to sell our services (Article 6(1)(f) of the GDPR).
  • 5.2e When will the personal data be deleted?
    - 5 years from last contact.

5.3: Processing activity: film production

  • 5.3a Which persons are covered?:
    - Talents/participants (cast, extras and models)
    - Potentially also parent or guardian of persons under the age of 13.
    - Third-party rights holders, such as music, voice-over recordings, and stock material.
  • 5.3b For what purposes is the personal data used?
    - Cast, extras and models are used in film production.
    - For paying the agreed fee.
  • 5.3c What types of personal data are used?
    - Name, address, e-mail, phone number, pictures, and videos, other relevant information voluntarily provided by the talent (such as personal stories) as well as social registration number in some cases.
    - Financial information, such as bank account numbers, as well as personal information, such as age and gender.
    - Sensitive personal data, such as trade union membership and health information, may also be processed in some cases.
    - Information about criminal offences, such as a criminal record certificate, will sometimes be processed.
    - If the model is under 13, the social registration number and contact details of the parent or guardian will be obtained.
  • 5.3d What is the legal basis for the processing?
    - A talents/participant’s contract (Article 6(1)(b) of the GDPR) forms the legal basis for the processing of general personal data, including contact details, pictures, videos, financial information (e.g. bank account numbers), and other personal information (e.g. age and gender).
    - Sensitive personal data, such as trade union membership and health information, will be processed in accordance with Article 9(2)(a) of the GDPR (consent).
    - Information about criminal offences, such as a criminal record certificate, will always be processed in accordance with section 8(3) of the Danish Data Protection Act (consent).
    - Social registration number for the purpose of tax purposes will be processed based on section 11(2)(1) of the Danish Data Protection Act.
    - Further personal data regarding a model under 13 years of age will be processed based on a legal obligation (Article 6(1)(c) of the GDPR) and section 11(2)(1) of the Danish Data Protection Act cf. executive order regarding children’s work).
  • 5.3e When will the personal data be deleted?
    - As long as &Co. holds the rights to store the personal data under the concluded contracts.
    - Personal data that is not part of the production or the contract, will be stored for maximum 5 years from last contact.

5.4: Processing activity: organising events, and webinar

  • 5.4a Which persons are covered?:
    - Participants in events, and webinars.
  • 5.4b For what purposes is the personal data used?
    - Registration, and administration
  • 5.4c What types of personal data are used?
    - Contact information, role, position, information about participation in the event or webinar, as well as personal data in the form of photos and/or video recordings of the participants.
  • 5.4d What is the legal basis for the processing?
    - Our basis for processing personal data is the conclusion of an agreement regarding participation in the webinar, event, or conference, etc. (Article 6(1)(b) of the GDPR).
    5.4e When will the personal data be deleted?
    - 5 year after the event or webinar was held.

5.5: Processing activity: use of images and videos for own marketing

  • 5.5a Which persons are covered?:
    - Talents (cast, extras and models)
    - Employees of current, former and potential customers, employees of suppliers, and employees of group companies.
  • 5.5b For what purposes is the personal data used?
    - Marketing
  • 5.5c What types of personal data are used?
    - Photos/videos and contact information.
    - Signature and copy of contract.
  • 5.5d What is the legal basis for the processing?
    - Our legal basis for processing personal data is your consent under Article 6(1)(a) of the GDPR (consent) or Article 6(1)(b) of the GDPR (for the performance of a contract).
  • 5.5e When will the personal data be deleted?
    - When consent is revoked or when the contract expires.

5.6: Processing activity: legal claims and lawsuits

  • 5.6a Which persons are covered?:
    - Employees of customers and suppliers.
  • 5.6b For what purposes is the personal data used?
    - Defend, exercise, and establish legal claims.
  • 5.6c What types of personal data are used?
    - Description of the claim and contact details.
  • 5.6d What is the legal basis for the processing?
    - Our basis for processing personal data is our legitimate interest in establishing, defending, and asserting legal claims (Article 6(1)(f) of the GDPR).
  • 5.6e When will the personal data be deleted?
    - 5 years after the end of the contract or participation in events.

5.7: Processing activity: send satisfaction surveys and market research and generally improve our products and services

  • 5.7a Which persons are covered?:
    - Employees of customers who have purchased services from us, as well as guests who have participated in events.
  • 5.7b For what purposes is the personal data used?
    - Improve our products and services and marketing. In addition, to generally ensure customer satisfaction.
  • 5.7c What types of personal data are used?
    - Contact information, position, and customer information.
  • 5.7d What is the legal basis for the processing?
    - We base the processing of your personal data on our legitimate interest in being able to develop and improve our products and to contact you if your response indicates that you have had a bad experience with us. Participation in the survey is voluntary (Article 6(1)(f) of the GDPR).
  • 5.7e When will the personal data be deleted?
    - 5 years after the end of the contract or participation in events.

5.8: Processing activity: comply with the danish consolidated bookkeeping act

  • 5.8a Which persons are covered?:
    - Contact persons of customers.
  • 5.8b For what purposes is the personal data used?
    - Ensure documentation of the costumer contract in accordance with The Danish Consolidated Bookkeeping Act.
  • 5.8c What types of personal data are used?
    - Transaction Information.
  • 5.8d What is the legal basis for the processing?
    - Our basis for processing personal data is our legal obligation under the Danish Consolidated Bookkeeping Act (Article 6(1)(c) of the GDPR).
  • 5.8e When will the personal data be deleted?
    - Accounting material, including personal data, which we are obliged to store in accordance with the Danish Consolidated Bookkeeping Act, is stored for up to 6 years.

5.9: PROCESSING ACTIVITY: COOPERATION WITH COMPANIES.

  • 5.9a Which persons are covered?:
    - Suppliers and partners.
  • 5.9b For what purposes is the personal data used?
    - General planning, fulfilment, and administration of collaborations, including contracts.
    - Product and service development.
    - Statistics and analysis.
    - Conflict management.
  • 5.9c What types of personal data are used?
    - Name, email address, telephone number and corresponding contact details.
    - Individual information, such as preferred languages.
    - Organizational information such as company name and address, job title, area of employment, primary place and country of work.
    - Contractual information such as orders, invoices, contracts, and other agreements between your company that may include, for example, your contact information.
  • 5.9d What is the legal basis for the processing?
    - In certain cases, the processing of your personal data is necessary for the performance of a contract (Article 6(1)(b) of the GDPR).
    - We may process your personal data on the basis of our legitimate interests in, for example, managing day-to-day operations in accordance with lawful and fair business practices, including planning, executing and administering the cooperation or our legitimate interest in, for example, carrying out credit ratings, statistics, analyses, marketing activities (where consent is not required), providing support, improvement and development of our products and services. The processing may also be necessary for our legitimate interest in preventing fraud or establishing, defending, or asserting legal claims (Article 6(1)(f) of the GDPR).
    - The processing of your personal data will in some cases be necessary for compliance with legal obligations, such as our obligation to prevent illegal activities (Article 6(1)(c) of the GDPR).
  • 5.9e When will the personal data be deleted?
    - 5 years after last contract.

6. COOKIES

&Co. only uses cookies or similar technologies that are technically necessary to ensure the proper functioning of the website. Consequently, no personal data is collected through cookies or similar technologies on the website.

7. TO WHOM DO WE TRANSFER YOUR PERSONAL DATA?

In some special cases, we transfer your personal data to independent data controllers. In the following table, we have listed the categories of these third parties, what personal data may be transferred about you to the third parties and the legal basis for the transfer.

7.1 Categories of recipients – lawyers, insurance companies, authorities, police, and courts

  • 7.1a Types of personal data:
    - Relevant information in relation to a specific dispute.
  • 7.1b Legal basis:
    - Article 6(1)(f) of the GDPR (legitimate interest).

7.2 Categories of recipients – customers

  • 7.2a Types of personal data:
    - Film production material will, in some cases, be transferred to customers which will process the material as a separate data controller.
  • 7.2b Legal basis:
    - Article 6(1)(b) of the GDPR (contract).

7.3 Categories of recipients – lawyers, insurance companies, authorities, police, and courts

  • 7.3a Types of personal data:
    - Payment and card information.
  • 7.3b Legal basis:
    - Article 6(1)(b) of the GDPR (contract).

7.4 Categories of recipients – lawyers, insurance companies, authorities, police, and courts

  • 7.4a Types of personal data:
    - Payment and social registration number regarding models in film production.
  • 7.4b Legal basis:
    - Article 6(1)(c) of the GDPR and section 11 (2) (1) of the Danish Data Protection Act (legal obligations)

8. TO WHOM DO WE ENTRUST YOUR PERSONAL DATA?

Suppliers (third parties) may have access to your personal data based on a contractual relationship with &Co. when providing relevant services to &Co., such as hosting providers, AI-providers (OpenAI), suppliers to film productions, providers of conducting satisfaction surveys and group companies assisting with IT support. Such suppliers (data processors) will only process personal data based on a data processing agreement and in accordance with our instructions.

9. DO WE TRANSFER YOUR PERSONAL DATA TO UNSAFE THIRD COUNTRIES?

If your personal data is transferred to data processors or data controllers established in countries outside the EU/EEA that do not have an adequate level of protection, such transfer will only take place when a transfer is based on the EU Commission's Standard Contractual Clauses. Transfer of personal data to the USA may also take place based on the EU-US Data Privacy Framework. If you have any questions about the basis for transfers to countries outside the EU/EEA, please contact us.

10. IF YOU VISIT OUR PROFILES OTHERWISE SOCIAL MEDIA PAGE

This section contains the policy for &Co.’s processing of personal data collected through &Co.’s profiles or social media pages.

ANDCO A/S has profiles or pages on the following social media:

  • LinkedIn (LinkedIn Ireland Unlimited Company)
  • LinkedIn's privacy policy is available here

For LinkedIn, &Co. and LinkedIn are joint data controllers for the processing of personal data collected in connection with your interactions with the profile, including the profile’s postings.

&Co. and LinkedIn have entered into an agreement on the distribution of data protection tasks. Under this agreement, &Co. and LinkedIn are each responsible for the tasks associated with the processing they respectively undertake. However, it has been agreed between &Co. and LinkedIn that LinkedIn is responsible for responding to requests from you regarding the rights described in the 'What rights do you have?' section below.

Collection of personal data

When you visit or interact with our social media profile on LinkedIn, &Co. and LinkedIn may collect, process and store the following types of personal data about you:

  • Information available on your profile, including your name, gender, marital status, workplace, interests, photo and city
  • Whether you "like" or have used other reactions to our profile
  • Comments you leave on our posts
  • That you have visited our profile
  • Your IP address

Purposes of processing

&Co.’s processes your personal data for the following purposes:

  • Improving our products and services, including our social media profiles and pages
  • Statistics and analysis
  • To communicate with you if you comment on a post, leave a review or send us a message
  • Marketing in general

LinkedIn processes, among other things, your personal data for the following purposes:

  • Improving their ad system
  • To provide &Co. with statistics that social media providers compile on the basis of, among other things, your visit to our profiles and pages
  • Advertising and personalization of activities on the Site

Basis for processing

The processing of your personal data is based on the following basis:

  • Legitimate interests: &Co.’s the processing of your personal data is based on our legitimate interests in being able to communicate with and market ourselves to you on our social media profiles, as well as our legitimate interest in improving our products and services (Article 6(1)(f) of the GDPR)

Storage period

Your personal data will be stored for 5 years when stored in own systems. However, the information may be stored longer in anonymized form.

Please refer to the privacy policy of LinkedIn for information on how long they keep your personal data.

Who do LinkedIn share your personal data with?

LinkedIn may, among other things, share your personal data with the following categories of recipients:

  • Other entities within the group of which LinkedIn is part of
  • External partners providing analysis and survey services
  • Advertisers
  • Other individuals who visit our social media profile or page (to the extent your information is publicly available)
  • Researchers and other academics

You can find more information about who LinkedIn shares your personal data with in its privacy policy.

LinkedIn may transfer your personal data to recipients outside the EU/EEA in accordance with applicable data protection legislation. You can read more about this in LinkedIn’s privacy policy.

You can read more about who &Co. shares your personal data within the sections above titled "To whom do we disclose your personal data?" and "To whom do we entrust your personal data?".

11. WHAT RIGHTS DO YOU HAVE?

General rights
When &Co. processes personal data about you as stated above, you have several rights under applicable data protection legislation:

  • You have the right to access the personal data we process about you
  • You have the right to object to our collection and further processing of your personal data
  • You have the right to rectification and erasure of your personal data, however, with certain statutory exceptions, including the Danish Consolidated Bookkeeping Act
  • You have the right to request the restriction of the processing of your personal data
  • In certain circumstances, you can request to receive a copy of your personal data as well as to transmit the personal data you have provided to us to another data controller (data portability)
  • You can withdraw any consents you may have given at any time. We will then delete your personal data unless we can continue processing on other grounds. Withdrawal of consent will have effect on the future processing of your personal data. Withdrawal of your consent does not affect the lawfulness of the processing we carried out based on the consent before the withdrawal.

Right to object
You always have the right to object to the collection and further processing of your personal data, including the right to object to our processing based on the balancing of interests rule pursuant to Article 6(1)(f) of the GDPR. This applies, among other things, when we process your information for marketing purposes.

12. DO YOU HAVE QUESTIONS AND DO YOU WANT TO EXERCISE YOUR RIGHTS?

If you have any questions about this privacy policy or if you wish to complain about the way we process your personal data, please feel free to contact us as stated in section 2 above.

If your complaint is not resolved by us and you want to proceed with the case, you can complain to the Danish Data Protection Agency:

The Danish Data Protection Agency
Carl Jacobsens Vej 35
DK-2500 Valby
Phone: 33 19 32 00
Email: dt@datatilsynet.dk

13. LINKS TO OTHER WEBSITES

Our websites may contain links to other websites. We are not responsible for the content of other websites (third party websites) or for the procedures such third parties have for collecting and processing personal data. When you visit a third-party website, you should read the website owner's privacy policy and other relevant policies.

14. CHANGES TO THE PRIVACY POLICY

This privacy policy does not constitute an agreement between &Co. and you, but instead forms the basis of our duty of disclosure under data protection legislation. We reserve the right to make changes to this privacy policy from time to time in accordance with applicable data protection laws. In case of changes, the date and version number at the top of the privacy policy will be changed. The privacy policy in force at any time will always be available via Privacy policy. In case of material changes to the privacy policy, you will receive an email or other notification with reference to the updated privacy policy.