Nordic's Privacy Statement

This General Privacy Statement was last updated on November 16, 2022.

Nordic Consulting Partners, Inc. is an international consulting firm dedicated to the provision of healthcare IT services/staffing, advisory consulting, and managed services focused on a stronger business with better patient outcomes.

This General Privacy Statement describes how Nordic Consulting Partners, Inc. and its affiliates, including Tasman Global Holdings B.V. and Healthtech Consultants (hereinafter: "Nordic", "we", "us" or "our") collect, process, and transfer personal data when you interact with Nordic through our website and/or services. It also explains how your personal data is protected and what choices you have relating to your personal data. This General Privacy Statement applies to the website and services provided by Nordic.

If you have any questions about this General Privacy Statement or the processing of your personal data by Nordic, or if you wish to exercise your privacy rights, please contact our DPO at dataprivacyoffice@nordicwi.com.

To which services and activities does this General Privacy Statement apply?

This General Privacy Statement applies to our processing of your personal data as our (potential) client, business partner, or visitor in relation to all your interactions with our website, services, marketing and other activities or topics included in this General Privacy Statement. The personal data we collect and process about you depends on your choices and interactions with us.

For certain activities, we have created supplementary Privacy Statements to better tailor the information to your specific choices or activity.

Who is responsible for the processing of your personal data?

Nordic Consulting Partners Inc., headquartered in the United States, is the main data controller and your main point of contact for the processing of your personal data.

What personal data do we collect?

We may collect personal information that you provide to us, for example by using our online contact form on our website, or when you interact with our website and our services. We collect the following personal data:

  • Full name, language, current job title/position and company name.
  • Corporate contact details (e.g., telephone numbers, email, and company address).
  • Correspondence with you including information about your questions, complaints, or disputes.
  • Other information relevant for the provision of the requested services.
  • Content that you have provided, including postings on our social media platforms.
  • Other information that you voluntarily provide to us.
  • Information obtained via cookies or similar technologies.

How do we obtain your personal data?

We obtain your personal data from the following sources:

  • Information that you provide to us.
  • Business contacts.
  • Third parties engaged by Nordic.
  • Internet or social media.

When you visit our website we, or our partners, may automatically collect information from your device or web browser which may include personal data by using cookies or similar technologies such as web beacons. For more information about cookies, the information collected via cookies, and how we use such information, please read our cookie statement.

Why do we process your personal data and what are the legal grounds for processing your personal data?

We may use your personal data for the following purposes, based on the following legal grounds:

Purposes, each group followed by the applicable legal grounds:

1. To provide you with the requested services.

2. To manage our relationship with you and to respond to your questions or complaints and internal administration.

Performance of a contract:

The processing is necessary for the performance of a contract to which you (or the company you represent) are a party or to take steps at your request prior to entering into a contract.

Legitimate interests:

The processing is necessary for legitimate interests pursued by us. We have taken your privacy interests into account in the processing; therefore, when balancing these interests, our legitimate business interests prevail to the extent that they would conflict.

3. For marketing activities such as organizing events and creating and publishing content on topics that are of interest to our (potential) clients and keep interested parties informed of our services, events and publications.

4. Collection and analysis of information, which includes surveys in order to improve the quality of, develop, and enhance our services.

5. To optimize our website, diagnose and resolve technical issues.

6. To exercise or defend claims.

Legitimate interests:

The processing for these purposes is necessary for legitimate interests pursued by us. We have taken your privacy interests into account in the processing; therefore, when balancing these interests, our legitimate business interests prevail to the extent that they would conflict.

Consent:

If required, we request your consent for the processing of your personal data. You can withdraw your consent at any time, by clicking the opt-out link in our emails and notifications, or by contacting us via the contact details provided in this Privacy Statement. Withdrawing your consent will not affect the lawfulness of our use of your personal data before your withdrawal.

7. To comply with legal or regulatory obligations and orders including court orders or legal proceedings.

Legal obligations:

Processing is necessary to comply with our legal and regulatory obligations for administrative, accounting and tax purposes or if we are compelled to provide information to a government authority or law enforcement agency.

What personal data do we use for which purposes?

Below, we specify, for each category of personal data that we may process about you (see section 3, "What personal data do we collect?"), the purpose(s) for which we may process this information. The numbers refer to the numbers of the purposes as stated above.

We process the personal data that we collect for the following purposes:

  • Full name, gender, language, current job title/position and company name.

We may process this information for purposes: 1-4, 6, 7.

  • Corporate contact details (e.g., telephone numbers, email, and company address).

We may process this information for purposes: 1-4, 6, 7.

  • Correspondence with you including information about your questions, complaints, or disputes.

We may process this information for purposes: 1-7.

  • Other information relevant for the provision of the requested services.

We may process this information for purposes: 1-7.

  • Content that you have provided, including postings on our social media platforms.

We may process this information for purposes: 1-7.

  • Other information that you voluntarily provide to us.

We may process this information for purposes: 1-7.

Who will have access to your personal data?

Your personal data will be processed by persons working for or on behalf of Nordic on a need-to-know basis for the purposes described in this General Privacy Statement.

We may further share your personal data with the following types of entities for the following purposes:

Our affiliates that are jointly responsible for the processing of your personal data as a relevant data controller for the purposes and under the conditions as described in this General Privacy Statement. These are:

  • Healthtech Incorporated, based in Canada.
  • Tasman Global Holdings B.V., including its affiliates.

Where personal data is transferred to our affiliates within the group, we use an intra-group data agreement to ensure that your personal data is protected. Nordic Consulting Partners Inc. is the main data controller and your main point of contact for the processing of your personal data.

Service providers and their sub-contractors who process your personal data on our behalf, acting as a data processor or as a sub-processor respectively, such as for providing hosting services. We conclude appropriate data processor agreements in line with the applicable data protection laws.

Other third parties to the extent necessary to: (i) comply with a request from a government authority or law enforcement agency, a court order or applicable law; (ii) prevent violations of our agreements and our policies; (iii) defend ourselves against claims or when you have provided your consent.

If we sell or transfer all or a portion of our business or assets (including in the event of a reorganization, dissolution, or liquidation) we may also transfer your personal data.

How do we transfer your personal data outside the EEA and UK?

The processing of your personal data for the purposes described in this General Privacy Statement may entail the transfer of your personal data within the group to our affiliates or to selected service providers or other third parties that are located outside the European Economic Area (EEA) and UK. Your personal data may be stored on servers outside the EEA. When your personal data are transferred to or are accessed from countries outside of the EEA, we are required to ensure that your personal data is subject to an equivalent level of protection as it would receive within the EEA and UK. We take the necessary steps to ensure that your data is kept securely and handled in accordance with this General Privacy Statement and applicable laws.

Transfers to third countries based on Standard Contractual Clauses of the European Commission and UK addendum

We transfer personal data to countries that are not considered to provide an adequate level of protection according to UK and EU data protection laws. When we do so, we take appropriate (supplemental) safeguards to ensure an equivalent level of data protection by concluding the Standard Contractual Clauses approved by the European Commission with the receiving party located in such third country in accordance with article 46.2(c) of the General Data Protection Regulation (GDPR), along with the UK addendum to the same.

How long do we retain your personal data?

We will not retain your personal data longer than necessary in relation to the purposes for which the data are processed, unless otherwise required or permitted by law. This means that:

  • Personal data obtained based on your consent will no longer be retained after you withdraw your consent. To the extent necessary, we do retain information to prove that the previous processing activities were based on valid consent.

How do we protect your personal data?

We are committed to ensuring that your personal data is kept secure. We use a variety of physical, technical, and organizational measures to maintain the safety of your personal data. Some of the technical and organizational measures taken by us include:

Technical security measures:

  • Logical and physical security equipment (e.g., safe, firewall, network segmentation).
  • Technical control of the authorizations and keeping log files.
  • Management of the technical vulnerabilities (patch management).
  • Making back-ups to safeguard availability and accessibility of the personal data.
  • Modern encryption of connections and certain equipment is in place and monitored.
  • Using multi-factor authentication for certain systems.

Organizational security measures:

  • Assignment of responsibilities for information security.
  • Promotion of security awareness among new and existing employees.
  • Establishment of procedures to monitor, test, assess and evaluate security measures periodically.
  • Regular checking and monitoring of log files.
  • Implementation of a protocol for the handling of data breaches and security incidents.
  • Implementation of least privilege practices to ensure only the people in the organization who need to see the data are allowed to access it.

Which privacy rights do you have?

If you are a data subject under GDPR or other applicable laws, you have certain rights concerning our processing of your personal data. You can:

  • Request access to your personal data held by us: You can ask us whether we process your personal data and, if so, to provide you with a copy of that personal data.
  • Request us to rectify or complete your personal data: If you believe the personal data we process about you is inaccurate or incomplete, you can ask us to rectify it.
  • Request us to erase certain personal data: You can ask us to delete or remove your personal data in some circumstances.
  • Request us to restrict the processing of your personal data: You can ask us to restrict the processing of your personal data in some circumstances, such as when you contest the accuracy of the personal data.
  • Object to our processing of your personal data: You can object to our processing of your personal data and ask us to suspend such processing at any time if we rely on our own or someone else’s legitimate interests to process your personal data or where we process your personal data for direct marketing purposes. When we rely on legitimate interests, we may continue processing your personal data if we can demonstrate compelling legitimate grounds, which we will consider on an individual basis. Where you object to our processing for direct marketing purposes, we will no longer process your personal data for such purposes.
  • Request not to be subject to automated decisions, including profiling: You have the right not to be subject to a decision based solely on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you.
  • Request to port your personal data: You have the right, in certain circumstances, to obtain personal data you have provided to us (in a structured, commonly used, and machine-readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
  • Request to withdraw your consent: If we rely on your consent for processing your personal data, you have the right to withdraw that consent at any time. Such withdrawal will not affect the lawfulness of the processing before you withdrew your consent.
  • Lodge a complaint with a supervisory authority: If you have a concern about the way we have handled your personal data, you can lodge a complaint with your local supervisory authority.

You may send us a request using the information below. We will handle your request carefully and in line with the applicable data protection rules. We will respond to you without undue delay and at the latest within one month of receipt of your request in line with the applicable data protection rules. We may need to identify you and obtain proof of your identity in order to be able to respond to your request.

How can you contact us?

We welcome any questions, comments, or concerns regarding our processing of your personal data and/or our privacy practices. If you have any questions, or wish to exercise your privacy rights, please contact us by using the following contact details:

Nordic Consulting Partners Inc.

2601 West Beltline Hwy, Suite 600

Madison WI, 53713

Attn: Data Protection Officer

Email: dataprivacyoffice@nordicwi.com

Changes to this General Privacy Statement

This General Privacy Statement complies with HIPAA, GDPR, CCPA, and other applicable laws. Applicable laws and our practices may change over time. This General Privacy Statement may be updated to reflect such changes. We recommend that you regularly review this Privacy Statement.