Data Ethics Policy
1. Introduction
The purpose of this data ethics policy is to establish the high standards for data ethics that Nordic Solar A/S (“Nordic Solar” or the “Company”) wish to adhere to and to emphasize our commitment to a responsible and sustainable use of data. Data ethics includes how Nordic Solar collects, processes, uses, shares and deletes data.
2. Principles for data ethics
When the Company processes Personal Data or designs, purchases or implements technologies, for processing of Personal Data, the principles for data ethics described below must be assessed and included in the considerations during the design process and/or prior to the purchase or implementation of the processing activity or the technology used for the processing of Personal Data.
2.1. Necessity
Only Personal Data which is necessary to fulfil the purpose of the processing activity shall be collected and processed.
2.2. Legality
The processing of Personal Data shall, at all times, comply with applicable legislation. For example, the processing of Personal Data requires a specific legal basis according to the General Data Protection Regulation (“GDPR”).
2.3. Ethical design
Technologies for the processing of Personal Data, shall be designed to respect principles of data ethics, including the principles laid down in this policy and the general processing principles as laid down in the GDPR. For example, technologies shall be designed to ensure correct and timely deletion of Personal Data in accordance with the Company’ retention periods.
2.4. Consequences
The consequences of the processing activity and the technology used for the processing activity shall be considered, especially where new technology is used for the processing of Personal Data. In such case, the consequences for the individuals, both on short term and long term, shall be considered.
2.5. Expectations
Personal data shall be processed in ways that are consistent with the intentions, expectations and understanding of the disclosing party. Thus, Personal Data may not be processed for new purposes which are incompatible with the purposes for which the Personal Data was originally collected.
2.6. Security
A sufficient level of security shall be implemented in and around technologies used for processing of Personal Data. The security measures shall include technical as well as organizational measures, and the sufficient level of security shall be assessed based on a risk assessment of the specific processing activity and the technology used for the processing of Personal Data.
2.7. Transparency
Personal data shall always be processed in a way which ensures transparency, especially where algorithms are used for the processing. Furthermore, when the processing activity includes automated decision making for decisions which have legal or similarly significant effects, the results shall be subject to human review.
2.8. Respect for human rights
Processing of Personal Data and the design of technologies used for processing of Personal Data shall ensure that human rights are respected. For example, processing of Personal Data or use of technologies for the processing of Personal Data may not be biased with a risk of discrimination, marginalization, or stigmatization against individuals.
2.9. Proportionality
Personal data shall be processed only for purposes which are proportional taking into account the rights of the individuals, including the right of privacy. Thus, a proportionality assessment shall always be carried out before beginning new processing activities or implementing or designing technologies for the processing of Personal Data. If the proportionality assessment shows that the processing is not proportional, the processing activity may not be initiated.
2.10. Accountability
The Company shall be able to demonstrate that this policy is complied with. Thus, the considerations relating to these principles for data ethics shall be documented in relation to all processing activities, designs, or choices of technologies. Furthermore, the Company shall conduct and document audits to ensure continuous compliance with this policy in accordance with section 6 below.
3. Training of employees
The Company ensures that employees who, as a part of their job with the Company, process Personal Data or are engaged in designing, purchasing, or implementing technologies for the processing of Personal Data, receive relevant and adequate training in the principles for data ethics described in section 2 above.
4. Availability
The Company ensures that this policy is available to employees, e.g., on the intranet, with the purpose of ensuring the employees’ access to the applicable principles for data ethics for the Company.
5. Decisions
Decisions regarding the Company’ processing of Personal Data, including design, purchase, or implementation of regular technologies for processing of Personal Data, are made by the relevant managers in e.g., IT, HR, and finance departments. Decisions regarding the Company’ use of new technologies, e.g., artificial intelligence, to the processing of Personal Data, including for which purposes such technologies may be used, are made by the Executive Management.
6. Evaluation
Dilemmas in the field of data ethics within the Company shall be discussed and assessed by Executive Management whenever such dilemmas arise. At least once every year the Company evaluates efforts, actions, and policies of the Company in the field of data ethics, including in relation to the use of new technology. Such evaluation shall include an assessment of whether it is necessary or appropriate to make any changes to this policy or relevant procedures of the Company.
7. Review and amendments
The Board of Directors shall review and assess the adequacy of this policy in accordance with "Rules of procedure of the Board of Directors” on an annual basis to ensure that it always reflects the Company's data ethics considerations. This data ethics policy may be amended at any time by the Board of Directors by simple majority.
Adopted by the Board of Directors on 23 February 2022