VELUX Privacy Notice

125721-02-XXL.tif
140777-01-XXL.tif

All companies in the VELUX Group respect and protect your privacy. This VELUX Privacy Notice (‘Privacy Notice’) is meant to help you understand why we collect personal data about you, the types of personal data we collect, how we collect it and for how long we keep it, with whom we share it, as well as your rights. We also explain how we keep your data secure.

This VELUX Privacy Notice complies with the Data Protection Act 2018 and the UK General Data Protection Regulation (Regulation (EU) 2016/679) (“UK GDPR”).

We, VELUX Company Ltd. (Hereinafter ‘VELUX’), with its registered office at Woodside Way Glenrothes East, Fife KY7 4ND, Scotland, under registration number 70286, is the data controller for your personal data. 

 

Why do we process personal data and the lawful bases for collection

The main reason we collect, use, and store your data is to allow us to provide our services to you. “Service”, “our service” and similar descriptions mean conducting business with you/your organisation and assisting you with inquiries, sales processes, and claims.

We also process information about your use of the services for business development purposes, to inform you of our business operations, products, and services through marketing, and to improve our services through any feedback you give us. We may also process your personal data for contractual and recruitment purposes and to comply with legal obligations.

We process personal data based on different legal bases as listed below.

Performance of a contract, including a purchase – Article 6(1)(b) of the UK GDPR

  • When we process personal data in relation to a contract, our legal basis is ‘performance of a contract’, including a purchase.

Consent – Article 6(1)(a) of the UK GDPR

  • When we send out a newsletter about our products, we do this based on your consent. When the lawful basis for processing is consent, you have the right to withdraw your consent at any time.

Legal obligation – Article 6(1)(c) of the UK GDPR

  • If we share your personal data with law enforcement agencies or other governmental bodies, we share this because we have a legal obligation to do so.

Legitimate interest - Article 6(1)(f) of the UK GDPR

  • We have a legitimate business interest in processing your data, for example, when we assist you with enquires.

The types of personal data we process

The following are the main types of personal data collected by VELUX, along with the main purpose and legal basis for collecting the personal data:

Activity Types of personal data we collect (for illustration purposes) Purpose(s) Legal basis
General business operations Name, contact details and other information necessary for conducting business with you or your organisation. As part of general VELUX business operations, we collect personal data about individuals, customers, suppliers (including third-party service providers) and other stakeholders. We may also use your data for testing systems. Based on general business operations being a legitimate interest and necessary in ensuring business handling throughout VELUX, within what is reasonably expected by you, cf. Article 6(1)(f) of the UK GDPR.
Assisting with enquiries Name, email address, phone numbers, conversations, other contact details, photos, floor plans of your house when you provide this to VELUX. You may choose to provide us with personal data, such as contact details when you contact us by phone, email, post, our chatbot or by using our digital platforms available.

This personal data enables us to respond to requests for information on such matters as VELUX products, to arrange a measure and quote for installation of VELUX products, or to arrange for a window to be serviced, or to present claims under the VELUX guarantee.

The information may be disclosed to VELUX A/S or other VELUX sales companies within the Group, relevant independent installers or dealers in order for us to assist customers with their enquiry or arrange for services or a quote.

We record calls for training purposes. We may also ask you to provide your feedback through surveys after the interaction
Based on our assistance with enquiries and contact being a legitimate interest and necessary in ensuring communication with you and throughout the organisation, within what is reasonably expected by you, cf. Article 6(1)(f) of the UK GDPR.
Sales (including web sales) and order fulfilment. Name, contact details, payment and credit card details, credit information, and credit check etc. We may collect personal data of customers and prospective customers in order to conduct business with you or your organisation. We use your data to analyse shopping trends through your web shop activity and purchase history to provide you a personalised browsing experience. Furthermore, we use the data for processing and fulfilling web shop orders by facilitating the delivery of product orders and providing relevant customer service, including processing your returns.

We may disclose the information to dealers or independent installers and logistic partners to process a customer’s order, including arranging delivery of VELUX products to the customer or assisting with enquiries such as arranging consultation between you and our product advisors. We also share your information with third parties for credit check purposes.
Necessary for the performance of a contract to which you or the organisation you work for is a party, cf. Article 6(1)(b) of the UK GDPR.
Campaigns Name, contact details, etc. Execution of various campaigns (e.g., reward programs, cashback campaigns, sweepstakes). Acceptance of terms and conditions is collected before entry to the activity. Necessary for the performance of a contract to which you or the organisation you work for is a party, cf. Article 6(1)(b) of the UK GDPR.
Product claims Name, contact details, etc. Facilitate service of VELUX products under the VELUX guarantee or by paid service, i.e., we solve claims by call, email, and visits to building sites. In this connection, we may share your personal data with VELUX partners to assist you with a service.
We may ask you to provide your feedback through surveys after the interaction.
Necessary for the performance of a contract to which you or the organisation you work for is a party, cf. Article 6(1)(b) of the UK GDPR.
Business development and VELUX apps Personal data, which is collected at our digital platforms and in VELUX apps. The personal data you provide to us, and personal data collected at our digital platforms will be used to enhance our consumer insights and drive relevant communication and offers across all touch points you may have with VELUX. Personal data will also be used for product and service development. Based on our business development being a legitimate interest and necessary ensuring the improved effectiveness of our business operations, within what is reasonably expected by you, cf. Article 6(1)(f) of the UK GDPR.
Marketing Contact information, browsing history, sales and subscription service information, such as name, address, email, phone number, purchase history, unique identifiers such as cookie IDs or device IDs, tracked browsing history based on these IDs, etc.

Please be aware that this list is not exhaustive as we may process any personal information collected in connection with your interactions with our parent company, VELUX A/S, our websites, mobile applications, products, and services.
Based on your consent or legitimate interest, when applicable, we process your personal data for the purpose of informing you of VELUX business operations, products, and services.

For the above purposes, we create marketing, tailored to your preferences and profile, e.g.:

- To optimise and tailor the content and delivery of our marketing communications when you want to receive them, and
- To give you tailored marketing based on your preferences and profile, both when engaging with us on our own channels as well as via third party channels (e.g., social media, search sites, marketplaces).

If you do not wish to receive any further information, you can easily and free of charge unsubscribe from our marketing communication anytime. You will find ways to unsubscribe in connection with subscribing to or receiving marketing communication from us.

For some marketing activities we act as joint controller with other VELUX companies and have entered into joint controller agreements dividing the roles and responsibilities between the VELUX companies.
Based on your informed consent when legally required for sending you newsletters, cf. Article 6(1)(a) of the UK GDPR, or based on this being a legitimate interest necessary in sending you newsletters, within what is reasonably expected by you, cf. Article 6(1)(f) of the UK GDPR.
The personalisation of the marketing will be based on a legitimate interest in profiling being necessary when improving marketing impact, within what is reasonably expected by you, cf. Article 6(1)(f) of the UK GDPR.
Your participation in photos, video, testimonial and campaigns If you have agreed to it and sent a photo to us or if your photo is taken by a photographer hired by us. We will use the photo, testimonials etc. as described in the contract signed by you. Necessary for the performance of a contract with compensation to which you are a party, cf. Article 6(1)(b) of the UK GDPR. For our internal marketing this will be based on our marketing being a legitimate interest and necessary in using the photos etc. in internal marketing purposes, within what is reasonably expected by you, cf. Article 6(1)(f) of the UK GDPR.
Website visitors, customer surveys and market research Personal data from digital platforms or customers as part of surveys. To improve the products and services we offer, we may collect personal data from digital platform visitors or customers as part of surveys.

We will contact you with a survey and process personal data as part of surveys through either consent or legitimate interests.

Surveys processing personal data for marketing purposes will be used only with your consent.
Based on our surveys and market research being a legitimate interest and necessary when improving products and services, within what is reasonably expected by you, cf. Article 6(1)(f) of the UK GDPR.
Recruitment and employment contracts Name, contact details, working history, educational diplomas, relevant record checks, information about professional interests, etc. When a person applies for a job or enters into an employment contract with us, we may collect certain information such as name, contact details, information about working history, educational diplomas, relevant record checks and information about professional interests.

This may be collected from the person directly, from a recruitment consultant including references and publicly available sources.

This information is used to inform or assist us in the decision as to make the person an offer of employment or engage the person under a contract.

For further information please read our VELUX recruitment notice in WorkDay.
Based on our recruiting being a legitimate interest and necessary in improving a successful match between our company and you as a candidate, within what is reasonably expected by you, cf. Article 6(1)(f) of the UK GDPR.
Compliance including anti-corruption, Whistleblower hotline and sanctions check All types of personal information. We may collect personal data to comply with the law, a court or authority’s decision and/or to disclose information to relevant public authorities as required or permitted by law. Necessary for the compliance with a legal obligation to which we are subject, cf. Article 6(1)(c) of the UK GDPR.
Use of AI All types of personal information. Our company uses Artificial Intelligence (AI) to process personal data as part of our regular business activities. We use AI in different areas of our business to make our processes more efficient and improve how we operate overall. When we use AI, we require all our employees to enter as little personal data as possible, using only what is necessary for the task at hand. GDPR – Article 6(1)(a)

GDPR – Article 6(1) (b)

GDPR – Article 6(1)(f) 

How do we collect your personal data

Directly from you

In most cases, personal data is collected directly from you or generated as part of the use of our services, products, and channels. We collect personal data you provide to us, when you request products, services, or information from us, register with us, participate in public forums, use a chatbot or other activities on our digital platforms and apps, respond to customer surveys, or otherwise interact with us. We collect information through various technologies, e.g., cookies. For cookies, we refer to our website

From our business partners

In some cases, we can collect your personal data from our business partners, when they need our assistance to provide you with the best possible service.

From your public website

In some cases, we collect your personal data on your company websites, when we want to offer you our services.

Links to other websites

This website contains links to other websites (such as Facebook, Google+, YouTube, and Pinterest) to which this this Privacy Notice does not apply. Please note that we do not endorse other websites and their content. We encourage you to read the privacy policies of each website you visit.

Automated decisions

We use automated decision-making in processing your personal data for certain services and products, such as our efforts in fraud prevention and detection on our online platforms. You have the right to request information about the methodology behind these automated decisions and to seek verification of their accuracy. We may reject such requests as permitted by applicable law, particularly if providing the information could disclose trade secrets or impede our ability to detect fraud or other criminal activities. However, in such instances, we will generally verify that the algorithm and source data are functioning as intended, without error or bias. 

 

How long do we keep your personal data

How long do we keep your personal data

We will only keep your personal information for as long as it is necessary for the purposes described in this Privacy Notice. This means that the retention periods will vary according to the type of the information and the reason that we have the information.

Examples of retention time:

  • Call recordings will be stored for a period of 90 days.

  • Contact details with contractual terms etc. will be stored while your account is active or for as long as needed to provide services to you.

  • We will store the photo and testimonials for as long is necessary and as described in a contract.

  • Personal data are kept until the end of a recruitment process or withdrawal of the consent (if given for future recruitments).

  • For compliance with, e.g., anti-corruption regulations, we will keep the data accordingly to laws which we are obliged to comply with.

We will also retain your personal data where this is advisable to safeguard or improve our legal position (for instance in relation to statutes of limitations, security, litigation, or regulatory investigations).

Who do we share your personal data with

Our company is a part of the VELUX Group, which operates globally. We share your personal information within the VELUX Group, but only if it is necessary to fulfil the purpose for which we are processing your personal data. All entities in the VELUX Group have entered into an Intercompany Data Processing Agreement and/or joined agreement where everyone follows the same procedures when processing personal data, ensuring that the same level of security is maintained throughout the Group; dividing the roles and responsibilities between the VELUX companies. If two or more companies act as joint controllers, each of the joint controllers is obliged to independently:

  • Be the first contact for you.
  • Fulfil the information obligations referred to in Articles 13 and 14 of the GDPR.
  • Exercise your rights provided in Articles 15-22 of the GDPR.
  • Deal with privacy breach Notices and privacy complaints.

We may also share your personal data with selected third parties, including but not limited to:

  • Business partners, suppliers, and sub-contractors that we cooperate with to deliver you the best services during the support and sales process, including, for example, logistic providers and outsourced customer services, as well as third parties in relation to customer satisfaction surveys.
  • Technology providers, for example, analytics, tracking technologies, targeting and re-targeting technologies, and search engine providers that assist us in the improvement and optimisation of our platforms, as well as companies who provide us with website support and hosting.
  • Advertisers and advertising networks that use data to select and serve relevant adverts to you and others if you have given your consent.
  • Social networking sites such as Facebook, Instagram, and Google, if required, when processing for marketing purposes and based on your consent.
  • With other parties to ensure the safety and security of our customers, to protect our rights and property, to comply with legal processes, or in other cases if we believe in good faith that disclosure is required by law.
  • VELUX Group companies or third parties who operate digital platforms and tools on behalf of our company to provide services connected with our activities (e.g., points collection programs, cashback campaigns, sweepstakes, and training).

When we cooperate with external service providers, we enter into a data processing agreement, if relevant. These service providers are prohibited from using your personal data for purposes other than those requested by us or required by law.

Transfer to countries outside the European Economic Area (“EEA”)

As a global organisation with offices and operations throughout the world, we will transfer personal data collected by us on an aggregated or individual level to various divisions, subsidiaries, joint ventures and affiliated companies of the VELUX Group around the world located inside or outside the EEA for the purposes stated above and in accordance with applicable laws, as well as to sub-contractors to VELUX (data processors) for storage and service purposes. Your personal data will not be disclosed to anyone outside the VELUX Group unless permitted or required under applicable legislation and where necessary subject to appropriate written assurances from third parties who have access to your personal data, in which they must guarantee that they will protect the data with security measures designed to provide an adequate level of protection. Unless you are otherwise notified, any transfers of your personal data from within the EEA to third parties outside the EEA will be based on an adequacy decision or are governed by the EU-Commission Standard Contractual Clauses and/or Binding Corporate Rules. Any other, non-EEA originating, international transfers of your personal data, will take place in accordance with the appropriate international data transfer mechanisms and safeguards. You can always request a copy of the transfer agreements, which includes the transfer of personal data, by sending an e-mail to gdpr@velux.co.uk.

Data security

The security, integrity, and confidentiality of your personal data is important to us. We have implemented technical, administrative, and physical security measures that are designed to protect your personal data from unauthorised access, disclosure, use, and modification. From time to time, we review our security procedures to consider appropriate recent technologies and methods. Please be aware that despite our best efforts, no security measures are perfect or impenetrable.

Your privacy rights

The Data Protection Act 2018 and the UK General Data Protection Regulation (Regulation (EU) 2016/679) (“UK GDPR") provides you, as the data subject, with the following rights in respect of the personal data we store about you:

Your rights Legal basis Elaboration
Withdraw your consent UK GDPR article 7(3) You have the right to withdraw your consent at any time by opting out of the e-mail or by contacting us. This will not affect our right to process personal data obtained prior to the withdrawal of your consent, or our right to continue parts of the processing based on other legal bases than your consent.
Access to your data UK GDPR article 15 You have the right to request information about whether VELUX processes personal data relating to you, and if so, you have the right to request a copy of the personal data we have processed. There are some exemptions, which means you may not always receive all the data we process.
Request rectification UK GDPR article 16 At any time, you have the right to request correction of any incorrect or incomplete personal data we may process on you.
Request erasure UK GDPR article 17 You have the right to request deletion of your personal data depending on the processing activity, and under certain circumstances, before we would normally be obligated to cease processing.
Request restriction of processing  UK GDPR article 18 You have the right to request the restriction of processing which means that you can request that VELUX restricts the use of your personal data in certain limited circumstances.
Withdraw your consent  UK GDPR article 7(3) You have the right to withdraw your consent at any time by opting out in the e-mail or by contacting us. However, this will not affect our right to process personal data obtained prior to the withdrawal of your consent, or our right to continue parts of the processing based on other legal bases than your consent.
Data portability UK GDPR article 20 Under certain conditions, you have the right to receive the personal data you provided to us in a machine-readable format where the processing is based on your consent or a contractual fulfilment.
Right to object UK GDPR article 21 If you are not satisfied with how we process personal data in VELUX, you can send your objections to gdpr@velux.co.uk. However, it only applies in certain circumstances, and we may not need to stop the processing of your personal data if we can give legitimate reasons to continue using your personal data. If a complaint is made, the name and contact details of the complainant must be provided to VELUX.

 

If you have any questions regarding the specific personal data we process or retain about you, or if you want to exercise your rights, please contact gdpr@velux.co.uk.

We will respond to your request to exercise any of your rights within one month, but we have the right to extend this period by two months. If we extend the response period, we will inform you within one month of your request.

If you consider that we have failed to resolve the complaint satisfactorily, you may file a complaint to your local Data Protection Agency. You can find the contact details of the Information Commissioner's Office on their website.

Changes to this VELUX Privacy Notice

From time to time, we may change this Privacy Notice to accommodate the latest technologies, industry practices, regulatory requirements, or for other purposes. At all times, we will post the most recent version on our digital platforms. We advise you to read the Privacy Notice regularly.

This Privacy Notice was last updated: 23-10-2024