Policy for the processing and protection of personal data
The data protection policy applies to Morellco Pharma A/S (the company).
The policy must help to ensure and document that the company protects its personal data in accordance with the rules for the processing of personal data. The policy also helps the company to provide information about the processing and use of the registered personal data.
The policy is reviewed every year.
List of the processing of personal data
The company processes personal information about:
The company has compiled a list of the processing of personal data. The list provides an overview of the processing activities for which the company is responsible.
The personal information is a prerequisite for the Company to enter into employment, customer and supplier contracts.
Purpose and legality of the processing
The personal information is processed and archived in connection with:
- Personnel administration, including recruitment, employment, resignation and payment of salaries
- Master data for customers as well as orders and sales
- Master data for suppliers as well as requisitions and purchases
The processing is lawful pursuant to the legal basis.
The company does not use the personal information for purposes other than those listed. The company does not collect more personal information than necessary in relation to the fulfillment of the purpose.
Storage and deletion
The company has introduced the following general guidelines for the storage and deletion of personal data:
- Personal information is stored in physical folders.
- Personal information is stored in IT systems and on server drives.
- Personal data is not stored longer than is necessary for the purpose of the processing.
- Personal data for employees is deleted five years after termination of employment, and personal data about applicants is deleted after six months.
Data security
Based on the attached risk assessment, the company has implemented the following security measures for the protection of personal data:
- Only employees who have a work-related need for access to the registered personal information have access to it, either physically or through IT systems with rights management.
- All computers have passwords and employees must not share their passwords with others.
- Computers must have a firewall and antivirus program installed that is constantly updated.
- Personal information is deleted in a responsible manner when phasing out and repairing IT equipment.
- USB keys, external hard drives, etc. with personal information must be stored in a locked drawer or cupboard.
- Physical folders are located in a locked office or in locked cabinets.
- Personal information in physical folders is deleted by shredding.
- All employees must receive instruction in what they may do with personal data and how personal data must be protected.
Personal information about employees can be passed on to public authorities such as SKAT and pension companies.
The company only uses data processors if the data processors provide the necessary guarantees that they will implement the appropriate technical and organizational security measures to meet the requirements of personal data law. All data processors sign a data processor agreement before the processing is initiated.
The company handles the data subject’s rights, including the right of access, withdrawal of consent, rectification and deletion, and informs the data subjects about the company’s processing of personal data. Registered persons also have the right to complain to the Danish Data Protection Agency.
Violation of personal data security
In the event of a breach of personal data security, the company reports the breach to the Danish Data Protection Agency as soon as possible and within 72 hours. The director is responsible for making this happen. The notification describes the breach, which groups of persons it concerns and what consequences the breach may have for these persons, as well as how the company has remedied or will remedy the breach. In cases where the breach involves a high risk for the persons about whom the company processes personal data, the company will also notify these persons. The company documents all breaches of personal data security on an access-controlled drive.