Name: Implement Consulting Group
Price range: $

Introduction

We are under an obligation to protect the confidentiality, integrity and accessibility of our customers’, suppliers’, partners’ and employees’ data, including personal data. Protecting personal data is essential to us, and we are continuously working on ensuring compliance with applicable data protection legislation, including the General Data Protection Regulation (GDPR).

Data controller and data processor

When Implement processes personal data in connection with the provision of consultancy services, we assess, together with our customers, whether we are a data processor on behalf of the customer or a separate data controller.

If we process personal data on behalf of our customers and in accordance with customer instructions, we will be considered as data processors and the customer and Implement enter into a data processing agreement.

This data protection policy contains information on Implement’s processing of personal data, when we are the data controller. More information on this may be found below.

Our processing activities

The data controller for Implement’s processing activities is the company within the Implement group of companies which determines the purposes and means of the processing of personal data.

The company details for all Implement group companies may be found here.

You can read more on the categories of personal data that we process for which purposes and on which legal grounds in the table below:

Customer and contract management

Data controller	Purpose	Data subject(s)	Categories of personal data	Legal basis	Source	Retention period	Disclosure to third parties
The company which has entered into a contract or an engagement letter with the customer.	Management of customer relations, including financial and contract administration.	Clients and customers, including their employees.	Non- sensitive personal data, i.e. name, position, contact details.	Processing is necessary in order for Implement to pursue its legitimate interests in being able to manage contracts, invoice and evaluate the customer relationship, manage and maintain IT systems, administer and manage our website, systems and applications, statistics and business development, cf. GDPR, Article 6(1)(f).	The data subjects.	Five years after the latest project for the customer has been completed.	Personal data may be transferred to other Implement group companies in accordance with the terms laid down in Implement’s intragroup data processing agreement. Personal data may also be transferred to subcontractors who are directly involved in the project for the customer.

General consulting tasks, including customer business development

Data controller	Purpose	Data subject(s)	Categories of personal data	Legal basis	Source	Retention period	Disclosure to third parties
The company which has entered into contract or engagement letter with the customer.	Provision of consultancy services to customers, including data collection, data analysis for business development purposes and Implementing and/or operating business applications.	Customers' employees, management, end customers, end users or suppliers.	Non- sensitive personal data, i.e. name, position, contact details. Special categories of personal data will only be processed in special cases and will be based on consent.	Processing is necessary in order for Implement to pursue its legitimate interests in being able to deliver consultancy services to its customers, cf. GDPR, Article 6(1)(f). If Implement processes special categories of personal data, cf. GDPR, Article 9(1), the processing will also be based on a consent, cf. GDPR, Articles 6(1)(a) and 9(2)(a).	The data subjects and/or the customer.	Five years after the relevant project for the customer has been completed.	Personal data may be transferred to other Implement group companies in accordance with the terms laid down in Implement’s intragroup data processing agreement. Personal data may also be transferred to subcontractors who are directly involved in the project for the customer.

Market research and industry surveys

Data controller	Purpose	Data subject(s)	Categories of personal data	Legal basis	Source	Retention period	Disclosure to third parties
The company conducting the survey.	Gaining knowledge within a specific industry or business area for marketing and business development purposes.	Survey respondents, e.g. experts or professional within a specific industry.	Contact information and survey replies.	Processing is necessary in order for Implement to pursue its legitimate interests strengthening our industry knowledge and developing our business and services, cf. GDPR, Article 6(1)(f).	The data subjects.	As long as data are necessary for conducting the survey and market research.	Personal data may be transferred to other Implement group companies in accordance with the terms laid down in Implement’s intragroup data processing agreement. Implement uses a third-party survey provider who will process the personal data on behalf of Implement.

Marketing and customer relation management (CRM system)

Data controller	Purpose	Data subject(s)	Categories of personal data	Legal basis	Source	Retention period	Disclosure to third parties
The company that has a relation to the customer, potential customer or their employees.	Marketing activities, including customer relation management (CRM) system. Processing in the CRM system has the purposes of creating an overview of our network, identifying marketing opportunities, customizing and planning events.	Customers and potential customers, including their employees.	Non-sensitive personal data, i.e. name, position, contact details, employer, relation to employees in Implement, participation in events and involvement in previous projects.	Processing is necessary in order for Implement to pursue its legitimate interests in being able to manage and strengthen customer relations, developing our business and services (e.g. identifying customer needs and improvements in service delivery) cf. GDPR, Article 6(1)(f). Processing for direct marketing purposes is based on the data subjects’ consent, cf. GDPR, Article 6(1)(a). Read more about data subjects’ rights below under "Your right to object and withdraw consent”.	Customers, including customers’ employees and public sources such as cvr.dk, biq.dk, greens.dk, linkedIn.com.	As long as data are necessary for the listed purposes or until the data subject requests a deletion of the data.	Personal data may be transferred to other Implement group companies in accordance with the terms laid down in Implement’s intra group data processing agreement.

Newsletters

Data controller	Purpose	Data subject(s)	Categories of personal data	Legal basis	Source	Retention period	Disclosure to third parties
The company to which the data subject has consented to receiving newsletters from.	Administration of newsletters.	Subscribers to newsletters.	Non-sensitive personal data, i.e. name, position, contact details.	Subscribers provide their consent to receiving newsletters when subscribing. Processing for direct marketing purposes is based on the data subjects’ consent, cf. GDPR, Article 6(1)(a).	The data subjects.	Until the data subjects terminates the subscription.	Implement does not disclose any personal data to third parties unless we are under a legal obligation to do so. Implement uses a third-party provider to send out newsletters. This third party will process the personal data on behalf of Implement.

External whistleblower platform

Data controller	Purpose	Data subject(s)	Categories of personal data	Legal basis	Source	Retention period	Disclosure to third parties
Implement Consulting Group P/S, CBR: 32767788 (Denmark).	Management of Implement’s external whistle- blower system.	Customers, customers’ employees, Implement’s partners or employees, business partners and business partners’ employees.	Name, contact details, personal data contained in the report regardless of whether it is an internal or external reporting channel.	Processing is necessary for Implement to pursue its legitimate interests in being able to investigate and handle irregularities, improper behaviour, criminal offences etc., cf. GDPR, Article 6(1)(f) and the Danish Data Protection Act, section 8(3).	Persons reporting incidents through the whistle- blower system. Internal and external persons who have information on the reported incident.	Reports beyond the scope of the whistle- blower system will be erased as soon as the investigation has been completed. Reports giving rise to action will be erased five years after the matter has been finally resolved.	Implement may disclose personal data to external legal counsel. In case of criminal offences, personal data may be disclosed to the police. Finally, Implement will disclose to public authorities where we are under a legal obligation to do so.

Management of suppliers and business partner

Data controller	Purpose	Data subject(s)	Categories of personal data	Legal basis	Source	Retention period	Disclosure to third parties
The company which has entered into a contract with the supplier or business partner.	Management of suppliers and business partners	Suppliers and business partners, including their employees.	Non- sensitive personal data, i.e. name, position, contact details.	Processing is necessary in order for Implement to pursue its legitimate interests in being able to evaluate the business relationship, cf. GDPR, Article 6(1)(f). When supplier or business partner is a natural person, processing of personal data is necessary for the performance of contracts with the supplier or business partner, cf. GDPR, Article 6(1)(b).	The data subjects.	As long as data are necessary for the listed purposes or until the data subject requests deletion of the data.	Personal data may be transferred to other Implement group companies in accordance with the terms laid down in Implement’s intra- group data processing agreement.

Course activities

Data controller	Purpose	Data subject(s)	Categories of personal data	Legal basis	Source	Retention period	Disclosure to third parties
The company which organises the course.	Management of courses for customers and at Implement Learning Institute (ILI).	Course participants, course instructors.	Non-sensitive personal data, i.e. name, position, contact details.	Processing is necessary in order for Implement to pursue its legitimate interests in being able to evaluate the course, cf. GDPR, Article 6(1)(f). Processing of personal data is necessary for the performance of contracts with the course instructors, cf. GDPR, Article 6(1)(b).	The data subjects.	Five years from the date on which the participant signed up for the course.	Implement might disclose personal data to third parties, such as location providers or booking companies, if necessary in order to hold the course.

Event activities

Data controller	Purpose	Data subject(s)	Categories of personal data	Legal basis	Source	Retention period	Disclosure to third parties
The company which organises the event.	Administration of events, recruitment and marketing, if relevant.	Applicants for events and participants in events.	Non-sensitive personal data, i.e. name, position, contact details.	Processing is necessary in order for Implement to pursue its legitimate interests in being able to evaluate the event, cf. GDPR Article 6(1)(f). For recruitment purposes, read our Consent and Privacy Policy for recruitment at Implement Consulting Group.	The data subjects.	As long as data are necessary for the listed purposes or until the data subject requests deletion of the data. For recruitment purposes, read our Consent and Privacy Policy for recruitment at Implement Consulting Group.	Implement might disclose personal data to third parties, such as. location providers or booking companies, if necessary in order to hold the event. If the event is co-hosted by Implement and another company or companies, Implement may disclose personal data to such other company/ companies for the purpose of hosting the event.

Our processing activities for recruitment

Data controller	Purpose	Data subject(s)	Categories of personal data	Legal basis	Source	Retention period	Disclosure to third parties
Please see our Consent and Privacy Policy for recruitment.	Recruitment.	Please see our Consent and Privacy Policy for recruitment.	Please see our Consent and Privacy Policy for recruitment.	Please see our Consent and Privacy Policy for recruitment.	Please see our Consent and Privacy Policy for recruitment.	Please see our Consent and Privacy Policy for recruitment.	Please see our Consent and Privacy Policy for recruitment.

Read our Consent and Privacy Policy for recruitment at Implement Consulting Group.

Are you applying for a position at The Tech Collective, read their Consent and Privacy Policy here.

Are you applying for a position at Is It A Bird, read their Consent and Privacy Policy here.

Video surveillance

We process personal data about visitors obtained from video surveillance for security purposes. The processing of personal data is necessary to pursue our legitimate interest in ensuring a high level of security, cf. GDPR, Article 6(1)(f) and GDPR, Article 10, cf. Data Protection Act, Section 8(3).

In case we process sensitive personal data, it is necessary for the establishment, exercise or defence of legal claims, cf. GDPR, Article 9(2)(f). In the areas where we use video surveillance, we inform visitors about such surveillance in accordance with the Danish TV Surveillance Act, Section 3(1). All recordings are stored securely and are only viewed if there are reasonable grounds for doing so, e.g. in case of an incident, and in such case only by selected persons. The recordings are automatically overwritten after five days, unless a problem is identified which requires investigation.

Personal data will only be disclosed to the police when an issue requiring investigation (e.g. theft) has occurred.

Use of cookies on our websites

We use cookies on our websites in order to optimise the user experience.

Security of processing

Data security is a high priority at Implement. We work seriously and professionally with information security, and we base our work on internationally recognised security standards. We have implemented security measures to ensure data protection of customer data, personal data and other confidential data. We conduct regular internal follow-ups in relation to the adequacy and compliance of policies and measures.

We occasionally use other third parties, such as subcontractors, in connection with the provision of our services. Such third parties may be granted access to personal data in order for them to be able to provide the agreed service. Implement enters into data protection agreements that are necessary in order to ensure that security is in place to protect data and comply with our data protection obligations.

Implement also uses sub-data processors as part of our day-to-day IT operations. This means that personal data are processed by Implement’s sub-data processors. These sub-data processors are located within the EU. There are data processing agreements in place between Implement and all sub-data processors to ensure that all processing takes place in accordance with Implement’s instructions and is subject to the necessary security requirements.

Your rights as a data subject

As a data subject, you have certain rights pursuant to the General Data Protection Regulation. Your rights may be summarised as follows:

The right of access by the data subject. You have the right to gain access to the personal data concerning you that we process.
The right to have incorrect personal data rectified. You have the right to have incorrect personal data about yourself rectified without undue delay.
The right to have personal data erased. You have the right to have your personal data erased at an earlier point in time than when our ordinary erasure takes place, where appropriate.
The right to restriction of data processing. You have the right to restrict our processing of your personal data, where appropriate. In such cases, we may only process your data with your consent or in some very specific situations as outlined in the General Data Protection Regulation.
The right to object to personal data processing, if our processing is based on Article 6(1)(e) and (f). In such cases, we may only process your personal data if we are able to demonstrate compelling legitimate grounds for doing so.
The right to data portability. You have the right to receive your personal data in a structured, commonly used and machine-readable format. You may also request that we transmit your personal data to another data controller without hindrance.

For further information on your rights as a data subject, please refer to the Danish Data Protection Agency’s website (www.datatilsynet.dk), where you will find further guidelines.

When we process personal data based on your consent, you have the right to withdraw your consent at any time. Please contact us to withdraw consent for our processing of your personal data.

Your right to object and withdraw consent

As a data subject, you have the right to object to our processing of your personal data in certain situations, which are listed below:

Processing based on legitimate interests

You have the right to object to personal data processing, if our processing is based on Article 6(1)(e) and (f) of the GDPR. In such cases, we may only process your personal data, if we are able to demonstrate compelling legitimate grounds for doing so, which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Processing for direct marketing purposes

You have the right to object to personal data processing, if we process the personal data for direct marketing purposes, cf. Article 21(2) of the GDPR, e.g. when registering you in our CRM system. In such cases the personal data will no longer be processed for such purposes.

Changes to this data protection policy

We acknowledge that transparency is an ongoing responsibility. Therefore, we will continually review and update this data protection policy in order to ensure our compliance with applicable personal data law from time to time.

The data protection policy was updated in January 2025.

Contact

Please contact us if you would like to exercise your rights as described above, or if you have questions about our processing of your personal data or this data protection policy.

Implement Consulting Group
CVR: 32767788
Attn.: privacy@implement.dk
Strandvejen 54, 2900 Hellerup
Tel: +45 4586 7900

You may also get in touch with your contact person at Implement, who will be able to help you contact the right person.

Complaints

If you wish to complain about our processing of personal data, please send an email with the details of your complaint to privacy@implement.dk. We will handle your complaint and get back to you.

You also have the right to lodge a complaint about your rights and Implement’s processing of your personal data to the Danish Data Protection Agency. For further information on how to lodge a complaint to the Danish Data Protection Agency, please consult their website: www.datatilsynet.dk.

Statutory rules

The applicable statutory rules for Implement’s processing of your personal data may be found in:

The General Data Protection Regulation (GDPR)
The Danish Data Protection Act

Data protection policy