LinkedIn image

Howdy ApS as Data Controller

Introduction

Our set-up is slightly different from what you sometimes see among other technology suppliers, as we take the role of data controller and not data processor. We do this for the reason that we store employee wellbeing data, which we must ensure is anonymous to the employer (cf. our privacy policy), and we cannot guarantee this if the employer himself is the data controller, since the right and duty of instructions lies with the data controller and thus can recall data.

For that reason, we have created a structure where Howdy is the data controller and the employer claims legitimate interests in relation to sharing employee master data and continuously offering Howdy to its employees. When an employee (voluntarily) signs up for the Howdy service, all data processing takes place under uniquely obtained consent and associated privacy policy.

Generel

Howdy ApS processes data as a data controller. As data controllers, we are responsible for collecting and processing data as well as complying with GDPR legislation and relevant national data protection laws. We take data protection seriously. PWC audits us in the ISAE 3000 program and we renew our ISAE3000 Type II declaration annually on March 5. 

We only share our ISAE 3000 reports with clients under confidentiality agreements, which can be downloaded here

With Howdy as the data controller, you as an employer are obliged to inform the employees that you share certain data with us – in the same way, as you would, for example, do with a pension company. The data you share is limited to: 

  • Employment ID, 
  • Name, 
  • Email address, 
  • Phone number (optional) and 
  • Their organizational location and possible role in the company (depending on the solution you have chosen). 

Once you have shared this data with us, the individual engagement, degree of participation, scores and cases will all be completely anonymous to you as described in our privacy policy. 

Employees decide whether they want to sign up for the solution – to do this, they must give a declaration of consent. They can read our privacy policy before doing so. 

It is permitted to share data with us if there is a legitimate interest. 

The assessment from Howdy’s lawyers reads: 

  • Any company or equivalent can claim legitimate interests as justification for using Howdy 
  • Public authorities can use §12 of the Data Protection Act as a basis for processing, including disclosure, in Howdy. §12 mentions that a data controller can process data covered by GDPR art 6 and 9 in order to comply with obligations and/or pursue rights arising from employment and labour legislation and/or collective agreements, e.g. the obligation to offer a safe and healthy working environment cf. the Danish Working Environment Act. 

The law firm Howdy uses is Lundgrens Advokatpartnerselskab.

It should be noted that the customer’s legitimate interests only relate to the fact that WLB addresses the company’s employees with a view to offering registration to the Howdy solution. The employee’s actual use of the solution takes place under explicit consent, which the employee himself gives to Howdy before access to Howdy is granted. 

Contact

If you have questions or need further information, contact us at gdpr@howdy.care

Table of contents