CSIS Group Privacy Notice

Last update: 2025-08-27

1. Introduction

CSIS Group is a leading European cybersecurity provider focused on safeguarding the privacy, confidentiality, and compliance of all personal data we process. This Privacy Notice explains our practices regarding the collection, use, retention, sharing, and protection of your data. We operate in accordance with the EU General Data Protection Regulation (GDPR), Danish data protection law, and the SOC 2 Privacy criteria, ensuring transparency and respect for your rights.

2. Data Controller Information

CSIS Security Group A/S, registered at Lindevangs Allé 12, 3rd floor, DK-2000 Frederiksberg, Denmark, is the main controller of your personal data in line with this Notice. For certain managed services, CSIS may also act as a data processor, strictly following documented instructions from business customers. Our privacy compliance is monitored by designated responsible employees. All communications regarding this Privacy Notice should be directed to info@csis.com.

3. Categories of Personal Data Collected

Depending on your relationship with CSIS, we may collect identification details (e.g., name, email, contact information), professional and employment details, IT system activity (user IDs, IP addresses), business and contractual records, and in special circumstances, whistleblowing or sensitive information. Data classification, ownership, and access controls are implemented in line with our policies, ensuring only necessary data is collected and processed for legitimate purposes.

4. Purpose and Legal Basis for Processing

We process data to enter or fulfil contracts, operate services, communicate, comply with legal obligations, protect legitimate interests, or when you give consent. Legal bases are documented as required by GDPR (Articles 6 and 9), and purposes include service delivery, security operations, employment administration, regulatory compliance, and supporting our legitimate business operations. Our legal, contractual, and business requirements are regularly reviewed for alignment.

5. Methods of Data Collection

We collect data directly (through communication, forms, service enrollments, or job applications), automatically (from IT systems, web analytics, cookies), and indirectly (from business partners, public sources, or legal/regulatory requests). All methods adhere to GDPR guidelines on transparency and proportionality. Where required, privacy information is provided at collection or as soon as feasible.

6. Use and Disclosure of Personal Data

CSIS uses collected data only for the stated or closely related purposes. Common uses include service delivery, billing, communication, regulatory reporting, network and information security, audit, and support. We do not sell your data. Further processing for different purposes only occurs with suitable legal basis, appropriate notice, and, where needed, your consent.

7. Data Sharing with Third Parties and Processors

Your personal data may be shared with carefully selected external service providers and partners—including IT/cloud vendors, auditors, professional advisors, or regulators—only when essential for our legitimate business needs or legal obligations. Before engaging with any third party, CSIS Group conducts thorough due diligence and background checks, and reviews contractual, security, and privacy certifications (including GDPR and SOC 2 where appropriate). All such parties are bound by written agreements that mandate confidentiality, compliance with our security standards, and a duty to process data only on CSIS’s documented instructions. We ensure access to personal data is strictly limited to individuals who need it for their roles, in accordance with the principle of least privilege, as outlined by our policies. Data transfers, especially those involving external parties or cross-border processing, are encrypted or secured as required, and we regularly review and monitor our third-party arrangements and controls for compliance with our internal policies and regulatory requirements.

8. International Data Transfers

If CSIS needs to transfer your data outside the EEA, such transfers only occur under strict safeguards such as adequacy decisions, Standard Contractual Clauses, or explicit consent in compliance with GDPR Chapter V. Each transfer is assessed for data protection risks, and we inform data subjects of transfer rationale and safeguards as required.

9. Data Security

CSIS applies industry-standard technical and organizational security controls, including encryption, access management, continuous monitoring, staff training, vulnerability management, and physical/logical segregation of environments, as documented in our Information Security Policy, Secure Disposal Policy, and supporting procedures. Our compliance program includes ISO 27001:2022 and SOC 2 Privacy and Security criteria and periodic audits to maintain best practices. Incident response and breach notification are governed by our Data Breach Policy and immediate reporting to the Internal Security Task Force.

10. Data Retention Periods

CSIS only retains personal data for the necessary period defined by legal, contractual, or business necessity, according to our contracts, our Data Processing Agreement, and our Internal Data Retention Policy. When the retention period ends, data is securely deleted or anonymized. Shorter or longer retention periods may apply based on legal, regulatory, or contract requirements; for details, you may contact us at info@csis.com.

11. Data Subject Rights

Your rights under GDPR include access, rectification, erasure, restriction, objection, and data portability of your personal data. Requests are handled with urgency and at no cost, barring manifestly unfounded or excessive requests. CSIS verifies all such requests and provides responses within statutory timelines, except where legal exceptions apply.

12. Automated Decision-Making and Profiling

CSIS does not employ processing based solely on automated decision-making, including profiling, that produces legal or similarly significant effects. If ever required, we will communicate relevant details, including logic and potential impacts, and your right to a human review.

13. How to Exercise Your Rights

To exercise any data protection rights or to make a request about your personal data, please contact info@csis.com or write to our registered office. Include enough information to verify your identity and specify your request.

14. Complaints and Supervisory Authority Contact Information

If you believe that our data processing does not comply with law, you can contact us at info@csis.com for informal resolution. You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet, dt@datatilsynet.dk), or your local supervisory authority if outside Denmark.

15. Updates to This Privacy Notice

CSIS reviews this Privacy Notice at least yearly and updates it as needed to reflect changes in our practices, legal requirements, or services. The current version is always available on our website. Please check the notice regularly for the latest version.

16. Contact Details for Privacy Queries

For all privacy concerns, data subject requests, or questions about this notice, contact:
CSIS Security Group A/S
Lindevangs Allé 12, 3rd floor, DK-2000 Frederiksberg, Denmark
Email: info@csis.com
Phone: +45 8813 6030