Information about how Purpose and Means processes personal data

Purpose and Means is a sole proprietorship registered in Denmark (CVR number: 18895692) and is the data controller for personal data processed via this website for conducting its business of providing organisations and individuals with various products and services.

Purpose and Means uses a Quality Management System (QMS) for conducting its training activities, approved and audited by APMG International, based in the UK.

Purpose and Means is owned by Timothy Clements.

Who we are

Purpose and Means is based in Denmark and is subject to the General Data Protection Regulation (GDPR). As we also operate globally, we are also subject to a multitude of applicable data protection and privacy laws. Being a very small business, we are not able to fully comply with every single law, but we regularly make ourselves aware of key nuances between the GDPR and other laws, especially if a client demand (e.g. large volumes of data subjects) necessitates greater focus.

Purpose and Means sees data protection as a key part of doing business and respects key principles like lawfulness, fairness and transparency, data minimisation, and purpose limitation, to name a few.

We do not have a Data Protection Officer (DPO) appointed because in our business context, we do not meet the criteria specified within the GDPR.

In our processing context we do not assess our processing activities to pose a 'high risk' to the rights and freedoms of individuals.

In our products and services we strive to convey the importance of robust data protection practices and explain whenever possible the history and reasons why the laws exist.

Please do contact us if you have any questions or concerns, or feedback about how Purpose and Means processes personal data.

Our take on data protection

Purpose and Means, Esthersvej 21.st, 2900 Hellerup, Denmark.

Mobile/sms: +45 6113 5106
Email: tc@purposeandmeans.io

Contact us

Active data collection
Active data collection is when you knowingly provide personal data to Purpose and Means and tend to have an understanding of why you are providing the data. We actively collect data from you when you:

  • Complete a web form

    • Registration for an education or training course

    • Signing up for a newsletter

    • Provide credit card information

  • Request information about a product or service via email to Purpose and Means

Data collection

Passive data collection
When passive data collection takes place, data about you is collected in a manner that you may not be fully aware of. In particular, when you make a payment using a credit card, we use Stripe (an Irish/US company) to process the credit card transaction and need to allow Stripe to place security and anti-fraud related cookies on your device.

Stripe cookies, such as __stripe_sid and __stripe_mid, are essential for fraud detection and prevention. They help identify potentially malicious traffic and secure transactions, which is crucial for both our business and you as a consumer. Stripe's cookies also enable core website functionality related to payments, such as adding items to a cart and completing purchases. Without these cookies, our credit card payment process would not function correctly.

Although you are able to delete the Stripe cookies (function key + F12 in your browser, and then right click the cookie entry in your console, followed by selecting 'delete') you will not be able to pay for a Purpose and Means product or service by credit card if you do so.

We do offer alternative payment channels for some products and services. Contact us if you do not wish to pay by credit card.

Other cookies

Cookies
Our website uses a number of technologies to support eCommerce requirements, and as our EU-based hosting company (Hostinger) uses Amazon Web Services' Content Delivery Network (CDN), our pages are served from data centres outside the EU/EEA. We use a cookie consent solution from a Lithuanian company, Cookie Script. Our cookie banner can be viewed at any time by clicking on the red/black cookie icon in the bottom left of the browser screen. This details the cookies used on our website, categorised by 'strictly necessary,' 'performance,' 'targeting,' and 'functionality.' Cookie Script scans our website on a monthly basis and updates the list of cookies used. Occasionally there are glitches. Please do contact us at tc@purposeandmeans.io if you have issues or concerns, and we'll endeavour to rectify the matter as soon as possible.

Purpose and Means processes personal data using different lawful bases depending upon who you are.

1. Private individuals

  • Consent to receive a marketing newsletter from Purpose and Means no more than once a month

  • Legitimate interests of Purpose and Means to conduct profitable commerce providing its portfolio of products and services

  • Compliance with legal obligations in line with Danish tax and financial laws

  • Performance of a contract prior to, or actual purchasing of Purpose and Means products and services


2. Training instructors

  • Legitimate interests of Purpose and Means to conduct profitable commerce providing its portfolio of products and services

  • Compliance with legal obligations in line with Danish tax and financial laws

  • Performance of a contract prior to, or actual procurement of instructor services delivered by 3rd party instructors


3. Employees of Purpose and Means clients

  • Legitimate interests of Purpose and Means to conduct profitable commerce providing its portfolio of products and services


For details of our purposes of processing, please refer to 'Data Usage.'

Lawful bases for processing

Purpose and Means processes the following data about people, dependent on the purpose of processing (see also section 'Data Usage'):

Provided data:

  • First name and surname

  • Postal address

  • Email address

  • Credit card details

  • Opinions about products and services provided


Derived data:

  • Attendance levels (for courses)

  • Purchase history

  • Levels of understanding (knowledge checks, quizzes)


Inferred data:

  • Propensity to purchase other products or services (for manual recommendations)

What data is collected?

Personal data is securely retained and backed-up by Purpose and Means in Denmark in line with the duration of the processing detailed in the 'Data Usage' section.

Personal data is replicated to servers in Germany managed by Hetzner Online GmbH - for more information, see the 'Data Sharing' section.

Invoices
For accounting purposes we use a 3rd party tool called Dinero, a Danish company, that stores invoice information. For private individuals and 3rd party training instructors, the invoices specify personal data, and for our corporate clients, this may contain some personal data. This data is retained for 5 years to comply with Danish financial and tax laws.

Email
Purpose and Means currently uses Microsoft Outlook as an email and calendar application, so personal data received by email is also retained and replicated by Microsoft - see also the 'Data Sharing' section. Unless there are specific purposes to continue processing, this personal data is retained for 3 years.

Complaints and complaint log
If a complaint has been received, personal data related to the complaint will be retained for 2 years after the complaint is resolved. This is in the event of a subsequent legal claim being made.

Data subject requests (if you exercise an individual right - see section about 'Your rights')
From completion of the request regarding the exercise of rights, personal data will be retained for 5 years. This is in line with recommendations issued by the Danish Data Protection Authority, Datatilsynet.

Consent records
Records of consent will be retained for 2 years or until no longer necessary for the purposes for which the personal data is processed (for instance, a legal claim). This is in line with recommendations issued by the Danish Data Protection Authority, Datatilsynet.

Data retention

Purpose and Means uses data for the following purposes (per lawful basis):

  • Consent (can be withdrawn at any time)

    • Providing you with a promotional newsletter

  • Legitimate interests (for running a profitable business)

    • Dealing with your business-related requests and enquiries

    • Improvement of our products and services through requests for feedback from you

    • Promotion of Purpose and Means products and services through your testimonial

    • Determining the levels of understanding of our training courses (quizzes, knowledge checks)

    • In the interests of security and anti-fraud activities

  • Performance of a contract

    • Prior enquiries, registration and purchase of a product or service

    • Transfer of necessary data to 3rd party training instructors (email address)

    • Transfer of necessary data to IAPP in the US (name, email and country)

  • Legal obligation

    • Complying with Danish financial and tax laws

Data usage

Data transfers within the EU/EEA

Transfers to IAPP instructors
Purpose and Means collaborates with a number of 3rd party training instructors who are located in various EU countries (currently the Czech Republic and Denmark). Data about course participants (email addresses) is sent to the instructors so they can send calendar invitations typically using MS Teams or Google Meet.

Cloud storage in Germany
We store personal data in a NextCloud solution hosted in Germany at Hetzner Online GmbH.

Data transfers

Data transfers outside the EU/EEA

For IAPP courses
Purpose and Means collaborates with a number of 3rd party training instructors who are located in various countries outside of the EU/EEA (currently the UK). Data about course participants (email addresses) is sent to the instructors so they can send calendar invitations typically using MS Teams.

We also transfer participant information (first name, surname, email address and country) to IAPP in the US for course registration and IAPP KnowledgeNet membership. This transfer is required as part of the contractual agreement Purpose and Means has with IAPP.

General business applications
We currently use US company Microsoft Office 365 including Outlook and Teams for email and video conferencing respectively.

Website
Our website at purposeandmeans.io is hosted at Hostinger, a Lithuanian company with data centres in the US (CDN solution).

Data about you is deleted when there is no purpose to retain the data. It's therefore important to understand the 'purposes of processing' mentioned in the 'Data Usage' section.

Retention is determined by several factors. For example, Purpose and Means needs to retain some personal data for five years to comply with Danish financial and tax laws.

Another example is when you register for the Purpose and Means newsletter, which you will have consented to. If you decide to withdraw your consent, your data in relation to this activity is deleted, unless there is another purpose to retain it - this could be your email address that relates to, say, a financial transaction that you also made in relation to purchasing a product or service.

Data deletion

You have a number of rights that you can exercise depending upon the lawful basis for processing. For the processing carried out by Purpose and Means, the following rights apply for all processing.

  • Right to access

    • This allows you to request confirmation that we're processing your personal data, and if so, request a copy of the data

  • Right to rectification

    • If you discover errors, or see the data about you is incomplete, you can request rectification of your personal data

  • Right to restrict processing

    • You can request us to limit the use of your personal data if it’s wrong or used unlawfully, instead of deleting it.

  • Right to not be subject to automated decision making including profiling

    • You have the right to ensure major decisions about you, including those using profiling, aren’t made solely by a computer.

  • Right to lodge a complaint with a Supervisory Authority

    • You have the right to complain to a Supervisory Authority. As we're a Danish company, complaints should be made to Datatilsynet, though please note they recommend initially complaining to the Data Controller, in other words, please complain to Purpose and Means.


In addition to the rights listed above, you have other rights depending upon the lawful basis for processing:

  • Right to withdraw consent

    • This right only applies if you have provided consent, typically only in relation to receiving our marketing newsletter

  • Right to erasure

    • You can request erasure when the lawful bases are

      • Consent

      • Performance of a contract

      • Legitimate interests

  • Right to data portability

    • You can request a copy of the personal data you have provided us with, and also data we have observed, derived or inferred e.g. course participation, quiz scores. This will be provided to you in a commonly used, structured, machine readable format. You can exercise this right when the lawful bases are:

      • Consent

      • Performance of a contract

  • Right to object

    • In our processing context, you have the right to object to direct marketing that is conducted when the lawful basis is:

      • Legitimate interest

Your rights

How to exercise your rights
Please send an email detailing your request to tc@purposeandmeans.io with a subject line 'Data Subject Request.' We may request proof of identity and/or context in order to process your request.

We recognise that information security is a vital part of data protection. While no data transmission, including online, can be completely secure from intrusion, we implement a variety of physical, technical, and procedural measures to protect personal data from unauthorised access, use, disclosure, alteration, or destruction, in line with data protection laws. Additionally, when working with third parties, we prioritise security and data protection as essential criteria during vendor selection and due diligence processes.

Information security

This page was last updated on 8 January 2024.