Skip To Main Content 2023 Ransomware Report | Download Now

Privacy Policy for Vendors and Business Partners

Latest revision: 06.21

Protection of personal data processed about you

As part of your customer or business partner relationship to the Group (“we”, “us”, “our”), we process personal data about you.

It is crucial to us that your personal data is properly protected and respected, when you are a customer or a business partner to us or work as an employee for a customer or business partner to us. Therefore, we strive for constantly protecting your personal data, including complying with any applicable data protection laws, such as the General Data Protection Regulation (“GDPR”).

Under the GDPR, the Group is obligated to inform you about how we process the personal data about you, and about your rights as a data subject etc. You can find that information in this Privacy Notice.

1.0 Data controllers

Bullwall consists of various legal entities, each independently responsible and accountable for its own processing of personal data under the GDPR, depending on which legal entity your organisation has a contractual relationship with.

The contact details of the legal entities in Bullwall are:

BullWall Lab A/SReg. no.: 37800171Øster Snedevej 15B, st.7120 Vejle ØstDenmark Phone: +45 2949 9571Email: dpo@bullwall.comBullWall A/SReg. no.: 38878786Øster Snedevej 15B, st.7120 Vejle ØstDenmark Phone: +45 2949 9571Email: dpo@bullwall.comBullWall LtdReg. no.: 111668038 The Courtyard, Furlong RdBourne End, Bucks SL8 5AUEngland Phone: +45 2949 9571Email:

Inquiries concerning how we process your personal data, or inquiries related to you exercising your rights as a data subject, may be sent to the responsible legal entity via the contact information found above.

2.0 Categories of personal data

The purposes of the processing of personal data about you, are in general to make it possible to us to manage and maintain our customer relationship and our business partner relationship with you and your employer.

 We process the following categories of personal data about you:

  • Identification data, including name, address, telephone number and email
  • Correspondence with you

We collect the personal data from either you, your employer or other third parties.

3.0 Purposes of the processing

We only process personal data about you to the extent necessary for the purpose of the specific processing activity. The purposes of the processing of personal data about you are as follows:

  • Information used in regular administration and case handling, e.g. contracts with signatures etc.
  • Necessary registrations in our systems when you use our services

4.0 Legal basis of the processing

We will process the personal data about you based on our legitimate interest in offering our services to our customer and to administer and maintain our relationship with the customer (see Article 6(1)(f) of the GDPR).

We may also process personal data about you to meet a legal obligation (see Article 6(1)(c) of the GDPR.

5.0 Data recipients and third countries

In certain situations, we disclose the personal data we process about you to other data controllers, e.g., when involving a lawyer or another expert in specific disputes and matters.

 Such data controllers include:

  • Law firms
  • Consultancy and auditing firms
  • Public authorities to which we are legally obligated to transfer personal data about you

 We also use data processors, which also process personal data about you or/and your employees.

 Currently, we use data processors to handle the following measures and activities:

  • Office 365 (OneDrive, Teams, Skype, etc.).
  • Google Drive and Google Maps
  • Web-emails and Microsoft services
  • Firewalls/log of IP addresses
  • Remote support
  • IT setup
  • Task centre
  • Handling of accounting records
  • Handling CRM and websites

Some of our data processors and their sub-processors transfer personal data to countries outside the EEA:

Countries with an adequacy decision offering the equivalent level of data protection as in the EU: Argentina, Canada, Faroe Island, Isle of Man, Israel, Japan, New Zealand, Switzerland and United Kingdom.

Countries without an adequacy decision offering the equivalent level of data protection as in the EU (list of all possible countries): Australia, Brazil, Chile, China, Columbia, Egypt, El Salvador, Guatemala, Hong Kong, India, Indonesia, Kenya, Malaysia, Mexico, Peru, Philippines, Serbia, Singapore, South Africa, South Korea, Taiwan, Turkey, United Arab Emirates and USA.

For these countries, the transfers are based on the EU Commission Standard Contractual Clauses. If you wish to receive a copy of the clauses, please contact us.

6.0 Storage period

Personal data are only stored if necessary, for the purposes of the processing activities, or if required under relevant and applicable legislation, including the rules of the Danish Bookkeeping Act, whereinafter storage of accounting records is undertaken for at least five years plus the current accounting period.

 Contracts with customers will be deleted 36 months after expiration or termination. Personal data collected in relation to licenses issued to customers will be deleted 3 months after the license expires.

 Contact details contained in our customer relationship management system will be deleted 36 months after a contract expires, at the latest.

7.0 Your rights

If you wish to exercise your rights as further described below, please use the contact details listed above.

Your rights are the following:

  • Right of access: You have the right to be granted access to the personal data processed about you, including information on how such personal data is processed, the sources, etc.
  • Right of rectification: You have the right to have incorrect personal data about you rectified.
  • Right of deletion: Under certain conditions, you have the right to have personal data about you deleted prior to deletion otherwise in accordance with our general deletion procedures.
  • Right of restriction of processing: Under certain conditions, you have the right to have the processing of your personal data restricted. If you are entitled to such restricted processing, we may only process your personal data – except for storage – with your consent, for the purpose of establishing, exercising or defending a legal claim or to protect a person or on grounds of important public interests.
  • Right of data portability: You have the right to data portability to the extent that our processing of your personal data is based on your consent or an agreement, and the processing takes place automatically. This right implies that you are entitled to have your personal data forwarded in a structured, generally applied and machine-readable format, which you may transfer to another service provider.
  • Right of objection: Under certain conditions, you have the right to object to our processing of your personal data.
  • Right of withdrawal of consent: To the extent that our processing is based on your consent, you are entitled to withdraw your consent wholly or partly. The withdrawal of your consent will not affect the lawfulness of the processing made by us until withdrawal.

For more information on your rights, see the Danish Data Protection Agency’s, Datatilsynet, guidelines describing your rights as a data subject on

If you make use of your rights as described above, we also process personal data relating to reception and responding to your inquiry. If there is doubt about your identity, we have the right to request more information necessary to confirm your identity. In such cases, we will process additional information about you for the purpose of knowing your correct identity.

8.0 Complaints

If you wish to complain about our processing of your personal data, you may complain to the Danish Data Protection Agency, Datatilsynet. Contact details can be found at

9.0 Updates

This Privacy Notice was made in July 2021. We will regularly revise our processing activities and update the Privacy Notice, when and if necessary.