Privacy Policy for NDI A/S – Version 2 of 30.09.2025
Data Controller – Who Are We?
NDI A/S
Merkurvej 7
6650 Brørup
CVR no.: 81203113
Phone: +45 76 15 10 00
E-mail: gdpr@ndi-dk.com
NDI A/S is the data controller responsible for processing your personal data.
What Information We Collect – and Why?
We process the following categories of personal data depending on your interaction with us:
For credit assessment, one or more of the following are collected:
- VAT, name, address, phone number and email
When purchasing from the webshop:
- Name, address, phone number and email
- Order history and payment information
- Any communication and service messages
- Tracking information for shipments
With consent for newsletters and marketing:
- Contact information (name, email, phone number)
- Interactions with previous marketing campaigns
- Preferences and click behavior
- Social media profiles (anonymized where relevant)
This information is collected directly from you when you use our websites ndias.com, ndi.no, ndi.se, ndi.fi, ndi.eu, or when you sign up via forms—for example, on social media, YouTube, Facebook, Google services, etc.
Use of cookies and reference to the cookie policy
NDI A/S uses cookies and similar technologies on our websites to ensure functionality, analyze traffic, and target advertising.
Cookies can collect information about:
- Your browser and device type
- IP address and approximate geographic location
- Your behavior on our website, including clicks, searches, and page views
We only place cookies for statistical or marketing purposes if you have given your consent via our cookie banner. You can change or withdraw your consent at any time using the link at the bottom of our website.
Read more in our cookie policy.
You can find detailed information about the specific cookies we use, their purposes, storage periods, and partners in our cookie policy by using the cookie icon in the bottom left corner.
Purpose and legal basis for processing
NDI A/S processes your personal data for a range of well-defined purposes, each based on a lawful basis under the General Data Protection Regulation (GDPR). We ensure that your information is only used when necessary and lawful, and always in accordance with your rights.
The specific purposes of the processing and the corresponding legal bases are:
1. Credit assessment
When entering into or expanding a customer relationship, we may perform a credit assessment to ensure responsible and secure transactions. In this context, we use information from RISIKA, which collects data from public registers (including information on the beneficial owners of companies) and other lawful sources. The purpose is to evaluate our customers’ creditworthiness and reduce the risk of loss. The information collected is used solely for credit assessment and is not shared with other parties.
- Legal basis: GDPR Article 6(1)(f) (The processing of personal data is based on our legitimate interest in conducting credit assessments)
2. Execution of purchases and fulfillment of contractual obligations
When you make a purchase through our webshop, we process your personal data to deliver the ordered goods, send order confirmations, and handle payment and invoicing. This processing is necessary to enter into and fulfill the agreement with you as a customer.
- Legal basis: GDPR Article 6(1)(b) (performance of a contract)
3. Customer service and handling of complaints
We process your information in connection with customer service inquiries, product questions, and if you need to make a complaint about a product. This is done to ensure good customer service and to document our correspondence and deliveries.
- Legal basis: GDPR Article 6(1)(f) (legitimate interest in providing good service and fulfilling obligations)
4. Sending service messages and order status information
We use your contact information to inform you about important aspects of your purchases, such as confirmations, shipping details, delivery times, and any changes. These messages are considered necessary service communications and are not marketing.
- Legal basis: GDPR Article 6(1)(b) and (f) (performance of a contract and legitimate interest)
5. Sending newsletters and commercial marketing
When you have given consent, we use your information to send newsletters, offers, promotions, and information about new products and services. We tailor the content to be relevant to you as a customer.
- Legal basis: GDPR Article 6(1)(a) (consent) and the Danish Marketing Act § 10 (requirements for consent in electronic marketing)
6. Targeted advertising and use of social media
We use your information to tailor ads on digital platforms such as Facebook, LinkedIn, and Google, so you receive relevant messages. This is done either using anonymized data or—where consent is given—using identifiable information.
- Legal basis: GDPR Article 6(1)(a) (consent)
7. Analysis, statistics, and improvement of our services
We process aggregated and, in some cases, pseudonymized data to understand customer behavior, analyze purchasing patterns, and improve our products, services, and user experience on our platforms.
- Legal basis: GDPR Article 6(1)(f) (legitimate interest in developing and optimizing our business and services)
Disclosure and recipients of personal data
NDI A/S handles your personal data with a high level of confidentiality and only discloses it when necessary to fulfill the purposes of processing or when required by law. Any disclosure is always in accordance with applicable data protection legislation and only to trusted third parties.
The following categories of recipients may have access to your personal data:
- External advisors and authorities
We may disclose information to:
- Auditors and accounting consultants in connection with financial management and reporting.
- Legal advisors in cases of disputes or statutory requests.
- Public authorities, such as the Danish Tax Agency (SKAT) or the Data Protection Authority, if we are legally obliged to do so.
- IT and system providers
To operate our business efficiently, we use external providers for technical operations, IT support, hosting, backup, and security monitoring. These providers act as data processors and handle personal data solely according to our instructions.
Examples include:
- Providers of our webshop platform and payment solutions.
- Suppliers of email marketing tools.
- Hosting providers and cloud storage services.
- Marketing and analytics partners
We use partners for sending newsletters, conducting customer satisfaction surveys, and analyzing and segmenting our customer data to help us improve our service and marketing.
- Digital platforms and social media
In connection with digital advertising and targeted marketing, we may share limited and pseudonymized data with platforms such as Facebook, Google, LinkedIn, AdForm, YouTube, and Instagram. This data is used to show you relevant ads. In these cases, the mentioned platforms have independent responsibility for their data processing.
- Group-affiliated companies
Personal data may be shared internally within our group (parent, subsidiary, and sister companies) for the purposes of joint operations, support functions, marketing, and customer service, where relevant.
Security in the event of disclosure
We have entered into written data processing agreements with all external parties that process personal data on our behalf. These agreements ensure that your information is handled securely, confidentially, and in compliance with the GDPR.
We also ensure that only the information necessary for the specific purpose is disclosed, and we continuously assess our partners to maintain a high level of data protection.
Transfer to third countries
Your information is generally stored within the EU/EEA. However, in connection with marketing and the use of social media, transfers to third countries such as the USA may occur. This is done under the EU Commission’s Standard Contractual Clauses (SCC).
Retention period
NDI A/S only retains your personal data for as long as necessary to fulfill the purposes for which the data was collected or to comply with legal obligations. We continuously review our data to ensure that it is not kept longer than necessary and that deletion is carried out in a secure and controlled manner.
Below are the specific retention periods depending on the type of personal data and its associated purpose:
1. Information related to purchases and accounting
Information such as name, address, contact details, order history, and billing data is retained to fulfill our obligations under the Danish Bookkeeping Act and other applicable legislation.
- Retention period: Up to 5 years from the end of the financial year to which the information relates, in accordance with the Danish Bookkeeping Act § 10.
2. Information used for handling complaints
For complaints, we store the necessary information to process your request and document correspondence in case of disputes.
- Retention period: Up to 2 years from the delivery date, corresponding to the statutory complaint period for consumer purchases. For valid complaints, the period may be extended in line with any new complaint period.
3. Information for marketing and newsletters
When you have given consent to receive marketing or newsletters, we retain your contact details, preferences, and consent information for as long as you wish to receive the material.
- Retention period: Until you actively withdraw your consent. If there has been no activity (e.g., clicks, opens, responses) for 2 years, your information will be automatically deleted unless you have given new consent.
4. Documentation of consent
We store technical and legal documentation of your consent, including when and how it was given, as well as any changes or withdrawals. This is necessary to demonstrate compliance with GDPR and marketing legislation.
- Retention period: Up to 5 years after the last use of the consent. This corresponds to the statute of limitations for any potential legal liability.
NDI automatically deletes or anonymizes your information when the retention period has expired, unless there are other legal reasons to retain it longer—for example, in the case of ongoing disputes, claims, or statutory requirements.
Automated decisions and profiling
NDI does not use automated decisions that have a significant impact on you. However, we do use profiling for social media advertising and newsletters based on consent and behavior. Additionally, social media platforms may profile you according to their own criteria.
Your rights
As a data subject, you have a number of rights when we process your personal data. These rights are established under the General Data Protection Regulation (GDPR) and are designed to ensure transparency, control, and protection of your data. You can contact us at any time to exercise your rights – see the contact information at the beginning of this policy.
1. Right of access (Article 15)
You have the right to obtain confirmation of whether we are processing your personal data, and if so, to receive a copy of the information we have recorded about you. You also have the right to receive information about:
- Purpose of the processing
- The types of information we process
- Who we may share your information with
- How long we retain the information
- The source of the information
- Whether we use automated decisions or profiling
2. Right to rectification (Article 16)
If you believe that the information we hold about you is incorrect, inaccurate, or incomplete, you have the right to have it corrected or updated. It is important that you inform us of any changes to your information—for example, if you move or change your email address.
3. Right to erasure (“the right to be forgotten,” Article 17)
In certain cases, you have the right to have your personal data deleted. This applies, for example, if:
- The information is no longer necessary for the purpose for which it was collected
- You withdraw your consent, and there is no other legal basis for the processing
- You object to the processing, and we do not have overriding legitimate grounds
- The processing is unlawful
However, there may be situations where we are legally required to retain information for a certain period and therefore cannot delete it immediately.
4. Right to restriction of processing (Article 18)
In certain cases, you have the right to restrict the processing of your information. This means that we may only store your data and not use it for other purposes until the matter is resolved. This right can, for example, be exercised if:
- You believe the information is incorrect
- You have objected to the processing
- The processing is unlawful, but you do not want the data to be deleted
5. Right to data portability (Article 20)
If the processing is based on your consent or a contract and is carried out automatically, you have the right to receive your personal data in a structured, commonly used, and machine-readable format. You also have the right—where technically feasible—to have it transferred directly to another data controller.
6. Right to object (Article 21)
You have the right to object to our processing of your personal data if the processing is based on our legitimate interests, including for direct marketing purposes. If you object, we will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests and rights.
7. Right not to be subject to automated individual decisions (Article 22)
You have the right not to be subject to decisions based solely on automated processing—including profiling—that have legal or similarly significant effects on you. If we use such automation (e.g., for marketing profiles), you will be informed separately, and you can request a manual review.
Contact us at gdpr@ndi-dk.com to exercise your rights.
Withdrawal of consent
You can withdraw your consent at any time via:
- The unsubscribe link in emails
- Contacting customer service at +45 76 15 10 50
Data Protection Contact Person
In accordance with applicable data protection legislation, NDI A/S has determined that the company is not required to appoint a formal Data Protection Officer (DPO).
However, we still take your personal data and right to privacy very seriously.
You are always welcome to contact our data protection contact if you have questions regarding:
- How we process your personal data
- Your rights as a data subject
- How to exercise your rights
- Or if you wish to submit a complaint or withdraw your consent
E-mail: gdpr@ndi-dk.com
We strive to respond to all inquiries as quickly as possible, and no later than the deadlines specified under the GDPR.
Right to lodge a complaint
You can lodge a complaint with the Danish Data Protection Agency:
Carl Jacobsens Vej 35, 2500 Valby
Phone: +45 33 19 32 00
www.datatilsynet.dk
We encourage you to contact us first to seek a resolution.
Updates to the Privacy Policy
NDI A/S reserves the right to continuously review and update this privacy policy to ensure it always reflects the actual processing of personal data, our technological developments, organizational changes, as well as applicable laws and regulatory requirements.
When do we update?
Changes may occur, for example, in the following cases:
- We change the types of information we process
- We introduce new features or systems that require additional processing
- We adjust our collaboration with third parties
- There are significant changes in legislation or regulatory interpretations
Where can you find the latest version?
The current version of the privacy policy is available on our websites.
How will you be informed?
In the case of significant changes—for example, if we introduce new purposes for processing or change your rights—we will inform you directly.