The D‑seal is relevant to all types of business
The D‑seal is adapted to the individual company, so a small business such as a locksmith does not have to meet the same number of criteria as a large IT company.
The number of criteria that a company has to meet depends on the size of the company, its business model, use of data and IT, and its impact on humans.
The D‑seal has the following business groups which reflect the risks and complexity that a given company faces.
Group I
Small company with few employees (1 to 9) or sole trader with limited revenue (up to DKK 7.9 million), e.g. craftsman, consultant, programmer, etc.
A company that falls into Group I (based on number of employees and revenue), but processes specific categories of personal data (e.g. health details, race, sexuality), will be placed in Group II.
A small company that falls into Group I (based on number of employees and revenue), but is a supplier of software or IT services, will be placed in Group III. For this business type, we recommend writing to contact@d-seal.eu for free advice. See discount for this business type.
Group II
Small company, typically with 10 to 49 employees and revenues from DKK 8 to 155.9 million. This business type may store or process specific categories of personal data, e.g. medical practice, carpentry firm or small IT company.
A company that falls into Group I (based on number of employees and revenue), but processes specific categories of personal data (e.g. health details, race, sexuality), will be placed in Group II.
A small company that falls into Group II (based on number of employees and revenue), but is a supplier of software or IT services, will be placed in Group III. For this business type, we recommend writing to contact@d-seal.eu for free advice. See discount for this business type.
Group III
Medium-sized company with many employees (50 to 249) and revenues between DKK 156 and 313 million. This business type will always process personal data, e.g. small pension companies, manufacturers, etc.
A small company that falls into Group I or II (based on number of employees and revenue), but is a supplier of software or IT services, will be placed in Group III. For this business type, we recommend writing to contact@d-seal.eu for free advice. See discount for this business type.
Group IV
Large company with revenues of DKK 313 million and above, and many employees (250+). Typically processes large volumes of personal data and sensitive data, e.g. exchange-listed companies.
Which group does your company belong to?
The number of criteria and requirements that the company has to meet will depend on the business group, but all companies must at least meet Criteria 1, 2, 3 and 5.
Factors for group placement | Gruppe I | Gruppe II | Gruppe III | Gruppe IV |
---|---|---|---|---|
Number of employees (FTEs) | 0-9 | 10-49 | 50-249 | 250+ |
Net revenue (DKK millions) | 0-7,9 | 8-155,9 | 156-313 | ≥ 313 |
Supplier of software or IT services | No | No | Yes | Yes |
Processes specific categories of personal data (e.g. health details, race, sexuality) | No | Yes | Yes | Yes |
Factors for criteria assignment
All companies must at least meet Criteria 1, 2, 3 and 5. Criteria 4, 6, 7 and 8 are only applicable to particular companies.
If the company uses a provider to process personal data and/or business-critical information, the provider must meet Criterion 4: Requirements for providers’ IT security and responsible use of data.
If the company develops software, it must meet Criterion 6: Privacy & Security by Design & Default.
If the company uses or develops algorithms or AI, it must meet Criterion 7: Trustworthy algorithms and AI.
Criterion 8: Data ethics applies mainly to Groups II to IV, and only in special cases to Group I.