DATA PROTECTION POLICY FOR THE DANISH REFUGEE COUNCIL
1.1 This Data Protection policy (the "Policy") applies to all information that you disclose to us, and/or that we collect regarding you, either as an element of a member/customer or donator relationship, as a user of our services or including by using our website. Here, you can read about the data we collect, how we process it and for how long we retain your data. You should read this Policy and contact us if there is any information in this Policy about which you have questions or cannot accept. The current version of the Policy will always be available here on www.drc.ngo.
2 Data Controller
2.1 The Data Controller organisation for the processing of your Personal Data is:
Danish Refugee Council
Borgergade 10, 3rd floor
DK-1300 Copenhagen K
Tel. no.: +45 3373 5000
CVR no.: 20699310
(Hereinafter referred to as the "Organisation")
2.2 The overall legal framework for our processing of Personal Data is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC with related regulation. In addition, a new Danish Data Protection Act has been adopted - Act No. 502 of 23 May 2018 supplementary provisions to the Regulation on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Exchange of Such Information (Data Protection Act).
2.3 Any questions concerning this Policy, the processing of your data and any suspected breach must initially be addressed to Nadine Coogan, GDPR Project Manager, Danish Refugee Council.
3.1 Below are definitions of some of the most important legal terms concerning Personal Data:
- Personal Data
Any form of information concerning an identified or identifiable natural person. This means all information that directly or indirectly, alone or in combination, may identify a specific natural person.
- Data Controller
The natural or legal person, public authority, institution or other body that alone, or together with others, determines the purpose and by which means Personal Data may be processed.
- Data Processor
The natural or legal person, public authority, institution or other body that processes Personal Data on behalf of the Data Controller
Any activity or series of activities involving the use of Personal Data, such as fundraising, registration, systematisation, changes, searches, compilation, transfer or disclosure to persons, authorities, companies, etc. outside the Organisation.
- Special Categories of Personal Data
Information concerning racial or ethnic origin, political opinions, religion or beliefs, trade union membership, genetic data or health status, or information concerning a natural person's sex life or sexual orientation, and information in the form of biometric data, if the biometric data is processed for the purpose of unique identification of a natural person (sensitive Personal Data).
- General Data Protection Regulation
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC with related regulation.
- Danish Data Protection Act
The Act that may be adopted on the basis of the Bill for supplementary provisions to the Regulation on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (the Danish Data Protection Act) proposed on 25 October 2017.
4 Purpose of processing your Personal Data
4.1 Regardless of whether you are a member, customeror volunteer for our national fundraising campaign or a donator, or just a user of our websites, we process your Personal Data to ensure that we can provide you with the services you require, and fulfil our obligations as the Danish Refugee Council. This applies to handling any donations that you may make - unless you choose to donate anonymously - and any purchases you make of services or items from us, when we administrate any subscriptions you may hold, and/or your memberships. This may also be as a National Fundraiser or your use of our webstore (only shipping in Denmark, Greenland, Faroe Islands), our customer service, and/or in conjunction with our marketing towards you. In every case in which we collect Personal Data about you, we will inform you of the purpose of processing your Personal Data.
5 Your Personal Data that we process
5.1 We collect this data from you directly:
5.1.1 When you are a member, customer or donator, we may collect the following ordinary Personal Data from you: Name, address, zip code, town/city, mobile number, e-mail address, and bank registration and account number depending on your relationship with us.
5.1.2 When you visit our website, and contribute to our work, we also collect your IP address.
5.1.3 We collect the following ordinary Personal Data in order to gain new members for the Danish Refugee Council: name, address, zip code, town/city and telephone number.
On our website, "cookies" are used, e.g. for web-statistical purposes, to see how many people visit our website, and how they use the website. We also use this to measure ads on other sites based on visits to our site (Google Remarketing). A cookie is a small text file that is sent from our server to your browser, and is stored on your computer's hard disk or your mobile device. Cookies enable you to use the website more effectively and easily. We do not process information concerning user behaviour that is collected via cookies in any way that may link user behaviour with specific persons. You can set your browser to inform you when you receive a cookie, so that you can always decide whether you wish to accept it. You can also turn off the function completely in your browser . If you do this, the website will not function optimally, however. Cookies do not contain Personal Data such as details of your e-mail address or other Personal Data than as specified in this Policy. You can read our cookie declaration here
7 How we process your Personal Data
7.1 In concrete terms, we use your Personal Data for several different purposes, depending on whether you are a member, customer, national fundraiser or donator, or solely a user of our website.
7.1.1 If you are a member, we use your Personal Data to be able to:
- administrate your membership
- send you the necessary information about your membership
- send you marketing material, provided that this is also in accordance with the Danish or local Marketing Act in force at any time.
7.1.2 If you are a customer, we use your Personal Data to be able to:
- make functionalities on our website, available to you
- send you order confirmations
- respond to any questions and fulfil your requests
- fulfil your orders
- handle administration of our customer relationship with you
- send you marketing material, provided that this is also in accordance with the Danish Marketing Act in force at any time.
7.1.3 If you are a donator, we use your Personal Data to be able to:
- administrate your payment(s)
- send you the necessary information about your donation(s)
- report your donation to SKAT (the Danish tax authorities), so that your donation will be shown on your tax return (only applies if you pay tax in Denmark)
- send you marketing material, provided that this is also in accordance with the Danish Marketing Act in force at any time.
7.1.4 If you are a volunteer or attend one of our events, we use your Personal Data to be able to:
- administrate your relation to an event
- send a receipt for your registration for an event
- be able to send you material concerning the event
7.1.5 If you are solely a user of our website, we use your Personal Data to be able to:
- make functionalities on our website available for you to use
- prepare statistics concerning your browsing of our website
- optimise our website's design
8 Why are we permitted to process data concerning you (basis for processing)?
8.1 When you become a member, make a donation or enter into any other type of agreement with us, we will process your ordinary Personal Data for this specific purpose. We may also process your ordinary Personal Data in situations where you e.g. have made an enquiry or similar prior to your decision to enter into an agreement with us. The legal basis for processing your Personal Data is Article 6(1) (b) of the General Data Protection Regulation, since the processing of your data is necessary for the performance of our agreement with you, or for us to handle enquiries and similar prior to any agreement which you make with us.
8.2 We can also process your ordinary Personal Data because we have a legitimate interest in processing the data concerning you, cf. Article 6(1) (f) of the General Data Protection Regulation, unless our legitimate interest in processing your data is overridden by your right to protection of your own ordinary Personal Data.
8.3 We have a legitimate interest in processing your Personal Data (your name and e-mail address) for marketing purposes. Our legitimate interest thus concerns knowing your preferences, so that we can better match our offers to you, and ultimately offer products and services that better fulfil your needs and requirements. We naturally also observe the rules laid down in the relevant Marketing Act . It is also with reference to this provision that we prepare various statistics for the number of members, donations, use of our website, etc.
8.4 In certain cases, we are also legally obliged to process Personal Data concerning you. This might be to use for the documentation of transaction tracking and similar, as laid down in the rules in the Danish Bookkeeping Act. Among other things, we must save accounting documents for five years from the end of the financial year which the material concerns. This may also be in conjunction with declarations to SKAT (the Danish tax authorities) (6.1 c.) so that your donations to us can be deducted on your tax return. Declarations to SKAT must be made stating your CPR number, cf. the Danish Tax Control Act, which is therefore the basis for our processing of data concerning your CPR no.
8.5 As a charitable organisation, cf. Section 8 A of the Danish Tax Assessment Act , we are permitted to contact persons in order to enter into agreements concerning membership of our organisation cf. Part 1, Section 1(2), Section 8 and Section 11(3) of the Danish Collection Act.
8.6 If you are not a customer, member or donator, but e.g. solely a user of our website, we have a - limited - need to be able to administrate the information you provide, in order to e.g. manage cookies. Read more in our cookie-declaration here. In some cases, we can register which IP addresses have accessed our website. An IP address may be Personal Data, and if we process your IP address, this will take place on the same basis as described above under clause 8.2.
9 Sharing your Personal Data
9.1 We may share your Personal Data with the suppliers and partners that assist us with the execution of your order, or who assist us with our IT operations, hosting, etc. This means that we may share your data with e.g. our service providers, technical support, recruitment partners etc.
9.2 We may also share your data with our consolidated companies/organisations, to the extent that this is legal. This takes place within the framework of the Danish Refugee Council collaboration.
9.3 In addition to the aforementioned, we share your data to the extent that we are obliged to do so, e.g. as a consequence of requirements to report to public authorities such as SKAT.
10 Storage and erasure of your Personal Data
10.1 We store your Personal Data according to the following rules:
10.2 If you are a member or donator, we will store your Personal Data while you are associated with our organisation, and for up to five years after the current year, as from your most recent donation, in accordance with the Danish Bookkeeping Act. Personal Data concerning bank, reg. no. and account number is deleted 13 months after your payment service agreement with NETS has been cancelled, cf. the Danish Payment Service Act of 2009 , which requires the Danish Refugee Council to be able to document for up to 13 months after the expiry of the agreement that an agreement has been entered into.
10.3 If you are a fundraising volunteer, we will retain your data for up to three years after the fundraising campaign, in order to be able to recruit you to take part in a new fundraising campaign.
10.4 If you have taken part in a signed petition we will retain your data for up to one year from the date of signing the petition.
10.5 If you are a user of our website, and neither a customer, member, former member nor donator, we will retain the information about you that we have registered via Google Analytics' statistics for up to 38 months from your most recent visit.
10.6 If we have purchased Personal Data and contacted you to become a member, we will store your data indefinitely if you have declined to receive marketing material or to be contacted by the Danish Refugee Council at all, so that we can take your wishes into account. If we are unable to make contact with you, we will delete your data after 24 months.
11 Your rights
11.1.1 You have a right of access to the Personal Data concerning you which we process. You can write to us at [email protected] to request access to the Personal Data that we have registered concerning you, including the purposes for which the data has been collected. We will accommodate your request for access as soon as possible.
11.2 Rectification and deletion
11.2.1 You are entitled to request correction, supplementary processing, deletion or blocking of the Personal Data that we process concerning you. We will accommodate your request as soon as possible, to the necessary extent. If are unable to meet your request - for any reason - we will contact you.
11.3 Limitation of processing
11.3.1 In special circumstances, you have the right to limit the processing of your Personal Data. Please contact us at [email protected] if you wish to limit the processing of your Personal Data.
11.4 Data portability
11.4.1 You have the right to receive your Personal Data (only data concerning yourself, which you have given us yourself) in a structured, generally used and machine-readable format (data portability). Please contact us at [email protected] if you wish to use the opportunity for data portability.
11.5 Right to object
11.5.1 You are entitled to ask us not to process your Personal Data in cases where the processing is based on Article 6(1) (e) (a task carried out in the public interest or in the exercise of official authority vested in the controller) or Article 6(1) (f) (legitimate interests). This Policy states the extent to which we process your data for such purposes. You may contact us at [email protected] at any time to exercise your right to object.
11.6 Revocation of consent
11.6.1 If the processing of your Personal Data is based on your consent, you are entitled to revoke this consent at any time. Your revocation will not affect the legality of the processing performed before your consent was revoked. Please contact us at [email protected] if you wish to revoke your consent.
11.6.2 If you wish to revoke your consent to receive sales promotion information and offers in general, including by ordinary mail, e-mail, via text message, by telephone or by other electronic means, you can do this at any time by writing to [email protected] If we are in any doubt concerning your identity, we can request you to provide proof of identity. This is free of charge, apart from the ordinary communication costs.
11.7 Write to [email protected] in order to exercise one or more of the aforementioned rights.
11.8 There may be conditions or limitations concerning the exercising of the aforementioned rights. It is therefore not certain that you are e.g. entitled to data portability in the concrete situation, as this will depend on the particular circumstances for the processing activity in question.
12 Possible consequences of not providing Personal Data
12.1 If you are obliged to provide us with your Personal Data, this will be stated when we collect such data. In some cases, this will be a statutory or contractual requirement, cf. Article 13(2) (e) of the General Data Protection Regulation.
If you do not wish to provide the Personal Data that we request, this may have the consequence that we will be unable to deliver the required services to you, or to complete your orders, create you as a donator, report your donations to SKAT, etc. Required information for the purpose of the processing will be marked * in the forms on the websites where we collect your Personal Data.
13 Use of automated decision-making/profiling
13.1 We use automated decision-making as an element of our direct marketing. This means that we use the Ordinary Personal Data that we collect about you in order to create a profile of you. The logical process for this is as follows: We use existing data concerning our users to create a profile on e.g. Facebook - called an indirect profile, since we cannot track the user's activity by other means than to advertise content targeted at the user. We are able to import and export data to and from Facebook in the form of name, e-mail address, telephone number and profile ID. We can only obtain a profile ID, however, in the case of fundraisers, whereby users at their own initiative collect money for the Danish Refugee Council on Facebook. In addition, engagement (a like, comment, share, viewing of a video or sign-up) from users is tracked internally by Facebook and gives the advertiser (us) a better opportunity to target our content at them.
14.1 In our organisation, our processing of Personal Data is subject to our IT and Security Policy. Our IT and Security Policy also includes rules for the performance of risk assessment and impact analysis of both existing, and new or changed, processing activities. We have implemented internal rules and procedures to maintain adequate security as from the time when we collect Personal Data up to its erasure, just as we solely assign our processing of Personal Data to Data Processors that maintain an equivalent adequate security level.
15 Complaints to the supervisory authority
15.1 If you are not satisfied with our processing of Personal Data, you may complain to the Danish Data Protection Agency:
Data Protection Agency, Borgergade 28, 5th floor, DK-1300 Copenhagen K., tel. no.:3319 3200, e-mail: [email protected]
16 Updating of this Policy
16.1 The Danish Refugee Council is committed to complying with the fundamental principles for the protection of Personal Data and data protection. We therefore regularly review this Policy in order to keep it updated and in accordance with current principles and legislation. This Policy may be amended without notice. Significant amendments to the Policy will be published on our website, together with an updated edition of the Policy.
16.2 Any future amendments made to this Policy will be published on this page and may be notified to you by e-mail.
This Policy was most recently updated on June 11th 2020.