Privacy Policy

The Danish Refugee Council (DRC) is committed to protecting the privacy and personal data of everyone it engages with, including donors, partners, beneficiaries, and website visitors. This privacy policy outlines how DRC collects, uses, stores, and safeguards personal information, as well as the rights individuals have regarding their data. It reflects DRC’s dedication to transparency, accountability, and compliance with relevant data protection regulations.

Privacy Policy image

Summary

We collect and process personal data when you interact with us — for example when you donate, become a member, sign up for events, or otherwise use our services. We use this information to provide the services you request, manage donations, memberships, and communications, comply with legal obligations, and, where permitted, share relevant information with you about our work. We always aim to collect only the data that is necessary for these purposes. 

We store your personal data securely and only for as long as required by law or legitimate operational needs. Your data may be shared with trusted partners and service providers who help us operate our services, but it is never sold or used for third-party marketing. We take active steps to minimize tracking on our websites and use only essential cookies. 

You have full rights under data protection laws, including the right to access, correct, delete, or restrict how we process your personal data, and to object to certain types of processing. You can withdraw consent at any time where consent is the legal basis. If you have concerns, you can contact us directly — or lodge a complaint with the Danish Data Protection Agency. 

Full version

DRC Danish Refugee Council 
Lyngbyvej 100 
2100 Copenhagen 
Denmark 

Business Registration Number: 20699310 

(Hereinafter referred to as "DRC") 

Questions or concerns related to this Privacy Policy? Please email us at [email protected]

Below are definitions of some of the most important legal terms in this policy. 

General Data Protection Regulation (GDPR) 
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC with related regulation. 

Danish Data Protection Act 
The Danish Data Protection Act is adopted on the basis of GDPR for supplementary provisions to the Regulation on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (Act nr. 502 of 23 May 2018). 

Data Controller 
The entity that determines the purpose and the methods of processing Personal Data. 

Data Processor 
The entity that processes Personal Data on behalf of the Data Controller. 

Data Processing 
Any activity or series of activities involving the use of Personal Data, including transfer or disclosure to entities outside DRC.  

Personal Data 
Any form of information concerning an identified or identifiable person. This includes all information that directly or indirectly, alone or in combination, can be used to identify a specific person. 

Sensitive Data 
A special category of Personal Data concerning racial or ethnic origin, political opinions, religion or beliefs, trade union membership, genetic data or health status, or information concerning a natural person's sex life or sexual orientation, and information in the form of biometric data, if the biometric data is processed for the purpose of unique identification of a natural person. 

We process your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable national data protection law. Depending on your relationship with us and the purpose of the processing, one or more of the following legal bases apply:

Consent (GDPR Article 6(1)(a)) 
Where required by law, we will obtain your consent before processing your personal data. You may withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to the withdrawal. 

Performance of a contract (GDPR Article 6(1)(b)) 
We process your personal data when this is necessary to fulfil an agreement with you or to take steps at your request prior to entering into such an agreement. This includes, for example, processing related to donations, memberships, purchases, event registrations, and handling enquiries submitted to us. 

Legal obligation (GDPR Article 6(1)(c)) 
In certain cases, we are legally required to process and retain personal data. This includes fulfilling accounting and documentation obligations under Danish bookkeeping legislation, which requires us to retain relevant records for a specified period. 

We may also be required to report donations to the Danish tax authorities (SKAT) so that donations can be deducted on your tax return. In this context, we may process your CPR number where required by law. 

As a charitable organisation, we are permitted under Danish legislation to use personal data to contact individuals for the purpose of entering into agreements concerning membership or donations, in accordance with applicable fundraising laws. 

Legitimate interests (GDPR Article 6(1)(f)) 
We may process your personal data where we have a legitimate interest in doing so, provided that this interest is not overridden by your fundamental rights and freedoms. This includes, for example, communicating with you about our activities, improving our services, preparing statistics, and sending marketing material in accordance with applicable fundraising and marketing legislation. 

Processing of special categories of personal data (GDPR Article 9 (2) 
If you participate in a social or employment-related programme, we may process sensitive personal data about you, including health information. This may occur, for example, in connection with assessments of your wellbeing or factors affecting your ability to obtain or retain employment. 

In Danmark, such processing is carried out on behalf of public authorities and in accordance with applicable national legislation. We process this data pursuant to Article 9(2) of the General Data Protection Regulation, where necessary for the provision of social support or care, or for the fulfilment of social rights and obligations. 

We collect and process personal data in order to deliver our services, fulfil our legal obligations, and support our organisational activities. The way we use your data depends on how you interact with us. 

Categories of personal data 
Depending on the context, we may process the following categories of personal data: 

  • Basic contact information, such as name, email address, telephone number, and postal address 
  • Supplier due diligence data, such as full name, gender, nationality, address, place of birth, and date of birth 
  • Partner due diligence data, such as copies of passports and national IDs 
  • Transactional information, such as donation amounts, membership status, purchases, and receipts 
  • Communication and interaction data, such as enquiries, registrations, newsletter subscriptions, event participation, petitions, or campaign engagement 
  • Payment and identification data, including payment references and, where required by law, CPR number 
  • Technical and security data, such as information necessary to operate and protect our websites and services 
  • Sensitive and confidential personal data to the extent that processing is necessary to fulfil the purpose of a task assigned to DRC, such as health data, criminal record, and national ID-number. 

We only collect personal data that is relevant and necessary for the specific purpose at hand. 

Purposes of processing 
We process your personal data for the following overall purposes: 

  • to manage donations, memberships, purchases, registrations, and other interactions with us 
  • to communicate with you about your relationship with us, including confirmations, receipts, and relevant information 
  • to communicate with you about our work and activities, including marketing and fundraising, in accordance with applicable legislation 
  • to improve our services, understand engagement with our activities, and produce aggregated statistics 
  • to comply with legal and compliance obligations, including donor, accounting, documentation, and tax reporting 
  • To provide social support and care through programmes for people of concern, including employment-related support, with the aim of enhancing wellbeing, promoting self-sufficiency, and supporting the fulfilment of their social rights and obligations. 

Where we collect personal data directly from you, we will inform you of the specific purpose of the processing and relevant details at the time of collection. 

Sharing of personal data 
We may share personal data with trusted system suppliers and partners who assist us in operating our services, such as IT providers, payment processors, communication and risk management platforms, and hosting providers. These parties process personal data on our behalf and only in accordance with our instructions and applicable data protection law. 

We may also share personal data within the framework of the DRC group of organizations, where legally permitted and necessary for operational purposes. 

In addition, we disclose personal data where we are legally obliged to do so, for example to public authorities such as the Danish tax authorities (SKAT). 

We never sell personal data or share it for third-party marketing purposes. 

Retention periods 
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Retention periods are determined by the nature of the data and the purpose of processing. As a general rule, DRC retains all records for seven (7) years, unless donor, national government, or other requirements necessitate shorter or longer retention period. 

In general: 

  • Member and donor data is retained while you are associated with our organization, and for up to five years after your most recent donation, in accordance with accounting and documentation requirements. 
  • Petition and campaign participation data is typically retained for up to one year after the relevant activity has ended. 
  • Payment related data is retained only for the period required by applicable financial and payment legislation is deleted once it is no longer necessary for documentation or security purposes. 
  • Supplier due diligence data is retained in accordance with our retention policy. Unless another retention period is specifically required, supplier due diligence data is retained for 12 years after the last engagement. 
  • If DRC acts as a data processor, the retention period is governed by a data processing agreement with the data controller, unless storage of the personal data is required by law. 

If we have obtained contact details for marketing purposes and you object to being contacted, we will retain only the minimum information necessary to ensure that your wishes are respected. If no contact is established, such data is deleted after a limited period. 

When retention periods expire, personal data is securely deleted or anonymised. 

Specific processing contexts 
Some parts of our organisation involve additional or more sensitive processing of personal data, such as HR, volunteer management, asylum counselling, integration activities, compliance and risk management.  

In these contexts, personal data may be processed for purposes such as safeguarding, due diligence and compliance. These processing activities are subject to additional safeguards and legal requirements. Where relevant, they are described in dedicated sections of this policy or in supplementary privacy notices made available to the individuals concerned. 

Suppliers 
We may process personal data relating to suppliers, supplier representatives, beneficial owners, key individuals, and other relevant persons connected to suppliers where necessary for procurement, due diligence, donor compliance, sanctions screening, audit, documentation, and supplier relationship management. This may include identification details, contact information, role or ownership information, due diligence documentation, screening results, and related compliance documentation.  

We use profiling as part of our communication and fundraising activities. Profiling means that we analyse certain aspects of how individuals interact with us to better understand interests, engagement, and preferences. 

This profiling is based on information such as donation history, engagement with our campaigns, interaction with emails and newsletters, and similar activity data. The purpose is to ensure that our communication is relevant, timely, and proportionate, and to reduce unnecessary or inappropriate messaging. 

Profiling is used to: 

  • group individuals into segments for communication and fundraising purposes 
  • tailor the content, timing, and channel of messages 
  • identify patterns that may indicate reduced engagement, so we can adjust our communication accordingly 

Our profiling activities support human decision‑making and do not involve fully automated decisions that produce legal effects or similarly significant effects for you. Participation in profiling does not affect your access to our services, your rights, or your ability to make donations or engage with us. 

Profiling is used solely for communication and fundraising optimisation and does not affect access to services, legal status, benefits, or any decisions of a sensitive or consequential nature. 

Use of digital platforms 
We use email marketing and communication platforms to manage newsletters and other digital communication. These platforms may use standard engagement data (such as email opens and link clicks) to trigger or adjust communications based on predefined rules. 

We also use digital advertising platforms, such as social media, to reach relevant audiences. In this context, limited personal data (such as contact details) may be shared with the platform in a secure and pseudonymized form in order to display relevant content. The platform processes this data in accordance with its own policies and acts as an independent data controller for its own purposes. 

Some information is necessary for us to deliver a service — for example, to process a donation, complete a purchase, or register you for an event. Where this is the case, we will tell you at the point of collection, and required fields will be marked with *. 

If you choose not to provide required information, we may be unable to deliver the service in question. 

We make a conscious effort to minimize visitor tracking and maximize visitor anonymity on our websites. As a result, we only set a single cookie necessary to prevent malicious behavior. See details about cookies and tracking on our websites at drc.ngo/cookies

We have implemented internal rules and procedures to maintain adequate security as from the time when we collect Personal Data up to its erasure, just as we solely assign our processing of Personal Data to Data Processors that maintain an equivalent adequate security level. 

Some of our suppliers and service providers may process personal data outside the EU/EEA as part of providing technical, hosting, communication, or support services. 

Where personal data is transferred outside the EU/EEA, we ensure that such transfers are subject to appropriate safeguards in accordance with applicable data protection law, such as adequacy decisions or standard contractual protections. We assess and monitor these arrangements as part of our vendor management and security processes. 

You may contact us if you would like more information about international data transfers and the safeguards applied. 

You have the right to access the Personal Data we hold about you, and to request that we correct or delete it. You can also ask us to restrict how we use your data, or to receive it in a portable format. 

Where our processing is based on legitimate interests, you have the right to object. Where it is based on your consent, you can withdraw that consent at any time — note that this does not affect the legality of processing performed prior to your withdrawal of consent. 

You also have the right to object at any time to the use of your data for direct marketing, including any profiling related to it. 

To exercise any of these rights, please use the form below. We will respond within one month. If we cannot fulfil your request, we will explain why. We may ask you to verify your identity before proceeding.

Complaints about our Privacy Policy or our processing of your personal data should be directed at Danish Refugee Council via [email protected] or the Danish Data Protection Agency: 

Datatilsynet 
Carl Jacobsens Vej 35 
2500 Valby 
Denmark 

Phone 0045 3319 3200 
Email [email protected] 
Website www.datatilsynet.dk 

Material changes to this Privacy Policy will be notified by email where possible, and prominently announced on this page. Minor clarifications may be made without notice. The current version will be available on this page. 

Latest update: 8 June 2026 -- clarifications only. 

Data Subject Request Form

Use this form for request to access, rectify, or delete your personal data. Please click to accept cookies and open the form.

This content is embedded from an external source.
It may store tracking cookies in your browser.
See our Privacy Policy for more information.

Read more about ...

Climate Conflict Emergency Humanitarian mine action Lebanon Occupied Palestinian territory Syria Ukraine Afghanistan Algeria Americas Asia Asylum Bangladesh Burkina Faso Cameroon Camp Chad Children Civil society engagement Colombia Democratic Republic of Congo Denmark Diaspora Djibouti Drought East Africa Economic recovery Ethiopia EU Europe Health Innovation Iraq Jordan Kenya Legal aid Libya Localization Mali Middle East Migration Myanmar Niger Nigeria Peace Protection Safety training Serbia Shelter Somalia South Caucasus South Sudan Sudan Tunisia Türkiye Uganda Venezuela WASH West & North Africa Women Yemen