Information about processing of personal data
In the following, we have described the processing of personal data by Erhvervsakademiet Copenhagen Business Academy S/I (‘Cphbusiness’, ‘we’, ‘us’) together with the other information we are obliged to provide proactively to data subjects in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (the ‘General Data Protection Regulation’, ‘GDPR’).
Data controller
The legal entity responsible for processing your personal data is
Erhvervsakademiet Copenhagen Business Academy S/I
CVR number 31678021
Nansensgade 19
DK-1366 Copenhagen K
Tel.: +45 36 15 45 00
persondata@cphbusiness.dk
Contact information for our Data Protection Officer:
E-mail: GDPR@efif.dk
Phone: 89 36 32 80
Address: Sønderhøj 28, 8260 Viby
Minimum technical requirements for the security of IT solutions
As an independent institution, Cphbusiness is not subject to the minimum technical requirements for the security of IT solutions for state authorities, but we have decided to comply with them for the sake of the data subjects.
Further Cphbusiness uses compliance with the minimum technical requirements as a criterion in the selection of partners in working with suppliers and data controllers.
The current minimum technical requirements have been published on SikkerDigital.dk and can be found here (in Danish): Tekniske minimumskrav for statslige myndigheder
Processing activities
When you are signed up for a newsletter from Cphbusiness
Data covered by the processing activity
If you sign up for a newsletter with us, we process information about your name and the contact details you provide.
We assume that with your registration you have actively decided that you wish to receive communication about study programmes from Cphbusiness. We do not ask for information about age in connection with registration, and therefore do not process information about this. In addition to the processing of contact information for the persons who sign up for newsletters, we will process data on opening and click rates for the newsletters and look into which stories and parts of the newsletter are read and clicked on.
We do not analyze this data for the individual user, but only on an aggregated level.
Legal basis for the processing
The legal basis for the processing is the Data Protection Regulation, Article 6, subsection 1 letter a, a specific consent that you give in connection with signing up.
Disclosure of data
The information is not passed on to other parties. Cphbusiness uses an approved data processor for the newsletter, who therefore supports Cphbusiness in carrying out the work, and who therefore processes the personal data under instructions from Cphbusiness.
Specifically about the newsletter ‘Studieliv’
Full-time students are automatically subscribed to the newsletter ‘Studieliv’, and therefore do not sign up themselves. ‘Studieliv’ communicates information of a general nature relevant to the students' study environment and educational process, which is why we automatically sign up the students to receive the newsletter.
We process information about the students' name and student e-mail, and a number of information about the use of the newsletter itself.
We analyze the open and click-through rate of the newsletters themselves, client usage (i.e. which devices the newsletter is opened on), which country the readers are in when they open the newsletter, and demographic data about the newsletter’s readers (based on any name in the email) We do not analyse this data about the individual user, but only on an aggregated level.
Legal basis for processing, the newsletter ‘Studieliv’
The legal basis for the processing is Article 6(1)(c) of the General Data Protection Regulation, as we are legally obliged to process certain information about our students in order to offer their education and provide them with relevant information and offers. It is possible to unsubscribe from the newsletter for one semester at a time, but you will then miss out on important information.
Disclosure of data, all newsletters
The personal data involved in this process is not disclosed. Cphbusiness uses an approved data processor for the newsletter service, which therefore supports Cphbusiness in carrying out the work, and who therefore processes the personal data under instructions from Cphbusiness.
Storage and erasure
We store information about your registration as long as you have not withdrawn it.
In addition, we delete all registrations for users who have not opened a newsletter in the course of 12 months.
Storage and deletion, for the newsletter ‘Studieliv’
We store information about registrations as long as you have not withdrawn your registration. We delete all registrations at the end of each semester and at each start of the semester we register all full time students with an active enrolment again. You will therefore automatically be subscribed to the newsletter Studieliv after each semester start until you finish your education. However, you can always unsubscribe from the newsletter, but must do so every semester. We delete registrations for students who have not opened the newsletter Student Life within 12 months.
Applicants for study places
Data covered by the processing activity
When you apply for admission to a study programme or part of a study programme at Cphbusiness, we process data about your name, civil registration (CPR) number, previous (including qualifying) education, data about work experience and other documentation that may be required in relation to admission to specific study programmes. For students who need to pay for their participation in a given study programme, we also process payment details.
It is mandatory to provide data about name and civil registration number as well as data required in connection with an application for admission. If we do not receive these data, we cannot process your application.
For course participants who are under the Danish Prison and Probation Service, we also process data about the detention facility and assigned educational counsellor, if such information is provided.
Lawfulness of processing
There are different types of lawfulness of processing, depending on the type of study programme for which you are applying for admission. The lawfulness of our processing may be based on Article 6(1)(b) of the General Data Protection Regulation where the processing is necessary for us to enter into or perform a contract with you, and/or on Article 6(1)(c), as we are legally obliged to collect certain data about applicants as a basis for our assessment of their applications, as well as on Article 6(1)(e), as the processing is necessary for the exercise of official authority. In rare cases, the lawfulness of our processing will be based on Article 6(1)(f) of the General Data Protection Regulation where the data are necessary for us to pursue our legitimate interests in admitting students at the right level in relation to their competences and qualifications.
The lawfulness of our processing of data about a civil registration number is based on section 11(2) para (1) of the Danish Data Protection Act (Databeskyttelsesloven), as we are required to use the civil registration number in connection with our reporting to public authorities, including reporting as a basis for disbursement of public funds for the study programme.
The lawfulness of our processing of data about criminal offences (we process data about the detention facility assigned educational counsellor, and only if such information is provided, and based on this information it is possible to deduce that the data subject is under the Danish Prison and Probation Service) is based on section 8(3) of the Danish Data Protection Act, as the data are necessary for us to pursue our legitimate interests in complying with our obligations under our cooperation with the Danish Prison and Probation Service.
Disclosure of data
To the extent that we are obliged to do so, we disclose data about you to the Coordinated Enrolment System, the Danish Ministry of Higher Education and Science, Statistics Denmark and the Danish National Archives.
For courses offered by third parties, data about you as a course participant are disclosed to these parties, and we also receive data about your participation from such course suppliers.
For courses run for unemployed persons, data are exchanged with municipal authorities (job centres) and – in some cases – with the Danish Ministry of Employment.
For students who have to pay for their study programme themselves, data may be disclosed to the Danish Debt Collection Agency.
For students who are not citizens of an EU member state, data are exchanged with the Danish Ministry of Immigration and Integration.
Storage and erasure
If you are admitted to a study programme, your data will be transferred and stored in accordance with our storage and erasure time limits for student data. Other data, as well as data about applicants who are not admitted to a study programme, are generally erased after a maximum of one year (and often before); but no earlier than when we have complied with our obligations to the Danish National Archives.
When you are enrolled in an education or take a course at Cphbusiness
Data covered by the processing activity
If you are admitted to a study programme or parts of a study programme, you will be assigned a Cphbusiness email address and a single sign-on (WAYF), which ensures that you are recognised with your rights in those of our systems that you need to use in connection with your study programme. If you have name and address protection, we will ask you to state which alias you want to use on, for example, our learning platform, and we will subsequently process this data.
If you start on a full-time study programme, a portrait photo must be provided in connection with your study start, and we process this photo in connection with the issue of a student identity card, which you can use to identify yourself as a student. We also process this photo in our student administrative systems, where it is used as part of your master data. Therefore, it will, for example, appear in the digital learning system (Moodle) and class lists for administrative use.
During your studies at Cphbusiness, your data – including the data we received in connection with your application for admission – are processed on an ongoing basis together with additional data collected continuously. This comprises data about participation in or absence from courses and classes, the reasons for absence (as disclosed to us by you), data about loans from and other use of our library, submission of papers and assignments and data about consent to lending out of papers and assignments, exam registrations and results, complaints and appeals, applications for exemptions, data about your use of our systems, data about participation in the work of councils and boards, including any participation in talent programmes, as well as other data that you may give us as a basis for our administration of your course of study.
We also process the data required as documentation in state education grant and loan cases, special educational support cases and cases regarding state educational support for adults, in complaints and appeals and in cases concerning other special circumstances. These data may comprise special categories of data (‘sensitive data’); in particular health data.
Finally, we process your answers to a number of evaluations of and questionnaires about your course of study at Cphbusiness if you choose to participate in these evaluations and questionnaire surveys.
When you complete your study programme or part programme, we will issue a diploma to you and send it to you via a secure connection. You may later find that you receive questionnaires and evaluations aimed at ensuring the quality of your study programme and educational institution. You are under no obligation to respond to these evaluations and questionnaires, but we would encourage you to do so, as they are very important for ensuring the quality of your study programme and educational institution.
As part of the quality assurance of our study programmes, we use data-driven education statistics, which are statistical analyses of data about students and applicants. These are, for example, analyses of grade history, the development in retention/drop-out of students on our study programmes and the development in the number and types of complaints and appeals. The analyses form part of Cphbusiness’ quality assurance work. There is no analysis at the individual level.
For students enrolled in online classes
Cphbusiness offers some full-time programmes 100% online, i.e. without physical teaching and participation. (This is subsequently referred to as online classes.) To be a student in an online class, you must agree to the procedures described below.
In online classes, it is a requirement that the students participate online, and for this purpose have acquired relevant equipment to be able to attend an online class, such as a computer with camera, headset with microphone and a fast internet connection. Especially in relation to exams, it is important that each student has a powerful internet connection which can handle simultaneous up- and download of both audio and video.
Students are responsible for this equipment and its operability, both during teaching sessions and examinations.
In online classes, it is also a requirement that you as a student contribute to an active learning environment by participating with the camera tuned on. We emphasize that everyone is present with the camera turned on in the digital classroom, as it is a prerequisite for being able to create the relationships that are important for your learning outcome.
We always record teaching in online classes, so that each class has the opportunity to go back and revisit different parts of the teaching sessions and the like. These are the following types of recordings:
- Generic videos
- Current videos
- Semester-specific videos
Generic videos
Generic videos are typically videos that focus on a specific theory and/or model. Such videos will be stored for up to 5 years and used internally at Cphbusiness.
Current videos
Current videos typically exemplify a theory or a model in a contemporary context, perhaps prompted by current events. This type of video can be used across study programmes. Such videos will be stored for up to 2 years.
Semester-specific videos
Semester-specific videos are videos that can be about a subject-related topic, but are characterized by discussion. Such videos are published only to the relevant class participating in the recording and the teaching team responsible for the class. The recordings will be deleted after the semester has ended.
Recordings of teaching sessions are not part of and thus not covered by Cphbusiness' policy for television surveillance.
Lawfulness of processing
There are different types of lawfulness of processing, depending on the type of study programme on which you are enrolled. The lawfulness of our processing may be based on Article 6(1)(b) of the General Data Protection Regulation, as the processing is necessary for us to enter into or perform a contract with you, and/or on Article 6(1)(c), as we are legally obliged to process certain data about our students, including to report data to public authorities, as well as on Article 6(1)(e), as the processing is necessary for the exercise of official authority. In rare cases, the lawfulness of our processing will be based on Article 6(1)(f) of the General Data Protection Regulation where the data are necessary for us to pursue our legitimate interests in ensuring effective operations.
The lawfulness of our processing of sensitive data is based on Article 9(2)(f) of the General Data Protection Regulation, as the processing is necessary for the establishment, exercise or defence of legal claims, for example a legal claim that you may have for an increased state education grant due to a functional impairment, and on Article 6(1)(e), as the processing is necessary for the exercise of official authority, as well as on Article 6(1)(c), as the processing is necessary for compliance with a legal obligation. Finally, in rare cases, the lawfulness of our processing will be based on Article 6(1)(f), as the processing is necessary for us to pursue our legitimate interests in ensuring adequate, correct and lawful case handling. If the lawfulness of our processing cannot be based on Article 9(2)(f) and no other legal basis can be found in either Article 9 of the General Data Protection Regulation or in the Danish Data Protection Act, we will obtain your consent to our processing of sensitive data.
The lawfulness of our processing of data about a civil registration number is based on section 11(2) para (1) of the Danish Data Protection Act, as we are required to use the civil registration number in connection with our reporting to public authorities, including reporting as a basis for disbursement of public funds for the study programme.
The lawfulness of our processing of data about criminal offences (we process data about the detention facility assigned educational counsellor, and only if such information is provided, and based on this information it is possible to deduce that the data subject is under the Danish Prison and Probation Service) is based on section 8(3) of the Danish Data Protection Act, as the data are necessary for us to pursue our legitimate interests in complying with our obligations under our cooperation with the Danish Prison and Probation Service.
Disclosure of data
To the extent that we are obliged to do so, we disclose data about you to the Coordinated Enrolment System, the Danish Ministry of Higher Education and Science, Statistics Denmark and the Danish National Archives.
For courses offered by third parties, data about you as a course participant are disclosed to these parties, and we also receive data about your participation from such course suppliers.
For courses held for unemployed persons, data are exchanged with job centres and – in certain cases – with the Danish Ministry of Employment.
For students who have to pay for their study programme themselves, data may be disclosed to the Danish Debt Collection Agency.
For students who are not citizens of an EU member state, data are exchanged with the Danish Ministry of Immigration and Integration.
If Cphbusiness receives a request from law enforcement authorities about disclosure of information, we are obliged to comply with it.
Storage and erasure
We store the data necessary to be able to recreate diplomas for 30 years after the issue of the diploma, as we are legally obliged to do so. As a general rule, other data are erased when we have met our obligations to the Danish National Archives in relation to the data in question.
Administration of internships
Data covered by the processing activity
If you are an internship host or some other form of contact person for at student taking an internship, we process data about your name, your contact details, your job title, the company you represent and the internship agreement(s) entered into for our students.
If you are doing an internship as a student, we process data about your civil registration number and name, data about the internship place and period, your work tasks in connection with your internship as well as evaluations and statements from the internship place.
Lawfulness of processing
The lawfulness of our processing is based on Article 6(1)(b) of the General Data Protection Regulation, as the processing is necessary for us to enter into or perform a contract with you as internship host, on Article 6(1)(c), as we have a legal obligation to process certain data in connection with students’ internship course, as well as on Article 6(1)(e), as the processing is necessary for the exercise of official authority. In rare cases, the lawfulness of our processing will be based on Article 6(1)(f), as the processing is necessary for us to pursue our legitimate interests in supporting a good internship course for both the student and the internship place.
Disclosure of data
We disclose the data to the internship place when a student initiates the submission of an internship contract. Otherwise, data are not disclosed without consent.
Storage and erasure
We store the data necessary to be able to recreate diplomas for 30 years after the issue of the diploma, as we are legally obliged to do so. As a general rule, other data are erased when we have met our obligations to the Danish National Archives in relation to the data in question.
With regard to information about internships and contact persons, we will generally store this information until the student's internship (and subsequent relevant complaint periods) has ended. In certain cases, we will obtain consent for a longer storage and then store the information in accordance with the consent.
International exchange stays
Data covered by the processing activity
If, while you are a student, you apply for a place as an exchange student with another institution via Cphbusiness International, we process data about your application, including your civil registration number and name, your study programme and class at Cphbusiness, the institution with which you want to go on an exchange stay, data about any organisations that handle the exchange process as well as the data necessary for your application to be processed by the desired institution.
Lawfulness of processing
The lawfulness of our processing is based on Article 6(1)(c) of the General Data Protection Regulation, as we have a legal obligation to process certain data about our students, including reporting information to public authorities, on Article 6(1)(e), as the processing is necessary for the exercise of public authority, as well as, to a limited extent, on Article 6(1)(f), as the processing is necessary for us to pursue our legitimate interests in ensuring good and efficient cooperation with the educational institutions with which we collaborate.
The lawfulness of our processing of data about a civil registration number is based on section 11(2) para (1) of the Danish Data Protection Act, as we are required to use the civil registration number in connection with our reporting to public authorities, including reporting as a basis for disbursement of public funds for the study programme.
Disclosure of data
We disclose data to the educational institution you have applied for a place at, if it is an institution with which Cphbusiness has exchange agreements. If this is an educational institution outside the EU, the data are generally transferred on the basis of Article 49(1)(b) of the General Data Protection Regulation.
Storage and erasure
Exchange stay data form part of the material necessary to enable us to prepare – and subsequently recreate –your diploma. Therefore, we store the data for 30 years after the issue of the diploma, as we are legally obliged to be able to recreate your diploma during this period.
Administration of conferences and open events etc.
Data covered by the processing activity
If you attend a conference or an open event with us, we process data about your name and your contact details, data about the event in which you are participating as well as payment details for events for which a participant’s fee is charged.
If the event is streamed, we also process data about you in the form of audio and video recordings.
Lawfulness of processing
The lawfulness of our processing is based on Article 6(1)(a) of the General Data Protection Regulation and a specific consent which you grant in connection with either registration for or participation in the event or on Article 6(1)(b), as the processing is necessary for us to enter into or perform a contract with you, as well as on Article 6(1)(f), as the data are necessary for us to pursue our legitimate interests in holding such events.
If the event is streamed and recorded for subsequent accessibility, we always provide information about this both before the event and in connection with the actual event.
Disclosure of data
If the event is held in collaboration with external partners, we may disclose data about your name and, if relevant, the business that you represent to these partners, so they have the best possible basis for organising their contribution to the conference. We provide information about such a collaboration when you register for the event.
Storage and erasure
As a general rule, we store the data for five years from the end of the year in which the event was held.
Data about suppliers and other partners
Data covered by the processing activity
If we have entered into an agreement with you or a company you represent in relation to us on the delivery of goods or services between Cphbusiness and you or the company you represent, we will process data about your name, your contact details, the company you represent, our correspondence with you as well as data about our trading history with you or the company you represent.
Lawfulness of processing
The lawfulness of our processing is based on Article 6(1)(b) of the General Data Protection Regulation, as the processing is necessary for us to enter into or perform a contract with you or the company you represent, and on Article 6(1)(f) of the General Data Protection Regulation, as the processing is necessary for us to pursue our legitimate interests in effective communication and relations with our suppliers, internship hosts and other partners.
Storage and erasure
The personal data may be included in our accounting records, for example in connection with invoices. Accounting transactions are stored for five years from the end of the year which the transaction concerns, see the requirements of the Danish Bookkeeping Act (Bogføringsloven). Other personal data, including master data, agreements, correspondence and trading history, are stored for five years from the end of the year in which the latest interaction or transaction with you/your company took place. However, data about contact persons will be erased immediately if/when we are informed that a contact person has been replaced.
Processing of enquiries from persons without affiliation to Cphbusiness
Data covered by the processing activity
When you contact us as a citizen without affiliation to Cphbusiness, we process data about your name or the name you use, your contact details and the content of your enquiry for the purpose of answering your enquiry.
Lawfulness of processing
Depending on the nature of the enquiry, the lawfulness of our processing will be based either on Article 6(1)(c) of the General Data Protection Regulation, as the processing is necessary for compliance with our legal obligations under the Danish Access to Public Administration Files Act (Offentlighedsloven) and the Danish Public Administration Act (Forvaltningsloven), or on Article 6(1)(f) of the General Data Protection Regulation, as the processing is necessary for us to pursue our legitimate interests in processing enquiries from external persons.
Storage and erasure
As a general rule, we store your data for six months, after which the data are erased. However, data which are subject to an archiving obligation in accordance with the Danish Archives Act (Arkivloven) will be erased at the earliest when the archiving has been completed. However, we may store your data for a longer period if this is necessary for us to comply with a legal obligation or for us to establish, exercise or defend a legal claim.
CCTV surveillance
Data covered by the processing activity
We have established CCTV surveillance at our locations for crime prevention and investigation purposes.
We therefore process data in the form of images of you when you are at our locations.
Lawfulness of processing
The lawfulness of our processing is based on Article 6(1)(f) of the General Data Protection Regulation, as the data are necessary for us to pursue our legitimate interests in creating safe and secure premises for our employees and students, as well as on the Danish TV Surveillance Act (TV-overvågningsloven).
Data about criminal offences shown on the recordings are processed in accordance with section 8(3) of the Danish Data Protection Act.
Disclosure of data
We may disclose the data to law enforcement authorities if this is necessary for purposes of investigation and criminal proceedings.
Storage and erasure
The recordings are stored for 30 days, after which they are erased. However, recordings may be stored for longer where this is necessary for the investigation and handling of specific incidents.
Research and development activities
Information covered by the processing activity
In addition to the provision of education, Cphbusiness is also required to carry out practice-oriented and application-oriented research and development activities. In this way, we very often come into contact with different types of personal data. The type of data will depend on the nature of the different research projects.
Very often, data collection consists of interviews and questionnaire surveys, whereby data subjects are contacted directly and can thus decide on their participation. In such a context, we will inform you about the purpose of the processing and how the data subject's data is included and for how long.
There are also a few examples where Cphbusiness processes data about data subjects without making direct contact with the persons concerned. As a general rule, these will be projects where data is extracted from different source systems. This data will subsequently be anonymised or pseudonymised prior to further processing. In such projects, it is not possible to identify the individual data subject.
Legal basis for processing
The legal basis for the processing of data where the data subjects decide on their participation in the form of interviews or questionnaires, is Article 6(1)(a) of the General Data Protection Regulation, a specific consent that you give in connection with your participation or participation in the research and development activity.
For projects where personal data are anonymised or pseudonymised, the legal basis for the processing is Article 89 of the General Data Protection Regulation, as it is processing for the purpose of scientific investigations of significant social importance and where the processing is necessary for the purposes of research.
Disclosure of information
Data subjects' data collected in connection with the projects will not be disclosed. Depending on the nature of the activity, reporting on the research and development projects, will result in knowledge production and communication about it, and for some types of projects, research results will be disseminated by clear agreement with the data subjects, from which it is possible to deduce that a specific data subject has participated in the project. This only happens in cases where there is a clear agreement with the individual data subject to this effect.
For research projects involving anonymised or psedonymised personal data, the information will not be disclosed in a personally identifiable form. It is only disclosed, if at all, in aggregated form.
Storage and deletion
We store the information necessary for the reliability and validity of the research taken place. Other information is generally deleted when we have fulfilled our obligations to the Danish National Archives in relation to the information in question.
Operation of website
Data covered by the processing activity
When you visit our website, we process data about you in the form of cookies.
You can read more about this processing, including about the cookies we use and the purposes for which we use them, in our cookie policy.
Lawfulness of processing
The lawfulness of our processing is based on Article 6(1)(f) of the General Data Protection Regulation, as the data are necessary for us to pursue our legitimate interests in optimising our website and ensuring stable operation thereof.
Disclosure of data
The data in certain cookies can also be accessed by third parties – please see the details on this in our cookie policy.
Storage and erasure
The storage period for the individual cookies is stated in our cookie policy, to which reference is made.
Use of social media
It is possible to follow Cphbusiness on a number of social media. Cphbusiness uses these media for marketing purposes, and citizens may interact with Cphbusiness’s profile and with other users on Cphbusiness’s wall and posts.
If you do so as a user, you should be aware that you provide personal data about yourself, both in the form of data which are visible in the medium and in the form of cookies. Cphbusiness has access to these data to a certain extent, as the social media most often entail joint data controlling.
Lawfulness of processing
The lawfulness of our processing is based on Article 6(1)(f) of the General Data Protection Regulation, as the data are necessary for us to pursue our legitimate interests in optimising our website and generally ensuring stable operation thereof.
Disclosure of data
The data in certain cookies can also be accessed by third parties – please see the details on this in our cookie policy.
Storage and erasure
The storage period for the individual cookies is stated in our cookie policy, to which reference is made.
Recruitment of employees
Data covered by the processing activity
When you apply for a job with Cphbusiness, we process data about your name, your contact details, data about completed and any ongoing study programmes and training programmes, data about current and previous employment, data about special competences, (for example language skills, certifications and the like), results from tests done as part of the recruitment process, references and other data that you as an applicant may state in your application or CV.
Lawfulness of processing
The lawfulness of our processing is based on Article 6(1)(b) of the General Data Protection Regulation, as the processing is necessary for us to enter into or perform a contract with you, and on Article 6(1)(f), as the data are necessary for us to pursue our legitimate interests in treating all applicants in a fair and serious manner and selecting the best qualified applicant for positions with us.
Disclosure of data
Depending on the recruitment circumstances, we may disclose data to
- The tempotrary employment agency you are affiliated with, if this is the case
- Municipial authorities such as e.g. the job centre, if your job centre is involved in the employment process
- Niels Brock Copenhagen Business College (for office trainees).
Storage and erasure
For applicants who succeed in obtaining employment with us, the data are transferred as part of the data we process in connection with the employment and are stored in accordance with our policy on storage of personal data.
For applicants who do not succeed in obtaining employment with us, the data are erased no later than 12 months after you have received a final rejection of your application, unless you have granted your consent for us to store the data for longer.
Personnel management
Data covered by the processing activity
When you are employed by Cphbusiness – and for five years from the end of the year in which your employment terminated – we process data about your civil registration number, name, contact details, data about completed and any ongoing study programmes and training programmes, data about previous employment, data about special competences, for example language skills, certifications and the like, results from tests done as part of the recruitment process, data about current and previous salary/remuneration and adjustments, data about deductions and income tax rate, data about bank accounts, data about workplace, data about teaching schedule and the like, results of evaluations and employee performance reviews, data about competence development, lecturer requests, data about illness, holidays, working hours and maternity/paternity leave, any sanctions in employment law, including warnings, as well as other data you have submitted to us as an applicant in connection with the employment process or in the subsequent course of your employment.
Your employee profile on our intranet is deactivated when you leave your position, and it will be erased completely after five years. Your employee profile on our website will be erased completely with immediate effect when you leave your position. Any content you may have posted on our intranet as part of your work at Cphbusiness will be kept, and you will be shown as the sender for up to five years after you have left your position.
Lawfulness of processing
The lawfulness of our processing is based on Article 6(1)(b) of the General Data Protection Regulation, as the processing is necessary for us to enter into or perform a contract with you, as well as on Article 6(1)(f), as the data are necessary for us to pursue our legitimate interests in having the best possible basis for managing our business in accordance with our right of management and so that we can contribute to creating a good and developing course of employment.
The lawfulness of our processing of data about your civil registration number is based on section 11(2) of the Danish Data Protection Act.
If, in exceptional cases, we process special categories of data (‘sensitive data’) about you, these will usually be health data, and the lawfulness of our processing of these data is based on section 12 of the Danish Data Protection Act.
Disclosure of data
We disclose data to the Danish Tax Agency and Statistics Denmark, as well as to other public authorities to which we are obliged to disclose data.
For lecturer requests, we also disclose data to an assessment committee and to the Danish Ministry of Higher Education and Science.
Storage and erasure
As a general rule, we store your data for five years from the end of the year in which your employment has terminated.
Transfer of data to data processors and transfer to third countries in connection with this
In addition to disclosure of data and any consequent transfer of data to third countries, as described in connection with the individual processing activities, Cphbusiness transfers your personal data to the data processors which provide IT services or other services to us.
As data processors, these companies are only allowed to process data in accordance with the instructions we give them – unless they are required by law to process data – and they are thus not allowed to use the data for their own purposes.
Some of these data processors are based in countries outside the EU/EEA or use subprocessors based outside the EU/EEA, including in countries that do not ensure the same level of protection of personal data that you have within the EU/EEA. We only transfer personal data to these data processors if they are subject to Binding Corporate Rules or if another transfer basis has been established – most often the EU Commission’s standard contractual clauses.
Where the transfer basis is the EU Commission’s standard contractual clauses, you can request a copy of these contracts by contacting us at persondata@cphbusiness.dk.
Storage and erasure
The duration of our storage of your data depends on the purpose of our processing. Under the individual processing activities, we have described for how long we generally store the data processed as part of the individual processing activity.
However, we may store your data for longer if
- it is necessary to comply with a legal obligation
- it is necessary for the establishment, exercise or defence of a legal claim or
- you have granted your consent for a longer storage period.
In addition, we will erase your data at the earliest when our archiving obligation vis-à-vis the Danish National Archives for the data in question has been complied with.
Your rights
As a data subject, you have the following rights under the General Data Protection Regulation:
- You have the right to request access to, rectification of or erasure of your personal data.
- You also have the right to object to the processing of your personal data and have the processing of your personal data restricted
- In particular, you have an unconditional right to object to the processing of your personal data for the purpose of direct marketing.
- If the processing of your personal data is based on your consent, you have the right to withdraw your consent at any given time. Your withdrawal will not affect the lawfulness of the processing done prior to your withdrawal of your consent.
- In certain cases, you have the right to receive the personal data which you yourself have provided in a structured, commonly used and machine-readable format (data portability).
- You have the right not to be subject to automated decision-making, including profiling, in cases where the decision has a significant impact on you.
Please note that there may be conditions or restrictions attached to the exercise of some of these rights.
You may exercise these rights by contacting us – our contact details are shown in the ‘Data controller’ section at the top of the document.
In addition to the above rights, you can always file a complaint with a data protection authority, for example the Danish Data Protection Agency. You can read more about the possibilities for filing a complaint and about your rights in general at datatilsynet.dk/english.
Updates of information about processing of personal data
We may update our information about processing of personal data from time to time. You can always find the current version at our website.
The information was last updated on 1 May 2023.