Privacy policy

It is Cphbusiness' policy to treat all collaboration partners (students, stakeholders and partners) decently and well. With that in mind, we are keen to take good care of the personal data we are entrusted with - and process it in accordance with applicable legislation.

We store your data securely and confidentially. We protect it from accidental destruction, loss or degradation and against falling into the hands of unauthorised persons, being used fraudulently or otherwise processed contrary to the law.

Below you can read more about how we process personal data, your rights, e.g. in relation to access, deletion and raising objections - as well as how to give consent and, if you wish, withdraw consent.

Contact

You can always contact Cphbusiness about this:
persondata@cphbusiness.dk

You can also contact our DPO (Data Protection Officer):
Email: GDPR@efif.dk
Telephone: 89 36 32 80
Address: Sønderhøj 28, 8260 Viby

  • Information on data processing that ensures transparency

    Cphbusiness works to ensure that, as a person registered with us, you are guaranteed the transparency to which you are entitled under the EU General Data Protection Regulation.

    In our overall privacy policy, we have made it clear that we only collect and process the data required for us to manage your course of study (etc.) - and to enable us to run Cphbusiness.

  • Privacy policy

    Information about processing of personal data

    In the following, we have described the processing of personal data by Erhvervsakademiet Copenhagen Business Academy S/I (‘Cphbusiness’, ‘we’, ‘us’) together with the other information we are obliged to provide proactively to data subjects in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (the ‘General Data Protection Regulation’, ‘GDPR’).

    Data controller

    The legal entity responsible for processing your personal data is

    Erhvervsakademiet Copenhagen Business Academy S/I
    CVR number 31678021
    Nansensgade 19
    DK-1366 Copenhagen K
    Tel.: +45 36 15 45 00
    persondata@cphbusiness.dk

    Contact information for our Data Protection Officer:
    E-mail: GDPR@efif.dk
    Phone: 89 36 32 80
    Address: Sønderhøj 28, 8260 Viby

    Minimum technical requirements for the security of IT solutions

    As an independent institution, Cphbusiness is not subject to the minimum technical requirements for the security of IT solutions for state authorities, but we have decided to comply with them for the sake of the data subjects.

    Further Cphbusiness uses compliance with the minimum technical requirements as a criterion in the selection of partners in working with suppliers and data controllers.

    The current minimum technical requirements have been published on SikkerDigital.dk and can be found here (in Danish): Tekniske minimumskrav for statslige myndigheder

    Processing activities

    When you are signed up for a newsletter from Cphbusiness

    Data covered by the processing activity

    If you sign up for a newsletter with us, we process information about your name and the contact details you provide.

    We assume that with your registration you have actively decided that you wish to receive communication about study programmes from Cphbusiness. We do not ask for information about age in connection with registration, and therefore do not process information about this. In addition to the processing of contact information for the persons who sign up for newsletters, we will process data on opening and click rates for the newsletters and look into which stories and parts of the newsletter are read and clicked on.

    We do not analyze this data for the individual user, but only on an aggregated level.

    Legal basis for the processing

    The legal basis for the processing is the Data Protection Regulation, Article 6, subsection 1 letter a, a specific consent that you give in connection with signing up.

    Disclosure of data

    The information is not passed on to other parties. Cphbusiness uses an approved data processor for the newsletter, who therefore supports Cphbusiness in carrying out the work, and who therefore processes the personal data under instructions from Cphbusiness.

    Specifically about the newsletter ‘Studieliv’

    Full-time students are automatically subscribed to the newsletter ‘Studieliv’, and therefore do not sign up themselves. ‘Studieliv’ communicates information of a general nature relevant to the students' study environment and educational process, which is why we automatically sign up the students to receive the newsletter.

    We process information about the students' name and student e-mail, and a number of information about the use of the newsletter itself.

    We analyze the open and click-through rate of the newsletters themselves, client usage (i.e. which devices the newsletter is opened on), which country the readers are in when they open the newsletter, and demographic data about the newsletter’s readers (based on any name in the email) We do not analyse this data about the individual user, but only on an aggregated level.

    Legal basis for processing, the newsletter ‘Studieliv’

    The legal basis for the processing is Article 6(1)(c) of the General Data Protection Regulation, as we are legally obliged to process certain information about our students in order to offer their education and provide them with relevant information and offers. It is possible to unsubscribe from the newsletter for one semester at a time, but you will then miss out on important information.

    Disclosure of data, all newsletters

    The personal data involved in this process is not disclosed. Cphbusiness uses an approved data processor for the newsletter service, which therefore supports Cphbusiness in carrying out the work, and who therefore processes the personal data under instructions from Cphbusiness.

    Storage and erasure

    We store information about your registration as long as you have not withdrawn it.

    In addition, we delete all registrations for users who have not opened a newsletter in the course of 12 months.

    Storage and deletion, for the newsletter ‘Studieliv’

    We store information about registrations as long as you have not withdrawn your registration. We delete all registrations at the end of each semester and at each start of the semester we register all full time students with an active enrolment again. You will therefore automatically be subscribed to the newsletter Studieliv after each semester start until you finish your education. However, you can always unsubscribe from the newsletter, but must do so every semester. We delete registrations for students who have not opened the newsletter Student Life within 12 months.

    Applicants for study places

    Data covered by the processing activity

    When you apply for admission to a study programme or part of a study programme at Cphbusiness, we process data about your name, civil registration (CPR) number, previous (including qualifying) education, data about work experience and other documentation that may be required in relation to admission to specific study programmes. For students who need to pay for their participation in a given study programme, we also process payment details.

    It is mandatory to provide data about name and civil registration number as well as data required in connection with an application for admission. If we do not receive these data, we cannot process your application.

    For course participants who are under the Danish Prison and Probation Service, we also process data about the detention facility and assigned educational counsellor, if such information is provided.

    Lawfulness of processing

    There are different types of lawfulness of processing, depending on the type of study programme for which you are applying for admission. The lawfulness of our processing may be based on Article 6(1)(b) of the General Data Protection Regulation where the processing is necessary for us to enter into or perform a contract with you, and/or on Article 6(1)(c), as we are legally obliged to collect certain data about applicants as a basis for our assessment of their applications, as well as on Article 6(1)(e), as the processing is necessary for the exercise of official authority. In rare cases, the lawfulness of our processing will be based on Article 6(1)(f) of the General Data Protection Regulation where the data are necessary for us to pursue our legitimate interests in admitting students at the right level in relation to their competences and qualifications.

    The lawfulness of our processing of data about a civil registration number is based on section 11(2) para (1) of the Danish Data Protection Act (Databeskyttelsesloven), as we are required to use the civil registration number in connection with our reporting to public authorities, including reporting as a basis for disbursement of public funds for the study programme.

    The lawfulness of our processing of data about criminal offences (we process data about the detention facility assigned educational counsellor, and only if such information is provided, and based on this information it is possible to deduce that the data subject is under the Danish Prison and Probation Service) is based on section 8(3) of the Danish Data Protection Act, as the data are necessary for us to pursue our legitimate interests in complying with our obligations under our cooperation with the Danish Prison and Probation Service.

    Disclosure of data

    To the extent that we are obliged to do so, we disclose data about you to the Coordinated Enrolment System, the Danish Ministry of Higher Education and Science, Statistics Denmark and the Danish National Archives.

    For courses offered by third parties, data about you as a course participant are disclosed to these parties, and we also receive data about your participation from such course suppliers.

    For courses run for unemployed persons, data are exchanged with municipal authorities (job centres) and – in some cases – with the Danish Ministry of Employment.

    For students who have to pay for their study programme themselves, data may be disclosed to the Danish Debt Collection Agency.

    For students who are not citizens of an EU member state, data are exchanged with the Danish Ministry of Immigration and Integration.

    Storage and erasure

    If you are admitted to a study programme, your data will be transferred and stored in accordance with our storage and erasure time limits for student data. Other data, as well as data about applicants who are not admitted to a study programme, are generally erased after a maximum of one year (and often before); but no earlier than when we have complied with our obligations to the Danish National Archives.

    When you are enrolled in an education or take a course at Cphbusiness

    Data covered by the processing activity

    If you are admitted to a study programme or parts of a study programme, you will be assigned a Cphbusiness email address and a single sign-on (WAYF), which ensures that you are recognised with your rights in those of our systems that you need to use in connection with your study programme. If you have name and address protection, we will ask you to state which alias you want to use on, for example, our learning platform, and we will subsequently process this data.

    If you start on a full-time study programme, a portrait photo must be provided in connection with your study start, and we process this photo in connection with the issue of a student identity card, which you can use to identify yourself as a student. We also process this photo in our student administrative systems, where it is used as part of your master data. Therefore, it will, for example, appear in the digital learning system (Moodle) and class lists for administrative use.

    During your studies at Cphbusiness, your data – including the data we received in connection with your application for admission – are processed on an ongoing basis together with additional data collected continuously. This comprises data about participation in or absence from courses and classes, the reasons for absence (as disclosed to us by you), data about loans from and other use of our library, submission of papers and assignments and data about consent to lending out of papers and assignments, exam registrations and results, complaints and appeals, applications for exemptions, data about your use of our systems, data about participation in the work of councils and boards, including any participation in talent programmes, as well as other data that you may give us as a basis for our administration of your course of study.

    We also process the data required as documentation in state education grant and loan cases, special educational support cases and cases regarding state educational support for adults, in complaints and appeals and in cases concerning other special circumstances. These data may comprise special categories of data (‘sensitive data’); in particular health data.

    Finally, we process your answers to a number of evaluations of and questionnaires about your course of study at Cphbusiness if you choose to participate in these evaluations and questionnaire surveys.

    When you complete your study programme or part programme, we will issue a diploma to you and send it to you via a secure connection. You may later find that you receive questionnaires and evaluations aimed at ensuring the quality of your study programme and educational institution. You are under no obligation to respond to these evaluations and questionnaires, but we would encourage you to do so, as they are very important for ensuring the quality of your study programme and educational institution.

    As part of the quality assurance of our study programmes, we use data-driven education statistics, which are statistical analyses of data about students and applicants. These are, for example, analyses of grade history, the development in retention/drop-out of students on our study programmes and the development in the number and types of complaints and appeals. The analyses form part of Cphbusiness’ quality assurance work. There is no analysis at the individual level.

    For students enrolled in online classes

    Cphbusiness offers some full-time programmes 100% online, i.e. without physical teaching and participation. (This is subsequently referred to as online classes.) To be a student in an online class, you must agree to the procedures described below.

    In online classes, it is a requirement that the students participate online, and for this purpose have acquired relevant equipment to be able to attend an online class, such as a computer with camera, headset with microphone and a fast internet connection. Especially in relation to exams, it is important that each student has a powerful internet connection which can handle simultaneous up- and download of both audio and video.

    Students are responsible for this equipment and its operability, both during teaching sessions and examinations.

    In online classes, it is also a requirement that you as a student contribute to an active learning environment by participating with the camera tuned on. We emphasize that everyone is present with the camera turned on in the digital classroom, as it is a prerequisite for being able to create the relationships that are important for your learning outcome.

    We always record teaching in online classes, so that each class has the opportunity to go back and revisit different parts of the teaching sessions and the like. These are the following types of recordings:

    • Generic videos
    • Current videos
    • Semester-specific videos

    Generic videos

    Generic videos are typically videos that focus on a specific theory and/or model. Such videos will be stored for up to 5 years and used internally at Cphbusiness.

    Current videos

    Current videos typically exemplify a theory or a model in a contemporary context, perhaps prompted by current events. This type of video can be used across study programmes. Such videos will be stored for up to 2 years.

    Semester-specific videos

    Semester-specific videos are videos that can be about a subject-related topic, but are characterized by discussion. Such videos are published only to the relevant class participating in the recording and the teaching team responsible for the class. The recordings will be deleted after the semester has ended.

    Recordings of teaching sessions are not part of and thus not covered by Cphbusiness' policy for television surveillance.

    Lawfulness of processing

    There are different types of lawfulness of processing, depending on the type of study programme on which you are enrolled. The lawfulness of our processing may be based on Article 6(1)(b) of the General Data Protection Regulation, as the processing is necessary for us to enter into or perform a contract with you, and/or on Article 6(1)(c), as we are legally obliged to process certain data about our students, including to report data to public authorities, as well as on Article 6(1)(e), as the processing is necessary for the exercise of official authority. In rare cases, the lawfulness of our processing will be based on Article 6(1)(f) of the General Data Protection Regulation where the data are necessary for us to pursue our legitimate interests in ensuring effective operations.

    The lawfulness of our processing of sensitive data is based on Article 9(2)(f) of the General Data Protection Regulation, as the processing is necessary for the establishment, exercise or defence of legal claims, for example a legal claim that you may have for an increased state education grant due to a functional impairment, and on Article 6(1)(e), as the processing is necessary for the exercise of official authority, as well as on Article 6(1)(c), as the processing is necessary for compliance with a legal obligation. Finally, in rare cases, the lawfulness of our processing will be based on Article 6(1)(f), as the processing is necessary for us to pursue our legitimate interests in ensuring adequate, correct and lawful case handling. If the lawfulness of our processing cannot be based on Article 9(2)(f) and no other legal basis can be found in either Article 9 of the General Data Protection Regulation or in the Danish Data Protection Act, we will obtain your consent to our processing of sensitive data.

    The lawfulness of our processing of data about a civil registration number is based on section 11(2) para (1) of the Danish Data Protection Act, as we are required to use the civil registration number in connection with our reporting to public authorities, including reporting as a basis for disbursement of public funds for the study programme.

    The lawfulness of our processing of data about criminal offences (we process data about the detention facility assigned educational counsellor, and only if such information is provided, and based on this information it is possible to deduce that the data subject is under the Danish Prison and Probation Service) is based on section 8(3) of the Danish Data Protection Act, as the data are necessary for us to pursue our legitimate interests in complying with our obligations under our cooperation with the Danish Prison and Probation Service.

    Disclosure of data

    To the extent that we are obliged to do so, we disclose data about you to the Coordinated Enrolment System, the Danish Ministry of Higher Education and Science, Statistics Denmark and the Danish National Archives.

    For courses offered by third parties, data about you as a course participant are disclosed to these parties, and we also receive data about your participation from such course suppliers.

    For courses held for unemployed persons, data are exchanged with job centres and – in certain cases – with the Danish Ministry of Employment.

    For students who have to pay for their study programme themselves, data may be disclosed to the Danish Debt Collection Agency.

    For students who are not citizens of an EU member state, data are exchanged with the Danish Ministry of Immigration and Integration.

    If Cphbusiness receives a request from law enforcement authorities about disclosure of information, we are obliged to comply with it.

    Storage and erasure

    We store the data necessary to be able to recreate diplomas for 30 years after the issue of the diploma, as we are legally obliged to do so. As a general rule, other data are erased when we have met our obligations to the Danish National Archives in relation to the data in question.

    Administration of internships

    Data covered by the processing activity

    If you are an internship host or some other form of contact person for at student taking an internship, we process data about your name, your contact details, your job title, the company you represent and the internship agreement(s) entered into for our students.

    If you are doing an internship as a student, we process data about your civil registration number and name, data about the internship place and period, your work tasks in connection with your internship as well as evaluations and statements from the internship place.

    Lawfulness of processing

    The lawfulness of our processing is based on Article 6(1)(b) of the General Data Protection Regulation, as the processing is necessary for us to enter into or perform a contract with you as internship host, on Article 6(1)(c), as we have a legal obligation to process certain data in connection with students’ internship course, as well as on Article 6(1)(e), as the processing is necessary for the exercise of official authority. In rare cases, the lawfulness of our processing will be based on Article 6(1)(f), as the processing is necessary for us to pursue our legitimate interests in supporting a good internship course for both the student and the internship place.

    Disclosure of data

    We disclose the data to the internship place when a student initiates the submission of an internship contract. Otherwise, data are not disclosed without consent.

    Storage and erasure

    We store the data necessary to be able to recreate diplomas for 30 years after the issue of the diploma, as we are legally obliged to do so. As a general rule, other data are erased when we have met our obligations to the Danish National Archives in relation to the data in question.

    With regard to information about internships and contact persons, we will generally store this information until the student's internship (and subsequent relevant complaint periods) has ended. In certain cases, we will obtain consent for a longer storage and then store the information in accordance with the consent.

    International exchange stays

    Data covered by the processing activity

    If, while you are a student, you apply for a place as an exchange student with another institution via Cphbusiness International, we process data about your application, including your civil registration number and name, your study programme and class at Cphbusiness, the institution with which you want to go on an exchange stay, data about any organisations that handle the exchange process as well as the data necessary for your application to be processed by the desired institution.

    Lawfulness of processing

    The lawfulness of our processing is based on Article 6(1)(c) of the General Data Protection Regulation, as we have a legal obligation to process certain data about our students, including reporting information to public authorities, on Article 6(1)(e), as the processing is necessary for the exercise of public authority, as well as, to a limited extent, on Article 6(1)(f), as the processing is necessary for us to pursue our legitimate interests in ensuring good and efficient cooperation with the educational institutions with which we collaborate.

    The lawfulness of our processing of data about a civil registration number is based on section 11(2) para (1) of the Danish Data Protection Act, as we are required to use the civil registration number in connection with our reporting to public authorities, including reporting as a basis for disbursement of public funds for the study programme.

    Disclosure of data

    We disclose data to the educational institution you have applied for a place at, if it is an institution with which Cphbusiness has exchange agreements. If this is an educational institution outside the EU, the data are generally transferred on the basis of Article 49(1)(b) of the General Data Protection Regulation.

    Storage and erasure

    Exchange stay data form part of the material necessary to enable us to prepare – and subsequently recreate –your diploma. Therefore, we store the data for 30 years after the issue of the diploma, as we are legally obliged to be able to recreate your diploma during this period.

    Administration of conferences and open events etc.

    Data covered by the processing activity

    If you attend a conference or an open event with us, we process data about your name and your contact details, data about the event in which you are participating as well as payment details for events for which a participant’s fee is charged.

    If the event is streamed, we also process data about you in the form of audio and video recordings.

    Lawfulness of processing

    The lawfulness of our processing is based on Article 6(1)(a) of the General Data Protection Regulation and a specific consent which you grant in connection with either registration for or participation in the event or on Article 6(1)(b), as the processing is necessary for us to enter into or perform a contract with you, as well as on Article 6(1)(f), as the data are necessary for us to pursue our legitimate interests in holding such events.

    If the event is streamed and recorded for subsequent accessibility, we always provide information about this both before the event and in connection with the actual event.

    Disclosure of data

    If the event is held in collaboration with external partners, we may disclose data about your name and, if relevant, the business that you represent to these partners, so they have the best possible basis for organising their contribution to the conference. We provide information about such a collaboration when you register for the event.

    Storage and erasure

    As a general rule, we store the data for five years from the end of the year in which the event was held.

    Data about suppliers and other partners

    Data covered by the processing activity

    If we have entered into an agreement with you or a company you represent in relation to us on the delivery of goods or services between Cphbusiness and you or the company you represent, we will process data about your name, your contact details, the company you represent, our correspondence with you as well as data about our trading history with you or the company you represent.

    Lawfulness of processing

    The lawfulness of our processing is based on Article 6(1)(b) of the General Data Protection Regulation, as the processing is necessary for us to enter into or perform a contract with you or the company you represent, and on Article 6(1)(f) of the General Data Protection Regulation, as the processing is necessary for us to pursue our legitimate interests in effective communication and relations with our suppliers, internship hosts and other partners.

    Storage and erasure

    The personal data may be included in our accounting records, for example in connection with invoices. Accounting transactions are stored for five years from the end of the year which the transaction concerns, see the requirements of the Danish Bookkeeping Act (Bogføringsloven). Other personal data, including master data, agreements, correspondence and trading history, are stored for five years from the end of the year in which the latest interaction or transaction with you/your company took place. However, data about contact persons will be erased immediately if/when we are informed that a contact person has been replaced. 

    Processing of enquiries from persons without affiliation to Cphbusiness

    Data covered by the processing activity

    When you contact us as a citizen without affiliation to Cphbusiness, we process data about your name or the name you use, your contact details and the content of your enquiry for the purpose of answering your enquiry.

    Lawfulness of processing

    Depending on the nature of the enquiry, the lawfulness of our processing will be based either on Article 6(1)(c) of the General Data Protection Regulation, as the processing is necessary for compliance with our legal obligations under the Danish Access to Public Administration Files Act (Offentlighedsloven) and the Danish Public Administration Act (Forvaltningsloven), or on Article 6(1)(f) of the General Data Protection Regulation, as the processing is necessary for us to pursue our legitimate interests in processing enquiries from external persons.

    Storage and erasure

    As a general rule, we store your data for six months, after which the data are erased. However, data which are subject to an archiving obligation in accordance with the Danish Archives Act (Arkivloven) will be erased at the earliest when the archiving has been completed. However, we may store your data for a longer period if this is necessary for us to comply with a legal obligation or for us to establish, exercise or defend a legal claim.

    CCTV surveillance

    Data covered by the processing activity

    We have established CCTV surveillance at our locations for crime prevention and investigation purposes.

    We therefore process data in the form of images of you when you are at our locations.

    Lawfulness of processing

    The lawfulness of our processing is based on Article 6(1)(f) of the General Data Protection Regulation, as the data are necessary for us to pursue our legitimate interests in creating safe and secure premises for our employees and students, as well as on the Danish TV Surveillance Act (TV-overvågningsloven).

    Data about criminal offences shown on the recordings are processed in accordance with section 8(3) of the Danish Data Protection Act.

    Disclosure of data

    We may disclose the data to law enforcement authorities if this is necessary for purposes of investigation and criminal proceedings.

    Storage and erasure

    The recordings are stored for 30 days, after which they are erased. However, recordings may be stored for longer where this is necessary for the investigation and handling of specific incidents.

    Research and development activities

    Information covered by the processing activity

    In addition to the provision of education, Cphbusiness is also required to carry out practice-oriented and application-oriented research and development activities. In this way, we very often come into contact with different types of personal data. The type of data will depend on the nature of the different research projects.

    Very often, data collection consists of interviews and questionnaire surveys, whereby data subjects are contacted directly and can thus decide on their participation. In such a context, we will inform you about the purpose of the processing and how the data subject's data is included and for how long.

    There are also a few examples where Cphbusiness processes data about data subjects without making direct contact with the persons concerned. As a general rule, these will be projects where data is extracted from different source systems. This data will subsequently be anonymised or pseudonymised prior to further processing. In such projects, it is not possible to identify the individual data subject.

    Legal basis for processing

    The legal basis for the processing of data where the data subjects decide on their participation in the form of interviews or questionnaires, is Article 6(1)(a) of the General Data Protection Regulation, a specific consent that you give in connection with your participation or participation in the research and development activity.

    For projects where personal data are anonymised or pseudonymised, the legal basis for the processing is Article 89 of the General Data Protection Regulation, as it is processing for the purpose of scientific investigations of significant social importance and where the processing is necessary for the purposes of research.

    Disclosure of information

    Data subjects' data collected in connection with the projects will not be disclosed. Depending on the nature of the activity, reporting on the research and development projects, will result in knowledge production and communication about it, and for some types of projects, research results will be disseminated by clear agreement with the data subjects, from which it is possible to deduce that a specific data subject has participated in the project. This only happens in cases where there is a clear agreement with the individual data subject to this effect.

    For research projects involving anonymised or psedonymised personal data, the information will not be disclosed in a personally identifiable form. It is only disclosed, if at all, in aggregated form.

    Storage and deletion

    We store the information necessary for the reliability and validity of the research taken place. Other information is generally deleted when we have fulfilled our obligations to the Danish National Archives in relation to the information in question.

    Operation of website

    Data covered by the processing activity

    When you visit our website, we process data about you in the form of cookies.

    You can read more about this processing, including about the cookies we use and the purposes for which we use them, in our cookie policy.

    Lawfulness of processing

    The lawfulness of our processing is based on Article 6(1)(f) of the General Data Protection Regulation, as the data are necessary for us to pursue our legitimate interests in optimising our website and ensuring stable operation thereof.

    Disclosure of data

    The data in certain cookies can also be accessed by third parties – please see the details on this in our cookie policy.

    Storage and erasure

    The storage period for the individual cookies is stated in our cookie policy, to which reference is made.

    Use of social media

    It is possible to follow Cphbusiness on a number of social media. Cphbusiness uses these media for marketing purposes, and citizens may interact with Cphbusiness’s profile and with other users on Cphbusiness’s wall and posts.

    If you do so as a user, you should be aware that you provide personal data about yourself, both in the form of data which are visible in the medium and in the form of cookies. Cphbusiness has access to these data to a certain extent, as the social media most often entail joint data controlling.

    Lawfulness of processing

    The lawfulness of our processing is based on Article 6(1)(f) of the General Data Protection Regulation, as the data are necessary for us to pursue our legitimate interests in optimising our website and generally ensuring stable operation thereof.

    Disclosure of data

    The data in certain cookies can also be accessed by third parties – please see the details on this in our cookie policy.

    Storage and erasure

    The storage period for the individual cookies is stated in our cookie policy, to which reference is made.

    Recruitment of employees

    Data covered by the processing activity

    When you apply for a job with Cphbusiness, we process data about your name, your contact details, data about completed and any ongoing study programmes and training programmes, data about current and previous employment, data about special competences, (for example language skills, certifications and the like), results from tests done as part of the recruitment process, references and other data that you as an applicant may state in your application or CV.

    Lawfulness of processing

    The lawfulness of our processing is based on Article 6(1)(b) of the General Data Protection Regulation, as the processing is necessary for us to enter into or perform a contract with you, and on Article 6(1)(f), as the data are necessary for us to pursue our legitimate interests in treating all applicants in a fair and serious manner and selecting the best qualified applicant for positions with us.

    Disclosure of data

    Depending on the recruitment circumstances, we may disclose data to

    • The tempotrary employment agency you are affiliated with, if this is the case
    • Municipial authorities such as e.g. the job centre, if your job centre is involved in the employment process
    • Niels Brock Copenhagen Business College (for office trainees).

    Storage and erasure

    For applicants who succeed in obtaining employment with us, the data are transferred as part of the data we process in connection with the employment and are stored in accordance with our policy on storage of personal data.

    For applicants who do not succeed in obtaining employment with us, the data are erased no later than 12 months after you have received a final rejection of your application, unless you have granted your consent for us to store the data for longer.

    Personnel management

    Data covered by the processing activity

    When you are employed by Cphbusiness – and for five years from the end of the year in which your employment terminated – we process data about your civil registration number, name, contact details, data about completed and any ongoing study programmes and training programmes, data about previous employment, data about special competences, for example language skills, certifications and the like, results from tests done as part of the recruitment process, data about current and previous salary/remuneration and adjustments, data about deductions and income tax rate, data about bank accounts, data about workplace, data about teaching schedule and the like, results of evaluations and employee performance reviews, data about competence development, lecturer requests, data about illness, holidays, working hours and maternity/paternity leave, any sanctions in employment law, including warnings, as well as other data you have submitted to us as an applicant in connection with the employment process or in the subsequent course of your employment.

    Your employee profile on our intranet is deactivated when you leave your position, and it will be erased completely after five years. Your employee profile on our website will be erased completely with immediate effect when you leave your position. Any content you may have posted on our intranet as part of your work at Cphbusiness will be kept, and you will be shown as the sender for up to five years after you have left your position.

    Lawfulness of processing

    The lawfulness of our processing is based on Article 6(1)(b) of the General Data Protection Regulation, as the processing is necessary for us to enter into or perform a contract with you, as well as on Article 6(1)(f), as the data are necessary for us to pursue our legitimate interests in having the best possible basis for managing our business in accordance with our right of management and so that we can contribute to creating a good and developing course of employment.

    The lawfulness of our processing of data about your civil registration number is based on section 11(2) of the Danish Data Protection Act.

    If, in exceptional cases, we process special categories of data (‘sensitive data’) about you, these will usually be health data, and the lawfulness of our processing of these data is based on section 12 of the Danish Data Protection Act.

    Disclosure of data

    We disclose data to the Danish Tax Agency and Statistics Denmark, as well as to other public authorities to which we are obliged to disclose data.

    For lecturer requests, we also disclose data to an assessment committee and to the Danish Ministry of Higher Education and Science.

    Storage and erasure

    As a general rule, we store your data for five years from the end of the year in which your employment has terminated.

    Transfer of data to data processors and transfer to third countries in connection with this

    In addition to disclosure of data and any consequent transfer of data to third countries, as described in connection with the individual processing activities, Cphbusiness transfers your personal data to the data processors which provide IT services or other services to us.

    As data processors, these companies are only allowed to process data in accordance with the instructions we give them – unless they are required by law to process data – and they are thus not allowed to use the data for their own purposes.

    Some of these data processors are based in countries outside the EU/EEA or use subprocessors based outside the EU/EEA, including in countries that do not ensure the same level of protection of personal data that you have within the EU/EEA. We only transfer personal data to these data processors if they are subject to Binding Corporate Rules or if another transfer basis has been established – most often the EU Commission’s standard contractual clauses.

    Where the transfer basis is the EU Commission’s standard contractual clauses, you can request a copy of these contracts by contacting us at persondata@cphbusiness.dk.

    Storage and erasure

    The duration of our storage of your data depends on the purpose of our processing. Under the individual processing activities, we have described for how long we generally store the data processed as part of the individual processing activity.

    However, we may store your data for longer if

    • it is necessary to comply with a legal obligation
    • it is necessary for the establishment, exercise or defence of a legal claim or
    • you have granted your consent for a longer storage period.

    In addition, we will erase your data at the earliest when our archiving obligation vis-à-vis the Danish National Archives for the data in question has been complied with.

    Your rights

    As a data subject, you have the following rights under the General Data Protection Regulation:

    1. You have the right to request access to, rectification of or erasure of your personal data.
    2. You also have the right to object to the processing of your personal data and have the processing of your personal data restricted
    3. In particular, you have an unconditional right to object to the processing of your personal data for the purpose of direct marketing.
    4. If the processing of your personal data is based on your consent, you have the right to withdraw your consent at any given time. Your withdrawal will not affect the lawfulness of the processing done prior to your withdrawal of your consent.
    5. In certain cases, you have the right to receive the personal data which you yourself have provided in a structured, commonly used and machine-readable format (data portability).
    6. You have the right not to be subject to automated decision-making, including profiling, in cases where the decision has a significant impact on you.

    Please note that there may be conditions or restrictions attached to the exercise of some of these rights.

    You may exercise these rights by contacting us – our contact details are shown in the ‘Data controller’ section at the top of the document.

    In addition to the above rights, you can always file a complaint with a data protection authority, for example the Danish Data Protection Agency. You can read more about the possibilities for filing a complaint and about your rights in general at datatilsynet.dk/english.

    Updates of information about processing of personal data

    We may update our information about processing of personal data from time to time. You can always find the current version at our website.

    The information was last updated on 1 May 2023.

  • Cookie policy

    The website uses cookies

    Some are used for statistical purposes and others are set up by third party services. When visiting cphbusiness.dk/english, you will be exposed to a pop-up asking for your permission to use cookies. By clicking 'Accept all', you accept the use of cookies.

    Different types of cookies

    Strictly necessary

    Strictly necessary cookies help make a website navigable by activating basic functions such as page navigation and access to secure website areas. Without these cookies, the website would not be able to work properly.

    Functional

    Functional cookies make it possible to save information that changes the way the website appears or acts. For instance your preferred language or region.

    Statistical

    Statistical cookies help the website owner understand how visitors interact with the website by collecting and reporting information.

    Marketing

    Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and interesting to the individual user and thus more valuable for publishers

    Unclassified

    We are in the process of classifying unclassified cookies together with the providers of the individual cookies.

    What is a cookie?

    A cookie is a small datafile that is saved on your computer, tablet or mobile phone. A cookie is not a program that can contain harmful programs or viruses.

    How/why the homepage uses cookies

    Cookies are necessary for the homepage to function. Cookies help us get an overview of your visit to the homepage so that we can continually optimize and adjust the homepage to your requirements and interests. For example, cookies remember what you might have added to a shopping cart, if you have previously visited the page, if you are logged in and what languages and currency you want to be displayed on the homepage. We also use cookies to target our ads to you on other homepages. On a very general level, cookies are used as part of our services in order to show content that is as relevant as possible to you.

    How long are cookies saved?

    How long cookies are saved on your device can vary. The time when they are scheduled to expire is calculated from the last date you visited the homepage. When cookies expire, they are automatically deleted. You can view a complete list of cookies below.

    This is how you can reject or delete your cookies

    You can always reject cookies on your computer, tablet or phone by changing your browser settings. Where these settings can be found depends on the type of browser you are using. If you do change the settings, please be aware that there will be some functions and services that you cannot use because they rely on the homepage being able to remember the choices you have made.

    You can choose to not receive cookies from Google Analytics here.

    Deleting cookies

    You can delete cookies that you have previously accepted. If you are using a PC with a recent version of a browser, you can delete your cookies by using these shortcut keys: CTRL + SHIFT + Delete

    If the shortcut keys do not work and/or you are using an Apple computer, you must find out, what browser you are using and then click on the relevant link:

    Remember: If you are using several different browsers, you must delete the cookies in all of them.

    Do you have any questions?

    Should you have any questions or comments in connection with this information and/or our processing of personal data, you are welcome to get in touch with us. The cookie declaration itself is updated every month via Cookie Information. If you have any questions regarding the Cookie Information, you can send an e-mail to info@cookieinformation.com

  • Information about the legal basis and consent

    Processing of personal data resulting from the legal basis

    It is important that, as a student at Cphbusiness and as a collaboration partner, you are made aware that we process your personal data. We do this in order to enable you to be enrolled as a student, take classes, sit exams, obtain the SU student grant, and more. We also process personal data in order to be able to cooperate with other partners.

    This means that you do not have to give permission (consent) for Cphbusiness to process such information.

    As an educational institution, Cphbusiness is allowed (i.e. has a legal basis) to process information about you as a student when the processing is done to comply with a legal obligation incumbent on Cphbusiness, and when the processing is within the public exercise of authority imposed on Cphbusiness.

    For current and potential students, this applies for example when we process your application for admission, your enrolment information, your application for an SU grant, any requests for a waiver, and any complaints.

    Processing of personal data where consent must be given

    In certain situations, Cphbusiness has no legal basis for processing your personal data. In such situations, we will always ask you for permission to process your data. For example, we may take portrait photos of you (including team photos) that we would like to publish, or we might like to include statements you make about a course in a course description on our website.

    If we ask for your consent to the processing of your personal data, you have the option of saying no. If you give your consent, you also have the option to withdraw it afterwards. Read more about consent in other situations here.

    For former employees

    When you stop being employed at Cphbusiness, there may be situations where Cphbusiness will continue to process your personal data for a period of time.

    For example, there may be information to be passed on to SKAT and holiday account (Feriekonto), HR-relevant information (e.g. about possible Associate Professor qualification), personal data in other systems and documents that were relevant to your employment (e.g. in flow charts or minutes, etc.) - as well as stories and news on the intranet and the website in which you appear.

    Your employee profile (on the intranet and the website) will be deleted.

    Where do the rules come from?

    Article 6 of the General Data Protection Regulation sets out the criteria for lawful processing of personal data, and Cphbusiness' processing is typically within the scope of Article 6(1)(c) and (e) (legal basis) and (a) (consent).

    The processing of sensitive personal data is based on Article 9(2)(a) of the Regulation (consent) and (b) (safeguarding rights, e.g. in a collective agreement).

  • The right of access

    You have the right, at "reasonable intervals", to access the personal data we have about you and be informed about how we process it.

    If you request access, you have the right to access the personal data that we have registered about you, and you have the right to obtain the following information:

    • How we process the data.
    • The purposes of the data processing.
    • The categories of personal data concerned.
    • To whom we possibly transfer the personal data.
    • Where we obtained the personal data from, if we did not receive them from you. 
    • How long we will keep them - or, if it is not possible to say exactly, information about the criteria used to determine this period of time.
    • Information on the right to rectification.
    • Information on the right to deletion. 
    • The right to complain to the Danish Data Protection Agency.

    Cphbusiness has a duty to comply with your request for inspection "without undue delay".

    Cphbusiness' policy is that the processing of your request must be done within one month of receipt of your request. 

    Cphbusiness wants to work to make exercising your right of access as easy as possible. The goal is for you to be able to log in yourself and see what data we have registered about you. 

    How to access your data

    To request access, you send your request from a secure site, where you ask to access the personal data we have about you.

    You can request access here.

    We will need your name and personal identification number (CPR-nummer) in order to find the correct personal data. 

    Where do the rules come from?

    Article 15 of the General Data Protection Regulation describes the right of a data subject to have access to information about him/her that is processed by a data controller. Article 12 of the Regulation describes the obligations of the data controller, including to comply with requests for access.

  • The right to be forgotten (be deleted)

    You have the right to have personal data deleted if it is no longer necessary for the purpose for which it was stored, if you have withdrawn your consent or if it is not processed in accordance with the EU General Data Protection Regulation.

    Cphbusiness is obliged to delete this personal data "without undue delay". Cphbusiness' policy is that the processing of your request for access to or deletion of personal data must be done within one month of receipt of your request.

    Please be aware that there is a wide range of data that cannot be deleted, as Cphbusiness is required by other laws and regulations to store student and employee data.

    What to do

    To request deletion of your personal data, you send your request from a secure site, where you ask for the personal data you specify to be deleted.

    You can request deletion here.

    We will need your name and personal identification number (CPR-nummer) in order to find the correct personal data.

    Where do the rules come from?

    Article 17 of the General Data Protection Regulation describes the data subject’s right to have their personal data deleted ("right to be forgotten").

  • The right to rectification

    Personal data must be accurate, and Cphbusiness will take all reasonable steps to ensure that any personal data that is inaccurate in relation to the purposes for which it is processed is rectified.

    If you become aware that there are errors in the personal data that Cphbusiness has registered about you, you have the right to have the error corrected as soon as possible. You also have the right to have personal data completed if you become aware that Cphbusiness has registered incomplete data about you. Please contact Cphbusiness to let us know about any errors or anything that is incomplete.

    Cphbusiness is obliged to respond to your request for access within one month of receipt of your request.

    If your data has been disclosed to other agencies, Cphbusiness will notify them of the changes to your data so that your data can also be corrected there. You have the right to know which other bodies have received your data. Please contact Cphbusiness about this.

    Please be advised that you have the right to correct actual errors or to supplement data that is incomplete. You cannot change facts or add any data that has arisen after you graduated from Cphbusiness, for example.

    What to do

    You request personal data to be corrected by sending the request from a secure site, asking for the personal data you provide to be corrected.

    You can request rectification here.

    We will need your name and personal identification number (CPR-nummer) in order to find the correct personal data.

    Where do the rules come from?

    The right to rectification is described in Article 16 of the General Data Protection Regulation, and Article 19 sets out Cphbusiness' obligation to inform other bodies which may have your personal data about rectification or completion, as well as your right to be informed of which bodies have received your data.

  • The right to object

    You have the right to object to the processing of personal data on the basis of your particular situation when the processing of the data is done on the basis of very specific situations. These are situations in which the processing takes place in the exercise of official authority which Cphbusiness has been entrusted with.

    Please note that this means that you cannot object to all processing of your personal data but only to certain types of processing. For example, you cannot object to us processing information about your enrolment when you are a student at Cphbusiness.

    When you have objected to the processing, and if Cphbusiness finds that the processing in question is covered by your right of objection, Cphbusiness must, as a general rule, no longer process the personal data unless there are very specific and compelling reasons for doing so, including any legal claims. If Cphbusiness finds that there are very specific and compelling reasons for the processing of your personal data to continue despite your objection, Cphbusiness must demonstrate this.

    In the case of direct marketing from Cphbusiness, you have the right at any time to object to the processing of your personal data for this purpose. Therefore, if you object to direct marketing, we will immediately discontinue processing your personal data for this purpose.

    If you believe that Cphbusiness is processing personal data about you in a manner that violates applicable law, you may, of course, always demand that this processing be terminated. Please contact Cphbusiness about this.

    Cphbusiness has a duty to make a determination regarding the case within one month of receiving your request.

    You will receive a decision on the case, and if your request has not been met, you will receive instructions on how you can appeal against the ruling.

    What to do

    You object to the processing of your personal data by sending the request from a secure site, specifying what you object to.

    You can object here.

    We will need your name and personal identification number (CPR-nummer) in order to process your objection.

    Where do the rules come from?

    The right to object is set out in Article 21 of the General Data Protection Regulation.

  • The right to restrict processing

    You have the right to request a restriction of processing in the following cases:

    • If you believe that your personal data is incorrect, the processing should be restricted until the data controller has been able to determine whether it is correct or not.
    • If the processing of your personal data is unlawful, you can request that your personal data be used to a limited extent instead of being deleted.
    • If the data controller no longer needs the personal data for processing, but it is required in order for a legal claim to be determined, invoked or defended, you can ask for limited processing.
    • If you have objected to the processing of your personal data, you can request limited processing during the period of an investigation into whether your legitimate interests have priority over those of the data controller.

    Cphbusiness has a duty to make a determination regarding the case within one month of receiving your request.

    If your request is accepted, you will be notified before any revocation of the restriction.

    What to do

    You request restriction on the processing of your personal data by sending the request from a secure site, specifying what you object to.

    You can request restriction here.

    We will need your name and personal identification number (CPR-nummer) in order to process your objection.

    Where do the rules come from?

    The right to object is set out in Article 18 of the General Data Protection Regulation.

  • The right not to be subject to profiling

    Profiling means fully automated processing of your personal data for the purpose of assessing certain facts about you and, for example, making an automatic decision that has legal effect for you or otherwise affects your situation significantly.

    Typical examples of profiling are automatic profiles that can be used for credit assessment by a bank or mortgage institution.

    You have the right to access information collected about you, including information used for profiling purposes. You have the right not to be subject to a decision that includes profiling.
    Cphbusiness does not use these types of automated decisions.

    Where do the rules come from?

    The right not to be subject to profiling is set out in Article 22 of the General Data Protection Regulation.

  • Guidelines for information on data processing

    Cphbusiness has a duty to inform data subjects (students, employees, examiners, members of the public) about our processing of data pertaining to them.

    When we collect the data directly from the data subject

    Situation: When we collect data about people directly from the person (e.g. in connection with an application), we must inform them that we are doing so.

    How: Cphbusiness is obliged to inform these individuals on its own initiative. There is no requirement to do this in writing, but since we must be able to demonstrate that we have provided the information, that will be an advantage.

    Exception: However, if the data subjects are already aware of the information, we are not required to inform them.

    When: We inform people no later than at the time of collecting the data.

    What do we give information about?

    • The data controller and its contact details (possibly for a representative).
    • The DPO's contact details. (DPO = Data Protection Officer).
    • The purpose of the processing of the data collected and the legal basis for the processing.
    • Recipients or categories of data recipients.
    • If Cphbusiness intends to transfer the data to a third country, and an indication of its level of security.
    • The time period for which the data will be stored.
    • Right of access, rectification and deletion, as well as restriction of processing and objection.
    • The right to withdraw consent in the case of processing on the basis of consent given.
    • The right to complain to the supervisory authority.
    • Whether the data subject is required by law or contractually to provide the data, and the consequences for the data subject of not providing the data.
    • The use of automated decisions, including profiling, and the logic of the automated decisions.
    • If Cphbusiness wishes to further process the personal data for a purpose other than that for which it was collected, information about this must be given.

    When we do not collect the personal data directly from the data subject

    Situation: When we receive data about a person who has not personally provided it to us, we are obliged to inform the person of this.

    Exceptions: If the data subjects are already aware of the information, or it is impossible or will require a disproportionate effort to inform them (especially in connection with archival purposes or research), then it is not a requirement that we inform them.

    Furthermore, in the case of collection or disclosure expressly provided for by EU or national law, they do not need to be informed.

    When:

    • The information below must be provided within a reasonable period after collection, but not later than one month (taking account of the specific conditions under which the information is processed).
    • If the personal data is to be used to communicate with the data subject, information must be provided no later than at the time of the first communication with the data subject.
    • If the data is intended to be transferred to another recipient, information must be given no later than when the personal data is disclosed for the first time.

    What do we give information about?

    Generally, information is given about the same details as when the data has been collected from the data subject.

    • The data controller and its contact details (possibly for a representative).
    • The DPO's contact details. (DPO = Data Protection Officer).
    • The purpose of the processing of the data collected and the legal basis for the processing.
    • The categories of personal data concerned (different from the categories we have collected from the data subject).
    • Recipients or categories of data recipients.
    • If Cphbusiness intends to transfer the data to a third country, and an indication of its level of security
    • The time period for which the data will be stored.
    • Right of access, rectification and deletion, as well as restriction of processing and objection.
    • The right to withdraw consent in the case of processing on the basis of consent given.
    • The right to complain to the supervisory authority.
    • The source of the personal data, and an indication of whether there are public sources.
    • The presence of automated decisions, including profiling, and the logic of the automated decisions;
    • If Cphbusiness wishes to further process the personal data for a purpose other than that for which it was collected, information about this must be given.

    Where do the rules come from?

    Cphbusiness' information obligations are set out in Articles 13 and 14 of the General Data Protection Regulation.