Privacy policy

It is Cphbusiness' policy to treat all collaboration partners (students, stakeholders and partners) decently and well. With that in mind, we are keen to take good care of the personal data we are entrusted with - and process it in accordance with applicable legislation.

We need some of your personal data if you are a student at Cphbusiness, for example. Otherwise, we cannot manage your study programme. This data could be, for example, your name, address, contact details, CPR number, your qualifying exam, your coursework grades, any absence due to illness, and so on. We have a legal basis for collecting and processing personal data of this kind.

Some personal data goes beyond the examples mentioned above but are important for us to collect and process, e.g. to ensure good quality of teaching and, through marketing, to maintain a good livelihood for Cphbusiness. In such cases, we may only process personal data if you expressly give us your consent.

As a general rule, Cphbusiness may only collect and process personal data that we need; we can only use it for that specific purpose, and we may only retain it for as long as it is needed. Any processing of personal data should be legal and reasonable.

We store your data securely and confidentially. We protect it from accidental destruction, loss or degradation and against falling into the hands of unauthorised persons, being used fraudulently or otherwise processed contrary to the law.

Below you can read more about how we process personal data, your rights, e.g. in relation to access, deletion and raising objections - as well as how to give consent and, if you wish, withdraw consent.

Contact

You can always contact Cphbusiness about this:
persondata@cphbusiness.dk

You can also contact our DPO (Data Protection Officer):
Flemming Rasmussen
Data protection consultant, EFIF
Mobile: (+45) 2060 1942
Mail: fr@efif.dk

  • Information on data processing that ensures transparency

    Cphbusiness works to ensure that, as a person registered with us, you are guaranteed the transparency to which you are entitled under the EU General Data Protection Regulation.

    In our overall privacy policy, we have made it clear that we only collect and process the data required for us to manage your course of study (etc.) - and to enable us to run Cphbusiness as a successful business.

    We only process personal data for that purpose; if we need it for another purpose, we will inform you first.

    As mentioned above, Cphbusiness aims primarily to process data we have the legal authority to process, but where we can only do so after obtaining consent from you, we will only process that data once we have obtained consent and we will stop at the moment you want to withdraw, if that is what you choose to do.

    Transparency is also ensured by the fact that you are always welcome to ask to inspect the personal data we have registered about you and how we use it. We would, however, encourage you to use this option cautiously and not too frequently - at "reasonable intervals", as the General Data Protection Regulation puts it.

    Where do the rules come from?

    Article 5 of the General Data Protection Regulation sets out the principles governing the processing of personal data, which everyone, including Cphbusiness, must comply with. Article 12 of the Regulation describes the responsibility of a data controller for ensuring transparency in the processing of data.

  • Privacy policy

    Transparency in data processing

    Cphbusiness works to ensure that as a person registered with us, you are guaranteed the transparency to which you are entitled under the EU General Data Protection Regulation.
    In our overall privacy policy, we have made it clear that we only collect and process the data required for us to manage your course of study (etc.) – and to enable us to run Cphbusiness as a successful business.

    We only process personal data for that purpose; if we need it for another purpose, we will inform you first.

    Situations in which we process your data (general citizens)

    When, as a citizen with no links to Cphbusiness, you contact us in writing, we receive your enquiry in secure systems and process it with the aim of answering your questions. When we have finished processing the matter, it is deleted within the email systems but retained in journal data, as Cphbusiness is subject to the provisions on open administration and the duty to record data. We do not disclose your data to any other party.

    Situations in which we process your data (newsletter recipients)

    If you subscribe to a newsletter from Cphbusiness, we will use your email address to send you marketing information. We do not disclose your data to any other party. You can unsubscribe from the newsletter at any time.

    Situations in which we process your data (suppliers, partners, internship hosts and contact persons)

    If we have an agreement with you whereby you provide a service to us or we provide a service to you, we will process your personal data for the purpose of fulfilling this agreement. We do not disclose your data to any other party. 

    When you host an internship for a Cphbusiness student or act as a contact person during an internship, your data will be processed in our CRM system as part of the internship contract for the student. The purpose is to establish the frame work for the student’s internship. We do not disclose your data to any other party.

    Situations in which we process your data (applicants and students)

    When you apply for admission to a study programme or a part of a study programme at Cphbusiness, this is usually done by creating an application in a system and uploading documentation. We receive this information via a secure connection and process it in our various study administration systems, to assess whether you meet the admission requirements. If information is missing or there are any questions, we will contact you. We use secure connections for this communication.

    If you are admitted to the study programme or part of a study programme, you will receive notice, and prior to commencing studies you will be assigned a Cphbusiness email address and be added to the systems we use to support our tuition such as our learning platform. You will be added with a single sign-on (WAYF), which ensures that you are recognised as a user in the systems with your assigned privileges.

    While you study at Cphbusiness, your data is processed on an ongoing basis as you attend lectures, receive and answer emails and sit exams, and if you lodge any complaints or apply for exemption etc. You will also occasionally receive questionnaires and evaluations aimed at ensuring the quality of your study programme and educational institution. You are under no obligation to respond to these evaluations and questionnaires, but we would encourage you to do so, as they are very important for ensuring the quality of your study programme and educational institution. (Please note that a study-start test will be held for full-time study programmes in connection with commencing studies, for which attendance is compulsory.)

    If you, while you are a student, apply to become an exchange student with an institution with which Cphbusiness has an agreement, we will provide documentation for your examination results and your application to the partner. We will inform you when this happens. Cphbusiness' European partners are also subject to the Data Protection Regulation and will take good care of your data. For partners outside the EU, Cphbusiness has a dialogue with the institutions about data protection.

    When you complete your study programme or part of a study programme, we will send you a diploma via a secure connection. You may later find that you receive questionnaires and evaluations aimed at ensuring the quality of your study programme and educational institution. You are under no obligation to respond to these evaluations and questionnaires, but we would encourage you to do so, as they are very important for ensuring the quality of your study programme and educational institution.

    As part of the quality assurance for our study programmes, we are working with data-driven education statistics, which are statistical analyses of information, students, and applicants. There is no analysis at the individual level.

    All administrative processing of your personal data takes place in secure systems, to which only security-cleared personnel have access, and is in line with national legislation. In rare instances, you will have to give consent for your data to be processed.
    All surveys sent to you by Cphbusiness are either in line with legislation or required by the Danish Ministry of Higher Education and Science.

    Situations in which we disclose your data (applicants and students)

    Cphbusiness only discloses data about you in very rare cases. This applies to situations where the ministry or its underlying agencies or other government authorities order us to do so, for example when reporting study activities for all students. Cphbusiness is granted funding to provide education and do research on the basis of this reported information. Cphbusiness does not have the option to refrain from disclosing this data, and you therefore cannot request to be exempted from this disclosure. Disclosure takes place via secure connections, and the government authorities also have a very clear focus on data security and using data for the intended purpose.

    Cphbusiness does not disclose data about you to any third party, unless the third party has a clear legal authority to receive and process the data. This applies, for example, if you participate in a course paid for by your employer. In this case, we will disclose data about your course registration which your employer needs in order to pay for your participation. (Typically your name, the name of the course, the starting date and price.) If your course is cancelled or no payment is charged for other reasons, your employer will be informed so that the company is aware that the attendance fee does not have to be paid. No further data about you will be disclosed.

    Cphbusiness uses data processors that assist us with IT or other services. These data processors act on instructions from Cphbusiness and process personal data on behalf of Cphbusiness. Cphbusiness thereby ensures that the data processors observe applicable legislation.

    Situations in which we disclose your data (employees)

    Cphbusiness discloses data about employees to the Danish Tax and Customs Administration (SKAT), pension funds and other relevant government authorities – for example to municipalities for reimbursement in connection with long-term illness. Apart from these legally entitled recipients, Cphbusiness discloses no data about employment without the employee’s consent.

    CCTV surveillance

    As part of the security at Cphbusiness, we monitor inside our buildings and entrances and exits. Recordings are deleted after 30 days. The recordings are stored in secure systems, to which only security-cleared personnel have access. We only disclose this data if there is a clear legal obligation to do so – for example if the police request the recordings in connection with a report of theft or assault. 

    Storage time

    We store your data until it is no longer necessary for us to process it. In some situations, it can be difficult to provide a precise time frame beforehand, but the section below outlines our framework for how long your data is stored.

    Applicants and students

    We store your personal data in accordance with the various legal requirements for government agencies and institutions, including the Danish Archives Act (Arkivloven), the Danish Public Information Act (Offentlighedsloven), the Danish Public Administration Act (Forvaltningsloven),the Danish Act on Business Academies for Higher Education Programmes (Lov om erhvervsakademier for videregående uddannelse) and the Examination Order (Eksamensbekendtgørelsen). We will delete such data for enrolled students when our reason for processing the data as a government institution has passed.

    We also only process data about students/former students where a separate basis for doing so exists.

    If the separate basis is consent, we store such personal data until the purpose of the processing has expired or you revoke your consent.

    Suppliers, partners, etc.

    Data linked to transactions between you and us is generally deleted no later than at the end of the ordinary time limit of five years after the expiry of the agreement.

    Participants at conferences, workshops, open house events, etc.

    We delete your personal data immediately at your request.

    Marketing consent

    Deleted as soon as possible after you unsubscribe.

    Enquiries from you

    Will normally be stored for up to six months after processing is complete, unless journal obligations require otherwise.

    If we have reason to keep your personal data in order to meet legal obligations such as in relation to legal disputes, we reserve the right to keep your personal data for an extended period, and at least until the case is closed.

    As mentioned above, Cphbusiness aims primarily to process data we have the legal authority to process, but where we can only do so after obtaining consent from you, we will only process that data once we have obtained consent and we will stop at the moment you want to withdraw your consent, if that is what you choose to do.

    Transparency is also ensured by the fact that you are always welcome to ask to inspect the personal data we have registered about you and how we use it.

    We would, however, encourage you to use this option cautiously and not too frequently – at ‘reasonable intervals’ as the General Data Protection Regulation puts it.

    Have you used Unibuddy?

    In case you ask questions to a student ambassador via Unibuddy on cphbusiness.dk we will process your data up to 24 months after your last interaction with the Cphbusiness student ambassador chat. We do so in order to be able to track the effect of the student ambassador chat function: Have potential students who have asked questions enrolled into a programme at Cphbusiness? You can at any time exercise your right to anonymize data which you have disclosed via Unibuddy. Click here to anonymize your data.

    Where do the rules come from?

    Article 5 of the General Data Protection Regulation sets out the principles governing the processing of personal data, which everyone, including Cphbusiness, must comply with. Article 12 of the Regulation describes the responsibility of a data controller for ensuring transparency in the processing of data.

  • Information about the legal basis and consent

    Processing of personal data resulting from the legal basis

    It is important that, as a student at Cphbusiness and as a collaboration partner, you are made aware that we process your personal data. We do this in order to enable you to be enrolled as a student, take classes, sit exams, obtain the SU student grant, and more. We also process personal data in order to be able to cooperate with other partners.

    This means that you do not have to give permission (consent) for Cphbusiness to process such information.

    As an educational institution, Cphbusiness is allowed (i.e. has a legal basis) to process information about you as a student when the processing is done to comply with a legal obligation incumbent on Cphbusiness, and when the processing is within the public exercise of authority imposed on Cphbusiness.

    For current and potential students, this applies for example when we process your application for admission, your enrolment information, your application for an SU grant, any requests for a waiver, and any complaints.

    Processing of personal data where consent must be given

    In certain situations, Cphbusiness has no legal basis for processing your personal data. In such situations, we will always ask you for permission to process your data. For example, we may take portrait photos of you (including team photos) that we would like to publish, or we might like to include statements you make about a course in a course description on our website.

    If we ask for your consent to the processing of your personal data, you have the option of saying no. If you give your consent, you also have the option to withdraw it afterwards. Read more about consent in other situations here.

    For former employees

    When you stop being employed at Cphbusiness, there may be situations where Cphbusiness will continue to process your personal data for a period of time.

    For example, there may be information to be passed on to SKAT and holiday account (Feriekonto), HR-relevant information (e.g. about possible Associate Professor qualification), personal data in other systems and documents that were relevant to your employment (e.g. in flow charts or minutes, etc.) - as well as stories and news on the intranet and the website in which you appear.

    Your employee profile (on the intranet and the website) will be deleted.

    Where do the rules come from?

    Article 6 of the General Data Protection Regulation sets out the criteria for lawful processing of personal data, and Cphbusiness' processing is typically within the scope of Article 6(1)(c) and (e) (legal basis) and (a) (consent).

    The processing of sensitive personal data is based on Article 9(2)(a) of the Regulation (consent) and (b) (safeguarding rights, e.g. in a collective agreement).

  • About consent

    There is data processing that Cphbusiness may perform because there is a legal basis for this, and then there is data processing requiring consent.

    We may only use personal data with your consent in the following cases:

    • Portrait photos (including team photos and model photos)
    • Adding your contact information to member lists
    • Lending of examination papers

    You have the right to withdraw your consent at any time.

    Photos from classes or the study environment may be used for marketing purposes, e.g. in brochures or on the website.

    How to give consent:

    Your consent must be a clear acknowledgement, which means a voluntary, specific, informed and unambiguous statement by you, in which you agree that Cphbusiness may process this personal data.

    You have to give consent for each purpose for which we want to process your personal data, but Cphbusiness is working to enable this to be done via a single form.

    You can give consent here.

    Cphbusiness' policy is that all consent must be given in writing - preferably electronically. This gives you the greatest degree of security and makes management easier for us. Cphbusiness is working to enable all consent to be given electronically by filling in a form.

    How to withdraw your consent:

    You have the right to withdraw your consent at any time.

    Please note that you will not be able to withdraw your consent retroactively. The data processing that we have carried with your consent cannot be cancelled.

    Cphbusiness is working to make withdrawal of consent as easy as giving consent, i.e. electronically by filling in a form.

    Where do the rules come from?

    Article 7 of the General Data Protection Regulation describes the conditions for consent, the registration of rights and the obligations of the data controller in relation to this. Article 6 of the Regulation describes lawful processing of personal data and states that the processing is lawful if the data subject has given consent for one or more specific purposes.

  • The right of access

    You have the right, at "reasonable intervals", to access the personal data we have about you and be informed about how we process it.

    If you request access, you have the right to access the personal data that we have registered about you, and you have the right to obtain the following information:

    • How we process the data.
    • The purposes of the data processing.
    • The categories of personal data concerned.
    • To whom we possibly transfer the personal data.
    • Where we obtained the personal data from, if we did not receive them from you. 
    • How long we will keep them - or, if it is not possible to say exactly, information about the criteria used to determine this period of time.
    • Information on the right to rectification.
    • Information on the right to deletion. 
    • The right to complain to the Danish Data Protection Agency.

    Cphbusiness has a duty to comply with your request for inspection "without undue delay".

    Cphbusiness' policy is that the processing of your request must be done within one month of receipt of your request. 

    Cphbusiness wants to work to make exercising your right of access as easy as possible. The goal is for you to be able to log in yourself and see what data we have registered about you. 

    How to access your data

    To request access, you send your request from a secure site, where you ask to access the personal data we have about you.

    You can request access here.

    We will need your name and personal identification number (CPR-nummer) in order to find the correct personal data. 

    Where do the rules come from?

    Article 15 of the General Data Protection Regulation describes the right of a data subject to have access to information about him/her that is processed by a data controller. Article 12 of the Regulation describes the obligations of the data controller, including to comply with requests for access.

  • The right to be forgotten (be deleted)

    You have the right to have personal data deleted if it is no longer necessary for the purpose for which it was stored, if you have withdrawn your consent or if it is not processed in accordance with the EU General Data Protection Regulation.

    Cphbusiness is obliged to delete this personal data "without undue delay". Cphbusiness' policy is that the processing of your request for access to or deletion of personal data must be done within one month of receipt of your request.

    Please be aware that there is a wide range of data that cannot be deleted, as Cphbusiness is required by other laws and regulations to store student and employee data.

    What to do

    To request deletion of your personal data, you send your request from a secure site, where you ask for the personal data you specify to be deleted.

    You can request deletion here.

    We will need your name and personal identification number (CPR-nummer) in order to find the correct personal data.

    Where do the rules come from?

    Article 17 of the General Data Protection Regulation describes the data subject’s right to have their personal data deleted ("right to be forgotten").

  • The right to rectification

    Personal data must be accurate, and Cphbusiness will take all reasonable steps to ensure that any personal data that is inaccurate in relation to the purposes for which it is processed is rectified.

    If you become aware that there are errors in the personal data that Cphbusiness has registered about you, you have the right to have the error corrected as soon as possible. You also have the right to have personal data completed if you become aware that Cphbusiness has registered incomplete data about you. Please contact Cphbusiness to let us know about any errors or anything that is incomplete.

    Cphbusiness is obliged to respond to your request for access within one month of receipt of your request.

    If your data has been disclosed to other agencies, Cphbusiness will notify them of the changes to your data so that your data can also be corrected there. You have the right to know which other bodies have received your data. Please contact Cphbusiness about this.

    Please be advised that you have the right to correct actual errors or to supplement data that is incomplete. You cannot change facts or add any data that has arisen after you graduated from Cphbusiness, for example.

    What to do

    You request personal data to be corrected by sending the request from a secure site, asking for the personal data you provide to be corrected.

    You can request rectification here.

    We will need your name and personal identification number (CPR-nummer) in order to find the correct personal data.

    Where do the rules come from?

    The right to rectification is described in Article 16 of the General Data Protection Regulation, and Article 19 sets out Cphbusiness' obligation to inform other bodies which may have your personal data about rectification or completion, as well as your right to be informed of which bodies have received your data.

  • The right to object

    You have the right to object to the processing of personal data on the basis of your particular situation when the processing of the data is done on the basis of very specific situations. These are situations in which the processing takes place in the exercise of official authority which Cphbusiness has been entrusted with.

    Please note that this means that you cannot object to all processing of your personal data but only to certain types of processing. For example, you cannot object to us processing information about your enrolment when you are a student at Cphbusiness.

    When you have objected to the processing, and if Cphbusiness finds that the processing in question is covered by your right of objection, Cphbusiness must, as a general rule, no longer process the personal data unless there are very specific and compelling reasons for doing so, including any legal claims. If Cphbusiness finds that there are very specific and compelling reasons for the processing of your personal data to continue despite your objection, Cphbusiness must demonstrate this.

    In the case of direct marketing from Cphbusiness, you have the right at any time to object to the processing of your personal data for this purpose. Therefore, if you object to direct marketing, we will immediately discontinue processing your personal data for this purpose.

    If you believe that Cphbusiness is processing personal data about you in a manner that violates applicable law, you may, of course, always demand that this processing be terminated. Please contact Cphbusiness about this.

    Cphbusiness has a duty to make a determination regarding the case within one month of receiving your request.

    You will receive a decision on the case, and if your request has not been met, you will receive instructions on how you can appeal against the ruling.

    What to do

    You object to the processing of your personal data by sending the request from a secure site, specifying what you object to.

    You can object here.

    We will need your name and personal identification number (CPR-nummer) in order to process your objection.

    Where do the rules come from?

    The right to object is set out in Article 21 of the General Data Protection Regulation.

  • The right to restrict processing

    You have the right to request a restriction of processing in the following cases:

    • If you believe that your personal data is incorrect, the processing should be restricted until the data controller has been able to determine whether it is correct or not.
    • If the processing of your personal data is unlawful, you can request that your personal data be used to a limited extent instead of being deleted.
    • If the data controller no longer needs the personal data for processing, but it is required in order for a legal claim to be determined, invoked or defended, you can ask for limited processing.
    • If you have objected to the processing of your personal data, you can request limited processing during the period of an investigation into whether your legitimate interests have priority over those of the data controller.

    Cphbusiness has a duty to make a determination regarding the case within one month of receiving your request.

    If your request is accepted, you will be notified before any revocation of the restriction.

    What to do

    You request restriction on the processing of your personal data by sending the request from a secure site, specifying what you object to.

    You can request restriction here.

    We will need your name and personal identification number (CPR-nummer) in order to process your objection.

    Where do the rules come from?

    The right to object is set out in Article 18 of the General Data Protection Regulation.

  • The right not to be subject to profiling

    Profiling means fully automated processing of your personal data for the purpose of assessing certain facts about you and, for example, making an automatic decision that has legal effect for you or otherwise affects your situation significantly.

    Typical examples of profiling are automatic profiles that can be used for credit assessment by a bank or mortgage institution.

    You have the right to access information collected about you, including information used for profiling purposes. You have the right not to be subject to a decision that includes profiling.
    Cphbusiness does not use these types of automated decisions.

    Where do the rules come from?

    The right not to be subject to profiling is set out in Article 22 of the General Data Protection Regulation.

  • Guidelines for information on data processing

    Cphbusiness has a duty to inform data subjects (students, employees, examiners, members of the public) about our processing of data pertaining to them.

    When we collect the data directly from the data subject

    Situation: When we collect data about people directly from the person (e.g. in connection with an application), we must inform them that we are doing so.

    How: Cphbusiness is obliged to inform these individuals on its own initiative. There is no requirement to do this in writing, but since we must be able to demonstrate that we have provided the information, that will be an advantage.

    Exception: However, if the data subjects are already aware of the information, we are not required to inform them.

    When: We inform people no later than at the time of collecting the data.

    What do we give information about?

    • The data controller and its contact details (possibly for a representative).
    • The DPO's contact details. (DPO = Data Protection Officer).
    • The purpose of the processing of the data collected and the legal basis for the processing.
    • Recipients or categories of data recipients.
    • If Cphbusiness intends to transfer the data to a third country, and an indication of its level of security.
    • The time period for which the data will be stored.
    • Right of access, rectification and deletion, as well as restriction of processing and objection.
    • The right to withdraw consent in the case of processing on the basis of consent given.
    • The right to complain to the supervisory authority.
    • Whether the data subject is required by law or contractually to provide the data, and the consequences for the data subject of not providing the data.
    • The use of automated decisions, including profiling, and the logic of the automated decisions.
    • If Cphbusiness wishes to further process the personal data for a purpose other than that for which it was collected, information about this must be given.

    When we do not collect the personal data directly from the data subject

    Situation: When we receive data about a person who has not personally provided it to us, we are obliged to inform the person of this.

    Exceptions: If the data subjects are already aware of the information, or it is impossible or will require a disproportionate effort to inform them (especially in connection with archival purposes or research), then it is not a requirement that we inform them.

    Furthermore, in the case of collection or disclosure expressly provided for by EU or national law, they do not need to be informed.

    When:

    • The information below must be provided within a reasonable period after collection, but not later than one month (taking account of the specific conditions under which the information is processed).
    • If the personal data is to be used to communicate with the data subject, information must be provided no later than at the time of the first communication with the data subject.
    • If the data is intended to be transferred to another recipient, information must be given no later than when the personal data is disclosed for the first time.

    What do we give information about?

    Generally, information is given about the same details as when the data has been collected from the data subject.

    • The data controller and its contact details (possibly for a representative).
    • The DPO's contact details. (DPO = Data Protection Officer).
    • The purpose of the processing of the data collected and the legal basis for the processing.
    • The categories of personal data concerned (different from the categories we have collected from the data subject).
    • Recipients or categories of data recipients.
    • If Cphbusiness intends to transfer the data to a third country, and an indication of its level of security
    • The time period for which the data will be stored.
    • Right of access, rectification and deletion, as well as restriction of processing and objection.
    • The right to withdraw consent in the case of processing on the basis of consent given.
    • The right to complain to the supervisory authority.
    • The source of the personal data, and an indication of whether there are public sources.
    • The presence of automated decisions, including profiling, and the logic of the automated decisions;
    • If Cphbusiness wishes to further process the personal data for a purpose other than that for which it was collected, information about this must be given.

    Where do the rules come from?

    Cphbusiness' information obligations are set out in Articles 13 and 14 of the General Data Protection Regulation.