2 Data Controller
The organisation responsible for processing your personal data is:
Mellemfolkeligt Samvirke − ActionAid Denmark
DK-2200 Copenhagen N
+45 7731 0000
CVR number: 18243717
The general legal framework for our processing of personal data is EU Directive 2016/679 of the European Parliament and Council of April 27 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, including regulation. Additionally, it is expected that a new act will be passed, on the basis of a bill introduced on 25 October 2017 on supplemental provisions to the directive on the protection of natural persons in connection with the processing of personal data and on the free movement of such data.
The general legal framework for our processing of personal data is EU Directive 2016/679 of the European Parliament and Council of April 27 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, including regulation. In addition, the Danish Data Protection Act, No. 502 of 23 May 2018, contains additional provisions to the Regulation on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Exchange of Such Information (Databeskyttelsesloven).
All queries regarding this Policy, the processing of your data and any suspicion of non-compliance should first be directed to:
Head of People & System Development
Some of the main terms related to personal data are defined below:
Any information relating to an identified or identifiable natural person, i.e. any information which, directly or indirectly, alone or together with other data, can be used to identify a particular natural person.
The natural or legal person, public authority, institution or other body which, alone or together with others, decides to which purpose and with which tools processing of personal data may be carried out.
The natural or legal person, public authority, institution or other body that processes personal data on behalf of the Data Controller.
Any activity or series of activities that involve(s) the use of personal data, including collection, registration, systematisation, modification, search, comparison and handing over of or disclosure to private individuals, public authorities, companies, etc. outside the Organisation.
Special Categories of Personal Data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, data concerning health or a natural person's sex life or sexual orientation and biometric data for the purpose of uniquely identifying a natural person (sensitive data).
The Personal Data Regulation
EU Directive 2016/679 of the European Parliament and Council of April 27 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, including regulation.
Act on the Protection of Personal
Data Danish Law No. 502 of 23/05/2018 - “Lov om supplerende bestemmelser til forordning om beskyttelse af fysiske personer i forbindelse med behandling af personoplysninger og om fri udveksling af sådanne oplysninger (databeskyttelsesloven)”.
4 Purpose of Processing your Personal Data
Depending on whether you are a member or a contributor, client or traveller, volunteer or course participant or perhaps just a user of our website, we are under an obligation to process your personal data to the extent necessary to provide you with the services you request and in order to fulfil our obligations as a member association. This applies both in terms of managing any contributions from you − unless you decide to contribute anonymously − any services or products you purchase from us and/or any subscriptions or memberships you hold with us. Our processing may also include your use of our web shop and/or our customer services, and/or promoting our services/products to you, signing up for our newsletter, courses or trips, or in other ways share your personal data with us.
5 The Personal Data about you that we Process
Personal data we collect directly from you:
If you are a member, client, traveller, volunteer, course participant or contributor with us, we collect the following personal data from you: Name, address, postal code, city, telephone number, e-mail address, registration and account number. Depending on your relationship with us we collect information about your civil registration number, for example for you to get deductions for any contributions, or if we are subject to a notification duty.
If you are going to travel with Global Contact, ActionAid Denmark’s travel program, we may need to process your health information, which belongs to the Special Categories of Personal Information (sensitive information). If you give your explicit consent, this information is processed and shared with the partner organization at the travel destination. Health information is obtained solely for the benefit of travelers' health.
In some cases, we need to collect information about you from others, for example information from the Danish Civil Registration System, Teledata and Post Nord. We collect such information in order to keep your contact details up-to-date so as to ensure that you can receive materials from us. We also collect it in order to complement the information we have about you, for example if we need your address.
7 How we Process your Personal Data
Specifically, we use your personal data for a number of purposes, depending on whether you are a member, contributor, client, traveller, volunteer or course participant, or perhaps just a user of our website.
If you are a member, we use your personal data to:
- manage your membership
- contact you regarding your membership and our work via post, e-mail, telephone and social media platforms
- report any contributions other than your membership fee to the Danish tax authorities (SKAT) to ensure that your contribution will appear on your tax return
- use your e-mail address to target advertisements on social media platforms.
If you are a contributor, we use your personal data to:
- manage your contributions
- contact you with the necessary information about your contribution(s) and our work via post, e-mail, telephone and social media platforms
- report your contribution(s) to the Danish tax authorities (SKAT) to ensure that it will appear on your tax return
- send you marketing materials to the extent that it complies with the marketing legislation in force at the time
- use your e-mail address to target advertisements on social media platforms
If you are a client or traveller, we use your personal data to:
- make functions on our website, including our web shop, available to you
- send you order confirmations
- respond to any questions you may have and comply with your requests
- execute your orders
- manage our customer relationship with you
- send you marketing materials to the extent that it complies with the marketing legislation in force at the time
- support you in any application for visa/work permit in relation to your trip
- create your membership if this is a requirement for you to travel with us.
If you are a volunteer or course participant, we use your personal data to:
- offer and manage courses
- create and manage your volunteer profile
- communicate with you and coordinate internally
- share your data with selected ActionAid partners after obtaining your consent.
If you are just a user of our website, we use your personal data to:
- make functions on our website available to you
- prepare statistics on your behaviour on our website
- optimise the appearance of our website
- target advertisements on social media platforms
8 Why we May Process your Personal Data (Basis of Data Processing)
When you become a member with us, make a contribution, purchase a product in our web shop or enter into some sort of agreement with us, we process your ordinary personal data for exactly that purpose. We may also process your personal data if, for example, you have a query prior to entering into an agreement with us. The legal basis of processing your personal data is Article 6(1)(b) of the Danish Personal Data Regulation, as processing your data is necessary for us to fulfil our agreement with you or for us to handle inquires etc. prior to you entering into an agreement with us.
We may also process your ordinary personal data because we have a legitimate interest in processing your data, cf. Article 6(1)(f) of the Danish Personal Data Regulation, unless your right to have your ordinary personal data protected takes precedence over our legitimate interest in processing your data.
We have a legitimate interest in processing your personal data for marketing purposes. This means that our legitimate interest consists of knowing your preferences so as to better customise our offers to you and, ultimately, deliver the products and services that best meet your needs and preferences. Of course, we also comply with all provisions of the Danish Marketing Practices Act. In accordance with this provision, we also carry out statistics on the number of members, purchases, contributions, use of the website etc.
In certain cases we may also be under a legal obligation to process personal data about you, for example in connection with documentation of audit trails, pursuant to the provisions of the Danish Bookkeeping Act. The Act stipulates, among other things, that we are obliged to keep accounting records for up to five years from the end of the accounting year covered by such accounting records. Examples also include reporting to the Danish tax authorities in order for you to get deductions for any contributions you have made to us. Your civil registration number must be included when reporting to the Danish tax authorities, cf. the Danish Tax Control Act, and is therefore the basis of our processing of information about your civil registration number.
We are able to process travelers' health information, which belongs to the Special Categories of personal data, in accordance with Article 9, 2 (a) of the General Data Protection Regulation where we obtain explicit consent. Health information is obtained solely for the benefit of travelers' health.
9 Sharing your Personal Data
We may share your personal data with the suppliers and partners that assist us in performing your order, or assist us with our IT operations, hosting, payment services, travel agency and telemarketing.
We may also share your data with other ActionAid Organisations to the extent that this is permitted by law.
If you participate in one of our online campaigns, we may publish your name in campaign materials. You will always be informed before you information is processed.
In addition to the above, we share your data to the extent that we are obliged to do so, for example due to requirements to report to public authorities such as the Danish tax authorities (SKAT).
10 Sharing your Personal Data with Recipients outside of the EU/EEA
Some of our service providers, as well as several of our sister organisations, are located outside of the EU/EEA. Therefore, occasionally, we share your personal data with recipients in countries outside of the EU/EEA. This, however, requires that:
- the relevant country or international organisation has a sufficient level of protection as defined by the European Commission
- we have agreed on standard data protection provisions passed by the European Commission with the recipient receiving your personal data
- the relevant recipient is certified according to Article 42 of the Danish Personal Data Regulation
- the relevant recipient has adopted a set of approved Binding Corporate Rules.
We may also ask for your consent to share your personal data with recipients located outside the EU/EEA, or this may be required due to an agreement with you or measures taken according to agreement with you. These exceptions of sharing are covered by Article 49 of the Danish Personal Data Regulation.
You may at any time request information about or a copy of the required guarantees that form the basis of sharing personal data with recipients outside of the EU/EEA and, if exceptions apply according to the description in Article 49 of the Danish Personal Data Regulation, the exceptions forming the basis for any such sharing of Personal Data.
11 Storing and Deletion of your Personal Data
We store and process your personal data if there is a legal and legitimate reason for doing so. Wherever possible, we use automated deletion and anonymisation processes in our systems. Where our systems do not allow us to use such automated deletion and anonymisation processes, we have established ongoing controls to ensure that personal data is reviewed and deleted/anonymised.
If you are a client or traveller, we will retain your personal data for five years plus the current year in accordance with the Danish Bookkeeping Act.
If you are a member, we will retain your personal data for five years plus the current year as per your withdrawal in accordance with the Danish Bookkeeping Act.
If you are a contributor, we will retain your personal data for five years plus the current year as per your withdrawal in accordance with the Danish Bookkeeping Act.
If you are a volunteer or course participant, we will retain your personal data for a maximum of five years after the relationship has ended.
If you are a user of our website and are neither a client, member, former member nor contributor, we will retain your personal data for up to 12 months. Personal data processed in Google Analytics will be retained for 26 months.
12 Your Rights
You are entitled to gain insight into the personal data we process about you. You may request insight into the personal data we have registered about you, including the purposes for which such data has been collected, by writing to us at the above address; see section 2.1. We will comply with your request for insight as soon as possible.
12.2 Correction and deletion
You are entitled to request that the personal data we process about you be corrected, further processed, deleted or blocked. We will comply with your request as soon as possible to the extent necessary. If for some reason we are not able to comply with your request, we will contact you.
12.3 Limitation of processing
In certain circumstances you are entitled to have the processing of your personal data limited. Please contact us if you wish to opt for a limitation of the processing of your personal data.
12.4 Data portability
You are entitled to receive your personal data (only information about yourself that you have provided to us) in a structured, commonly used and machine-readable format (data portability). Please contact us if you wish to make use of the opportunity for data portability.
12.5 Right to complain
You are entitled to ask us not to process your personal data in cases where the processing is based on Article 6(1)(e) (in the public interest or exercise of authority) or Article 6(1)(f) (legitimate interest). The extent to which we process your data for such purposes appears from this Policy. You may at any time exercise your right to complain by contacting us.
12.6 Revocation of consent
If the processing of your personal data is based on your consent, you may revoke your consent at any time. Your revocation does not affect the legitimacy of the processing that was carried out prior to revoking your consent. Please contact us if you wish to revoke your consent.
If you wish to revoke your consent to receive promotional information and offers in general, including by ordinary post, e-mail, text, telephone or other electronic means, you may do so at any time by writing to us at firstname.lastname@example.org. If we are unsure of your identity, we may ask you to identify yourself. This is free of charge, except for the ordinary costs of communication.
You may write to us at email@example.com to exercise one or more of the above rights.
There may be conditions or limitations attached to the exercise of the above rights. This means that you may not have the right to data portability in that particular case − it depends on the specific circumstances of the processing activity in question.
13 Potential Consequences of not Providing Personal Data
If you are obliged to provide us with personal data about yourself, it will appear in places where we collect such data. If you do not wish to provide us with the personal data we request, the consequence may be that we are not able to provide you with the services you request, complete your order, create you as a contributor etc.
Internally in our Organisation, our processing of personal data is subject to our IT and Security Policy. Our IT and Security Policy also contains rules for the conduction of a risk assessment and an impact assessment of existing, new or changed processing activities. We have implemented internal rules and procedures to ensure an appropriate level of security from the time of collecting personal data until deletion, and the processing of personal data is always carried out by Data Processors maintaining an appropriate level of security and protection.
15 Complaints to Supervisory Authority
If you are not satisfied with our processing of your personal data, you are entitled to file a complaint with the Danish Data Protection Agency:
Datatilsynet, Borgergade 28, 5th floor, DK-1300 Copenhagen K, telephone +45 3319 3200, e-mail: firstname.lastname@example.org
16 Updating this Policy
Mellemfolkeligt Samvirke complies with the basic principles of personal data and data protection. Therefore, we regularly review this Policy to ensure that it is up-to-date and complies with applicable principles and legislation. This Policy may be changed without notice. Significant changes in this Policy will be published on our website together with an updated version of the Policy.
Any future changes in the Policy will be published on this site and can be sent to you by e-mail if you so wish.
This Policy was last updated on 31 January 2019