How we process personal data

Privacy policy for people whose personal data is processed by the Red Cross, i.e. when you participate in an activity, are an asylum seeker, are a contributor, a member, are seeking employment, are a customer, a supplier, an authority employee or are a user of our services, including being a visitor on our website

Version 0.8 - last updated 12. october 2018.

THE POLICY DESCRIBES HOW THE RED CROSS PROCESSES YOUR PERSONAL DATA AND EXPLAINS YOUR RIGHTS WHEN WE PROCESS YOUR PERSONAL DATA

Content

  1. In general
    1. Data controller
  2. The personal data we process about you
    1. Asylum seeker
    2. Visitors to the Red Cross websites (cookies)
    3. Contributors
    4. Participant in activities
    5. Participant in competitions, surveys, petitions, etc.
    6. Collector
    7. Job applicant
    8. Customer
    9. Supplier
    10. Member
    11. Authority
  3. Sharing your personal data
  4. Your rights
    1. Overview of rights
    2. Limited rights
  5. Security of processing
  6. Legislation, data protection rules, and avenues of complaint
    1. Legislation
    2. Complaints to regulatory authority
    3. Update of this policy
  7. Glossary

 

1 In general

This privacy policy applies to the personal data you give to the Red Cross and/or we collect about you when you participate in an activity, are an asylum seeker, a contributor, member, are seeking employment, are a customer, a supplier, an authority employee or a user of our services, including being a visitor on our website. In the policy, you can read more about which personal data we collect, how we process your data and how long we store data about you. 

You can always find the current version of the policy www.rodekors.dk.

 

1.1 Data controller

The data controller organisation for processing your personal data is:

Landsforeningen Røde Kors i Danmark

Blegdamsvej 27
2100 København Ø
+45 3525 9200
info@rodekors.dk
VAT No.: 20 70 02 11

(Hereinafter called ”the Red Cross”)

The Red Cross data protection officer (DPO) is responsible for supervising that the Red Cross complies with the general data protection regulation and the present data protection policy. All questions about the policy, the processing of your personal data and suspicion of noncompliance must be directed to:

Helen Bernt Rasouli
Data protection officer (DPO)
Finance and administration department

+45 3525 9352
DPO@rodekors.dk

 

2 The personal data we process about you

In this section, you can see which personal data we process about you – depending on your connection to the Red Cross. Please note we may process personal data about you in various connections, e.g. you may be both a member, a contributor and a participator in an activity.

 

2.1 Asylum seeker

Purpose of collecting your personal data

We collect data about you as an asylum seeker, when you stay at a Red Cross asylum centre, as to ensure the quality of our interaction with you in order to ensure you get the support and ser-vices you need and are entitled to as an asylum seeker, e.g. for healthcare benefits, childcare, services, competence clarification and special measures. The authorities require the registration and disclosure of a number of circumstances about you as an asylum seeker, and of course, we must comply.

Which personal data do we process?

The data we register, use and may disclose can include all circumstances relevant to your stay, your asylum application and the services you receive. 

We may have registered data about you regarding the following:

  • Ordinary personal data, e.g. contact information 
  • Social and family circumstances, marital status, etc.
  • Finances
  • Education, qualifications, competencies 
  • Confidential and sensitive personal data, e.g. ID number, data about race, ethnicity, political, religious or philosophic views, health and criminal offences
  • Traffic data about internet use
  • Camera surveillance at chosen locations with the purpose of creating safety and security.
  • Why are we allowed to process your personal data?
  • Processing your data is necessary for us to comply with the contract we have with the Danish Immigration Service and the laws applying to asylum seekers and with that deliver the relevant services to you as an asylum seeker. 
  • If we need to process your data and it is not required by law or the contract with the Danish Immigration Service, we will first obtain your consent for such a processing. 

Storing and deleting your personal data

We only store your personal data as long as it is necessary to serve the purposes for which they are collected. The above data will only be disclosed to authorities or other external partners, such as another asylum operator or municipalities, if we are bound by law to do so.
 

 

2.2 Visitors to the Red Cross websites (cookies)

The Red Cross has a number of websites which collects personal data. These websites are www.rodekors.dk, www.mitrødekors.dk and the websites of the Red Cross departments.

Purpose of collecting your personal data

We deliver a number of services to you as a user of our websites, including registration for con-ferences, the possibility of seeking a job (see also section 2.7) and signing up as a volunteer. 

If you are a contributor: We process your personal data in order to manage your payments, send you necessary information on your contribution(s), report your contribution to the tax authorities, if agreed with you, and send you marketing material.

When you use your websites, various data is collected if you accept that we use cookies. You can read more about which data is collected and how long they are stored at https://www.rodekors.dk/vi-bruger-cookies.

Which personal data do we process?

As a visitor on the Red Cross websites, we process your name, contact information and banking information, if relevant. If you accept that we report your contribution to the tax authorities, we must register and disclose your civil registration number to the tax authorities.

We also process contact information like address and preferences for volunteer work to enable us to obtain the best match between volunteer and recipients of Red Cross services.

Why are we allowed to process your personal data?

As processing your data is necessary for us to deliver the right services to the users, comply with our agreements with the users and handle requests and the like before signing agreements with the Red Cross. If relevant, we will ask for your consent before processing your data.

How long do we store your personal data?

If you have given your consent to the Red Cross, we will store your personal data for the time you are associated with the Red Cross.
 

 

2.3 Contributors

We use the term contributors about people who give a contribution, are donors, business partners, or contact person for a foundation.

Purpose of collecting your personal data

In the Red Cross, we use your personal data as contributor for the following:

  • If you are a contributor: We process your personal data in order to manage your payments, send you necessary information on your contribution(s), report your contribution(s) to the tax authorities, if agreed with you, and send you marketing material in accordance with current marketing legislation.
  • Donor: We process your personal data in connection with a number of project-related tasks, including contract management, financial management, and internal reporting, for donors, recipient countries and organisations.  
  • Foundation: We process your personal data in the Red Cross’ application to your foundation and to the following management of the contract with the foundation.
  • Business partner: We process your personal data in order to manage your payments, send you necessary information on your contribution(s), report your contribution(s) to the tax authorities, if agreed with you, and send you marketing material, if it is in accordance with current marketing legislation.

Which personal data do we process?

It applies to all that we process your name and your contact information and, if relevant, your title. For contributors, we also process your banking information and your civil registration number, if you have chosen for us to report your contribution to the tax authorities. For businesses, we also process your banking information and your VAT number, if you have chosen for us to report to the tax authorities. Conversations are recorded, when we call you for marketing purposes and this is due to quality assurance and for training and educational use.

Why are we allowed to process your personal data?

Processing your data is necessary for us to comply with our contract with a foundation, a donor, or a business partner. It is also in the legitimate interest of the Red Cross to register contacts for foundations, donors, and business partners, when we ask for contributions for the Red Cross or enter into a partnership.

It is in the legitimate interest of the Red Cross to store data about contributors. According to the Danish Bookkeeping Act, we are also required to save data about contributors for five years after the current year. 

How long do we store your personal data?

If you are a contributor to the Red Cross, we will store your personal data for the time you are as-sociated with the Red Cross and five years after the current year from your last donation accord-ing to the Danish Bookkeeping Act. Contributors are registered in a central database at the Red Cross. Personal data about contacts for donors, foundations, and business partners are kept as long as it is relevant.
 
If you have signed a payment agreement, the Danish Payment Service Act requires for the Red Cross to sign an agreement up to 13 months after the termination of the contractual relationship. 
 

 

2.4 Participant in activities

Participation in a Red Cross activity may happen in Denmark or in the countries where the Red Cross are carrying out development and emergency aid. The Red Cross activities have a wide scope, and therefore, the personal data we process will vary from one activity to the next.

Purpose of the data collection

If you participate in a Red Cross activity, we use your data for completing the task you have approached the Red Cross about, e.g. for getting a voluntary visitor, being part of a network, healthcare, counselling, etc. 

For chosen activities such as development, emergency aid and Christmas support, we also need to be able to document our use of resources.

Which personal data do we process?

When you participate in our activities, we typically need your name and contact information, so we can coordinate and communicate with you about the activity. 

If you participate in activities where we cooperate with the authorities or public bodies, we may need secure identification of you. In such cases, we will ask for your civil registration number or identification number.

For chosen activities such as the health clinic, doss-house and counselling, we also process data necessary for participating in the activity in question. This may include data about interests, occupation, social circumstances, family situation, health details, etc. We always collect the data from you, so you know exactly what data we have on you.

Why are we allowed to process your personal data?

It is in the legitimate interest of the Red Cross to process the data necessary for completing the activity in question. If we do not have your name or your contact information, we cannot com-municate or coordinate with you about your participation in our activities. 

The collection of data may also be governed by contractual or legal requirements, e.g. require-ment of documentation of participation in the activity.

If you participate in activities we organise with the authorities, we may need your civil registration number or identification number to ensure we are cooperating with the same person.

How long do we store your personal data?

Your data is stored with the person who manages/coordinates the activity you participate in. 
When the activity is ended or you tell the Red Cross you no longer want to be part of the activity, we will delete your data. However, this does not apply to participants in our healthcare activities, where we keep records for 10 years according to the Danish Health Act.

Concerning chosen data for development and emergency aid projects, it is a donor requirement that data is kept up to 12 years.  
 

2.5 Participant in competitions, surveys, petitions, and public teledata etc. 

Purpose of collecting your personal data 

If you have participated in a competition, given your consent in a survey, signed a petition, if we have purchased your data in public registers, or if we have signed another type of agreement, we will use your personal data to: 
 

  • Recruit members or ask for donations through telemarketing, text messages, emails, let-ters, and other marketing 
  • Notify you if you have won when participating in competitions 
  • Send you marketing material and other communication 

We purchase the following ordinary personal data from public registers with the purpose of re-cruiting members: name, address, postcode, city, telephone number. 
 
If you are contacted to be recruited or to give a donation or similar, we use your personal data to:

  • Be able to contact you  
  • Be able to send a receipt for your application for membership  
  • Be able to register if we can contact you in future  

Which personal data do we process? 

At the Red Cross, we process your name, address, postcode, city, mobile number, email address, and other contact information, if any, when we have purchased data or you have participated in petitions, competitions, surveys, etc. Conversations are recorded, when we call you for marketing purposes and this is due to quality assurance and for training and educational use.

We use automatic decisions as part of our direct marketing. As an example, this means that we use the ordinary personal data we collect about you to create a profile of you. The logic behind this is the following: We use existing data about our user to create a profile on e.g. Facebook – a socalled indirect profile as we cannot track the user’s activity other than announcing content targeted at the user. We have the opportunity of importing and exporting data to and from Facebook in the shape of name, email address, telephone number, and profile ID. However, we can only ob-tain the profile ID with socalled fundraisers, where the users collect money in favour of the Red Cross on Facebook on their own initiative. Also, engagement (likes, comments, sharing, video views, sign ups) from the users is tracked internally by Facebook and gives the advertiser (us) a better opportunity to target our content.  

Why are we allowed to process your personal data? 
Because the processing of your data is necessary for us to fulfil our agreement with you (e.g. with competitions or petitions) or for us to handle requests and the like before you sign an agreement with us.  When you sign another type of agreement with us, we process your ordinary personal data for that particular purpose. 

 
Storing and deleting your personal data 

If you have given your consent to us or we have obtained your data from a public register, we will store your personal data for the time you are associated with the Red Cross. Your data is regis-tered in our data model/master data. 

As a fundraising organisation we use the data provided for in relation to the data protection law § 13, para. 2, if the data protection regulation article 6, para. 1, litra f is met. Organisations approved by § 8A of the Tax Assessment Act with a valid fundraising license can perform fundraising and outreach activities in order to attract donors with a basis in the Consumer Contracts Act § 4, para. 2 and the Marketing Practices Act § 10, para. 2.
 

 

2.6 Collector

Once a year, the Red Cross organise a nationwide collection. Everybody collecting for the Red Cross on that day is referred to as collectors.

Purpose of the data collection

When you collect for the Red Cross, we use your personal data to:

  • Register you to know who we have given a collection box to
  • Send you an email with your personal result of the collection (only in Copenhagen)
  • Contact you to ask if you want to be a collector again
  • Contact and send you marketing material, if it is in accordance with current marketing legislation.


Which personal data do we process?

We collect the following personal data from you: Name, address, postcode, city, telephone number, and email address. 

Why are we allowed to process your personal data?

The Red Cross has a legitimate interest in registering your data to fulfil the above purposes.

How long do we store your personal data?

We store your personal data as long as you have a connection to the Red Cross. We store your data in a database for collectors. 
 

 

2.7 Job applicant

Purpose of the data collection

When you apply for a job at the Red Cross, we use your personal data to:

  • Communicate with you as an applicant
  •  Share data with members of the appointments committee
  • Evaluate your competencies, qualifications, and experience
  • Take references when you have given contact information and permission

Which personal data do we process?

We process your name and contact information and other data you choose to share with the Red Cross in your CV and application.

If you apply for an international job, your personal data may be transferred and shared with part-ners in a third country, where the EU data protection regulation does not apply.

Why are we allowed to process your personal data?

If you apply for a job at the Red Cross, you also give your consent for us to process your data.

How long do we store your personal data?

Your data is registered in our HR systems and is only accessible for employees in the appoint-ments committee. Your data is deleted after six months unless you have given your consent for us to store it longer.

If you apply for a position in the categories National Office, Emergency task force and International Development, you may at any time use the "edit my profile" feature on your EasyCruit account, if you want to delete, upload, and edit your data. 

EasyCruit may use automated decisions and automatic response to the applicant if competencies and qualifications do not match the requirements in the job posting.

If you apply for a position in the Asylum category, you can log on your profile and change your registered data by clicking Edit. Here, you can also delete your profile with the Delete my profile feature.
 


 

2.8 Customer

If you shop in our web shop, ask for a firstaider or buy a first aid course, we regard you as a customer in the Red Cross.

Purpose of the data collection

If you are a customer, we use your personal data as follows:

  • Web shop customer: personal data is used to answer any questions, carry out your order, and manage your customer relationship 
  • First aid course participants: We use your personal data to manage your signup and participation in the course, issue the course diploma and inform the authorities about course participants for us to receive subsidies
  • Purchase of company courses: We use your data to manage the agreement with your company
  • Asking for a firstaider: We use your data to manage our agreement with your company or organisation

Which personal data do we process?

Depending on the service you are buying from us, we collect the following personal data from you: name, address, telephone number, email address and civil registration number. 

Why are we allowed to process data?

It is the legitimate interest of the Red Cross to process your data, when you enter into a customer relationship. We must also store the data according to the Danish Bookkeeping Act.

How long do we store your personal data?

We store your data for five years plus the current year according to the Danish Bookkeeping Act. In connection with first aid course participants, we store your personal data as long as you have a connection to the Red Cross. If you are a company or an organisation asking for a firstaider or buying a company course, we store your personal data as long as it is relevant for the customer relationship.
 

2.9 Supplier

Purpose of collecting your personal data

If you are a current or possible supplier, we use your personal data to:

  • Manage the contract with you as a supplier
  • Be able to contact you about a future collaboration

Which personal data do we process?

We collect and store the supplier’s company name, contact information, contracts, and signatures in business documents.

Why are we allowed to process your personal data?

When we have signed a contract, we are allowed to collect and store personal data about the suppliers. For possible suppliers, it is in the legitimate interest of the Red Cross to store data until we have chosen a supplier or if we want to contact the supplier again.

Storing and deleting your personal data

Personal data about suppliers are deleted when they are obsolete or no longer relevant to the Red Cross. Signatures in contracts etc. are not deleted, unless the contract has expired.
 

2.10 Member

Purpose of collection of personal data

If you are a member of the Red Cross, we use your personal data to:

  • Be able to manage your membership
  • Contact you about membership
  • Be able to send you necessary information about your membership
  • Give you voting rights at the annual meeting of your Red Cross department
  • Be able to send you marketing material 
  • We process your personal data to administer your deposits, send you the necessary in-formation regarding your membership and contact and send you marketing material, if it is in accordance with current marketing legislation.

Which personal data do we process?

We process name and contact information, and if relevant your title. Furthermore we process your transaction details, your social registration number, if you set up an agreement about pay-ment service. Conversations are recorded, when we call you for marketing purposes and this is due to quality assurance and for training and educational use.

Why are we allowed to process your personal data?

When you sign an agreement about membership, it is in the legitimate interest of the Red Cross to register your membership, so we can manage your membership and ensure that you can vote at the annual meeting of your Red Cross department.

As a charitable organisation, the Red Cross is allowed to contact people with the purpose of signing a membership agreement with the organisation, cf. the Marketing Practices Act.

How long do we store your personal data?

We store your data for five years plus the current year after you have resigned membership of the Red Cross. We do this because it is a requirement in the Danish Bookkeeping Act. We register your data in a central database.

Have you entered an agreement about payment service, then current legislation requires the Danish Red Cross to document, that an agreement has been made 13 months after the end of the agreement.
 

 

 

2.11 Authority

Purpose of the data collection

If you are an authority employee, we process your data to be able to contact you to fulfil requirements from the authority in question and to complete the collaboration we have with the authorities.

Which personal data do we process?

We process name, title, and contact information.

Why are we allowed to process your personal data?

We are allowed to do this as part of a contract with an authority or to meet a legal requirement. If a collaboration is not governed by a contract or a legal requirement, it is part of the legitimate in-terest of the Red Cross to process the above personal data.

How long do we store your personal data?

We store your personal data as long as it is necessary to fulfil the agreement we have with the authority in question and to fulfil contractual and legal requirements.
 

 

3 Sharing your personal data

For processing personal data, it may be necessary to share your personal data with suppliers, col-laborators, and authorities. This could be suppliers hosting our IT solutions or assisting the Red Cross in our IT operation. We also share your data to the extent we are bound by law to report to public authorities, such as the Danish tax authorities or the Danish Immigration Service. 

A few of our service suppliers are outside the EU/EEA, and some of our sister organisations are al-so outside the EU/EEA. Therefore, it happens that we share your personal data with recipients in countries outside the EU/EEA. However, this assumes that:

  • The country or international organisation in question has a sufficient protection level as es-tablished by the European Commission
  • Standard data protection conditions adopted by the European Commission have been agreed to between the Red Cross and the concerned recipient of your personal data

We may also ask for your consent to transfer data to recipients outside the EU/EEA, or this may be necessary as a result of an agreement with you or measures taken in connection with an agreement with you, e.g. if you apply for a job at the Red Cross internationally. These exceptions for data transfer are covered by General Data Protection Regulation, article 49.

You may at any time have information about or perhaps a copy of the necessary guaranties that form the basis for transferring personal data to recipients outside the EU/EEA, or about the excep-tions that make the basis for a data transfer if exceptions are used as mentioned in the General Data Protection Regulation article 49.
 

 

4 Your rights

When we process your personal data, you can use a number of rights. These are reviewed below. If you wish to use one or more of these rights, please email the Red Cross at DPO@rodekors.dk. We will answer your request as soon as possible. Complaints will be archived for three years as documentation and then deleted.

If you are required to hand out data about yourself to the Red Cross, it will be stated where we collect the data. If you do not want to give the personal data we ask for, it may have the conse-quence that we cannot deliver the services you ask for, complete your orders, create you as a contributor, etc. 
 

 

4.1 Overview of rights

Access

You have right of access to the personal data we process about you and right to know for which purposes they are collected. 

Correction, deletion, and restriction of processing

You have the right to ask for correction, additional processing, deletion, or blocking of the person-al data we process about you. In extraordinary circumstances, you have the right to restrict the processing of your personal data. 

Data portability 

You have the right to receive your personal data (only data about yourself, as given to the Red Cross) in a readable format. 

Right of objection

You have the right to ask the Red Cross not to process your personal data in cases where the processing is based on the legitimate interest of the Red Cross.

Withdrawal of consent 

If you have given your consent for us to process certain personal data about you, you have the right to withdraw you consent for the data included in the consent. Your withdrawal of your con-sent does not change the lawfulness of the processing performed before you withdrew your consent. 

If you want to withdraw your consent to receive promotional information and offers in general, including by surface mail, email, text messages, telephone, or other electronic media, you can do this at any time by emailing to fastbidrag@rodekors.dk. 

For other types of consent, please email to dpo@rodekors.dk.
 

4.2 Limited rights

Conditions and/or limitation may be associated with the above rights. Therefore, it may not be certain that you e.g. have the right to data portability in the case at hand – it depends on certain circumstances for the processing in question.

In certain cases, we are also bound by law to process personal data about you. An example could be for use as documentation of transaction trails and the like pursuant to the rules in the Danish Bookkeeping Act. Among other things, we must store accounting records for five years plus the financial year the accounting records concern. It could also be in connection with reporting to the Danish tax authorities for you get a tax reduction for your contribution to the Red Cross. There-fore, in some instances we cannot meet your request to have data deleted.

If you want to use your rights, and the information you provide does not match with what we have in our system, then we are required to ask you to further identify yourself, e.g by asking to see a picture ID. Apart from the normal communication costs, this is free of charge.

If you do not want to be contacted for marketing purposes by the Red Cross in the future, we can register you on our nocontact list. It is the only way for us to ensure that we do not contact you again. 
 

5 Security of processing

I Røde Kors er vores behandling af persondata underlagt vores informationssikkerhedspolitik. Vi opdaterer løbende vores interne regler og procedurer for opretholdelse af passende sikkerhed fra det tidspunkt, hvor vi indsamler persondata frem til sletning, ligesom vi alene overlader vores behandling af persondata til databehandlere, som opretholder et tilsvarende passende sikkerhedsniveau.

 

6 Legislation, data protection rules, and avenues of complaint

In this section, you can read about the legislation that forms the basis for the processing of per-sonal data at the Red Cross and your avenues of complaint if you are dissatisfied with our processing of your data.

 

6.1 Legislation

The overall legal framework for our processing of personal data is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 

Apart from this, there is The Danish Act on additional provisions to regulation for the protection of natural persons in connection with the processing of personal data and on the free exchange of such data (Data Protection Act) enacted on 17 May 2018.

The Red Cross is also bound by other legislation in connection with the processing of personal da-ta, e.g. the Danish Bookkeeping Act and the Danish Health Act. Thus, the Data Protection Regula-tion does not repeal the duties and rights that the Red Cross has according to other legislation.
 

6.2 Complaints to regulatory authority

If you are dissatisfied with our processing of your personal data, you can complain to the Danish Data Protection Agency:

Danish Data Protection Agency

Borgergade 28, 5th floor
1300 Copenhagen K
+45 3319 3200
dt@datatilsynet.dk

Read more about the complaint procedure here: www.datatilsynet.dk
 

 

 

6.3 Update of this policy

The Red Cross is required to respect the fundamental data protection principles. Therefore, we regularly review this policy to keep it up-to-date and in agreement with current principles and leg-islation. This means that this policy may be changed without notice. Updated versions will be shared at www.rodekors.dk.

7 Glossary

Below are definitions of some of the most important data protection concepts:

Personal data    

Any type of data about an identified or identifiable natural person. This is data that may identify a certain natural person, either directly or indirectly, alone or combined.
 

Legal basis (authority)

Lawfulness of processing is a legal concept indicating whether it is lawful to carry out a planned processing of personal data. Authority to process personal data at the Red Cross is typically legis-lation, a contract, the legitimate interest of the Red Cross or a consent. Legitimate interest deals with a data processing necessary for completing a task in the interest of the Red Cross.

    
Data controller    

The person responsible for how data is processed in the Red Cross, i.e. the person deciding which purpose we base the processing of personal data on and which tools we use.

Data processor 

The supplier or public authority processing personal data on behalf of the Red Cross.

Data subjects

All the people we register personal data on. 

Processing    

Any activity or series of activities involving the use of personal data, i.e. to view, read, collect, register, organise, store, search for, use, pass on or delete.

Special personal data categories    

Data on race or ethnicity, political, religious, or philosophic views or labour union association, ge-netic data, health or data about a natural person’s sexual circumstances or sexual orientation and data in the shape of biometric data, if biometric data is processed with the purpose of unequivocal identification of a natural person (sensitive data).

Donor

In the Red Cross, we use the word donor for authorities or organisations donating money to Red Cross projects. 

General Data Protection Regulation    

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Danish data protection act    

The Danish Act on additional provisions to regulation for the protection of natural persons in connection with the processing of personal data and on the free exchange of such data (Data Protection Act) enacted on 17 May 2018.