Data protection policy

Business Academy Aarhus will ensure that everyone registered with us is guaranteed the transparency that the European Data Protection Act entitles you to.

In our overall policy for the processing of personal data, we have made it clear that we only collect and process data that is needed to administer your study programme (and similar) – and so that we can run Business Academy Aarhus successfully.

We only process personal data for this purpose, and if we need it for another purpose, we will inform you first.

As mentioned above, Business Academy Aarhus’ primary goal is only to process data that we have the legal right to process, but if we need to get your permission first, we only will process this data once we have received consent, and we will stop as soon as you retract your permission.

Transparency is also ensured by the fact that you have the right to full disclosure of information concerning which personal data we have registered about you, and how we use it.
We will, however, ask that you do not abuse this possibility too often, and only with ‘reasonable time intervals’, as mentioned in the Data Protection Act.

Where do the rules come from?

The Data Protection Act, article 5 describes the principles for the processing of personal data, which everyone, including Business Academy Aarhus, must comply with. Article 12 of the Act describes a data protection officer’s (DPO) responsibility to ensure transparency of data processing.

Processing of personal data, as part of our authority

As a student at Business Academy Aarhus, and as a partner, you must be aware that we treat process your personal data. We do this in order to enrol you as a student so that you can get teaching, take exams and get SU. We will also process personal data in order to be able to cooperate with other partners. 
This means that you do not have to give permission (= consent) for Business Academy Aarhus to process this type of information.

Business Academy Aarhus, as an educational institution is allowed (= has authority) to process information about you as a student, when this is done according to the legal obligations for Business Academy Aarhus, as well as when this processing falls within public authority functions, which are imposed on Business Academy Aarhus. 
For future and existing students, this means that we process your application for admission, your registration information, your application for SU as well as any potential applications for exemption and/or complaints.

The processing of personal information, where you must give consent

In some situations, Business Academy Aarhus does not have the authority to process your personal data.  In such situations, we will always ask you for permission to process your information. This could be for example, taking photos we want to publish or if you give us an interview about your programme for our website. 
If we ask for your consent to process your personal data, you are allowed to say no. If you give your consent, you are also allowed to withdraw it later. Read more about consent further down.

For former employees

When you are no longer employed at Business Academy Aarhus, there may be situations where the Academy still needs to process your personal data for a while afterwards.

This could for example, be information that needs to be given to SKAT and Feriekonto, HR-relevant information (e.g. about an senior lecturer qualification), personal data in other systems and documents that have been in used in connection with your employment (e.g. references etc) - as well as news stories etc. on our intranet and website, in which you appear.

Your employee profile (on the intranet and website) will be deleted.

Where do the rules come from?

The Data Protection Act, article 6 describes the criteria for lawful processing of ordinary personal data, and Business Academy Aarhus’ processing usually falls within article 6, 1 (c) and (e) (authority) and a (consent).
The processing of sensitive personal data is done with the authority from the Act’s article 9, 2 (a) (consent) and (b) (protection of rights in for e.g. a negotiation).

There is data processing Business Academy Aarhus can do because we have the authority for it, and then there is data processing that requires consent.

In these cases, we can only use personal data with your consent:

• Portrait photos (including model photos)
• Adding your contact information to member lists
• Lending exam papers

You have the right to withdraw your consent at any time.

For marketing purposes, e.g. in brochures or on the website, etc., we can be use situation photos from classes and the study environment.

How do you give consent

Your consent must be a clear confirmation that involves a voluntary, specific, informed and unequivocal assertion from you where you agree that Business Academy Aarhus can process this personal data.

You must give consent for each individual purpose that we want to process your data according to, but Business Academy Aarhus will try to ensure that, as far as possible, this all happens at the same time.

It is Business Academy Aarhus’ policy that all consent must be written, and preferably electronic. This gives you the greatest degree of security, and it makes it easier for us to manage.

You can give consent here (link will follow shortly).

How to retract your consent

You have the right to withdraw your consent at any time.

Please be aware that you can't withdraw your consent retroactively. The data processing that we have already done with your consent cannot be cancelled.

You can retract your consent here (link will follow shortly).

Where do the rules come from?

The Data Protection Act article 7 describes the conditions for consent, and the registered rights and obligations of the DPO in connection with this. In article 6 of the Act, the lawful processing of personal data is described, and it is stated here that data processing is lawful, if consent has been given for one or more purposes by the relevant party.

You have the right to, with ‘reasonable intervals’, to learn which personal data we have on you and how we process it.

If you ask for disclosure of information, you have the right to access the personal data we have on file about you, and you have the right to receive the following information:

• How we process it.
• The aim of the data processing.
• Which categories of personal data we have.
• Who we potentially disclose your personal data to.
• Where we have the data from, if we didn’t get it from of you.
• How long we will keep it – or if it is not possible to say exactly, then information on the criteria used to determine this period.
• Information on the right of rectification.
• Information on the right to delete.
• The right to complain to Datatilsynet.

Business Academy Aarhus has a duty to respond to your request for the disclosure of information ‘without undue delay.’ Business Academy Aarhus’ policy is that the processing of your request must be made within one month from the receipt of your request.

Business Academy Aarhus will work to ensure that access to your disclosure of information will be as easy as possible. 

How to get disclosure of information

At the moment, you must send an email to persondata@eaaa.dk.

We are working on allowing you to apply for disclosure of information by sending the request from a secure site, where you can ask to get disclosure of information into which personal data we have about you. 

We will need your name and your CPR number in order to find the correct personal data.

Where do the rules come from?

Article 15 of the Data Protection Act describes your right to disclosure of information concerning the information which a DPO processes about you.  Article 12 of the Act describes the DPOs obligations to, among other things, comply with requests for disclosure of information.

You have the right get your personal data deleted, if it is no longer required to fulfil the purpose of keeping it, if you have withdrawn your consent, or if it is not treated in accordance with the EU’s Data Protection Act

Business Academy Aarhus has an obligation to delete this personal data ‘without undue delay.’
Business Academy Aarhus’ policy is that the processing of your request and deletion of your information must be made within one month from the receipt of your request.

Please be aware that a large amount of information cannot be deleted because Business Academy Aarhus is obliged via other laws and ordinances  to store data relating to students and employees.

What to do

You must request deletion of personal data by sending an e-mail to persondata@eaaa.dk and specify the personal data that you want deleted.

We will need your name and your CPR number in order to be able to process your objections.

We are working on a system that will allow you to request this from a secure site.

Where do the rules come from?

The Data Protection Act article 17 describes your right for deletion (‘right to be forgotten’).

Personal data must be accurate, and Business Academy Aarhus must take all reasonable steps to ensure that personal data that is not correct in relation to the purposes for which it is further processed, be rectified.

If you become aware of the fact that there are errors in the personal data that Business Academy Aarhus has registered about you, you have the right to have the error corrected as soon as possible. You also have the right to rectify all the information, if you become aware that Business Academy Aarhus has registered incorrect information about you. Contact Business Academy Aarhus and make us aware of the mistake, or where the information is incorrect.

Business Academy Aarhus has a duty to respond to your request for disclosure of information within one month after your request has been received.

If your information has been disclosed to other authorities, Business Academy Aarhus will inform them of the changes in your information, so that your information can also be corrected there. You have the right to be informed of which other authorities have received your information. Contact Business Academy Aarhus about this.

Please be advised that you have the right to rectify actual mistakes or supplement information that is deficient. You cannot alter factual conditions or add information that has occurred after you graduated, for e.g. from Business Academy Aarhus or similar.

What to do

You request that your personal data is rectified by sending an email to persondata@eaaa.dk and clarify what needs to be corrected, where.

We will need your name and your CPR number in order to be able to process your request.

We are working on a system that will allow you to request this from a secure site.

Where do the rules come from?

The right of rectification is defined in the Data Protection Act, article 16, and article 19 describes Business Academy Aarhus’ duty to notify other authorities that may have your personal data, to rectify or complete your data, as well as your right to get information concerning which authorities have received your information.

You have the right to object to the processing of personal data based on your specific situation, when the processing of the information is based on authority in very specific situations. By this we mean situations where the processing takes place in the context of public authority functions, which have been imposed on Business Academy Aarhus.

Please be aware that this means that you can only object to certain types of processing of your personal data, and not all data processing.  For example, you cannot object that we process information about your admission when you are a student at Business Academy Aarhus.

If you have objected to processing of data, and if Business Academy Aarhus finds that the particular processing is covered by your right to object, Business Academy Aarhus must not process your personal data any longer, unless there are specific and serious reasons for this for example, grounds for any legal claims. If Business Academy Aarhus finds that there are specific and serious reasons that require the continuing processing of your personal data despite your objection, Business Academy Aarhus must prove this.

In the case of direct marketing from Business Academy Aarhus, you always have the right to object to the processing of your personal data for this purpose. If you object to direct marketing, we will therefore immediately cease processing your personal data for this purpose.

If you believe that Business Academy Aarhus is processing personal data about you in a manner that is contrary to the applicable laws, you can obviously always require that this processing stops. Contact Business Academy Aarhus about this at persondata@eaaa.dk

Business Academy Aarhus has a duty to make a decision within one month after your request has been received. You will receive your case’s decision, and if your request has not been fulfilled, you will receive supervision on how you can appeal against the decision.

What to do

You objet to the processing of your personal data by sending an email to persondata@eaaa.dk and clarify what you are objecting to.

We will need your name and your CPR number in order to be able to process your objections.

We are working on a system that will allow you to request this from a secure site.

Where do the rules come from?

The right to object is imposed in article 21 of the Data Protection Act.

You have the right to request limitation of processing in the following cases:

• If you believe that your personal data is not correct, the processing of your data must be limited until the DPO has had the opportunity to determine whether it is correct or not.
• If the processing of your personal data is illegal, you can request that your personal data only be used to a limited extent instead of deleting it.
• If the DPO no longer needs your personal data for processing, but it is necessary to determine whether a legal claim can be established, be invoked or defended, then you can ask for limited processing.
• If you have objected to the processing of your personal data, then you can request limited processing during the period in which it is being determined whether your legitimate interests take precedence over the DPO’s.

Business Academy Aarhus has a duty to make a decision within one month after your request has been received. If your request is accepted, you will be notified before the restriction is possibly revoked again.

What to do

You request the limitation of processing of your personal data by sending an email to persondata@eaaa.dk and clarify what you are objecting to.  

We will need your name and your CPR number in order to be able to process your objections.

We are working on a system that will allow you to request this from a secure site. 

Where do the rules come from?

The right to object is imposed in article 18 of the Data Protection Act.

By profiling, we mean fully automatic processing of your personal data in order to evaluate certain facts about you and, for example, take an automatic decision which would automatically produce legal effects for you or could otherwise affect your situation considerably.

Typical examples of profiling are for example automatic profiles that can be used for credit evaluation with a bank or mortgage lender. You have the right to disclosure of information which has been collected about you, including information that is used for profiling purposes. You also have the right not to be a subject of a decision, which includes profiling.

Business Academy Aarhus does not use such any of these types of automatic decisions.

Where do the rules come from?

The right not to be a subject of profiling is defined in the Data Protection Act, article 22.

Business Academy Aarhus has a duty to inform anyone registered (students, employees, co-examiners, citizens) about our processing of data concerning them.

When we collect personal data directly from a registered person

Situation: When we collect information about individuals directly from the person (e.g. by signing up for a newsletter or an application), we must inform you that we are doing this.

How: Business Academy Aarhus has a duty to inform people that they are providing us with their personal data.  There is no requirement to do this in writing, but because we must be able to document that we have provided this information, it would be an advantage.

Exception: However, if the registered party is already aware of this, we are not required to inform them again.

When: We inform people no later than when the information is gathered.

What do we inform about?

• The DPO and their contact information (which may be a representative).
• The DPO's contact information. (DPO = Data Protection Officer).
• The purpose of the processing of the data which is gathered and the legal basis for the processing.
• Any recipients or categories of recipients of the information.
• Whether Business Academy Aarhus intends to transfer the data to a third country, and an indication of their level of security.
• The time span that the data will be stored for.
• The right to the disclosure of information, rectification and deletion, as well as the limitation of processing and objection to information.
• The right to withdraw consent, in the case of processing on the basis of previously provided consent.
• The right to complain to the supervisory authority.
• Whether it is required by law or authority in a contract that a registered person must provide information, and the consequences for the registered person if they do not provide such information.
• Whether we use automatic decisions, including profiling, and the logic behind the automatic decisions.
• If Business Academy Aarhus wants to further process personal data for a purpose other than that for which it was collected, you must be informed.

When we don’t collect personal data directly from a registered party

Situation: When we receive information about a person who has not personally provided it to us, we have a duty to inform them about it.

Exceptions: If you are already registered or are familiar with the information, or it is impossible or would require a disproportionate effort to inform (particularly in the context of archival purposes or research), then it is not a requirement that we inform.
In addition, in the case of gathering or disclosing information which is expressly laid down by EU legislation or national legislation, we do not need to inform.

When:

Information included in this must be given within a reasonable time period  after gathering it, and no later than a month (for the sake of specific conditions in which the information is processed under).

Personal data is to be used to communicate with the registered person, they must be informed no later than the time of the initial communication with the registered person.

The information is intended for disclosure to another recipient, they must be informed no later than when the personal data is disclosed for the first time.

What do we inform about?

We inform according to more or less the same conditions as when the information is collected from the registered person.

• The DPO and their contact information (which may be a representative).
• The DPO's contact information. (DPO = Data Protection Officer).
• The purpose of the processing of the information which is gathered and the legal basis for the processing.
• The affected categories of personal data (different from the categories, we’ve collected from the registered person).
• Any recipients or categories of recipients of the data.
• Whether Business Academy Aarhus intends to transfer data to a third country, and an indication of their level of security.
• The time span that the data will be stored for.
• The right to the disclosure of information, rectification and deletion, as well as the limitation of processing and objection to information.
• The right to withdraw consent, in the case of processing on the basis of previously provided consent.
• The right to complain to the supervisory authority.
• The source of the personal data, and an indication of whether there are any public sources.
• Whether we use automatic decisions, including profiling, and the logic behind the automatic decisions.
• If Business Academy Aarhus wants to further process personal data for a purpose other than that for which it was collected, you must be informed.

Where do the rules come from?

Business Academy Aarhus’ duty to disclose is laid down in articles 13 and 14 of the Data Protection Act.

For inquiries concerning personal data at Business Academy Aarhus, for the vast majority of cases, you must send an email to persondata@eaaa.dk

If you need to contact our Data Protection Consultants, here is the contact data for Business Academy Aarhus’ DPO team (Data Protection Officer):

The DPO team at Business Academy Aarhus
E-mail: GDPR@efif.dk 
Phone: 8936 3280
Address: Sønderhøj 28, 8260 Viby J, Denmark

Flemming Rasmussen
Data Protection Consultant, EFIF
Mobile: 2060 1942
Mail: fr@efif.dk