Below is a description of how we collect, process and store personal data about you as a visitor to our website, as a course participant receiving language training, or as a participant in one of our events. Our clear goal is to be transparent with regard to the way we handle personal data and to protect data in accordance with legislation.
2. What personal data do we process and what is the purpose?
We only process data that are objectively necessary to comply with legislation and provide our course participants with services (contract fulfilment) including course enrolment, invoicing, sending out relevant course information and training and sending participant information to local authorities in accordance with the Danish Public Information Act and local authority rules on subsidies and contracts with adult education centres.
These data include:
- Name and surname
- Date of birth/civil registration number (CPR)
- Email address
- Telephone number
- Payment details (through payment gateway)
- Geo data and video (such as via Zoom)
- Photo, if relevant (voluntary in Moodle – see below)
We generally do not process sensitive personal data. However, we may sometimes process individual pieces of data about allergens and disabilities if this is relevant to participation in an event or a course.
This may be particularly relevant in relation to the learning platform Moodle, which all course participants are granted access to. Here, you can communicate with your teacher and the other course participants in your class.
Moodle requires some personal data in order to work, such as your name and email address, and you can choose to upload a photo of yourself. Your name and your photo, if any, will be disclosed to your class and your teacher. It is possible to communicate through Moodle. In this connection, we ask you not to write any sensitive data in Moodle, such as information on your health, your religion, philosophical convictions or other sensitive or confidential information.
3. How do we collect data?
The collection of personal data is carried out in one of the following ways:
- Via the website, where you enter personal data in an online form.
- Email contact where your data will be copied to our administrative systems by school staff.
- Telephone contact where your data will be entered into our administrative systems by school staff.
- Personal attendance where your data will be entered into our administrative systems by school staff.
4. How long do we store data?
Studieskolen generally stores personal data for as long as there is an active relationship between the school and the data subject in which it is in the interest of the data subject that Studieskolen processes the data. Data will be erased when this relationship ends. Of course, erasure will only be effected to the extent that Studieskolen does not have statutory authority or other objective reasons to store the data for a longer period.
In line with section 10 of the Bookkeeping Act, we store personal data for five years, reckoned from the end of the relevant financial year in which the course was completed.
In line with section 33 of the Executive Order on Exams, we store personal data on persons who have participated in an exam or a test for 30 years after the end of the exam or test.
5. Who has access to the data?
Only trusted staff members who need access for objective reasons have access to all or part of the stored personal data. These are:
- The school’s administrative staff, who are responsible for enrolments, booking and invoicing of participants.
- The school’s administrative staff, who are responsible for accounting regarding subsidies, bookkeeping and communication with authorities.
- The school’s teachers, who are informed about names and other limited relevant data regarding the formation of attendance lists, meeting minutes and meeting cards.
6. Disclosure of data
In order to process payments, we only disclose data essential to completing the payment and identifying the payer. Information about the payer’s ID, course ID and amount is passed on to A/S Scannet, which we use for payment gateway services.
At the same time, we disclose data to public authorities in accordance with current legislation. Names and contact data may be disclosed to local authorities under the Danish Public Information Act, the subsidy rules.
Civil registration numbers (CPR) are disclosed to local authorities under the rules on reimbursements between local authorities and to adult education centres under the Executive Order on Preparatory Adult Education.
A solemn declaration may be disclosed to the local authority under the local authority rules on payment of supplementary grants (reduced course fees).
7. Data Storage and Data Processors
Studieskolen has entered into data processing agreements with its usual IT providers. These agreements ensure that the data passed on to the individual systems (such as payment gateways, email and file systems, website hosts, course participant management systems, etc.) are processed and stored in a secure manner as these providers guarantee that they will comply with GDPR legislation.
8. Cookies and log files
- Which pages visitors visit and when they visit.
- Visitors’ IP addresses.
- Location in the country and which country visitors come from.
- The language used by the visitor’s computer.
- The browser and OS used by visitors.
- The keywords visitors have used to generate content.
- The page visitors have just come from (external and internal links).
- The links visitors have clicked on.
- Visitors on our website indicate their acceptance of these statistics cookies. If you turn off cookies in your browser, you will still be able to use our website. Instructions on how to delete or block cookies are usually found in your browser’s help file.
If you use one of our IT services that require a login, your actions will be registered in our log files. This registration is in accordance with current legal requirements regarding the registration of activities in IT systems in order to prevent misuse and hacking. These digital trails are stored for a maximum of five years in accordance with the agreement with our data processors.
9. Your rights
Under current legislation, everyone is guaranteed the following rights:
- The right to receive information about how your personal data have been processed (duty of disclosure).
You have the right to know who is responsible for the data, the purpose of the processing, and who receives/processes the data.
- The right to access your personal data (right of access).
You have the right to be informed about what sort of data we are processing as well as any printouts or copies of the collected data that may have been made.
- The right to have incorrect personal data corrected (right to rectification).
If you believe that any data we have are incorrect, inaccurate or inadequate, you may request the data to be corrected.
- The right to have your personal data erased (right to be forgotten).
If you believe that the data we have are not necessary for the purpose for which they were originally collected, you may request that the data be erased. Please be aware, however, that we have a duty and a right to store certain personal data in order to comply with the rules of the law.
- The right to move your personal data (data portability).
You have the right to receive information about yourself in a structured, commonly used and machine-readable format, and you have the right to transfer this information to another company.
- The right to object
You have the right to object to the use of personal data for things like direct marketing and profiling. However, we do not use profiling, and any marketing will always be preceded by explicit consent.
If you contact us regarding one of the above points (access, rectification, erasure, etc.), within one month, you will be notified about what we intend to do with regard to your enquiry. For example, if you request your data to be corrected or deleted, we will usually check whether all relevant conditions are met, including whether there is a legal basis for the continued processing of data. If we conclude that the objection is justified, we will comply with the request.
For enrolments, invoicing and bookkeeping, we do not need to obtain consent to process data as its lawfulness (see Article 6 of the EU General Data Protection Regulation) is derived from the necessity of processing data to be able to fulfil the contract.
However, in order to collect personal data for other purposes, e.g. supplementary information regarding a course or for signing up to receive our newsletter, we may request consent if necessary.
Consent may be in writing or oral, but we must be able to document that consent has been given. In most cases, this consent will take the form of a ticked box on our website or during the enrolment process when our IT systems will record the time and form. Consent may also be given via email or other digital communication.
When giving consent, you will be informed about the details, including the purpose and the retraction process.
Of course, we ensure that data are stored safely and discreetly. Our security measures are divided into organisational and technical measures.
The organisational security measures mean that only the school’s trusted persons with a relevant objective purpose have access to your personal data. This is in connection with course enrolments, course administration, invoicing and communication. In addition, our teachers have limited access to your personal data. This is only data that are relevant for conducting the course (see point 6 above).
Our staff are guided and instructed about data security on an ongoing basis. This includes how to handle and protect data. We also keep track of our data processing activities, which are under the control of the Danish Data Protection Agency.
The technical security measures are linked to our use of IT systems for the registration and administration of group and participant data. Our data are securely stored and have the required level of protection. All communication (for example, enrolments and payment) that occurs on our website is protected by authenticated security certificates with a 256-bit encryption key. A backup of the data is performed daily.
Our internal IT systems (PCs, etc.) are further protected with passwords, updated antivirus programs and a firewall, while any physical materials are kept under lock. In the event of destruction or repair of IT equipment, every effort is made to ensure that data cannot be accessed by unauthorised persons.
12. Complaints and contact details
Borgergade 12, 1300 Copenhagen K
You can file a complaint about Studieskolen’s processing of your data with the Data Protection Agency. The contact details of the Data Protection Agency can be found at the Agency’s website, www.datatilsynet.dk.