Data Protection Policy

We care about your digital privacy.

POLICY FOR PROCESSING AND PROTECTING PERSONAL DATA

The data protection policy applies to the Dybbøl Banke History Centre, which is operated by the Dybbøl Banke Foundation.

Centre Manager Bjørn Østergaard has been appointed as responsible for implementing the data protection policy.

The policy is intended to help ensure and document that the foundation protects its personal data in accordance with the rules for the processing of personal data. The policy also contributes to the foundation providing information about the processing and use of the registered personal data.

The policy is reviewed annually.

LIST OF PROCESSING PERSONAL DATA

The foundation processes personal data about:

  • Employees
  • Customers
  • Suppliers

The foundation has prepared a list of the processing of personal data. The list provides an overview of the processing for which the Foundation is responsible.

The personal data is a prerequisite for the Foundation to enter into employment, customer and supplier contracts.

PURPOSE AND LAWFULNESS OF THE PROCESSING

Personal data is processed and archived in connection with:

  • Human resources administration, including recruitment, employment, termination and payment of wages
  • Master data for customers
  • Master data for suppliers
  • Contracts
  • Alarm
  • Video surveillance

The processing is lawful pursuant to the legal basis as stated in the attached list.

The Foundation does not use personal data for purposes other than those listed. The Foundation does not collect more personal data than is necessary in relation to fulfilling the purpose.

STORAGE AND DELETION

The Foundation has implemented the following general guidelines for the storage and deletion of personal data:

  • Personal data is stored in physical folders.
  • Personal data is stored in IT systems and on server drives.
  • Personal data is not stored longer than is necessary for the purpose of the processing.
  • Personal data for employees is deleted five years after employment ends, and personal data about applicants is deleted after six months or for a longer period upon receipt of consent.

DATA SECURITY

Based on the attached risk assessment, the Foundation has implemented the following security measures for the protection of personal data:

  • Only employees who have a work-related need to access the registered personal data have access to this either physically or through IT systems with rights management.
  • All computers have passwords, and employees must not give their passwords to others.
  • Computers must have a firewall and antivirus program installed that is updated regularly.
  • Personal data is deleted in a safe manner when phasing out and repairing IT equipment.
  • USB keys, external hard drives, etc. with personal data must be stored in a locked drawer or cabinet.
  • Physical folders are located in a locked office or in locked cabinets.
  • Personal data in physical folders is deleted by shredding.
  • All employees must receive instructions on what they are allowed to do with personal data and how personal data must be protected.

DISCLOSURE

Personal data about employees may be disclosed to public authorities, such as the Danish Tax and Customs Administration and pension companies, as well as to the police in the event of suspected theft.

DATA PROCESSORS

The Foundation only uses data processors if the data processors provide the necessary guarantees that they will implement the appropriate technical and organizational security measures to meet the requirements of personal data protection law. All data processors sign a data processing agreement before processing is initiated.

RIGHTS

The Foundation safeguards the rights of the data subject, including the right to access, withdrawal of consent, correction and deletion, and informs the data subjects about the Foundation’s processing of personal data. Data subjects also have the right to complain to the Danish Data Protection Agency.

PERSONAL DATA BREACH

In the event of a personal data breach, the Foundation will report the breach to the Danish Data Protection Agency as soon as possible and within 72 hours. Center Manager Bjørn Østergaard is responsible for ensuring that this happens. The notification describes the breach, which groups of persons it concerns and what consequences the breach may have for these persons, as well as how the Foundation has or will remedy the breach. In cases where the breach involves a high risk for the persons about whom the Foundation processes personal data, the Foundation will also notify them. The Foundation documents all breaches of personal data security on a restricted server drive on its own server, which is physically stored at the Foundation.