Personal data policy

1. General

This Personal data policy applies to all the information you provide to us and/or that we collect about you, either as part of a support, member or contributor relationship or as a user of our services, including when you are active on our website. In the policy you can learn more about what information we collect, how we handle your information and the period we store information about you. You should read this policy and contact us if there is information in the policy that you cannot accept.

2. Data responsible and data protection officer

The data-responsible organisation for processing your personal data is:
Oxfam IBIS
Vesterbrogade 2B
DK- 1620 Copenhagen V
35 35 87 88
oxfamibis@oxfamibis.dk
CVR 88 13 64 11

The overall legal framework for our processing of personal data is the Personal Data Protection Scheme (EU 2016/679) and the Data Protection Act (DK Act No 502).
The Organisation's Data Protection Officer ("DPO") is responsible for ensuring compliance with the Privacy Policy, the Privacy Regulation and the Data Protection Act. All questions relating to this personal data, the processing of your data and suspected non-compliance must be addressed in the first instance to DPO Ole Møs, which can be contacted on persondata@oxfamibis.dk.

3. Definitions

The following are definitions of some of the main concepts of personal data law:

Personal data: Any form information about an identified or identifiable physical person. That is, any information which can identify, directly or indirectly, alone or in combination, a physical person.

Data responsible: The physical or legal person, public authority, institution or other body which alone or together with others determines for what purposes and for which means personal data may be processed.

Data processor: The physical or legal person, public authority, institution or other body processing personal data on behalf of the Data responsible.

Processing: Any activity or series of activities involving the use of personal data, such as collection, registration, systematization, modification of, search, grouping, entrustment or disclosure to persons, authorities, companies, etc. outside the organization.

Specific categories of personal data: Information on ethnic origin, political, religious or philosophical beliefs or trade union affiliation, genetic data, health data or information on the sexual or sexual orientation of a physical person, as well as information in the form of biometric data, provided that biometric data is processed for the purpose of uniquely identifying a physical person (sensitive information).

The GDPR (General Data Protection Regulation): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free exchange of such data and repealing Directive 95/46/EC and related regulation.

Data Protection Act: Law 502 of 24 May 2018: Law on additional provisions for the Regulation on the protection of individuals regarding the processing of personal data and on the free exchange of such data.

4. Purpose of processing your personal data

Depending on whether you are a member of the association, support member, contributor, signer or perhaps simply use of our website, we are obliged to process your personal data to such an extent that we can provide you with the services you demand and that we can comply with the obligations we have as a charity. This applies both to handling your contributions – unless you choose to contribute anonymously – your possible purchases of services from us and/or when we manage your subscriptions or memberships with us. It may also be when using our petitions and similar campaigns, our member service and/or in connection with our marketing to you.

5. The personal data we process about you

We collect this information directly from you:
As a starting point, when you support us as either join member, support member or contributor, we collect the following common personal data from you: first name  and  surname, address, zip code, city, mobile number, email address, registration  and  account number. In petitions, we collect first name, last name, email address and any mobile number.

In addition, we collect your CPR No. if you give it in connection with the facts that you want tax deduction of any contribution.

We also collect your IP address when you visit our websites.

We buy phone numbers of potentially interested persons with the aim of enlisting members.

If you support via text messages from a phone number, that we have not already connected to our database with a first and last name, we will associate your phone number with your first and last name if this information is publicly available.

We collect information about which school you are linked when you sign up for an event or order materials for schools, as well as when you deposit a collection from a school.

As a rule, we do not collect any sensitive personal data about you.

6. Cookies

Our website uses cookies to manage login as well as to collect web statistics and enable marketing to visitors. A cookie is a small text file that is sent from our server to your browser and stored on your computer's hard drive or mobile device. Cookies mean that you can use the website more efficiently and more easily. We do not process information about user behaviour collected through cookies in a way that can connect user behaviour with specific individuals.

You can set your browser to inform you when you receive a cookie so that you always have the option to decide if you want to accept it. You can also choose to completely turn off the function. However, if you do, the website will not work optimally. The cookies do not contain personal data, such as information about your email address, user ID, or other personal information, other than what is stated in this Policy. You can read our cookie policy here oxfamibis.dk/cookie-politik

7. How we process your Personal Data

Specifically, we use your personal data for several different purposes depending on whether you are an association member, support member, contributor, volunteer, signer or job applicant with us or whether you are merely a user of our website.

If you are a support member or association member with us, we use your personal data to:

  • manage your membership
  • be able to send you necessary information about your membership and the purposes you support
  • be able to send you marketing materials and contact you for further support through the contact information you provided, if this is also in accordance with the marketing law in force at any time;

If you are a contributor with us, we use your personal data to:

  • manage your contributions
  • be able to send you necessary information about your contributions
  • be able to report your contribution to Tax so that your contribution will appear on your tax return
  • be able to send you marketing materials and contact you for further support through the contact information you provided, if this is also in accordance with the marketing law in force at any time;

If you are using our website only, we use your personal data to

  • be able to make the functionalities on our website available to you
  • develop statistics about your whereabouts on our website
  • optimize our website's décor

If you sign on to our campaigns, we use your personal data to

  • provide you with relevant information about that promotion and the difference your signature font helps to make
  • be able to send you marketing materials and contact you for further support through the contact information you provided, if this is also in accordance with the marketing law in force at any time;
  • pressure to achieve the goal you signed. This means that we pass on your first and last name - not other information - to those in power who are targets of the campaign, as well as show your first name on the signature page to the next visitors.

8. Why are we allowed to process information about you (processing basis)?

When you become a member of the association or member of us, give a contribution or signature to us or enter into any other kind of agreement with us, we process your general personal data for that particular purpose. We may also process your regular personal data if, for example, you have a query or similar that precedes your decision to enter into an agreement with us. The legal basis for processing your personal data is Article 6(1)(b) of the Privacy Regulation(b), since the processing of your data is necessary for us to fulfil our agreement with you or for us to handle inquiries and the like prior to your possible conclusion of an agreement with us.

8.1 We also have the possibility to process your ordinary personal data because, we have a legitimate interest in processing the information about you, as provided for in Article 11(1) of Regulation (EC) No 1049/2001. Article 6(1) (f) of the Privacy Regulation (f), unless your right to obtain protection of your own general personal data takes precedence over our legitimate interest in processing your data.

8.2 We have a legitimate interest in processing your personal data (your name, phone number and your email address) for marketing purposes. Our legitimate interest thus consists in knowing your preferences so that we can better adapt our offer to you and ultimately offer campaigns, donation opportunities and services that better meet your needs and desires. Of course, we also comply with the rules of the Marketing Act. It is also with reference to this provision that we draw up various statistics on the number of members, contributions, use of the website, etc.

8.3 In certain cases, we are also legally obliged to process personal data about you. For example, it may be for the purposes of documentation of transaction tracks and the like under the rules of the Accounting Act. Among other things, we must store accounting material for five years from the end of the financial year to which the accounting material relates. It may also be in connection with reports to Tax so that you can get a deduction of your contribution to us. Taxes reports shall be made, indicating CPR No. tax control law, and that is why this is the basis for our processing of information on your CPR No.

8.4 As a charity within the meaning of Paragraph 8a of the Law on Equation, we can contact persons with the aim of entering into an agreement on membership of our organisation, as provided for in The Collection Act chapter. 1(2) and § 8 and § 11(3).

8.5 If you are not a customer, member or contributor with us, but for example simply the user of our website, we need to manage to a limited extent the information that you provide for example, cookie handling. Read more in our cookie policy at  oxfamibis.dk/cookie-politik In some cases we can record which IP addresses have visited our website. An IP address can be personal information, and if we process your IP address, it will be done on the same basis as described above.

9. Sharing your personal data

We may share your personal data with the suppliers and partners who assist us, for example, in the performance of your donation or fixed support, or who assist us in our IT operations, hosting, etc. This means that we can share your information with, for example, our service providers, our technical support and our bank. In paragraph 14 it is stated how we can share your data in order to be able to make remarketing that makes use of automatic decisions/profiling

In the case of petitions, we also can share your information with our main organization Oxfam International to the extent that this is legal. This is necessary as they administer our signature websites.
In addition to the above, we share your information to the extent we are obliged to do so, for example as a result of reporting requirements to public authorities such as tax.

10. Sharing your information with recipients outside the EU/EEA

Some of our service providers are outside the EU/EEA. It therefore happens that we share your personal information with recipients in countries outside the EU/EEA. However, this presupposes that:

  • the country or international organisation concerned has an adequate level of protection as established by the European Commission;
  • whereas, between us and the recipient of your personal data, standard data protection provisions adopted by the European Commission have been concluded;
  • the recipient concerned is certified in accordance with article 42 of the GDPR; Or
  • the recipient concerned has a set of approved binding corporate rules.

We may also request your consent to transfer to recipients located outside the EU/EEA or that this is necessary as a result of an agreement with you or measures taken on agreement with you. These exemptions for transfer are covered by Article 49 of the GDPR.

You may at any time be informed or, where appropriate, a copy of the necessary safeguards on the basis of the transfer of personal data to recipients outside the EU/EEA or, where derogations referred to in Article 49 of the GDPR are used, the exceptions used for any transfer.

11. Storing and deleting your personal data

We store your personal data in accordance with the following rules:

If you are a member or support member with us, we will keep your personal data during the time you are permanently supported by us and up to five years after your last donation under the Bookkeeping Act. The five years also apply if you have made a single contribution. Personal data on registration and account number will be deleted 13 months. after your Payment Service Agreement has been terminated with NETS, according to the Payment Service Act of 2009, which requires us to be able to demonstrate that an agreement has been reached up to 13 months after the end of the contractual relationship.

If you are a user of our website and at the same time neither customer, member, former member or contributor, we will keep the information we have registered about you for up to 2 years.

If we have purchased personal data and contacted you in order to become a member, we will store your information indefinitely in the event that you have declined to receive marketing materials or be contacted by Oxfam IBIS at all, so that we can take your requirement into account. If we don't get in touch with you, we'll delete your data after 24 months.

12. Your rights

Insight: You have the right to gain insight into the personal data we process about you. By writing to us (at the above address – see section 2.1), you can request access to the personal data for which we have registered about you, including the purposes for which the information was collected. We will comply with your insight request as soon as possible.

Rectification and deletion: You have the right to request correction, additional processing, deletion or blocking of the personal data we process about you. We will comply with your request as soon as possible to the extent necessary. If we cannot meet your request for any reason - we will contact, you.

Restriction of processing: You have the right under exceptional circumstances, to have the processing of your personal data restricted. Please contact us if you wish to restrict the processing of your personal data.

Data portability: You have the right to receive your personal data (information relating to yourself that you have provided to us only) in a structured, commonly used and machine-readable format (data portability). Please contact us if you want to take advantage of the possibility of data portability.

Right of objection: You have the right to ask us not to process your personal data in cases where the processing is based on Article 6(1)(e) (task in the public interest or public authority exercise) or Article 6(1)(f) (legitimate interest). This policy shows the extent to which we process your information for such purposes. You can exercise the right to object at any time by contacting us.

Withdrawal of consent
If the processing of your personal data is based on your consent, you shall at any time have the right to withdraw your consent. Your withdrawal does not affect the legality of the processing that was completed before you withdrew your consent. Please contact us if you wish to withdraw your consent.

If you wish to withdraw your consent to receive contribution-enhancing information and offers in general, including by regular mail, email, via SMS, by telephone or through other electronic means, you can do so at any time by writing to persondata@oxfamibis.dk. If we are unsure about your identity, we may ask you to identify yourself. Apart from the general communication costs, this is free of charge.

You can write to our Data Protection Advisor Ole Møs on persondata@oxfamibis.dk  to make use of one or more of the above rights.

There may be conditions or restrictions attached to the exercise of the above rights. It is therefore not certain that, for example, you are entitled to data portability in the specific case - it depends on the specific circumstances of the processing activity in question.

13. Any consequences of not providing personal data

If you are obliged to provide information about yourself to us, it will appear where we collect the information. If you do not want to provide the personal data we ask for, then it may have the consequence that we cannot provide the services to you that you demand, start a membership, make a donation, give a signature, etc. Necessary information according to the purpose of the processing will be marked with * on the websites where we collect your personal information.

14. Using automatic decisions / profiling

We use automatic decisions as part of our marketing through Facebook and Google. This means that we can use the common personal data we collect by uploading a list of contact information to Facebook or Google to remarketing. This allows us to show relevant ads to you and others who have an interest in supporting our cause. This also tracks your commitment (like, comment, sharing, etc.) from users within Facebook and gives us as an advertiser better opportunity to target our content to them.

15. Security

In the organization, our processing of personal data is subject to our IT and security policy. Our IT and security policy also include rules for carrying out risk assessment and impact assessment of existing, as well as new or modified processing activities. We have implemented internal rules and procedures for maintaining appropriate security from the time we collect personal data until deletion, and we only leave our processing of personal data to data processors who maintain a corresponding appropriate level of safety.

16. Complaint to the supervisory authority

If you are unhappy with our processing of your personal data, you can complain the Danish Data Protection Agency:

The Danish Data Protection Agency
Borgergade 28, 5. Sal
DK- 1300 Copenhagen K.
Phone 3319 3200
E-mail:  dt@datatilsynet.dk

17. Updating this policy

Oxfam IBIS is committed to respecting the basic principles of the protection of personal data and data protection. We therefore regularly review this policy in order to keep it updated and in accordance with applicable principles and legislation. This policy is subject to change without notice.

Significant policy changes will be published on this website along with an updated version of the policy.
Any changes we may make to this policy in the future will be made public on this page and may be notified to you by email.

This Personal Data Policy has been last updated on 25 February 2020.