1. The Aarhus Art Academy’s policy concerning personal data
The Aarhus Art Academy collects, processes, and stores personal data. We aim to be open about our personal data processing and to protect data in compliance with the EU data protection law.
This personal data policy will be updated as required.
2. What are personal data?
Personal data comprise any kind of information relating to an identified or identifiable natural person. There are two types of personal data: Sensitive Personal Data and Personal Data.
Sensitive Personal Data reveal information on racial or ethnic origin, political opinion, religious or philosophical belief, trade-union membership, genetic and biometric data, information concerning the health, sex life, or sexual orientation of a natural person. The Aarhus Art Academy neither processes nor stores sensitive personal data.
Personal Data reveal information on all other data that are not ’sensitive’. This includes information concerning name, address, financial circumstances, customer relationships, etc. Pursuant to the EU data protection law, Article 11, CPR nos. may be processed if required by legislative or regulative measures subject to current legislation and are not considered sensitive information.
3. Which kind of personal data are processed and for what purpose?
In order to provide services to our students, e.g. course/programme enrolment, invoicing, sending out course-related information and documentation, and for reporting entrant-related information to local authorities in compliance with the Act on Adult Education and municipal grant regulations, the Aarhus Art Academy only processes the factual information necessary to provide the service in compliance with applicable legislation.
Such data comprise:
- Name and surname
- Date of birth/CPR no.
- E-mail address
- Telephone no.
- Municipal affiliation (including the acting local authority, the paying local authority, and the local authority of residence).
Unless explicitly required to do so by local authorities, we do not process sensitive personal data.
4. How are the data collected?
Personal data may be collected as follows:
- From our website when you enter your personal data into an online form.
- From telephone or personal enquiries when your data are entered into an administrative program by the Aarhus Art Academy staff.
- From e-mail contact when your data are copied into an administrative program.
5. How long do we store your data?
Pursuant to the Act on Bookkeeping, Article 10, personal data are stored for 5 years counting from the end of the financial year in which a study programme has most recently been completed.
6. Who can access the data?
Only trusted people will, in the course of their work, have access to some or all of the stored personal data. These include:
- The Aarhus Art Academy administrative staff responsible for enrolment, booking, invoicing of students, grants administration, bookkeeping, and communication with local authorities.
- Aarhus Art Academy teaching staff who will be informed of names and other data required in order to prepare lists of participants, attendance lists, and attendance cards.
7. Passing on data
- In order for us to meet purchase agreements, etc., we will pass on the data required to fulfil the agreement and to identify the students/payers. Further, we will pass on data to public authorities in compliance with applicable legislation.
- Data about payer ID, course/programme ID, and amounts will be passed on to NETS/ePay in order to effectuate payments.
- Names and contact information may be passed on to the local authority in compliance with the Act of Adult Education and the regulations governing grants.
- CPR-nos. will be passed on to the local authority in compliance with the rules on inter-municipal reimbursement.
- Solemn declarations may be passed on to the local authorities in compliance with local authority rules on payment of supplementary grants (reduced user payment).
8. The storing of data and Data Processors
Data collected in digital form via our website or our administrative programs are, in accordance with our Data Processor Agreement with Dansk Oplysnings Forbund (DOF, the Danish Adult Education Association), stored with their sub-supplier DanDomain. DOF’s trusted IT supporters only have professional access to the data and only to the extent required to be able to provide qualified IT support. Our Data Processor Agreement ensures high standards of information security.
9. Your rights
According to applicable legislation, everyone is guaranteed the following rights:
- The right to information about the processing of personal data (duty of disclosure).
As a rule, you have the right to know the identity of the Data Controller, the purpose of the data processing, and who is to receive/process the information.
In the main, all this information is contained in this personal data policy.
- The right to information about one’s personal data (the right of access).
You can request to know which data the Aarhus Art Academy processes as well as a print or copy of the data collected.
- The right to have incorrect personal data rectified (the right to rectification).
If you think that the data the Aarhus Art Academy has on you are incorrect, inaccurate, or inadequate, you can ask to have the information rectified.
- The right to have personal data deleted (the right to erasure).
If you think that the data the Aarhus Art Academy has on you are unnecessary in relation to the purpose for which they were originally collected, you can ask to have them deleted. Please note that the Aarhus Art Academy has a duty and the right to store certain information in order to comply with the rules laid down by the Act on Adult Education, local authority guidelines, and bookkeeping obligations.
- The right to transfer your personal data (data portability).
As a rule, you have the right to receive data about yourself in a structured, commonly used and machine-readable format and you have the right to transfer such data to another company.
- The right to object
You have the right to object to personal data being used for e.g. direct marketing and profiling purposes. However, we do not use profiling and any marketing activities will always be subject to explicit consent.
When you approach the Aarhus Art Academy concerning one of the above issues (disclosure, rectification, erasure, etc.), you will, no later than one month afterwards, be informed as to the course of action the Aarhus Art Academy intends to take concerning this. If, for example, you ask to have your data rectified or deleted, the Aarhus Art Academy will usually ascertain whether all the conditions have been met, including whether there is a legal basis for the continued processing of data. If the objection is deemed rightful, we will make sure that the request is carried out.
For purposes of normal course/programme enrolment, invoicing, and bookkeeping, we do not need your consent to process data, since the legality of the processing (pursuant to Article 6 in the EU data protection law) relates to the data processing necessary to perform the contract, including course enrolment.
However, in order to collect personal data for other purposes, for example supplementary information regarding a course or in connection with subscribing to our newsletter, we may ask for consent, if necessary.
Consent can be verbal or in writing, but we are required to document that consent has been given. In most cases, this will take the form of a check box on our website or during the enrolment process where our IT systems will register both the time and the form of consent. Consent may also be given via e-mail or another form of digital communication.
In connection with giving your consent, you will be informed of the specific details, including the purpose for which your consent is required and the process of withdrawal of same. Generally, however, withdrawal of consent should be just as easy and accessible as giving it in the first place.
Moreover, consent is always specific with a clear indication of what you are consenting to. This also means that the Aarhus Art Academy, in some cases, will have to obtain consent several times over from each person, depending on the purpose. For example, ’supplementary information’ on individual students and ’subscribe to newsletter’ will require consent to be given on two separate occasions.
It is important to stress that consent is always voluntary. In practice, this means that we will never make any particular student’s participation in a course subject to accepting e.g. a newsletter.
As a matter of course, the Aarhus Art Academy will ensure that data are stored securely and discreetly. Our security measures are divided into organisational and technical measures.
The organisational security measures mean that only trusted staff from the Aarhus Art Academy have access to your personal data for professional purposes. This typically occurs in connection with course/programme enrolment, course administration, invoicing, and communication. Additionally, our teaching staff have limited access to your personal data, and only such data that are relevant to conducting the course/programme (see also section 6).
The Aarhus Art Academy staff are continually being trained and instructed on data security, including how to process and protect data. We also log our data processing activities, which are subject to control by the Danish Data Protection Agency.
The technical security measures relate to our use of IT systems for the registration and administration of class and student data. We use an internal IT system owned and developed by DOF and hosted by DanDomain in Randers. Our Data Processor Agreement with DOF ensures that data are placed in a secure place with the necessary level of protection. Your data are encrypted on our server and all communication via our website (e.g. when enrolling and paying via our website) is protected by approved Comodo security certificates using a 256-bit encryption key. Backup of your data is made on a daily basis.
Our internal IT systems (PCs, etc.) are further protected by passwords, an updated antivirus program and a firewall and any physical material is stored in a locked-up space. We ensure that data will not fall into the hands of unauthorised people when IT equipment is either destroyed or repaired.
12. Complaints and contact information.
Complaints about the Aarhus Art Academy’s processing of personal data, any objections and questions on the policy on personal data should be addressed to:
8000 Aarhus C