Privacy Policy – CPH ID card holders, crews and visitors

Latest update: 16 January 2020

In this Privacy Policy we describe how Copenhagen Airports A/S (CPH) processes your personal data, when you apply for and use a CPH ID Card, visit CPH as crew or visitor without a CPH ID card, use the CPH Now service platform, or other services which refer to the Policy. The Policy also applies to the processing of personal data, as part of your access to and traffic on CPHs areas. The Policy supplements, but does not substitute, any other policies or terms and conditions laid down with respect to the use of individual services provided by CPH.

The Policy applies for Copenhagen Airport, Kastrup and Roskilde Airport.

You will find a separate Privacy Police that applies to the use of the airport and our services as a passenger here: CPH.dk/privacy

It is essential to CPH that you feel secure about our processing of the personal data that we obtain about you when you are at the airport, use your CPH ID card, sign up for or use one of our services, among other things.

Data controller

Your personal data are processed by Copenhagen Airports A/S, Box 74, Lufthavnsboulevarden 6, DK-2770 Kastrup, Denmark as data controller.

Data protection officer

CPH has appointed a Data Protection Officer (DPO), and you are welcome to contact our DPO with any questions or other queries you may have about our processing of personal data. You can contact our DPO at privacy@cph.dk.

Mandatory information

Information listed below is mandatory. If you do not disclose such information, the consequence is that CPH will not be able to issue an ID card to you.

Your rights

You are, of course, entitled to request access to, rectification or erasure of any personal data about you that CPH processes. You also have the right to object to the processing of your personal data and to have the processing of your personal data restricted. If you are not satisfied with the way we process your personal data, you naturally also have the right to file a complaint with the Danish Data Protection Agency.

In particular, you have an unconditional right to object to processing of your personal data for direct marketing purposes. If the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of your consent will not affect the lawfulness of processing of data before your withdrawal. You have the right to receive the personal data you have provided in a structured, commonly used, machine-readable format (data portability).
These rights may be subject to conditions or restrictions. Accordingly, you may not have the right to data portability in a given case – it depends on the specific circumstances of the processing activities.

Data collected from other sources

When we collect data from other sources than yourself, such source(s) may be:

Your employer
Public authorities, including the police

Transfer to Third Countries

CPH primarily processes your personal data within the European Economic Area ("EEA").

However, we may transfer personal data to third countries, i.e., countries outside the EU/EEA, when we use data processors and sub-processors established in third countries.

This is the case, for example, in relation to our use of ServiceNow, HubParking, and their sub-processors.

The third countries to which we transfer personal data include:

USA
Australia
Japan
Canada
India
Switzerland
Israel

If the European Commission has not made a decision that the level of protection in the respective third country is adequate, or, in the case of the USA, is not part of the EU-US Data Privacy Framework in accordance with the General Data Protection Regulation article 45, we use the Commission's standard contractual clauses in accordance with Article 46(2)(c) of the Regulation.

You have the option to request a copy of our standard contractual clauses by sending an email to privacy@cph.dk.

Privacy policy updates

We will make changes to this Privacy Policy as required. You can see this by checking the date at the top of the page. In case of significant changes to the Privacy Policy we will inform you directly about the changes and the consequences hereof.

By clicking the icons below, you can see the processing of personal data that applies to the various parts of CPH.

1. Application for ID card and administration hereof

In connection with ID cards, CPH process several personal data. This applies both to the application process and the following administration, including access control.

1.1 The personal data processed is the following:

Basic information*: ID card data, including name, address, e-mail, telephone no., CPR no., place of birth, gender, employer, title, work assignments, nationality, ID card no., expiry date, picture etc.
ID card*: 1) Approval from the Police to issue an ID card, 2) ID card access rights and log information, 3) courses and permits, including access rights.
Visitor*: Name, address, company, date, purpose of visit and length, visitor responsible, ID, and picture.

1.2 Purpose

CPH process the data to the following purpose:

To comply with the regulatory requirements currently in force (including the Danish Air Navigation Act, Regulation (EC) No. 300/2008, etc.) which imposes on CPH control of access and traffic on CPH’s area,
Maintenance of records regarding necessary training and courses, including access control.

1.3 Basis of processing

Observe a legal obligation (Article 6(1)(c) of the GDPR)

In according to the Danish Air Navigation Act, CPH is required, as mentioned above, to register a number of information when you apply for and receive an ID card.
Issuing of an ID card is based on approval from Danish Police.

1.4 Recipients

Public authorities to the extent necessary; including the police for the processing of your application.
If it follows from a court order or if required or authorized by applicable law.
Your employer.

Information provided by you or your employer in connection with your application for an ID card, will be disclosed to and evaluated by the Police in order for approval.

1.5 Erasure

General information will be deleted 5 years after you have submitted your ID card.
Visitor: Information will be deleted no later than 5 years after your visit.

2. Reports, sanctions and legal claims

In connections with reports and possible sanctioning following violations of Local Regulations, Appendix 16, CPH process personal data. This also applies in cases, where liability needs to be established in events on the airport area, including liability for damages.

2.1 CPH may process the following personal data:

Personal data can be collected in connections to registration of Security, incident and Safety reports, including name, ID card No., employer, description of event, etc.
Information about sanction issued due to the violations of Local Regulations, Appendix 16
Liablity in connection with events on the airport area, including liability for damages. CCTV may be used in this connection.

2.2 CPH may process the following sensitive personal data:

Health conditions: CPH process, to the extent necessary, information on health conditions, including partiular information about accidents and incidents that may involve information about health conditions and any use and abuse of alcohol or drugs.

2.3 The CPH may process the following personal data concerning criminal offences:

Information on criminal offences may occur in connection with any reports from the CPH whistle blower scheme or in connection with the handling of incidents in CPH that violate the rules set by CPH or by the authorities.

2.4 Purpose

CPH process the data to the following purposes:

to register and enforce violations of Local Regulations, Appendix 16,
to document Security and Safety related events,
to investigate possible criminal offenses in connection with reports from CPH's whistleblower hotline, and
establishment, exercise or defence of legal claims.

2.5 Basis of processing

CPH process general personal data, based on the following basis of processing:

Observe a legal obligation (Article 6(1)(c) of the GDPR)

According to the Danish Air Navigation Act, CPH is required, as mentioned above, to register a number of information when you receive an ID card.
Reporting to authorities, including the Traffic, Building and Housing Agency, etc.

CPH process sensitive personal data, based on the following basis of processing:

Processing is necessary for essential social interests based on EU law or the national law of the Member States, including the Danish aviation rules to which CPH is subject (Article 9 (2)(g) of the GDPR)

CPH process personal data regarding criminal offences, based on the following basis of processing:

The processing takes place for the protection of important private interests, cf. the Danish Data Protection Act section 8 (3), cf. Article 10 of the GDPR.

2.6 Recipients

CPH may transfer relevant personal data to the following categories of recipients:

Public authorities to the extent necessary; including the police.
If it follows from a court order or if required or authorized by applicable law.
Your employer, if necessary for operational or Safety/Security considerations or if necessary for the establishment, exercise or defence of legal claims.
Lawyers and insurance companies to the extent necessary, in connection with legal claims.

2.7 Erasure

Data, in report will be erased after no later than 5 years. Data can in specific cases be processed for a longer period, if they for example are relevant in training/education.
Data regarding issued sanctions following Local Regulations, Appendix 16, will be erased in accordance herewith.

3. Security/Safety and CCTV surveillance

Security and Safety is important to CPH, and in order to meet the requirements imposed on CPH in this regard, CPH processes various data about you when you use and move around CPH.

The airport area, both landside and airside are covered by CCTV surveillance. The CCTV sur-veillance can be used in connection with reports, sanctions, training/education purposes and legal claims, cf. the above section.

3.1 The personal data processed is the following:

Control of access to the access to the airport area, including logging*
CCTV monitoring of the airport areas*

3.2 Purpose

CPH processes the data to the following purposes:

to comply with the regulatory requirements currently in force (including the Danish Air Navigation Act, Regulation (EC) No. 300/2008, etc.) which imposes on CPH control of access and traffic on CPH’s area.
to comply with current Security and Safety related requirements.
to support the operation on the airport area, including coordination between the airport collaborators.
establishment, exercise or defence of legal claims.
to be disseminated as training/education materials with a sole purpose of sharing les-sons learned and improving safety.

3.3 Basis of processing

CPH process general personal data, based on the following basis of processing:

Observe a legal obligation (Article 6(1)(c) of the GDPR)

According to the Danish Air Navigation Act, CPH is required, as mentioned above, to register a number of information when you receive an ID card.
Reporting to authorities, including the Police and Traffic, Building and Housing Agency, etc.

Establishment, exercise or defence of legal claims (Article 9(2)(f) of the GDPR)

In case of complians or legal claims, data is processed – both general and sensitive – in accordance with Article 9(2)(f) of the GDPR.

3.4 Recipients

CPH may transfer relevant personal data to the following categories of recipients:

Public authorities to the extent necessary; including the police.
If it follows from a court order or if required or authorized by applicable law.
Your employer, if necessary for operational or Safety/Security considerations or if necessary for the establishment, exercise or defence of legal claims.
Lawyers and insurance companies to the extent necessary, in connection with legal claims.

3.5 Erasure

CCTV footage filmed within CPH’s area is subject to the requirements under the Danish Data Pro-tection Act regarding storage of such footage. Footage is erased within 30 days. In special circum-stances and relating to specific cases, such data may be stored for a longer period, e.g. if data are relevant in training/education.

3.6 Limitation of your rights

In relation to CCTV recordings within CPH’s area, your rights following the GDPR Chapter III, including article 15 regarding access, are restricted following § 22 (2), litra 3 and 4 of The Danish Data Protection Act. If your interest in access to the CCTV recordings does not exceed the following considerations, you do not have the right to access the CCTV monitoring:

public security reasons in Copenhagen Airport
the prevention, investigation, detection or prosecution of criminal offences
the safeguarding against and the prevention of threats to public security in Copenhagen Airport

We ask you to provide specific reasons for your interest in access to the CCTV recording, for example if the recordings (or parts hereof) show information of particular interest to you, e.g. an accident involving personal injury. We refer to the Danish Data Protection Authority's decision in the Danish Metro case (Journal number 2018-832-0009), where right to access was denied.

4. CPH Now platform and CPH services

For Application for ID card, service requests to CPH, error messages etc., you will use our service platform CPH Now.

4.1 The personal data processed is the following:

1) Name, username, password, 2) ID card No., 3) employer, 4) information concerning purchase or delivery of CPH services or goods, as well as error messages via CPH Now, 5) records of training and courses

4.2 Purpose

CPH behandler oplysningerne til følgende formål:

to inform you about practical matters related to your work-related presence in CPH, including targeted business information and CPH news via electronic mail, push-messages (in CPH Now app).
to provide you with the services that you or your employer are requesting, including handing orders and error messages.
maintenance of records regarding necessary training and courses.

4.3 Basis of processing

Interest-weighting rule (Article 6 (1)(f) of the GDPR)
CPH can process information about ID cardholders in connection with orders of services, goods or services from CPH.

The purpose of the pursuit is:

Compliance with CPH's agreements with CPH collaborators

4.4 Recipients

CPH may transfer relevant personal data to the following categories of recipients:

Suppliers and collaborators with whom CPH cooperates and who assist our company (understood as service providers, technical support, deliveries).
In connection with ordering, purchase, sale or assignments at CPH Now.
(Your employer, if necessary.

4.5 Erasure

General information will be deleted 5 years after you have submitted your ID card.

5. Newsletters, competitions and surveys

As a user of CPH you can subscribe to our newsletters and participate in our competitions and surveys.

5.1 The personal data processed is the following:

Name, address, e-mail address and telephone no.
Any information you provide that is necessary for CPH to administrate competitions or send newsletter
Survey replies

5.2 Purpose

The purpose of processing data is for CPH to send newsletters, administrate competitions and receive replies on surveys.

5.3 Basis of processing

Data are solely used subject to your consent in accordance with Article 6(1)(a) of the GDPR. Naturally you have the right to withdraw your consent at any time.

5.4 Recipients

Relevant information can, when necessary in connection with competitions, be disclosed to business partners such as shops, restaurants, airlines etc.

5.5 Erasure

Information processed in connection with newsletters will be processed until you may unsubscribe.
Information processed in connection with competitions, are processed until the winner(s) is/are found and will be deleted hereafter, unless special conditions for the specific competition apply.
Information processed in connection with surveys, will be deleted or anonymized no later than 1 year after collection.

6. Training of shop employees (CPH Academy)

In connection with the issuance of ID cards for shop employees, CPH conducts teaching at CPH Retail Academy.

6.1 The personal data processed is the following:

Courses and training
Date of update

6.2 Purpose

The purpose is to train shop employees and to register employees who have completed courses at CPH Retail Academy and follow up on them.

6.3 Basis of processing

Interest-weighting rule (Article 6 (1)(f) of the GDPR)

CPH can process information about ID cardholders in connection with the CPH Retail Academy.
The purpose of the pursuit is:

Training and education of employees.

6.4 Recipients

CPH may transfer relevant personal data to the following categories of recipients:

Suppliers and collaborators with whom CPH cooperates and who assist our company (understood as service providers, technical support, deliveries)
Your employer, if necessary

6.5 Erasure

Information will be deleted 5 years after you have submitted your ID card.

7. CPH Web Trak (environmental inquiries)

CPH regularly handles different types of environmental inquiries, including especially complaints about noise. In that regard, CPH has published information about arriving and departing planes in Copenhagen Airtport, Kastrup, via an online portal to make it easier to identify the plane, a specific complaint is about. In connection with working on the portal, CPH has supposed that this included processing of personal data. Information about planes can be found on CPH Web Trak.

7.1 The processed personal data are:

Plane registration no.*
Noise measurements*
Information in a flight plan, including altitude and destination*
Location data via radar*

7.2 Purpose

The purpose of the processing is to deal with complaints regarding air traffic, including complaints about noise and in this regard to be able to assign the complaint to a specific plane.

7.3 Legal basis

Information processed in connection with complaints about air traffic are processed pursuant to Article 6.1.C of the General Data Protection Regulation, due to Danish aviation regulation and pursuant rules and Article 6.1.E, as processing is necessary for the performance of a task carried out in the public interest. The public interest is to provide information to the public about a public activity, including making it possible to complain about flights. The public interest is also that CPH can answer and manage complaints about air traffic in the Copenhagen Airport, as well as accurately determine which aircraft a specific complaint is about.

7.4 Recipients

To the extent that CPH is required to do so, relevant data may be disclosed to relevant public authorities, including the Transport, Construction and Housing Authority and relevant Municipalities.

7.5 Erasure

Information in CPH Web Trak are available for the public for the previous 2 months. Data processed in connection with environmental inquiries, will be deleted or anonymized no later than 5 years after closure.

8. Visiting CPH’s offices

When you visit CPH’s offices we may collect and process your personal data, in order to admin-istrate your visit, including issuing guest card and necessary follow-up.

8.1 The processed personal data can be:

Name*
Company*
Information regarding the meeting; date, time and subject*
CPH contact*

8.2 Purpose

CPH processes your personal data in order to administrate your visit, including issuing guest card and necessary follow-up.
CPH bruger dine personoplysninger til at administrere dit besøg, herunder udstedelse af gæstekort og evt. opfølgning herpå.

8.3 Legal basis

Interest-weighting rule (Article 6 (1)(f) of the GDPR)

CPH can process information about information about your visit.
- The purpose of the pursuit is:
  - Administration of visit and necessary follow-up.

8.4 Recipients

CPH may transfer relevant personal data to the following categories of recipients:

Public authorities to the extent necessary; including the police.
If it follows from a court order or if required or authorized by applicable law.

8.5 Erasure

The collected personal data is erased/anonymized no later that 3 months after your visit.

9. Employee parking

CPH collects information about you in connection with the issuance and your use of the employee P-card. This processing supplements the general processing of your personal data, which occurs in connection with the use of our parking facilities. More details on this are available on our website.

9.1 Issuing the Employee P-Card

Upon issuing the employee P-card, CPH collects certain data points about you to manage the agreement with your employer. The information we collect for this purpose includes:

Your name
Your employer or company name

9.1.1 Purpose

The purpose of the processing is to administer and provide P-cards to employees working at the airport.

9.1.2 Basis of processing

Data processed in connection with issuing your employee P-card is based in our legitimate interest to efficiently manage the P-card as per the agreement with your employer, in accordance with GDPR Art. 6.1.f.

9.1.3 Recipients

We may share your personal data, such as your name and employer, with our IT service providers and support teams to assist in our business operations. This includes HUB Parking, the supplier of our parking system.

9.1.4 Erasure

Data collected in connection with your employee P-card will be deleted two years after the card's return. We retain this information to report P-card usage to your employer and for the establishment or defense of legal claims.

Data required to comply with the Danish Bookkeeping Act will be kept for up to five years, plus the current year.

9.2 Using the Employee Parking Card

Personal data processed when you use the employee P-card at CPH's parking facilities include:

The times of your entry and exit
The number of your employee P-card

9.2.1 Purpose

The processing of this data aims to manage the employee parking arrangement between CPH and your employer. The purpose of this activity is to ensure that the card is used solely for work-related purposes.

9.2.2 Legal basis

The processing of your data related to the use of your employee P-card is based on our legitimate interest in ensuring that the card is used only for work purposes, as per GDPR art. 6.1.f.

If the data is shared with your employer, it is to establish or defend legal claims, in accordance with GDPR art. 6.1.f.

9.2.3 Recipients

Your personal data may be shared with our IT service providers and support teams, including HUB Parking, for operational assistance.

In cases of suspected misuse of your employee P-card, we may also share usage information with your employer.

9.2.4 Erasure

Data collected from your use of the employee P-card will be deleted two years after your last use. This information is retained to report card usage to your employer and to establish or defend legal claims.

Data necessary for compliance with accounting regulations will be kept for up to five years, including the current year.