DPA's (Danish Producer Responsibility) policy on personal data protection
According to the General Data Protection Regulation (GDPR) a personal data policy ensuring compliance with the GDPR must be adopted. To secure the protection of the rights and freedom of individuals in connection with the processing of personal data, suitable technical and organisational precautions are called for to ensure that the requirements of the regulation are complied with.
General Data Protection Regulation
According to the General Data Protection Regulation (GDPR) a personal data policy ensuring compliance with the GDPR must be adopted. To secure the protection of the rights and freedom of individuals in connection with the processing of personal data, suitable technical and organisational precautions are called for to ensure that the requirements of the regulation are complied with. In order to demonstrate compliance with the regulation, DPA must adopt internal policies and implement measures meeting the principles of data protection through the design and data protection through standard settings and in the development of IT systems.
These measures consist in the minimisation of the processing of personal data, pseudonymisation of personal data, and transparency in relation to the function and processing of personal data in order that the data subject can follow this data processing and that DPA can provide and continuously improve the necessary data security.
Collection and purpose
The collection and processing of personal data is necessary in connection with case handling, in contracting and agreements on employment or other purposes that are in accordance with our statutory purpose and duty to record and retain information under the rules on national archives. We only collect such personal data that are necessary to comply with our statutory obligations.
The data we collect and process are primarily data in the form of:
- name
- address
- phone number
- user id
- CPR number
- CVR number
- IP address
- domain name
- invoice numbers
- credit note number
- information about companies, attributable to a specific individual
DPA collects and processes data in connection with the use of the self-service solutions made available by DPA.
DPA may at our own initiative contact you in connection with the control of contact information and identity of data subjects as well as validation of contact information. This is done to ensure that the personal data about you that we process are correct; this is a requirement according to the legislation on bookkeeping and the General Data Protection Regulation.
Confidentiality policy
Our confidentiality policy protects data by regulating DPA’s use of the data that you put at our disposal by transferring it to us. DPA is obliged to protect all confidential information. The purpose of our confidentiality policy is to set up clear guidelines for DPA’s way of processing data.
Consent
You give your consent that we collect and use your personal data in accordance with this confidentiality policy. We commit to publishing a regularly updated version of our confidentiality policy on our website, with a specification of the update.
Information safety
In DPA information safety has high priority. We have strict focus on how to protect data, systems, and services. Our high standards for information safety mean, among others, that we protect critical and sensitive information and information systems against compromise and other unauthorised use. We make sure that your personal data are not lost, changed, published without authorisation, and that unauthorised individuals do not get access to or knowledge of them.
To protect your data in the best possible way we make an assessment as to whether our processing of your data entails a high risk for you, e.g., if data in question are sensitive personal data. DPA does not store sensitive personal data.
Processor agreement
We enter processor agreements with suppliers processing personal data on our behalf, and we make sure that our processors comply with the required high standard for information safety and data protection.
Deletion of personal data
We delete your personal data when they are no longer necessary in relation to the purposes that caused us to collect, process, and store them; this is done with regard to our recording obligation in pursuance of the Public Administration Act and transfer to the National Archives in pursuance of the rules on archiving. This means that we may not delete information even when, e.g., you withdraw your application or disagree with a decision made by us and you are subsequently proved right, since we are obliged to document our case history. If, for instance, data in question are needed to establish a legal claim further to a contractual relation, or if other legislation requires longer storing, we can keep information longer than five years. We will regularly review our need for storing of data to make sure that we do not keep more than absolutely necessary.
Provision of data and right of access
DPA does not transfer personal data to third parties in view of marketing or for other commercial uses. You have the right to be informed of the personal data we have registered concerning you. In our communication about access to own data we demand documentation of your identity in respect of you and to avoid unauthorised access. On your request we provide you with information on the data we process concerning you. However, the access to data may be limited due to the privacy of other individuals, commercial confidentiality, commercially sensitive information, or intellectual property rights.
If you wish to get access to your personal data, please contact info@producentansvar.dk, stating ”Access to personal data” in the subject line.
Right to erasure or request for rectification of personal data
If you find that we process personal data concerning you that are inaccurate you have the right to rectification. In this case we kindly ask you to contact us with information about the inaccurate data and how they should be rectified. In some cases, we are obliged to erase your personal data. If you find that your personal data are no longer necessary in relation to the purposes for which we collected them, you can ask us to erase them. You can also contact us if you find that your personal data are processed in breach of legislation or other legal obligations. When you contact us with a request for rectification or erasure of your personal data, we check whether the conditions are met and, if so, we rectify or erase data as soon as possible.
Right to objection
You have the right to object against our processing of your personal data. If your objection is justified, we cease processing of your personal data. However, it should be noted that the processing of your personal data may be a prerequisite for entering a contract with DPA or for having your case handled or as part of an employment; in our capacity of an authority, we may be obliged to collect data such as tax information.
During the time when an objection or a request for erasure/rectification is treated DPA is obliged to limit our processing of the data in question. Generally, we may only use data in connection with requests for access to documents, but we can ask for your permission to use data for other purposes. In this case, your written acceptance is requested.
DPA, November 2021
Contact information
DPA is the controller and has the following contact information:
Danish Producer Responsibility (DPA)
Vester Farimagsgade 3, 2.
DK-1608 Copenhagen V
E-mail: info@danskproducentansvar.dk
Tel. no. +45 39 15 51 61
Complaints about DPA’s processing of personal data should be directed at:
Data Protection Agency
Borgergade 28, 5.
DK-1300 Copenhagen K
E-mail: dt@datatilsynet.dk