Privacy Policy – CPH ID card holders and crews/visitors

Latest update: 03 January 2019

In this Privacy Policy we describe how Copenhagen Airports A/S (CPH) processes your personal data, when you apply for and use a CPH ID Card, visit CPH as crew or visitor without a CPH ID card, use the CPH Now service platform, or other services which refer to the Policy. The Policy also applies to the processing of personal data, as part of your access to and traffic on CPHs areas. The Policy supplements, but does not substitute, any other policies or terms and conditions laid down with respect to the use of individual services provided by CPH.

The Policy applies for Copenhagen Airport, Kastrup and Roskilde Airport.

You will find a separate Privacy Police that applies to the use of the airport and our services as a passenger here: CPH.dk/privacy

It is essential to CPH that you feel secure about our processing of the personal data that we obtain about you when you are at the airport, use your CPH ID card, sign up for or use one of our services, among other things.

Data controller

Your personal data are processed by Copenhagen Airports A/S, Box 74, Lufthavnsboulevarden 6, DK-2770 Kastrup, Denmark as data controller.

Data protection officer

CPH has appointed a Data Protection Officer (DPO), and you are welcome to contact our DPO with any questions or other queries you may have about our processing of personal data. You can contact our DPO at privacy@cph.dk.

Mandatory information

Information listed below is mandatory. If you do not disclose such information, the consequence is that CPH will not be able to issue an ID card to you.

Your rights

You are, of course, entitled to request access to, rectification or erasure of any personal data about you that CPH processes. You also have the right to object to the processing of your personal data and to have the processing of your personal data restricted. If you are not satisfied with the way we process your personal data, you naturally also have the right to file a complaint with the Danish Data Protection Agency.

In particular, you have an unconditional right to object to processing of your personal data for direct marketing purposes. If the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of your consent will not affect the lawfulness of processing of data before your withdrawal. You have the right to receive the personal data you have provided in a structured, commonly used, machine-readable format (data portability).
These rights may be subject to conditions or restrictions. Accordingly, you may not have the right to data portability in a given case – it depends on the specific circumstances of the processing activities.

Data collected from other sources

When we collect data from other sources than yourself, such source(s) may be:

  1. Your employer
  2. Public authorities, including the police

Transfer to third countries

The information we collect will preferably and whenever possible be processed and stored within the EU and the European Economic Area ("EEA"). In certain situations, information is processed in third countries (countries outside the EU/EEA). For transfers to third countries, which are considered unsafe, we have taken adequate measures, for example by ensuring that the recipient is bound by EU Commissions model clauses or regarding transfers to USA, covered by the Privacy Shield scheme. In other cases, we have taken the adequate measures in accordance with Article 49(1) (b-e) of the GDPR. You can obtain a copy of relevant transfer basis by contacting our DPO, cf. section above.

Privacy policy updates

We will make changes to this Privacy Policy as required. You can see this by checking the date at the top of the page. In case of significant changes to the Privacy Policy we will inform you directly about the changes and the consequences hereof.

By clicking the icons below, you can see the processing of personal data that applies to the various parts of CPH.

The policy applies to the following areas:

1. Application for ID card and administration hereof
 

In connection with ID cards, CPH process several personal data. This applies both to the application process and the following administration, including access control. 

1.1 The personal data processed is the following:

  • Basic information: ID card data, including name, adress, e-mail, telephone no., CPR no., place of birth, gender, employer, title, work assignments, nationality, ID card no., expiry date, picture etc.
  • ID card: 1) Approval from the Police to issue an ID card, 2) ID card access rights and log information, 3) courses and permits, including access rights.

1.2 Purpose

CPH process the data to the following purpose:

  • To comply with the regulatory requirements currently in force (including the Danish Air Navigation Act, Regulation (EC) No. 300/2008, etc.) which imposes on CPH control of access and traffic on CPH’s area,
  • Maintenance of records regarding necessary training and courses, including access control.

1.3 Basis of processing

Observe a legal obligation (Article 6(1)(c) of the GDPR)

  • In according to the Danish Air Navigation Act, CPH is required, as mentioned above, to register a number of information when you apply for and receive an ID card.
  • Issuing of an ID card is based on approval from Danish Police.

1.4 Recipients

  1. Public authorities to the extent necessary; including the police for the processing of your application.
  2. If it follows from a court order or if required or authorized by applicable law.
  3. Your employer.

Information provided by you or your employer in connection with your application for an ID card, will be disclosed to and evaluated by the Police in order for approval.

1.5 Erasure

General information will be deleted 5 years after you have submitted your ID card.

2. Reports, sanctions and legal claims
 

In connections with reports and possible sanctioning following violations of Local Regulations, Appendix 16, CPH process personal data. This also applies in cases, where liability needs to be established in events on the airport area, including liability for damages.

2.1 CPH may process the following personal data:

  • Personal data can be collected in connections to registration of Security, incident and Safety reports, including name, ID card No., employer, description of event, etc.
  • Information about sanction issued due to the violations of Local Regulations, Appendix 16
  • Liablity in connection with events on the airport area, including liability for damages. CCTV may be used in this connection.

2.2 CPH may process the following sensitive personal data:

  • Health conditions: CPH process, to the extent necessary, information on health conditions, including partiular information about accidents and incidents that may involve information about health conditions and any use and abuse of alcohol or drugs.

2.3 The CPH may process the following personal data concerning criminal offences:

  • Information on criminal offences may occur in connection with any reports from the CPH whistle blower scheme or in connection with the handling of incidents in CPH that violate the rules set by CPH or by the authorities.

2.4 Purpose

CPH process the data to the following purposes:

  • to register and enforce violations of Local Regulations, Appendix 16,
  • to document Security and Safety related events,
  • to investigate possible criminal offenses in connection with reports from CPH's whistleblower hotline, and
  • establishment, exercise or defence of legal claims.

2.5 Basis of processing

CPH process general personal data, based on the following basis of processing:

Observe a legal obligation (Article 6(1)(c) of the GDPR)

  • According to the Danish Air Navigation Act, CPH is required, as mentioned above, to register a number of information when you receive an ID card.
  • Reporting to authorities, including the Traffic, Building and Housing Agency, etc.

CPH process sensitive personal data, based on the following basis of processing:

  • Processing is necessary for essential social interests based on EU law or the national law of the Member States, including the Danish aviation rules to which CPH is subject (Article 9 (2)(g) of the GDPR)

CPH process personal data regarding criminal offences, based on the following basis of processing:

  • The processing takes place for the protection of important private interests, cf. the Danish Data Protection Act section 8 (3), cf. Article 10 of the GDPR.

2.6 Recipients

CPH may transfer relevant personal data to the following categories of recipients:

  1. Public authorities to the extent necessary; including the police.
  2. If it follows from a court order or if required or authorized by applicable law.
  3. Your employer, if necessary for operational or Safety/Security considerations or if necessary for the establishment, exercise or defence of legal claims.
  4. Lawyers and insurance companies to the extent necessary, in connection with legal claims.

2.7 Erasure

Data, in report will be erased after no later than 5 years. Data can in specific cases be processed for a longer period, if they for example are relevant in training/education.
Data regarding issued sanctions following Local Regulations, Appendix 16, will be erased in accordance herewith.

3. Security and CCTV surveillance
 

Security is important to CPH, and in order to meet the security requirements imposed on CPH, CPH processes various data about you when you use and move around CPH.

The airport area, both landside and airside are covered by CCTV surveillance. The CCTV surveillance can be used in connection with reports, sanctions and legal claims, cf. the above section.

3.1 The personal data processed is the following:

  • Control of access to the access to the airport area, including logging
  • CCTV monitoring of the airport areas

3.2 Purpose

CPH process the data to the following purposes:

  • to comply with the regulatory requirements currently in force (including the Danish Air Navigation Act, Regulation (EC) No. 300/2008, etc.) which imposes on CPH control of access and traffic on CPH’s area.
  • to comply with current Security and Safety related requirements.
  • to support the operation on the airport area, including coordination between the airport collaborators.
  • establishment, exercise or defence of legal claims.

3.3 CPH process the following personal data:

  • to comply with the regulatory requirements currently in force (including the Danish Air Navigation Act, Regulation (EC) No. 300/2008, etc.) which imposes on CPH control of access and traffic on CPH’s area.
  • to comply with current Security and Safety related requirements.
  • to support the operation on the airport area, including coordination between the airport collaborators.
  • establishment, exercise or defence of legal claims.

3.4 Basis of processing

CPH process general personal data, based on the following basis of processing:

Observe a legal obligation (Article 6(1)(c) of the GDPR)

  • According to the Danish Air Navigation Act, CPH is required, as mentioned above, to register a number of information when you receive an ID card.
  • Reporting to authorities, including the Police and Traffic, Building and Housing Agency, etc.

Establishment, exercise or defence of legal claims (Article 9(2)(f) of the GDPR)

  • In case of complians or legal claims, data is processed – both general and sensitive – in accordance with Article 9(2)(f) of the GDPR.

3.5 Recipients

CPH may transfer relevant personal data to the following categories of recipients:

  1. Public authorities to the extent necessary; including the police.
  2. If it follows from a court order or if required or authorized by applicable law.
  3. Your employer, if necessary for operational or Safety/Security considerations or if necessary for the establishment, exercise or defence of legal claims.
  4. Lawyers and insurance companies to the extent necessary, in connection with legal claims.

3.6 Erasure

CCTV footage filmed within CPH’s area is subject to the requirements under the Danish Data Protection Act regarding storage of such footage. Footage is erased within 30 days. In special circumstances and relating to specific cases, such data may be stored for a longer period.

3.7 Limitation of your rights

In relation to CCTV footage within CPH’s area, your rights following GDPR Chapter III are restricted, by Article 23(1)(c) and (d) of the GDPR. Therefore you do not have the right to access the CCTV footage, due to

  • public security reasons in Copenhagen Airports,
  • the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and
  • safeguarding against and the prevention of threats to public security in Copenhagen Airports
4. CPH Now platform and CPH services
 

For Application for ID card, service requests to CPH, error messages etc., you will use our service platform CPH Now.

4.1 The personal data processed is the following:

1) Name, username, password, 2) ID card No., 3) employer, 4) information concerning purchase or delivery of CPH services or goods, as well as error messages via CPH Now, 5) records of training and courses

4.2 Purpose

CPH behandler oplysningerne til følgende formål:

  1. to inform you about practical matters related to your work-related presence in CPH, including targeted business information and CPH news via electronic mail, push-messages (in CPH Now app).
  2. to provide you with the services that you or your employer are requesting, including handing orders and error messages.
  3. maintenance of records regarding necessary training and courses.

4.3 Basis of processing

Interest-weighting rule (Article 6 (1)(f) of the GDPR)
CPH can process information about ID cardholders in connection with orders of services, goods or services from CPH.

The purpose of the pursuit is:

  • Compliance with CPH's agreements with CPH collaborators

4.4 Recipients

CPH may transfer relevant personal data to the following categories of recipients:

  1. Suppliers and collaborators with whom CPH cooperates and who assist our company (understood as service providers, technical support, deliveries).
  2. In connection with ordering, purchase, sale or assignments at CPH Now.
  3. (Your employer, if necessary.

4.5 Erasure

General information will be deleted 5 years after you have submitted your ID card.

5. Newsletters, competitions and surveys
 

As a user of CPH you can subscribe to our newsletters and participate in our competitions and surveys.

5.1 The personal data processed is the following:

  • Name, address, e-mail address and telephone no.
  • Any information you provide that is necessary for CPH to administrate competitions or send newsletter
  • Survey replies

5.2 Purpose

The purpose of processing data is for CPH to send newsletters, administrate competitions and receive replies on surveys.

5.3 Basis of processing

Data are solely used subject to your consent in accordance with Article 6(1)(a) of the GDPR. Naturally you have the right to withdraw your consent at any time.

5.4 Recipients

Relevant information can, when necessary in connection with competitions, be disclosed to business partners such as shops, restaurants, airlines etc.

5.5 Erasure

Information processed in connection with newsletters will be processed until you may unsubscribe.
Information processed in connection with competitions, are processed until the winner(s) is/are found and will be deleted hereafter, unless special conditions for the specific competition apply.
Information processed in connection with surveys, will be deleted or anonymized no later than 1 year after collection.

6. Training of shop employees (CPH Academy)
 

In connection with the issuance of ID cards for shop employees, CPH conducts teaching at CPH Retail Academy.

6.1 The personal data processed is the following:

  1. Courses and training
  2. Date of update

6.2 Purpose

The purpose is to train shop employees and to register employees who have completed courses at CPH Retail Academy and follow up on them.

6.3 Basis of processing

Interest-weighting rule (Article 6 (1)(f) of the GDPR)

CPH can process information about ID cardholders in connection with the CPH Retail Academy.
The purpose of the pursuit is:

  • Training and education of employees.

6.4 Recipients

CPH may transfer relevant personal data to the following categories of recipients:

  1. Suppliers and collaborators with whom CPH cooperates and who assist our company (understood as service providers, technical support, deliveries)
  2. Your employer, if necessary

6.5 Erasure

Information will be deleted 5 years after you have submitted your ID card.

7. CPH Web Trak (environmental inquiries)
 

CPH regularly handles different types of environmental inquiries, including especially complaints about noise. In that regard, CPH has published information about arriving and departing planes in Copenhagen Airtport, Kastrup, via an online portal to make it easier to identify the plane, a specific complaint is about. In connection with working on the portal, CPH has supposed that this included processing of personal data. Information about planes can be found on CPH Web Trak.

7.1 The processed personal data are:

  • Plane registration no.*
  • Noise measurements*
  • Information in a flight plan, including altitude and destination*
  • Location data via radar*

7.2 Purpose

The purpose of the processing is to deal with complaints regarding air traffic, including complaints about noise and in this regard to be able to assign the complaint to a specific plane.

7.3 Legal basis

Information processed in connection with complaints about air traffic are processed pursuant to Article 6.1.C of the General Data Protection Regulation, due to Danish aviation regulation and pursuant rules and Article 6.1.E, as processing is necessary for the performance of a task carried out in the public interest. The public interest is to provide information to the public about a public activity, including making it possible to complain about flights. The public interest is also that CPH can answer and manage complaints about air traffic in the Copenhagen Airport, as well as accurately determine which aircraft a specific complaint is about.

7.4 Recipients

To the extent that CPH is required to do so, relevant data may be disclosed to relevant public authorities, including the Transport, Construction and Housing Authority and relevant Municipalities.

7.5 Erasure

Information in CPH Web Trak are available for the public for the previous 2 months. Data processed in connection with environmental inquiries, will be deleted or anonymized no later than 5 years after closure.