Privacy Policy – CPH ID card

Latest update: 23 May 2018

In this Privacy Policy we describe how Copenhagen Airports A/S (CPH) processes your personal data, when you apply for and use a CPH ID Card, use the CPH Now service platform, or other services which refer to the Policy. The Policy also applies to the processing of personal data, as part of your access to and traffic on CPHs areas. The Policy supplements, but does not substitute, any other policies or terms and conditions laid down with respect to the use of individual services provided by CPH.

The Policy applies for Copenhagen Airport, Kastrup and Roskilde Airport.

You will find a separate Privacy Police that applies to the use of the airport and our services as a passenger here: CPH.dk/privacy

It is essential to CPH that you feel secure about our processing of the personal data that we obtain about you when you are at the airport, use your CPH ID card, sign up for or use one of our services, among other things.

1. Data controller

Your personal data are processed by Copenhagen Airports A/S, Box 74, Lufthavnsboulevarden 6, DK-2770 Kastrup, Denmark as data controller.

2. Data protection officer

CPH has appointed a Data Protection Officer (DPO), and you are welcome to contact our DPO with any questions or other queries you may have about our processing of personal data. You can contact our DPO at privacy@cph.dk.

3. Categories of personal data

CPH may process the following personal data about you:

  1. General personal data:
    • Basic information: ID card data, including name, adress, e-mail, telephone no., CPR no., place of birth, gender, employer, title, work assignments, nationality, ID card no., expiry date, picture etc.
    • ID card: 1) Approval from the Police to issue an ID card, 2) ID card access rights and log information, 3) courses and permits, 4) username and password, 5) information regarding purchases and delivery of goods and services and error reportings via CPH Now.
    • CCTV: CCTV footage of CPH’s areas, due to Security, Safety and operational reasons.
    • Reports: Personal data can be collected in connections to registration of Security, incident and Safety reports.
    • Sanctions: Information about sanction issued due to the Sanctioning of offences (Local Regulations, Appendix 16).
  2. Sensitive personal data:
    • Health information: CPH process to the extent necessary information on health conditions, including particular information about accidents and incidents that may involve information about any use and abuse of alcohol or drugs.
  3. Criminal offences: Information on criminal offences may occur in connection with any reports from the CPH whistle blower scheme or in connection with the handling of incidents in CPH that violate the rules set by CPH or by the authorities.

4. Mandatory information

Information listed above is mandatory. If you do not disclose such information, the consequence is that CPH will not be able to issue an ID card to you.
Information provided by you or your employer in connection with your application for an ID card, will be disclosed to and evaluated by the Police in order for approval.

5. Data collected from other sources

When we collect data from other sources than yourself, such source(s) may be:

  1. Your employer
  2. Authorities, includes the Police

6. Purposes

CPH process your personal data for a number of purposes. Mainly the information is used to administrate your ID card and your use hereof. More specifically your information is used for the following purposes:

  1. To comply with the regulatory requirements currently in force (including the Danish Air Navigation Act, Regulation (EC) No. 300/2008, etc.) which imposes on CPH control of access and traffic on CPH’s area,
  2. To provide you with the services that you or your employer are requesting, including handing orders and error messages,
  3. To inform you about practical matters related to your work-related presence in CPH, including targeted business information and CPH news via electronic mail, push-messages (in CPH Now app),
  4. Newsletters with offers and other marketing, if you have subscribed hereto,
  5. To improve the operation in CPH, including by keeping statistics on the physical traffic in CPH,
  6. Maintenance of records regarding necessary training and courses,
  7. Register violations of Local Regulations, Appendix 16,
  8. To document Security and Safety related events,
  9. Investigation of possible criminal offenses in connection with reports from CPH's whistleblower hotline, and
  10. To train shop employees, including to register employees who have completed courses at CPH Retail Academy and follow up on them.

7. Basis of processing

CPH processes data about you as described above under item a based on the following treatment basis:
General personal data:

  • Consent (Article 6(1)(a) of the EU General Data Protection Regulation (GDPR))
    • If you have given your consent to a processing, e.g. in connection with newsletters, CPH will process relevant information.
  • Observe a legal obligation (Article 6(1)(c) of the GDPR)
    • According to the Danish Air Navigation Act, CPH is required, as mentioned above, to register a number of information when you receive an ID card.
    • Reporting to authorities, including the Traffic, Building and Housing Agency, etc.
  • Interest-weighting rule (Article 6 (1)(f) of the GDPR)
    • CPH can process information about ID cardholders in connection with orders of services, goods or services from CPH or in connection with the CPH Retail Academy.
      • The purpose of the pursuit is:
        • Compliance with CPH's agreements with CPH collaborators
        • Training and education of employees


CPH processes data about you as described above under item b based on the following treatment basis:
Sensitive personal data

  • Treatment is necessary for essential social interests based on EU law or the national law of the Member States, including the Danish aviation rules to which CPH is subject (Article 9 (2)(g) of the GDPR)

CPH processes data about you as described above under item c based on the following treatment basis:
Criminal offences

  • The processing takes place for the protection of important private interests, cf. the Danish Data Protection Act section 8 (3), cf. Article 10 of the GDPR.

8. Transfer of your personal data

CPH may disclose relevant information to the following categories of recipients:

  1. Suppliers and collaborators with whom CPH cooperates and who assist our company (understood as service providers, technical support, deliveries)
  2. Public authorities to the extent necessary; including the police for the processing of your application
  3. If it follows from a court order or if required or authorized by applicable law
  4. In connection with ordering, purchase, sale or assignments at CPH Now
  5. Your employer, if necessary for operational or Safety/Security considerations

9. Transfer to third countries (outside EU/EEA)

CPH do not transfer your personal data to countries outside EU/EEA, under this Policy.

10. Erasure

General information will be deleted 5 years after you have submitted your ID card.
Information contained in recorded reports is deleted after 5 years at the latest.
Information on sanctions according to local regulations, Appendix 16 is deleted in accordance herewith.

11. Your rights

You have the following rights:

  • You are entitled to request access to, rectification or erasure of any personal data about you that CPH processes.
  • You also have the right to object to the processing of your personal data and to have the processing of your personal data restricted.
  • If the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of your consent will not affect the lawfulness of processing of data before your withdrawal.
  • You have the right to receive the personal data you have provided in a structured, commonly used, machine-readable format (data portability).
  • If you are not happy with the way we process your personal data, you have the right to file a complaint with the Danish Data Protection Agency.

You can make use of these rights by contacting privacy@cph.dk.
These rights may be subject to conditions or restrictions. Accordingly, you may not have the right to data portability in a given case – it depends on the specific circumstances of the processing activities.
In relation to CCTV footage within CPH’s area, your rights following GDPR Chapter III are restricted, by Article 23(1), litra c. and d. of the GDPR. Therefore you do not have the right the access to CCTV footage, due to public security reasons and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

12. Privacy Policy updates

We will make changes to this Privacy Policy as required. You can see this by checking the date at the bottom of the page. In case of significant changes to the Privacy Policy we will inform you directly about the changes and the consequences hereof.