Personal data policy for au pairs

As the data controller, FOA takes your data protection seriously. We process personal data and have therefore drawn up this personal data policy, which explains how we process your data. We also ensure that your personal data is processed in accordance with the General Data Protection Regulation/the Danish Data Protection Act.

Contact details for FOA:

• FOA Forbundet, Staunings Plads 1–3, 1790 Copenhagen V

If you have any questions about how FOA processes your personal data, you are always welcome to contact FOA’s Data Protection Officer (DPO), who is Birgitte Lundblad.

You can do this as follows:

• By email: dpo@foa.dk
• By telephone: 4697 2393
• By letter: Attn. “Data Protection Officer (DPO)”, FOA Forbundet, Staunings Plads 1–3, 1790 Copenhagen V

FOA endeavours to process the least possible data about you and for the minimum time possible. FOA’s need to process and store data will nevertheless always be assessed in relation to your specific cases and the administration of your membership, where applicable.

We only process data about you that is relevant and adequate for the purposes defined above. The purpose is important in terms of determining which type of data about you is relevant to us. The same applies to the scope of the personal data that we use. We do not, for example, use more information than we need for the specified purpose.

We collect, process and store only the personal data that is necessary in order to fulfil our specified purposes. Legislation may also stipulate which type of personal data we need to collect and store for our processing.

FOA strives to protect personal data in all contexts, using both technical and organisational measures. In this respect, FOA is fully aware that the processing of your personal data may fall under the special category of personal data that is sensitive data and it is therefore important that this is processed accordingly.

If you wish to exercise your rights, please contact FOA’s Data Protection Officer (DPO).

3.1 Access to your data

You have the right to be informed, at any time, about which personal data we process about you, where it originated and what we use it for. You can also receive information about how long we store your personal data and who receives personal data about you, insofar as we disclose data.

3.2 Rectification of your data

If you believe that the personal data we process about you is incorrect or inaccurate, you have the right to have it rectified. You will need to contact FOA’s Data Protection Officer (DPO) and inform us about the inaccuracies and how they can be rectified.

3.3 Erasure of your data

In some cases, we will have an obligation to erase your personal data. This may be the case, for example, if you choose to withdraw your consent or unsubscribe. You can also request that your personal data be erased if you believe that it is no longer necessary for the purpose for which we obtained it. You can also contact FOA’s Data Protection Officer (DPO) if you believe that your personal data is being processed in violation of legislation or other legal obligations.

When you contact us with a request to rectify or erase your personal data, we will check whether the conditions are met and, if they are, we will implement changes or erasure as soon as possible.

We will only store your personal data for as long as we have a purpose for doing so. As a basic principle, you have the right to have your personal data erased, but there may be cases where FOA has the right to store your personal data, because of legal requirements, for example.

The right to have your personal data erased is intended to protect your right to privacy. The assessment of the storage of your personal data will include whether such storage involves a real risk of infringing on your right to the protection of your privacy.

The more sensitive the personal data – individually or in combination with general information – the more overriding is your interest in having the personal data erased. In some cases, legislation may require us to store personal data for a longer period, because of logging, bookkeeping or auditing requirements, for example.

3.4 Objection and restriction

You have the right to object to our processing of your personal data. If your objection is justified, we will ensure that we stop processing your personal data.
You have the right for the processing of your personal data to be restricted, in certain cases. If you have the right to have your processing restricted, we will in future only be able to process the data – with the exception of storage – with your consent or for the establishment, exercise or defence of legal claims, or for the protection of a person or important public interests.

3.5 Transfer of your data

In certain cases, you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to transfer this personal data from one controller to another without hindrance; this is known as data portability.

4.1 You as a data subject

Data about you is collected and recorded for the administration of your membership, including any member benefits.

4.2 Data and purposes

Necessary and relevant data is collected for the administration of your membership.
The data processed includes both non-sensitive data covered by Article 6 of the General Data Protection Regulation and by Section 6 of the Danish Data Protection Act (e.g. name and address, telephone number, email address, courses), as well as CPR numbers regulated by Section 11 of the Danish Data Protection Act, and sensitive data covered by Article 9 of the General Data Protection Regulation and by Sections 7 and 8 of the Danish Data Protection Act – including, in particular, data concerning trade union membership.

This also applies to processing within finance and accounts in relation to subscriptions/travel expenses, etc.
In the vast majority of cases, the data is collected from you by email or via the website. In individual cases, the files are received by post.

4.3 Exchange of data

During the membership period, data may be exchanged between FOA and its departments, and potentially with the unemployment insurance fund, public authorities, employers, audit firm and the Danish Trade Union Confederation (FH) and FH’s partners, including Plus and FIU.
If you have given consent, FOA also works with PenSam Bank, PenSam Forsikring, PenSam Pension, Folkeferie.dk and Forbrugsforeningen.

4.4 Collection of the personal data of non-members

FOA also processes data about non-members if there is an objective purpose for this. This may be, for example, in a situation where we provide advice or represent a person’s interests in a case. Examples include information about previous employees (au pairs, domestic staff) who have had the same employer (host family). FOA stores data about the person in question for as long as there is an objective purpose for this.

The person concerned shall be notified of this by FOA, if possible at the time the data is received.

When we provide you with advice and assistance, we collect personal data about you. In many instances, data is also collected about and from third parties that are linked to your case. Third parties may be witnesses in the form of friends, previous au pairs, and other parties such as immigration authorities, doctors, police, etc.

5.1 Data and purposes

Necessary and relevant data is collected for use in providing you with assistance and advice in the particular case.
The data processed includes both non-sensitive data covered by Article 6 of the General Data Protection Regulation and by Section 6 of the Danish Data Protection Act, as well as CPR numbers regulated by Section 11 of the Danish Data Protection Act, and sensitive data covered by Article 9 of the General Data Protection Regulation (such as health data relating to a particular case) and by Sections 7 and 8 of the Danish Data Protection Act.

Data about other parties connected with your case may also include both general data and data that falls under the special category regulated by Article 9 of the General Data Protection Regulation and Sections 7 and 8 of the Danish Data Protection Act.

The scope and nature of data about third parties will depend entirely on their role in the case. For example, data about representatives, case officers, doctors and consultants, etc., will largely only include their name and job title, as their involvement in the case is generally connected solely with their function and not with any other relationship.

In the vast majority of cases, the data is collected by email from you or from your host family. In individual cases, the files are received by post.
When the case is in progress, data is also collected from external parties, such as via secure mail from the immigration authorities.

5.2 Exchange of data

During the processing of your case, data is exchanged with all parties involved. These may include employers, work injury authorities and other government authorities, insurance companies, external lawyers and any witnesses. This also includes FOA’s partners in the Au Pair Network, i.e. KIT – Churches’ Integration Ministry and Caritas.

When you register, we will record and process your data on the basis of your consent. If you consent, we will also send you member information and offers.
Access to the processing of data – including collecting, recording and disclosing data – may also be assessed in accordance with Articles 6 (1) and 9 (2) of the General Data Protection Regulation, as well as under Sections 7 and 8 of the Danish Data Protection Act.

These provisions include the legal basis for processing general data where this is necessary for the performance of a contract to which the data subject is party (Article 6 (1) (b)), or for pursuing a legitimate interest which overrides the interests of the data subject (Article 6 (1) (f)).

The provisions also provide the legal basis for processing sensitive data where this is necessary in order to comply with, among other things, employment law obligations and specific rights (Article 9 (2) (b)), or where the processing is carried out by an association and as part of the legitimate activities of the association (Article 9 (2) (d)), or for the establishment, exercise or defence of legal claims (Article 9 (2) (f)).

In accordance with the law on supplementary provisions to the General Data Protection Regulation (Danish Data Protection Act), data concerning criminal offences may be processed on the basis of Article 9 of the General Data Protection Regulation and also where the controller has a vital interest which clearly overrides the data subject’s interest in not processing the data.

FOA considers that, within the framework of these provisions, there is a legal basis for processing the data necessary for the purpose of assisting in the specific cases and in connection with your membership.

Through your membership, we obtain your consent where necessary, for marketing purposes, for example.

Your consent is voluntary and you can withdraw it at any time by contacting us.

FOA has implemented a number of technical and organisational security measures to protect your personal data from misuse. Specifically, measures have been taken to protect against accidental or unlawful destruction, the loss or impairment of your data, or your data becoming known to unauthorised persons, or misused or otherwise processed in contravention of data protection legislation.

We protect data using advanced firewalls and anti-virus systems, and encryption is used for communication with external parties. To manage access to the self-service function on our website www.foa.dk, we use the latest version of MitID, which provides the highest level of security in terms of preventing access to your personal data by unauthorised persons.

We have also implemented access management in all our systems, so that only employees with a work-related need have access to personal data. We continuously provide training to our employees, and we have developed and implemented a wide range of policies and procedures to ensure that the processing of personal data takes place in accordance with the principles of personal data law.
The security measures are continuously reviewed and revised in line with technological developments. In addition, all FOA employees are bound by a duty of non-disclosure, so you can be sure that your data will be processed confidentially.

If you are unhappy about the processing of your data by FOA, you can submit a complaint to FOA’s DPO, Birgitte Lundblad.

You can do this as follows:

• By email: dpo@foa.dk
• By telephone: 4697 2393
• By letter: Attn. “Data Protection Officer (DPO)”, FOA Forbundet, Staunings Plads 1–3, 1790 Copenhagen V

You can also submit a complaint to the Danish Data Protection Agency at www.datatilsynet.dk or by writing to Datatilsynet, Borgergade 28, 5. sal., 1300 Copenhagen K.