Privacy Policy – The QATO Foundation

In the QATO Foundation (”The QATO Foundation”, ”us”, ”we” or ”our”) we give high priority to data security and confidentiality. In this Privacy Policy you can learn more about, how the QATO Foundation processes your personal information, when you visit our website or interact with us in other ways.

1. Data controller and contact information

QATO Fonden
Koldingvej 2
7190 Billund
Denmark
CVR-nr.: 34643326

If you have questions about the way we process your personal information, please feel free to contact us, phone: [+45] 2835 4455 and e-mail: info@qatofonden.dk

2. Purpose, basis for processing, and types of personal information

Below we have described the purpose of our processing of your personal data, when you interact with the QATO Foundation.

a. Applications
If you apply for a grant, you must apply through our application portal. You will find the link on our website. Subsequently, we will process your personal information to respond to your application and evaluate whether we can meet your application.
Typically, we process the following personal information about you: name, address, e-mail, phone number, and perhaps company name.

In connection with applications to the foundation and our evaluation as to whether we wish to enter into an agreement with you about a grant, we use the GDPR, Art. 6 (1) (b), as our legal basis.

When required by law to process your personal information, we will process under the authority of the GDPR, Art. 6(1)(c) (legal obligations). This can be in connection with e.g., tax or bookkeeping.

We gather the personal information from you directly and only keep them for as long as it is necessary to comply with the above purpose.

If you wish to apply for a grant with the QATO Foundation, we urge you to only state the personal information relevant for the application and not to state sensitive information or information about criminal offences. If you give information about other people, you must not state the names and contact information of these people, unless necessary and agreed upon with the people concerned.

Information stated in connection with the application will be processed by the administration and the board of directors of the QATO Foundation.

Equally, if you apply as a private person, the QATO Foundation will process confidential information about you in the form of your CPR number. This is done to make the QATO Foundation able to report a possible grant to SKAT (the Danish tax
authorities) according to the GDPR, art. 6 (1) (c), and the Danish Data Protection Act, § 11, paragraph 2, number 1.

For the subsequent administration, in case you receive a grant from the QATO Foundation, it will be in our lawful interest to be able to manage the grant or other funding (The GDPR, art. 6 (1) (f)) in accordance with our legal obligations (The GDPR art. 6 (1) (c)) and according to our agreement with you concerning a grant (The GDPR art. 6 (1) (b)).

b. Other enquiries

If you contact us with other enquiries through our website, e-mail etc. we will process your personal information to be able to communicate with you. We apply the rule on legitimate interest in the GDPR, art. 6 (1) (f) as basis for the processing, as this is necessary to be able to reply to your application and communicate with you.

We gather personal information directly from you and only keep the data as long as necessary to comply with the above purpose. Concerning GDPR applications, the information can be kept up to 5 years from the finalization, as this is the retention period according to the Danish Data Protection Act.

c. Use of website
When you visit our website, we use cookies to gather personal information about your activity on our website. You can read more about this and get a link to the Privacy Policies of the third parties in the cookie overview, which can be found
through our Cookie Policy.

We process your personal information in connection with your use of our website as described above, and which is described further in our cookie overview, which ca be accessed through our Cookie Policy based on the GDPR, art. 6 (1) (a) (consent). We can also use the GDPR art. 6 (1) (f) (the rule on legitimate interest) concerning cookies, which are necessary for the functionality of the website. Our lawful interest is to be able to operate the website and ensure the best possible experience for you.

You can read more about the use of cookies in our Cookie Policy.

You can withdraw or change your consent by rejecting cookies in the cookie overview (at the bottom of the cookie overview) or by blocking and deleting cookies in the browser settings.

d. Suppliers
In connection with the contract, contractual discussions, ad-hoc services, or discussions about this, we can process personal information. Typically, we process name, position, e-mail, correspondence, phone number, authority information, and the information from your auto signature.

The purpose of the processing is to manage our contracts with our suppliers, buy goods, research new supplier relationships, and maintain control of potential and future business partners.

We use the GDPR, art. 6 (1) (f) (the rule on legitimate interest) a basis for our processing of your personal information, as it is necessary to register this personal information to be able to contact our existing and future suppliers. We also use the GDPR, art. 6 (1) (b) as basis for our processing of your personal information in connection with new contracts or management of existing contracts.

Generally, we process the information stated by you or your colleagues in the legal entity, which you represent or where you are employed.

When no longer relevant for the purpose stated, personal information will be deleted. This could for example be the case when negotiations do not lead to a contract, 72 months after termination of a contract, or by expiry of a period of
limitation.

3. Recipients

We can share your personal information with independent data controllers, if we are obliged to do so, or if it is necessary to comply with the relevant purpose. The categories of recipients are:

  • Tax authorities
    • Based on the chosen purpose (previously stated in the system) a tax reporting code will be generated, which will be used for reporting to the tax authorities. The chosen purpose will therefore create a predefined tax reporting code. If you think this is wrong, please contact the QATO Foundation. The reporting is in accordance with existing legislation and is necessary to observe an agreement about grants to a project.
  • Auditors
  • Advisers
  • Banks
  • Other public authorities

We can also transfer your personal information to our data processors. Such transfers are governed by a data processing agreement, and the data processor must not use your information for other purposes than the processing on behalf of us. The categories of data processors are:

  • IT-suppliers
  • Consultants
  • The University of Copenhagen
  • Safety providers
  • Other suppliers of services to the QATO Foundation
  • We use NemID/MitID to validate the applicants, either via private or business NemID/MitID. In this connection we receive CPR numbers from private applicants.
4. Processing of personal information outside EU/EØS

The QATO Foundation transfers, keeps, and processes your personal information (including personal information and content) both in and outside Denmark. Wherever in the world your personal information is transferred to, is stored, or processed by us or one of our suppliers on our behalf, we will take reasonable measures to protect your personal information.

In general, we keep data within EU/EØS. Your personal information can, however, be transferred to or accessed by countries outside EU/EØS. If your personal information is transferred to countries outside EU/EØS, the transfer will take place on the following legal basis:

a. Binding Corporate Rules
b. The country is approved by the EU Commission to have a sufficient level of protection, or the recipient is certified under e.g., EU-U.S. Data Privacy Framework
c. If the country is not approved by the EU commission to have a sufficient level of protection, we will ensure the transfer in the following way:

    • By using the standard contractual clauses of the EU Commission
    • By requesting your consent to the transfer
5. Storing of personal information

We keep your personal information as long as necessary to comply with the above purpose.

Applications from private persons:

  • Applications, which are not granted, will be deleted 18 months after rejection.
  • Applications, which are created in the system but not sent, will be deleted after 6
    months.
  • Applications, which lead to grants, will be stored for 10 years after the last payment or finalization of the project. Afterwards they will be made anonymous and stored for archive purposes.
  • We might from time-to-time process and store information for a longer period, if we are legally obliged to store the information.

Applicants with CVR number:

  • Applications, which are not granted, will be made anonymous after 36 months for the sake of evaluation of applications from the same entity.
  • Applications, which lead to a grant, will be stored 10 years from the last payment, after which the information will be transferred to the historical archive of the Foundation for archive purposes.
  • We might from time-to-time process and store information for a longer period, if we are legally obliged to store the information.
6. Withdrawal of consent

You can withdraw any consent given to us at any time. Your consent can be withdrawn by contacting us through the contact information in section 1. If you withdraw your consent, it will not be effective until this point. It will therefore not affect the legality of our processing of information up to the point of time for your withdrawal of consent.

7. Your rights

According to the legislation in the GDPR and the Danish Data Protection Act you have a number of rights.

  • You are entitled to insight into and correction or deletion of the information we process about you.
  • You have the right to object to the processing of your personal information and in some cases to limit the processing of your personal information.
  • You have the unconditional right to object to the processing of your personal information for marketing purposes.
  • You have the right to receive your personal information in a structured, commonly used, and machine-readable format (data portability).

Please note that there might be conditions or limitations in these rights. Therefore, you are not always guaranteed the right to data portability – it depends on the specific circumstances in connection with the processing activity.

You can exercise your rights by contacting us via e-mail: info@qatofonden.dk or the contact information above in section 1. If you contact us via info@qatofonden.dk, it will be necessary to verify your identity for security reasons.

8. Changes to this Privacy Policy

This Privacy Policy will be updated continuously to ensure that you get as precise information as possible and to ensure our compliance with existing legislation. The version of this Privacy Policy in force at any time can be found through this link: Privatlivspolitik.

9. Links to other websites

Our website can contain links to other websites or to integrated sites. We are not responsible for the content on other companies’ websites or the procedures for gathering personal information of such companies. When you visit other websites, you should read their Privacy Policies and other relevant policies.

10. Questions and complaints

If you have questions about the Privacy Policy or wish to complain about our processing of your personal information, please contact us via the contact information in section 1.

You can also complain to:
Datatilsynet
Carl Jacobsens Vej 35
DK-2500 Valby
T: +45 33 19 32 00
E: dt@datatilsynet.dk