In this context, personal data means any information that can be used to identify a person, such as their forenames and last name, private address or other physical address, e-mail address or other contact details, whether concerning a private residence or workplace.
When you visit www.dnm.dk, we do not collect data that can identify you unless you yourself provide such data. If you do provide us with personally identifiable details, we record them securely and process them confidentially.
1. Data responsibility
1.1 We take the protection of your data seriously:
The Museum of National History is a data controller, and we ensure that your personal data is processed in compliance with the law (including the EU General Data Protection Regulation).
1.2 Contact details:
Contact: The Museum of National History
Address: Frederiksborg Slot, 3400 Hillerød, Denmark
CVR: 12935110
1.3 We ensure fair and transparent data processing:
When we ask you to share your personal data with us, we inform you what data we process and for what purpose. You will receive information about this at the time your personal data is collected.
If we collect data about you from another party, such as a supplier, government authority or commercial partner, we notify you within 10 days of obtaining your personal data. We also inform you of the reason for collecting the data, and the legal basis that allows us to obtain your personal data.
2. Processing of personal data
2.1 We use the following types of data about you:
We use data about you to improve our service and ensure the quality of our products and services, as well as when we contact you.
The data we use includes:
- General personal details
- Internet traffic data
- Transaction data
- Unique numbers of network devices
2.2 We collect and store your personal data for specific purposes:
We collect and store your data for specific purposes or other legitimate commercial purposes.
This occurs when we need to:
- Manage your relationship with us
- Process your purchases and supply our services
- Fulfil your requests for products or services
- Improve our products and services
- Customise our communications with and marketing to you
- Customise our commercial partners’ communications with and marketing to you
- Meet legal requirements
2.3 We only process relevant and necessary personal data:
We only process data about you that is relevant and sufficient for the purposes defined above. The purpose determines the type of data about you that is relevant to us. The same applies to the scope of the personal data that we use. For example, we do not use more data than is necessary for the specific purpose. Furthermore, the type of data that it is necessary to collect and store for our commercial operations may be set out in law. The type and scope of the personal data that we process may also be necessary for fulfilling a contract or other legal obligation.
Before we process your personal data, we investigate whether it is possible for us to minimise the amount of data about you. We also consider whether some of the types of data that we process can be used in an anonymised or pseudonymised form. We can do this if it does not adversely affect our obligations or the service we offer you.
We seek to ensure that we only process personal data that is necessary for each of our specific purposes. It is therefore integral to our IT systems that we collect only the amount of data that is needed. It is also automatically ensured that the extent of the processing is not unnecessarily broad, and the retention time is not excessive.
In order to protect you from unauthorised access to your personal data, we also use solutions that automatically ensure that data is only accessible by relevant employees. There is also built-in protection against an unrestricted number of people gaining access to the data.
2.4 We verify and update your personal data:
We verify that the personal data we process about you is not inaccurate or misleading. We also ensure that we update your personal data continuously.
Since our service depends on your data being correct and up-to-date, we request that you notify us of relevant changes in your data. You can use the contact details above to inform us about changes.
In order to ensure the quality of your data, we have adopted internal rules and established procedures for verifying and updating your personal data.
2.5 We obtain your consent before we process your personal data:
We obtain your consent before we process your personal data for the purposes described above, unless we have legal grounds for processing it. We notify you of any such grounds and of our legitimate interest in processing your personal data.
Your consent is voluntary and you can withdraw it at any time by contacting us. Use the contact details above if you would like further information.
If we wish to use your personal data for a purpose other than the original one, we will notify you of this new purpose and ask for your consent before we begin the data processing. If we have other legal grounds for this new processing, we will notify you of this.
If, in respect of our products and services, we need to process data about a child, we will obtain express consent from a parent. We verify, as far as possible, that the consent is provided by a parent who has parental custody of the child.
2.6 We do not share your personal data without your express consent:
Before sharing your personal data with commercial partners and others, e.g. for marketing purposes, we obtain your express consent and inform you about what your data will be used for. You may at any time object to this form of disclosure.
We do not obtain your consent if we are legally obliged to disclose your personal data, for example as an aspect of reporting to an authority.
We obtain your prior express consent before we share your personal data with commercial partners in third countries. If we share your personal data with commercial partners in third countries, we ensure that their level of personal data protection matches the requirements set out in this policy under applicable legislation. Notably, we define requirements for data processing, for data security and for fulfilment of your rights in respect of, for example, objecting to profiling and lodging complaints with the Danish Data Protection Agency.
2.7 Information about setting you up as one of our customers:
We record the data you yourself enter when ordering through our webshop. We do not record your payment card number or CVC code when you pay using a payment card. Only the payment card type and expiry date are recorded. The payment itself takes place through Nets A/S. When you supply the card number, expiry date and CVC code, the data is recorded in Nets’ systems which provide very high security against unauthorised access to confidential data.
For business customers, this applies to the data provided about the enterprise’s contact person.
We store this data in order to administrate and serve you as a customer, or in order to administrate and serve an enterprise as a customer, as well as to comply with applicable legislation.
If you cease to be our customer, data about you will be stored for five years. Data about your payment card is stored for five years from the end of the accounting year in which the transaction took place, even if you ceased being a customer within that period. This is done so as to comply with applicable legislation.
2.8 Data about use of the dnm.dk website:
3.1 Cookies, purpose and relevance:
Cookies cannot contain harmful code such as viruses.
3.2 We obtain your consent:
Before we store cookies on your device, we ask for your consent. Necessary cookies for ensuring functionality and storing settings may however be used without your consent.
If you do not wish to accept cookies, you can block all cookies, delete existing cookies from your hard disk, or receive a warning before a cookie is saved: see http://minecookies.org/cookiehandtering.
4. Data security
4.1 We protect your personal data and have internal rules concerning data security:
We have adopted internal data security rules that contain instructions and measures to protect your personal data from destruction, loss, alteration and unauthorised disclosure, and from unauthorised persons accessing or gaining knowledge of it.
We have established procedures for granting access rights to those employees who process personal data. We monitor their actual accesses through logging and audits. To avoid data losses, we make continuous backups of our datasets. We also protect the confidentiality and authenticity of your data using encryption.
In the event of a security breach that results in you being put at high risk of discrimination, ID theft, financial loss, reputational loss or other significant inconvenience, we will advise you of the security breach as soon as possible.
5. Your rights
5.1 You have a right to access your personal data:
You have a right at all times to be informed of which data about you we process, where it originates and what we use it for. You can also be informed as to how long we store your personal data and who receives data about you insofar as we share data in Denmark and abroad.
On request, we can inform you about the data we process about you. Access may however be restricted out of concern for protection of the confidentiality of third parties, trade secrets, and intellectual property rights.
You can exercise your rights by contacting us. Our contact details are set out above.
5.2 You have a right to have inaccurate personal data corrected or deleted:
If you believe that the personal data about you that we process is inaccurate, you have a right to have it corrected. You must contact us and inform us of the inaccuracies and how they can be corrected.
In certain cases, we will have an obligation to delete your personal data. This applies, for example, if you withdraw your consent. If you believe that your data is no longer necessary for the purpose for which we collected it, you can ask to have it deleted. You can also contact us if you believe that your personal data is being processed in violation of the law or other legal obligations.
When you contact us with a request to have your personal data corrected or deleted, we investigate whether the conditions for this are fulfilled and, if so, make the changes or deletion as rapidly as possible.
5.3 You have a right to object to our processing of your personal data:
You have a right to object to our processing of your personal data. You can also object to our sharing of your data for marketing purposes. You can use the contact details at the top to lodge an objection. If your objection is warranted, we undertake to stop processing your personal data.
You have a right to be sent the personal data you have made available to us and the data we have collected about you from other parties based on your consent. If we process data about you as part of a contract to which you are a party, you can also have your data sent to you.
If you wish to exercise your right to data portability, you will receive your personal data from us in a commonly used format.
5.4 Complaints about data collection and processing:
The Museum of National History is subject to the EU General Data Protection Regulation’s provisions on the processing of personal data. The General Data Protection Regulation is administrated in Denmark by the Danish Data Protection Agency.
If you experience a violation of your privacy through your interaction with the Museum of National History, you can complain to the Danish Data Protection Agency.
5.5 Changes to this personal data policy:
This personal data policy is subject to amendment.
At the top of this personal data policy, you can always see when it was last updated and/or amended. Any significant amendments will be notified by means of a prominent message at dnm.dk.