# GDPR & Data Policy

The General Data Protection Regulation (GDPR) is the European Union's data protection law, and it applies directly to AIESEC in Denmark. Every LC, the MC, and every individual member who handles personal data must comply with GDPR. Violations can result in significant fines, reputational damage, and legal liability. This page explains what GDPR means for AIESEC in Denmark and how to stay compliant.

{% hint style="danger" %}
GDPR is law, not a guideline. Non-compliance can result in fines of up to 20 million EUR or 4% of annual turnover (whichever is higher) from the Danish Data Protection Agency (Datatilsynet). While AIESEC in Denmark is unlikely to face maximum penalties, any breach damages trust and reputation. Take data protection seriously.
{% endhint %}

{% hint style="info" %}
AIESEC in Denmark's data policy documents, consent forms, and data processing records are stored in the shared Google Drive under **`06 — Governance/GDPR & Data Policy/`**.
{% endhint %}

## What Is GDPR?

GDPR regulates how organisations collect, store, use, and share personal data of individuals within the EU. "Personal data" means any information that can identify a person — directly or indirectly.

### Examples of Personal Data in AIESEC

| Data Type               | Examples                                                                                         |
| ----------------------- | ------------------------------------------------------------------------------------------------ |
| **Identity data**       | Full name, date of birth, nationality, passport number                                           |
| **Contact data**        | Email address, phone number, home address                                                        |
| **Digital identifiers** | IP address, cookies, EXPA user ID                                                                |
| **Financial data**      | Bank account details, payment records, invoices                                                  |
| **Sensitive data**      | Health information, dietary requirements (for events), religious affiliation, sexual orientation |
| **Communication data**  | Emails, Slack messages, application forms, feedback surveys                                      |
| **Image and media**     | Photos, videos (especially when identifiable individuals are shown)                              |

{% hint style="warning" %}
Sensitive personal data (also called "special category data") — such as health information, political opinions, or ethnic origin — has stricter rules under GDPR. Only collect it when absolutely necessary and with explicit consent.
{% endhint %}

## GDPR Principles

GDPR is built on seven principles that govern all data processing:

| Principle                                  | What It Means for AIESEC                                                                                                       |
| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------ |
| **Lawfulness, fairness, and transparency** | You must have a legal basis for processing data (usually consent), and you must tell people what you are doing with their data. |
| **Purpose limitation**                     | Collect data only for a specific, stated purpose. Do not use recruitment data for marketing unless you said you would.         |
| **Data minimisation**                      | Only collect the data you actually need. Do not ask for passport numbers if you do not need them yet.                          |
| **Accuracy**                               | Keep data up to date. Delete or correct inaccurate data.                                                                       |
| **Storage limitation**                     | Do not keep data longer than necessary. Once a member leaves and there is no reason to retain their data, delete it.           |
| **Integrity and confidentiality**          | Protect data from unauthorised access, loss, or damage. Use strong passwords, limit access, encrypt where possible.            |
| **Accountability**                         | You must be able to demonstrate compliance — not just be compliant, but prove it.                                              |

## What Data AIESEC in Denmark Collects

AIESEC in Denmark collects personal data in several contexts:

### Member Data

* Name, email, phone number, university, study programme
* EXPA account information
* Role and function within AIESEC
* Attendance records, survey responses, feedback
* Photos and videos from events and conferences

### Exchange Participant Data

* Full legal name, date of birth, nationality, passport details
* Contact information (email, phone, emergency contacts)
* Health information (allergies, medical conditions — for safety purposes)
* Exchange programme details (project, dates, partner organisation)
* Insurance information
* Payment records

### Partner and External Contact Data

* Contact person name, email, phone number, organisation
* Partnership agreement details
* Communication history

### Recruitment and Applicant Data

* Name, email, phone number, university
* Application form responses
* Interview notes and assessment scores

## Data Retention

AIESEC in Denmark must not keep personal data longer than necessary. The following are recommended retention periods:

| Data Category                             | Retention Period                 | Rationale                                |
| ----------------------------------------- | -------------------------------- | ---------------------------------------- |
| Active member data                        | Duration of membership + 1 year  | Operational need + transition buffer     |
| Exchange participant data                 | Duration of exchange + 3 years   | Legal and insurance claim periods        |
| Financial records                         | 5 years after the financial year | Danish bookkeeping law (Bogføringsloven) |
| Recruitment applicant data (not accepted) | 6 months after decision          | Allow for re-application in next cycle   |
| Event photos and videos                   | Indefinite (with consent)        | Archival and brand use                   |
| Survey responses (anonymised)             | Indefinite                       | No personal data once anonymised         |

{% hint style="warning" %}
These are recommended guidelines. The MC VP F\&L and the Data Protection Officer (DPO) should confirm the official retention schedule. When in doubt, delete data you no longer need.
{% endhint %}

## Member Rights Under GDPR

Every person whose data AIESEC holds has rights under GDPR. You must be able to fulfil these rights:

| Right                                                    | What It Means                                          | How to Respond                                                                                     |
| -------------------------------------------------------- | ------------------------------------------------------ | -------------------------------------------------------------------------------------------------- |
| **Right of access**                                      | "What data do you have about me?"                      | Provide a copy of all personal data you hold about them, free of charge, within 30 days            |
| **Right to rectification**                               | "My data is wrong — please correct it"                 | Update the data promptly                                                                           |
| **Right to erasure ("right to be forgotten")**           | "Delete my data"                                       | Delete all personal data unless you have a legal obligation to retain it (e.g., financial records) |
| **Right to restrict processing**                         | "Stop using my data for this purpose"                  | Stop the specific processing while keeping the data stored                                         |
| **Right to data portability**                            | "Give me my data in a machine-readable format"         | Provide data in a common format (e.g., CSV, JSON)                                                  |
| **Right to object**                                      | "I do not want my data used for marketing"             | Stop the processing immediately for marketing purposes                                             |
| **Right not to be subject to automated decision-making** | "Do not make decisions about me using only algorithms" | Ensure a human is involved in significant decisions                                                |

### How to Handle a Data Subject Request

1. **Verify identity.** Confirm that the person requesting is who they say they are.
2. **Log the request.** Record the date, the request, and the person's identity.
3. **Respond within 30 days.** This is a legal requirement. If you need more time (complex requests), you may extend by 60 days — but you must inform the person within the first 30 days.
4. **Escalate if needed.** If you are unsure how to handle a request, escalate to the MC VP F\&L or the DPO.

## Data Protection Officer (DPO)

Depending on AIESEC in Denmark's legal structure and data processing activities, a Data Protection Officer (DPO) may be required or voluntarily appointed. The DPO is responsible for:

* Advising the MC and LCs on GDPR compliance
* Monitoring compliance with data protection policies
* Serving as the contact point for the Danish Data Protection Agency (Datatilsynet)
* Handling data subject requests and data breach notifications

{% hint style="warning" %}
The current DPO contact should be confirmed with the MC at the start of each term. If AIESEC in Denmark does not have a designated DPO, the MC VP F\&L typically handles data protection matters.
{% endhint %}

## Data Breach Response

A data breach is any incident where personal data is accidentally or unlawfully accessed, disclosed, altered, or destroyed. Examples:

* A laptop with member data is stolen
* A spreadsheet with participant passport numbers is accidentally shared publicly
* An email with personal information is sent to the wrong recipient
* An EXPA account is compromised

### What to Do If a Breach Occurs

1. **Contain it.** Stop the breach if possible (revoke access, change passwords, delete the exposed data).
2. **Assess the risk.** What data was exposed? How many people are affected? What is the potential harm?
3. **Report internally.** Notify the MC VP F\&L and the DPO immediately.
4. **Notify the authorities.** If the breach is likely to result in a risk to individuals, AIESEC in Denmark must notify the Danish Data Protection Agency (Datatilsynet) within 72 hours.
5. **Notify affected individuals.** If the breach is likely to result in a high risk to individuals, notify them directly.
6. **Document everything.** Record what happened, what data was affected, what actions were taken, and what changes will be made to prevent recurrence.

{% hint style="danger" %}
The 72-hour notification window for the Datatilsynet is a legal requirement. Do not delay reporting while you "figure things out." Report what you know, when you know it, and update as more information becomes available.
{% endhint %}

## Practical GDPR Tips for AIESEC Members

1. **Do not share spreadsheets with personal data openly.** Use access controls. Share with specific people, not "anyone with the link."
2. **Use AIESEC accounts for AIESEC data.** Do not store member or participant data on personal accounts.
3. **Delete data you do not need.** If you have an old spreadsheet with applicant data from two years ago, delete it.
4. **Get consent for photos.** Before posting photos of members or participants on social media, ensure you have their consent.
5. **Use BCC for mass emails.** Never expose members' email addresses to each other in a mass email.
6. **Lock your devices.** Use passwords, screen locks, and encryption on any device that contains AIESEC data.
7. **Think before you share.** Before sending personal data — by email, Slack, or any other channel — ask: does the recipient need this data, and is this channel secure enough?

## Official Documents

### Key Training Materials

The following documents provide essential GDPR training for AIESEC members:

{% embed url="https://drive.google.com/file/d/1i5Xn67__ihUrEzMR207OS-57ezESQczX/view" %}
READ ME (GDPR 101).xlsx
{% endembed %}

{% embed url="https://drive.google.com/file/d/1o384-21UBtRdJJIx-oqPFYvnO5tWJ6Pn/preview" %}
T1 - Basics _ Members.pdf
{% endembed %}

{% embed url="https://drive.google.com/file/d/1woWAa6T-lb5EZypU-j-casosTmD8Ju1Q/preview" %}
GDPR Denmark.pdf
{% endembed %}

For the complete GDPR documentation collection -- including all training materials (T1-T5), policies and procedures (P1-P3), business processes (B1-B5), security measures (S1-S8), consent forms, privacy notices, legal documents, data breach procedures, and partner agreements -- see the full Google Drive folder:

* **GDPR & Data Policy folder:** `06 — Governance/GDPR & Data Policy/`

## Resources

* Danish Data Protection Agency (Datatilsynet) — <https://www.datatilsynet.dk>
* GDPR full text — <https://gdpr-info.eu>

*Last updated: April 2026 · Maintained by: MC VP Finance and Legalities*
