Skip main menu

Privacy Policy

1. NFA is data controller - Contact information

The National Research Centre for the Working Environment (NFA) is the data controller for the processing of any personal data we receive about you.

If you have questions about how NFA handles your personal data, you are welcome to contact us:

National Research Centre for the Working Environment
Lersø Parkallé 105
2100 Copenhagen Ø
Phone: +45 39 16 52 00
Email: nfa@nfa.dk

You may also seek advice from the joint Data Protection Officer (DPO) of the Ministry of Employment. The DPO can be contacted at dpo@bm.dk or by phone at +45 72 20 50 00 (ask for the DPO).
Alternatively, you can write to:

Ministry of Employment
Holmens Kanal 20
1060 Copenhagen K
Attn.: "The Data Protection Officer"

2. Purposes for the Processing of your Personal Data

NFA is an independent sector research institution under the Ministry of Employment and is primarily tasked with conducting research on the working environment and disseminating knowledge in this area.

NFA processes and registers data about individuals who interact with the institution, including employees, job applicants, guest researchers, participants in research projects, conference or seminar attendees, visitors to our website, social media visitors, or similar.

This may include personal data such as name, email address, CPR number, and in research projects, various other personal data. Both general personal data, sensitive personal data, and confidential data may be collected.

NFA ensures that only the data necessary to fulfil the specific processing purpose are collected and processed.

Below you can read more about the different processing purposes and their legal basis.

2.1. If You Have Been in Contact with NFA

If you have contacted NFA, we will process personal data about you.

Electronic or Physical Correspondence
If you have contacted NFA via email or physical mail, we will process the data contained in your message. As a public authority, NFA is obligated to record correspondence in our case handling system, as required by the Danish Public Administration Act and the Access to Public Administration Files Act.

The processing of general personal data is based on GDPR Article 6(1)(e). The processing of sensitive personal data is based on GDPR Articles 9(2)(j) and 89.

Social media
NFA maintains official pages on Facebook and LinkedIn and profiles on X and Instagram. The purpose of these platforms is to communicate and publish our research activities.

When you visit NFA's profiles or pages on social media, the platform places cookies on your device. This means the platform collects information about you, regardless of whether you have an account on that platform.

Most of the data collected is processed by the social media providers themselves (e.g. for targeted content), and NFA does not have access to these. NFA only has access to visitor statistics and activity data, which is used to improve our use of these platforms and optimise our posts.

Newsletter
You can subscribe to NFA’s newsletter at the bottom of our website, nfa.dk.

If you subscribe to the newsletter, we will process general personal data such as your email address and your areas of interest within the field of working environment research. The purpose is to share the latest research in this domain.

The subscription is managed by Peytz’s newsletter system. Peytz stores data in data centres within Europe, including Denmark, Belgium, Ireland, and Germany.

Your data will be stored until you unsubscribe via our website, after which it will be deleted.

The processing is based on GDPR Article 6(1)(e).

2.2. Cookies

When you visit our website, nfa.dk, we process your personal data.

The first time you visit our website, you will encounter a cookie consent form, where you will need to indicate which cookies you wish to accept.

It is not possible to opt out of cookies that are technically necessary for our website to function properly.

NFA collects and processes data such as your cookie preferences, search terms, the search results you click on, your IP address, and your platform (if you accept all cookies), as well as selected settings and form inputs.

The collection via cookies is based on your consent, GDPR article 6(1)(a). The processing of your personal data collected through cookies is based on GDPR article 6(1)(e) for statistical purposes and in accordance with your consent.

You can read more about NFA’s use of cookies here (insert link).

You may change your cookie consent at any time at the bottom of our website or by clicking here.

2.3. If you have visited NFA

Physical Visit/Attendance at an Event at NFA

If you have physically visited NFA, we process your personal data provided through registration forms, reception check-in, and any data collected via video surveillance.

Registration is managed by AskCody, which then transmits the data to NFA. AskCody is an approved provider procured through the State IT service. During check-in, you are asked to provide your name, email, and possibly your company and phone number. Your data is deleted after 31 days.

The purpose of registration is to prevent security breaches, including criminal activity.

If you registered for an NFA event and completed a registration form, your data will be deleted once the event has concluded, unless there is follow-up communication (e.g. distribution of materials or invitations to a follow-up meeting).

The processing is based on GDPR Article 6(1)(e) and Article 9(2)(f).

Video Surveillance and Doorphone at NFA
NFA uses video surveillance in our reception area, along building facades, and at entry points at Lersø Park Allé 105, 2100 Copenhagen Ø. A doorphone with a camera is installed at the main entrance. The purpose is to enhance staff security and prevent criminal activity.

We process your general personal data from the live doorphone feeds and the video surveillance. If your appearance or attire reveals health information or religious beliefs, this is considered sensitive personal data.

Recordings may also contain evidence of criminal activity. In exceptional circumstances, footage may be shared with the police for investigative purposes.

Recordings are stored for 30 days before automatic deletion. In specific cases, retention may exceed 30 days under the Danish TV Surveillance Act §4c(4–5). Live footage from the doorphone is not recorded or stored.

The processing is based on GDPR Article 6(1)(e) and §2d of the Danish TV Surveillance Act. Sensitive data is processed under GDPR Article 9(2)(f), and data on criminal offences under GDPR Article 10 and §8 of the Danish Data Protection Act.

2.4. Participation in a Research Project

If you are participating or have participated in an NFA research project, we will process your personal data. This may include general or sensitive data such as genetic or biometric data, and health information.

The purpose is to support research of significant societal relevance in the field of working environment.

In most cases, NFA processes data in pseudonymised form—e.g., CPR numbers are stored separately and are often inaccessible to researchers.

The processing is based on:

  • GDPR Article 6(1)(e): processing is in the public interest.
  • GDPR Article 9(2)(j) and §10(1) of the Danish Data Protection Act: processing for scientific research of societal importance.
  • GDPR Articles 6(1)(a) and 9(2)(a): where explicit consent has been given.
  • §11(1) of the Danish Data Protection Act: processing CPR numbers for unique identification.

External Partners
To ensure the highest level of research within the field of working environment, NFA collaborates with external partners on many research projects. This may involve partners assisting with analysis, data collection, or similar tasks. In some cases, NFA delegates tasks to a partner acting on its behalf.

If a partner processes data on NFA’s behalf, where NFA determines the purpose and means of processing, the partner acts as a data processor. If all involved parties jointly determine the purpose and means, this constitutes joint data controllership.

In all cases, NFA ensures that data access is only granted lawfully and only to the extent necessary for the defined purpose. NFA ensures that processing is lawful and secure, and that the data is returned, deleted, or anonymised when the cooperation ends. Regular audits are carried out to ensure compliance with the agreements.

Disclosure
NFA may disclose data collected by NFA for use in other scientific or statistical studies. Disclosure is based on §10(2) of the Danish Data Protection Act. NFA ensures that such disclosures comply with the legal requirements.

2.5. If You Have Applied for a Job or Are Employed at NFA

The Ministry of Employment manages the recruitment process on behalf of NFA. When you apply for a position, we register the information in your application, CV, and any attachments.

The purpose is to assess, contact, and hire qualified candidates for vacancies at NFA. Information on gender and date of birth is used solely for statistical purposes.

All data is automatically deleted six months after submission. Unsolicited applications are forwarded to the Ministry of Employment and deleted by NFA.

The processing is based on GDPR Article 6(1)(e).

Use of Employee Photos, Videos and Personal Data
NFA publishes employee photographs and personal details on its website (nfa.dk) and on the Pure research platform. The purpose is to facilitate contact between potential collaborators and NFA staff, and to promote transparency.

NFA also publishes photos, videos, and similar media of employees on social media. The purpose is to disseminate the outcomes of NFA’s research to society.

The processing is based on GDPR Article 6(1)(a).

3. Your Rights

If NFA processes data about you, you generally have a number of rights under the GDPR.

If your data is part of a research project, your rights may be restricted if fulfilling them would compromise the research purpose. For instance, you may not be able to exercise your right to erasure if deletion would undermine the research objective.

Research data is also subject to the Danish Archives Act and may need to be retained for societal or historical purposes.

To exercise your rights, please contact NFA.

Your rights include:

Right of Access
You have the right to request access to the personal data we process about you.

Right to Rectification
You can request correction of inaccurate data about yourself. However, as a public authority, NFA cannot generally alter or delete information once it has been recorded in a case. Instead, correct information will be added alongside the original.

Right to Erasure
You may request the deletion of your data unless this conflicts with the Access to Public Administration Files Act or the Danish Archives Act.

Right to Restriction of Processing
You may request that we restrict the processing of your data.

Right to Object
You may object to otherwise lawful processing if you believe we have no legitimate reason to use your data.

Right to Data Portability
In certain cases, you may request to receive your data in a structured, commonly used, and machine-readable format and transmit it to another controller.

4. Storage of Your Personal Data

When you interact with NFA—e.g., by email, as part of a research project, or as an employee—we are obliged to retain your data as long as necessary to meet legal obligations or operational needs.

Data stored by NFA is also subject to the Danish Archives Act. Data must be retained until the National Archives assesses whether it should be transferred, deleted, or anonymised (typically stored for at least 5 years).

Most of NFA’s systems and drives are hosted within the State IT (SIT) infrastructure and comply with government security standards. SIT ensures regular system updates and security assessments. Systems managed solely by NFA must also meet technical minimum standards and are hardware-encrypted. NFA is responsible for secure deletion. SIT logs all system activity.

5. Complaint to the Data Protection Agency

As a data subject, you have the right to lodge a complaint with the Danish Data Protection Agency if you are dissatisfied with our handling of your data.

We recommend contacting NFA or the Data Protection Officer first if you believe your rights have been violated. This allows us to explain and address the issue.

You can find the Agency’s contact details at www.datatilsynet.dk.