Privacy Policy

We understand the importance of privacy in the digital age, and we understand that users, partners, and collaborators expect NORDUnet to take due care in respecting and protecting sensitive information that you may provide to use or that we may collect when you attend our events, conferences, and websites.

1. Generally

“NORDUnet”, “we”, “us”, or “our” refers to NORDUnet A/S. NORDUnet is the collaboration hub for the Nordic national research and education networks (NRENs), providing high-capacity network and e-infrastructure services across the Nordic region and internationally.

“You”, “your”, or “data subject” refers to any individual whose personal data is processed by us, including but not limited to event participants, conference attendees, website visitors, and representatives of partner organisations.

The Data Privacy Policy (“Policy”) applies to all data which you provide to and/or which we collect about you from your registration to our events, conferences and your visits to our websites.

The Policy will inform you of the data we collect, how we process your data, how we store it, and for how long, etc.

You are encouraged to familiarize yourself with this Policy and contact us if you find information herein that is unacceptable to you. You will find the latest valid version of this policy at www.nordu.net.

2. Data Controller

2.1 The data controller responsible for the processing of your personal data is:

NORDUnet A/S Kastruplundgade 22,1 DK 2770 Kastrup +45 32 46 25 00 info@nordu.net DK VAT # 17490346

(hereinafter ”NORDUnet”)

The general legal processing framework is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and the attendant rules. In addition, the Danish act which will be passed based on the Danish Bill to introduce supplementary provisions to the EU Regulation on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data which was introduced on 25 October 2017 will apply.

2.2 Questions and requests concerning this Policy:

All questions and requests concerning this Policy, the processing of your data and any suspected non-compliance should initially be directed to our privacy group.

All questions and requests will be handled in a prioritized order and may be rejected if no proof if identity is provided upon request. We will respond to your question or request within 1 month from date of receipt of your request. If, for some reason, we cannot meet your request we will contact you.

Our privacy group can be contacted at:

Privacy@nordu.net

3. Definitions

Some of the most important terms of data protection law are defined below:

3.1 Personal Data

Any information relating to an identified or identifiable natural person. This means all information which, directly or indirectly, alone or when combined, can identify a particular natural person.

3.2 Data Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

3.3 Data Processor

The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller

3.4 Processing

Any operation or set of operations which is performed on Personal Data or on sets of Personal Data such as collection, recording, structuring, alteration, consultation, combination, disclosure by transmission or transfer to persons, public authorities, companies, etc. outside NORDUnet.

3.5 Special Categories of Personal Data

Data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, health data or data concerning a natural person’s sex life or sexual orientation as well as biometric data if such biometric data are processed for the purpose of uniquely identifying a natural person (sensitive data).

3.6 GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and the attendant rules.

3.7 Danish Data Protection Act (databeskyttelsesloven)

[ONLY IN DK] The Danish Act which will be passed based on the Danish Bill to introduce supplementary provisions to the EU Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (Bill no. L68) which was introduced on 25 October 2017

4. Purpose of Processing

Depending on whether you are a customer of ours, a business partner or perhaps just someone who uses our website, we may be required to process your Personal Data or we may need to process your Personal Data to the extent required for us to provide the services you request and comply with the obligations imposed on us. This applies with regard to handling your purchase of products and services like conference participation. This applies also for purposes of our marketing communications towards you.

5. Personal Data we Process about you

5.1 When you participate in events hosted by NORDUnet, we consider you a customer, and we may process the following data about you:

- Personal Data: Name, organization, e-mail, clothing size, phone numbers
- Special Categories of Personal Data: If you require catering of any kind, we will ask about your dietary requirements to safeguard your health and wellbeing.

If you require assistance with mobility issues, we ask for information on how to assist you.

If you require assistance from us to obtain visa or similar, we will collect and process Personal Data and special categories of Personal Data to the level required by the relevant authorities.

We may collect Personal Data about you from third parties if needed. Examples of such third parties could be relevant authorities for visa processing.

5.2 If you are a business partner of ours, we process the following kind of Personal Data about you: Name, e-mail address, phone numbers, organisation, position.

5.3 If you are a user of our media services and received access directly from NORDUnet, we process Personal Data including your name, username, email address, phone number, and IP address.

5.4 If you received access through another organisation, such as an educational institution or a National Research and Education Network (NREN), NORDUnet acts solely as a Data Processor on behalf of that organisation. In such cases, the organisation providing you access determines the purposes and means of processing. You should direct any questions or requests concerning your personal data to that organization.

5.5 If you are a user of our websites, please see clause 6 about cookies.

5.6 If you are / were an applicant for a job position, we process any data you have provided through the application, the CV, tests or through communications such as e-mail correspondence, phone conversations and job interviews.

6. Cookies

Some of our website uses cookies to manage login status or gather web statistics. A cookie is a small text file that is sent from our server to your browser and stored on your computer or mobile device. The use of cookies means increased functionality and service for you. We do not process data about user behaviour collected by cookies in a manner that may link user behaviour to identified persons. You can change your browser settings to alert you when you receive a cookie to enable you to decide whether to accept it in each case. You can also change your settings to block cookies. If you do so, however, this will affect website functionality. The cookies do not contain any Personal Data such as information about your email address, user ID or other Personal Data, except for what is mentioned in this Policy.

7. Why we Process your Personal Data

We use your Personal Data for several different purposes, depending on whether you are a customer of ours, a business partner of ours or just someone who uses our website.

7.1 If you are a customer of ours, we use your Personal Data to:

Enable website functionality
Send order confirmations to you
Answer any questions from you and comply with your requests
Issue confirmation of your participation to the events that you have signed up for
Issue registration badges where relevant
Issue participants lists to administer your participation
Notify you of activities related to your participation
Reply to questions and requests from you
Collect statistics on participation for future planning

7.2 If you are a business partner of ours, we use your Personal Data to:

Contact you in order to give you or ask for information
Arrange meetings

7.3 If you are user of our websites, we use your Personal Data to:

Enable website functionality
Gather statistics about your browsing actions and patterns on our website
Improve website design

7.4 If you are user of our media services, we use your Personal Data to:

Enable system functionality
Improve system design

7.5 If you are / were an applicant for a position, we use your Personal Data to:

Establish whether or not we have a position for you
Communicate with you regarding the position

8. Legal basis for Processing your Personal Data

8.1 When you become a customer of ours or enter into an agreement of some kind with us, we will process your general Personal Data for that specific purpose. We may also process your general Personal Data if,

for example, you have a question or query before deciding whether to enter into an agreement with us. NORDUnet’s specific processing of your personal data is based on the General Data Protection Regulation’s Article 5 (principles of processing personal data). The legal basis of processing is Article 6(1)(b) of the GDPR, as the processing of your Personal Data is necessary for the performance of our agreement with you or in order to take steps at your request prior to entering into an agreement with us.

8.2 We may also process general Personal Data about you because of our legitimate interests in processing such data, see Article 6(1)(f) of the GDPR, unless our legitimate interests are overridden by your fundamental rights and freedoms which require protection of your own general Personal Data.

8.3 We have a legitimate interest in processing your Personal Data (your name and email address) for marketing purposes in connections with events. The legal basis is Article 6 (1) (f). Our legitimate interest is thus our need to know your preferences to allow us to tailor our communications and propositions to you and ultimately offer products and services which better meet your needs and wishes. In addition, we also generate various aggregated statistics data on the number of customers, purchases, website use, etc. on this basis.

8.4 In some cases, we are also legally required to process Personal Data about you. By way of example, this could be for purposes of providing an audit trail etc. in accordance with the provisions of the Danish Bookkeeping Act (bogføringsloven). Among other things, we are required to keep our accounting records for five years after the end of the financial year which the records concern. For projects funded by the European Commission we are required to keep our accounting records for five years after the last pay-out. If the project is funded with State aid, we are required to keep our accounting records for ten years after last pay out.

8.5 If you provide or have provided us with Special Categories of Personal Data (sensitive data), e.g. Personal Data about your health, the basis of our processing is Article 9 of the GDPR. We process Special Categories of Personal Data in the following cases:

If you participate in events that require catering of any kind, we will ask about your dietary requirements to safeguard your health and wellbeing.

If you require assistance from us to obtain visa or similar, we may collect and process special categories of Personal Data to the level required by the relevant authorities to process a visa for you.

If you require assistance with mobility issues, we ask for information on how to assist you.

8.6 If you are not a customer of ours, but just use our website, we have a – limited – need to be able to manage the Personal Data provided by you yourself, e.g. for cookie management purposes. For more details, please read our cookie details in clause 6 above.

8.7 In some cases, we may log the IP addresses of those who visit our website, send us emails etc. An IP address may constitute Personal Data, and if we process your IP address, we will do so on the same basis as described in clause 8.2 above.

9. Sharing your Personal Data

Your personal data will not be shared with sponsors.

We may share your personal data with the suppliers, collaboration partners, and the Nordic NRENs who assist in the execution of your order, and who assist in our IT operations.

In addition, we will share your Personal Data to the extent that we are required to do so, for example as a result of requirements to report information to relevant public authorities.

10. Sharing your Personal Data with non-EU/EEA recipients

A few of our service providers are located outside the EU/EEA. We may therefore sometimes share your Personal Data with non-EU/EEA recipients. However, this will require:

That the country in question or the international company provides an adequate level of protection as determined by the European Commission, or
That the standard contractual clauses on data protection adopted by the European Commission have been entered into between us and the recipient of your Personal Data, or
That the recipient in question is certified in accordance with Article 42 of the GDPR, or
That the recipient in question has adopted a set of Binding Corporate Rules.

We may also sometimes ask for your consent to a transfer to non-EU/EEA recipients, or such transfer may sometimes be necessary for the performance of an agreement with you, or the implementation of pre-contractual measures taken at your request. Such derogations for specific situations are governed by Article 49 of the GDPR.

You are entitled to information about or a copy of any appropriate safeguards which form the basis of the transfer of Personal Data to non-EU/EEA recipients or – in the case of derogations provided under Article 49 of the GDPR – the derogations which form the basis of such transfer.

11. Retention and erasure of your Personal Data

We will retain your Personal Data in accordance with the following rules:

11.1 If you are a customer (participant, speaker, or in other ways submitting your data to NORDUnet conferences, workshops, or similar events) we retain your data for up to 5 years from the date of our last interaction. Clothing size and data about mobility issues and dietary requirements will be retained for 12 months after the event. We store the information for up to two years for statistical purposes of the next event to prevent over buying and keep the environment safe.

11.2 If you are a user of our website without being an existing or former customer, we will retain the Personal Data we have recorded about you for up to 1 year from date of collection.

11.3 If you are a business partner of ours, we retain your data for up to 5 years from expiry of the contract.

11.4 If you are a user of our media services, and you got access to the service directly through NORDUnet, we will retain the Personal Data we have recorded about you for up to 5 years from the date of last interaction. If you got access to the service through another organization, such as an educational institution or an NREN, please note that we are not the Data Controller, and act only as per their instructions, and all questions and requests should be directed to them.

11.5 If you are an applicant for a position, we retain your data for up to 6 months from last date of interaction.

12. Your rights

For any questions and requests regarding your rights, please contact us through our privacy group. Contact details and conditions can be found in clause 2.2.

12.1 Access

You have the right to access the Personal Data we process about you, including the purposes for which the Personal Data were collected.

12.2 Rectification and erasure

You have the right to request rectification, supplementary processing, erasure or blocking of the Personal Data we process about you. We will comply with your request to the extent necessary. If, for some reason, your request cannot be complied with, we will contact you.

12.3 Restriction of Processing

In certain circumstances, you have the right to restrict the processing of your Personal Data. Please contact us if you would like to restrict the processing of your Personal Data.

12.4 Data portability

You have the right to receive your Personal Data (only data about you which you yourself have provided to us) in a structured, commonly used and machine-readable format (data portability). Please contact us if you would like to exercise your rights concerning data portability.

12.5 Right to object

You have the right to ask us not to process your Personal Data in cases where the processing is based on Article 6(1)(e) (performance of a task carried out in the public interest or in the exercise of official authority) or Article 6(1)(f) (legitimate interests). The extent to which we process your Personal Data for such purposes is described in this Policy. You may exercise the right to object at any time by contacting us.

12.6 Withdrawal of consent

If the processing of your Personal Data is based on your consent, you have the right to withdraw consent at any time. If you withdraw consent, this will not affect the legality of the processing that was carried out before such withdrawal. Please contact us if you would like to withdraw consent.

If you wish to opt out of receiving promotional and marketing communications in general, including by ordinary post, email, texts, telephone or other electronic media, please contact us.

Your exercise of the above rights may be subject to conditions or restrictions. For example, you may not be entitled to data portability in all situations – this will depend on the circumstances of the relevant processing activity in each case.

13. Right to Complain to supervisory authority

If you believe that NORDUnet is processing your personal data in violation of applicable data protection laws and regulations, you have the right to lodge a complaint with the Danish Data Protection Agency or another competent supervisory authority.

Any complaint about our processing of your Personal Data may be submitted to the Danish Data Protection Agency:

The Danish Data Protection Agency, Borgergade 28, 5th floor, 1300 Copenhagen K, Denmark, tel.: +45 3319 3200, email: dt@datatilsynet.dk

14. Any consequences of not providing your Personal Data

If you are required to provide us with Personal Data about you, this will be stated clearly where we collect the Personal Data. If you do not wish to provide the Personal Data we request, it may have the consequence that we will not be able to provide the services you have requested, execute your orders, etc.

15. Use of automated decision making / profiling

We do not use automated decision making as part of any of our personal related business processes, marketing, HR, etc. We may use automated decision making / profiling for security investigations which is covered by article 22 of GDPR.

16. Security

At NORDUnet, our processing of Personal Data is governed by our GDPR and IT Security Policies. These policies also govern our risk assessments and impact analysis of existing as well as new or changed processing activities. We have implemented internal rules and procedures to provide and maintain appropriate security from collection to erasure of Personal Data.

17. Data Processors

NORDUnet may use external data processors to process personal data on our behalf. When NORDUnet uses external data processors, we enter into agreements with them to ensure that your personal data is processed in accordance with applicable laws and regulations and that adequate security measures are in place to protect your personal data.

In certain cases, such as where users access NORDUnet media services through an educational institution or NREN, NORDUnet acts solely as a data processor. In these instances, NORDUnet processes personal data only in accordance with the instructions of the relevant Data Controller.

18. Breach Notification

In the event of a personal data breach that may result in a risk to your rights and freedoms, NORDUnet will notify you of the breach without undue delay.

19. Data Protection Officer / Advisor

NORDUnet is not subject to the mandatory obligation under Article 37(1) of the General Data Protection Regulation to designate a Data Protection Officer. However, in the interest of maintaining high standards of accountability and compliance with applicable data protection legislation, including the GDPR and the

Danish Data Protection Act (Databeskyttelsesloven), NORDUnet has voluntarily appointed a Data Protection Advisor (“DPA”).

The DPA is responsible for monitoring NORDUnet’s adherence to relevant data protection obligations, including the provision of guidance on compliance, risk assessment, data protection impact assessments (DPIAs), and cooperation with supervisory authorities where appropriate.

Should you have any questions, concerns, or requests relating to the processing of your personal data by NORDUnet, you are encouraged to contact the Data Protection Advisor via email at: DPA@NORDU.net.

20. Changes to the Privacy Policy

NORDUnet reserves the right to update or modify this privacy policy at any time. NORDUnet is required to comply with the fundamental principles of data protection and privacy law. Therefore, we will review this Policy on a regular basis to keep it up to date and ensure compliance with applicable principles and law. This Policy is subject to change without notice. Material changes will be announced on our website and an updated version of the Policy will be made available.

21. Contact Information

If you have any questions or concerns about how NORDUnet processes your personal data or about this privacy policy, please contact NORDUnet at DPA@NORDU.net.

22. Version

Version 1.6.

This version of the Policy is effective 2025-06-02

Data Privacy Policy of NORDUnet external v.1.6 June 2025

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	12 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Services

Network

Initiatives

Events

Past Events:

Upcoming:

About

About

Services

Network

Initiatives

Events

Past Events:

Upcoming:

About

About

Privacy Policy

The Nordic NRENs