ICARS data protection policy

Approved by the ICARS Board of Directors on 10th June 2022.

Most recently reviewed and approved by the Board of Directors on 14 October 2024.

1. Introduction

Safeguarding the Personal Data of natural persons is an essential aspect of protecting people’s identities, integrity, and dignity.

ICARS is committed to protecting the privacy and security of personal data. In collecting and using data, ICARS is subject to legislation controlling how such activities may be carried out, and the safeguards that need to be put in place to protect personal data.

This policy outlines our approach to ensuring that personal data is handled in accordance with applicable data protection laws, such as the EU General Data Protection Regulation (GDPR), and the Danish Data Protection Act 2018.

Relevant EU or national law will take precedence in the event that it conflicts with this Policy, or it has stricter mandatory requirements than this Policy.

2. Purpose

The purpose of this policy is to:

  • Ensure compliance with applicable data protection laws.
  • Protect the rights of natural identifiable
  • Outline our procedures for handling personal data.
  • Establish responsibilities for data protection within ICARS.

3. Scope

This policy applies to all natural persons and entities involved in the handling of personal data for, in conjunction with, or on behalf of ICARS. This includes but is not limited to ICARS employees, executive management, board members, TAF members, advisory committee members, partners, contractors, sub-contractors, sub-subcontractors, interns, volunteers, third parties, as well as all data processors, data sub-processors, and data controllers relevant in processing personal data on behalf of ICARS.

This policy can apply, under GDPR, to a business which is either a controller or a processor (see definition for controller and processor at 4.) outside of the EU, when the data subject is in the EU. GDPR also applies to data subjects outside of the EU, when the processor or controller is within the EU. As such, consideration is always given in the processing of personal data.

4. Key definitions

Personal data: Any information that relates to an identified or identifiable natural person (data subject). This can include a wide range of data types, such as names, identification numbers, location data, online identifiers, and factors specific to the physical, physiological, or economic identity of that individual.

Sensitive data: Sensitive data, also known as special categories of personal data under GDPR, includes information that reveals an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health information, and sexual orientation, all of which require heightened protection due to their sensitive nature.

Data Subject: The individual to whom the personal data relates.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Controller: Any natural person, public authority, agency, or other body that, alone or jointly, determines the purposes and means of the processing of personal data.

Data Processor: A natural person, public authority, agency, or other body that processes personal data on behalf of the controller.

5. Data Collection

Examples of data collected at ICARS include, but are not limited to:

Personal Identification Information: Names, addresses, phone numbers, email addresses. This may be personal identification information for prospective or current employees, ICARS stakeholders, project partners, or individual persons who subscribe to our newsletter, complete a survey, or wish to be contacted.

Demographic Information: ICARS will, where applicable, collect data related to job titles and location of individuals, with respect to consultancy positions.

Financial Data: Credit card details, payment information, and bank account numbers, applicable to our prospective and current consultants.

Health Information: ICARS processes a variety of scientific health data as part of our projects. The data collected by ICARS through our projects is largely anonymised and therefore does not contain information that can identify an individual. Due to the sensitive nature of personal health data, the data generated from our projects is routinely reviewed to ensure that no identifiable personal data is being generated.

Usage Data: ICARS may collect information on how users interact with our website through cookie collection. (Further information on cookie collection and cookie consent can be found on our website under our privacy policy).

6. Principles relating to the processing of personal data

ICARS is committed to processing personal data in accordance with the fundamental principles upon which the GDPR is based:

Personal data is processed lawfully, fairly and transparently;

Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes, unless for the purpose of archiving for public interest or under legal obligation.

Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;

Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data is accurate, having regard to the purposes for which it is processed, and erased, or rectified without delay;

Kept for no longer than is necessary for the purposes for which the personal data is processed; personal data can only be stored after legitimate purpose insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

7. Lawful processing

Personal data shall only be processed where one of the following lawful bases applies:

Consent: The data subject has given consent to the processing of personal data for one or more specific purposes.

Contractual necessity: Processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Legal obligation: Processing necessary for compliance with a legal obligation to which the controller is subject.

Vital interest: Processing necessary in order to protect the vital interests of the data subject or of another natural person.

Public interest: Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Legitimate interest: Processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

ICARS has identified the appropriate basis for processing personal data and has documented all relevant information in two registers: (1) based on systems; and (2) based on the purpose of the processing. Both data mappings will be regularly updated when relevant and reviewed annually by the DPO.

8. Processing based on consent

ICARS acknowledges that when personal data is processed based on consent, that consent must be freely given, explicit, positive, and informed, meaning the data subject must understand what they are consenting to.

Individuals have the right to withdraw their consent at any time. Similarly, communications sent to individuals based on their consent will include an option to opt-out at any time.

Examples of lawful consent requests include, but are not limited to, the following:

  • Signing a consent statement on a form.
  • Clicking an opt-in button or link online.
  • Selecting yes/no options.
  • Choosing settings from a technical preferences dashboard.
  • Responding to an email requesting consent.
  • Providing optional information for a specific purpose (such as filling out optional fields in a form).
  • Verbally agreeing to a clear consent request (this should ideally be documented, for instance, through a confirmation email, to retain evidence).

9. Processing based on legitimate interests

The legitimate interests of a controller may provide a lawful basis for processing, provided that the rights and freedoms of the data subject are not overriding.

In other words, the conditions generally apply if:

  • there is a specific purpose and clear benefit to the processing i.e. for the purposes of fraud prevention or network security; and
  • the processing is necessary for that purpose (i.e., you cannot achieve the same results in another less intrusive way); and
  • the legitimate interest is not overridden by the individual’s interests, rights, or freedoms (“balancing test”); and
  • the data subject should reasonably expect their data to be used in that way.

ICARS recognizes that the existence of a legitimate interest needs careful assessment, including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data, that processing for that purpose may take place. ICARS therefore commits to thoroughly establish and document the justification, when the conditions are met according to the assessment.

10. Transparency

ICARS is committed to transparency in the processing of personal data, through communicating with and informing data subjects as to their rights. The transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of processing.

A GDPR compliant Privacy Notice allows data subjects to make informed decisions about the data ICARS collects and uses. ICARS commits to developing and regularly updating privacy notices for different audiences.

Our ICARS Privacy Notices:

  1. For ICARS website users: Privacy Policy – ICARS (icars-global.org)
  2. For whistleblowers: ICARS whistleblowing system

11. Data Subject Rights

ICARS respects rights conferred to Data Subjects to ensure the protection of Personal Data. These consist of:

  • The right to be informed: The right to be told how their personal data is used in clear and transparent language.
  • The right of access: The right to know and have access to the personal data we hold about them.
  • The right to rectification: The right to have their personal data corrected where it is inaccurate or incomplete.
  • The right to erasure/ ‘to be forgotten’: The right to have their personal data erased.
  • The right to restrict processing/ purpose limitation: The right to limit the extent of the processing of their personal data.
  • The right to data portability: The right to receive their data in a common and machine-readable electronic format.
  • The right to object: The right to complain and to object to processing.
  • Rights in relation to automated decision making and profiling: The right not to be subject to decisions without human involvement.

ICARS data request time periods are listed below:

| Data Subject Request | Period for completion |
|---|---|
| The right to be informed | When data is collected (if supplied by data subject) or within one month (if not supplied by data subject) |
| The right of access | One month |
| The right to rectification | One month |
| The right to erasure | Without undue delay |
| The right to restrict processing | Without undue delay |
| The right to data portability | One month |
| The right to object | On receipt of objection |

12. Privacy by design

ICARS has adopted the principle of privacy by design, meaning the planning and management of all newly adopted or significantly changed applications or systems that collect or process personal data will be subject to consideration of privacy issues, including the completion of one or more data protection impact assessments (DPIAs).

The DPIA will include:

  • Consideration of how personal data will be processed and for what purpose(s).
  • Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s).
  • Assessment of the risks to individuals in processing personal data.
  • What controls are necessary to address the identified risks and demonstrate compliance with legislation.

ICARS is committed to (1) limiting access to personal data to personnel who need access, (2) regularly reviewing access rights based on the two registers, and (3) ensuring appropriate security measures to avoid unauthorised sharing of information.

13. Determining the Data Processor vs Data Controller

In its role as Data Controller, ICARS will only appoint processors who can provide sufficient guarantees of compliance with GDPR, ensuring the rights of data subjects will be protected. Likewise, ICARS takes its role as Data Controller with utmost importance and has implemented the principles of GDPR in ensuring transparency, compliance, lawfulness, and due care when determining the means for processing personal data.

Where ICARS uses a processor, ICARS will arrange for a Data Processing Agreement (DPA) to be signed between the parties. An overview of all Data Processing Agreements (DPA) in place will be regularly updated.

ICARS may also act as a Processor, or a Data Controller, from time to time. In such cases, ICARS is committed to processing based on instruction from the Data Controller, whilst ensuring the information provided to ICARS is safe, and will be disposed of securely as requested.

The identification of the data controller vs the data processor can be a complex process. The determining of the role in a data process at ICARS will be completed in conjunction with the DPO.

Joint controllership

Entities are jointly responsible for data processing if they jointly determine the purpose and the means of said data processing (joint decision-making).

In cases of joint controllership, the entities involved must enter into an arrangement, stipulating the individual data controllers’ privacy-related obligations in a transparent manner (joint controller arrangement).

14. Transfer of data outside the EU

ICARS collaborates daily with international institutions, both within and outside the EU. The protection provided by the GDPR is applicable wherever the data travels, ensuring that the rules safeguarding personal data remain in effect regardless of its location. This applies even when data is transferred to a third country, which refers to a country that is not a member of the EU.

The GDPR provides different tools to frame data transfers from the EU to a third country:

  • A third country may be declared as offering an adequate level of protection through a European Commission decision (‘Adequacy Decision’), meaning that data can be transferred to another company in that third country without the data exporter being required to provide further safeguards or being subject to additional conditions.
  • In the absence of an Adequacy Decision, a transfer can take place through the provision of appropriate safeguards and on the condition that enforceable rights and effective legal remedies are available for individuals.
  • Finally, if a transfer of personal data is envisaged to a third country that isn’t the subject of an Adequacy Decision and if appropriate safeguards are absent, a transfer can be made based on a number of derogations for specific situations, for example where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer.
  • The EU-US Data Privacy Framework (DPF), finalized in July 2023, allows GDPR-compliant data transfers between the EU and the US. An adequacy decision enables certified US companies to transfer data without additional safeguards.

ICARS commits to carefully assess the implications of the GDPR rules on the transfer of data outside the EU before processing data with entities based in third countries.

15. Reporting of breaches

A personal data breach refers to a breach of personal data security leading to accidental, intentional, or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

The ICARS data breach reporting procedure requires that upon discovery or suspicion of a personal data breach, the breach is to be reported to the Data Protection Officer, as well as a member of Executive Management, promptly and without undue delay.

In the event of a data breach, ICARS will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
  • Inform affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
  • Document all data breaches, regardless of their severity.

The DPO will keep a record of all personal data breaches reported and follow up with appropriate measures and improvements to reduce the risk of reoccurrence (via a data breach register).

It is also possible to report serious data protection breaches anonymously or confidentially via the ICARS whistleblowing system. For more information see the ICARS Whistleblowing Policy.

16. Consultation and means of communication

Questions about any data protection issue should be directed to the DPO (dataprotection@icars-global.org) or the Director of Operations.

Personal Data requests from data subjects (e.g. for access, rectification, or deletion of data) should be addressed to dataprotection@icars-global.org.

17. Policy review and training

The ICARS Board of Directors shall oversee and approve a periodic review of the administration of this policy at least every two years.

Any changes to the policy shall be communicated immediately to all ICARS employees and stakeholders. In addition, the most recent version of this policy will be published on the ICARS website.

ICARS employees are provided GDPR training upon commencement at ICARS, as well as additional GDPR compliance training from time to time.