**Privacy Policy for www.nfcp.info**
**Last Updated:** 2025 August 25
www.nfcp.info (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, disclose, and protect your personal information when you use our website. By accessing or using www.nfcp.info, you agree to the terms of this Privacy Policy.
PRIVACY POLICY
1. Legal Basis and Scope
This Data Protection Policy is adopted pursuant to:
• Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”)
• The Danish Data Protection Act (Lov om supplerende bestemmelser til forordning om beskyttelse af fysiske personer i forbindelse med behandling af personoplysninger)
This Policy applies to the processing of personal data by NFCP as a data controller when delivering services via its website (www.nfcp.info), managing member relations, and conducting business operations within the EU.
2. Categories of Personal Data Processed
NFCP shall only collect and process personal data necessary for the specific, explicit, and legitimate purposes set out in Article 4 of this Policy. The following categories of data may be processed:
• Identification Data: Full name, email, address, phone number
• Additional Identification Data (for Sanctions and Negative Media screening): Date of Birth (DOB) - To help ensure compliance with applicable laws and maintain the integrity of our membership network, we conduct periodic sanctions and negative media screenings of current members. For this purpose, we collect and process names and dates of birth. These screenings are performed on a monthly basis using reputable third-party sources and tools.
The legal basis for this processing is our legitimate interest in preventing misuse of our platform and aligning with ethical and regulatory standards. This information is only retained for as long as the individual remains a member. Once membership ends, all related data is deleted and no further screening is carried out.
• Account Data: Login credentials, access logs, service use history
• Billing Data: Invoicing address, payment information
• Usage Data: IP address, cookies, user preferences, device/browser information
• Marketing Data: Communication preferences and consent status
• Social Engagement Data: Testimonials, comments, event photos
NFCP shall not process special categories of personal data under Art. 9 GDPR unless manifestly made public by the data subject.
3. Lawful Basis for Processing
Processing activities shall be grounded on one or more of the following legal bases as per Art. 6 GDPR:
• Consent (Art. 6(1)(a))
• Performance of Contract (Art. 6(1)(b))
• Legal Obligation (Art. 6(1)(c))
• Legitimate Interests (Art. 6(1)(f)), provided a balancing test is documented
4. Purposes of Data Processing
NFCP processes personal data for:
• Provision of services and contractual performance
• User account administration and technical support
• Compliance with legal obligations (e.g. financial reporting, tax)
• Marketing communications, where lawful consent is obtained
• Website and service improvement through analytics
• Event management and member engagement
5. Data Retention
5.1. Personal data shall be retained only as long as necessary for the purpose for which it was collected or for compliance with legal obligations. Retention periods will be assessed against:
• Contract duration
• Regulatory or tax retention requirements
• Statutory limitation periods (e.g., five years under Danish law)
Data shall be securely deleted or anonymised after expiry of retention periods.
5.2. Detailed Data Retention Periods
NFCP applies purpose-specific retention schedules, based on business needs and legal requirements.
| Category | Retention Period | Legal Basis |
| --- | --- | --- |
| User account data | 3 years after last activity or termination | Legitimate interest; Contractual necessity |
| Financial/billing records | 5 years (or longer per tax law) | Legal obligation under Danish Bookkeeping Act |
| Event registration data | 12 months after event completion | Legitimate interest; Contractual necessity |
| Feedback/testimonials | Until consent withdrawn or 5 years max | Consent; Legitimate interest |
| Access logs/system logs | 120 days | Legitimate interest (security, maintenance) |
| Marketing consent records | Duration of subscription + 1 year | Legal obligation (consent evidence) |
6. International Data Transfers
Where personal data is transferred outside the EU, NFCP shall ensure:
• Transfers occur only to jurisdictions with an adequacy decision (Art. 45 GDPR), or
• Appropriate safeguards are implemented (Art. 46 GDPR), such as Standard Contractual Clauses (SCCs), particularly following Schrems II considerations regarding U.S. data access laws.
7. Data Subject Rights
NFCP shall guarantee the following rights under GDPR:
• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (‘right to be forgotten’, Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right not to be subject to automated decision-making (Art. 22)
Data subjects may exercise their rights by contacting: info@nfcp.info
They also have the right to lodge a complaint with Datatilsynet (https://www.datatilsynet.dk).
8. International Representation
In accordance with Article 27 of the UK General Data Protection Regulation (UK GDPR) and Articles 14–15 of the Swiss Federal Act on Data Protection (nFADP), where NFCP processes personal data of data subjects located in the United Kingdom or Switzerland and no physical establishment exists in those jurisdictions, NFCP has appointed local representatives:
• UK Representative: [Insert Name and Contact Information]
• Swiss Representative: [Insert Name and Contact Information]
Such representatives are empowered to act on behalf of NFCP with respect to their respective jurisdictions in all matters relating to data protection compliance.
9. Data Security
NFCP implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
• Access controls and user authentication
• Encryption and secure hosting
• Breach detection and notification protocols (Art. 33-34 GDPR)
10. System Logging and Monitoring
10.1. Logging Purposes and Data Collected
Legal references:
• GDPR Article 5(1)(a) – Lawfulness, fairness, and transparency
• GDPR Article 5(1)(e) – Storage limitation
NFCP logs and monitors incoming network traffic to its website and systems for legitimate business purposes, including cybersecurity, fault diagnosis, system administration, fraud detection, and abuse prevention.
The following data may be logged:
• IP address and geolocation (if derivable)
• Timestamp and duration of visit
• Pages accessed and actions performed
• User ID (if authenticated)
• Browser type and operating system
• Member details
10.2. Retention and Security
Logs shall be stored securely and accessed only by authorized personnel. The retention period for log data shall not exceed 120 days after the member has requested to be removed, after which it will be deleted or anonymised unless required for legal or security purposes.
11. Payment Data Processing
11.1. Third-Party Payment Providers
NFCP does not directly store or process complete payment card details. All payments are processed via a certified third-party payment processor compliant with PCI DSS (Payment Card Industry Data Security Standard).
11.2. Data Processed
Legal references:
• GDPR Article 6(1)(b) – Processing necessary for the performance of a contract
• GDPR Article 6(1)(c) – Processing necessary for compliance with a legal obligation
For transactional and accounting purposes, NFCP may retain:
• Transaction ID
• Last four digits of the card number
• Card type (e.g., Visa, Mastercard)
• Bank transfer details
• Billing address
• Date and amount of transaction
Such data is retained only for legal compliance, reconciliation, and refund management.
12. Privacy by Design and Default
12.1. Implementation Principle
NFCP adheres to the principle of privacy by design and default, as set out in Article 25 of the GDPR. This includes implementing appropriate technical and organisational measures at the planning stage of any new processing activity.
12.2. Measures Include:
• Data minimisation and pseudonymisation by default
• Encryption of personal data in transit and at rest
• Role-based access control and audit logs
• Anonymisation for analytics unless identification is necessary
• Regular privacy impact assessments (PIAs) for high-risk processing
13. Security Practices and Certifications
NFCP maintains an appropriate level of security consistent with Article 32 GDPR, including:
• TLS encryption of all website traffic
• Encrypted storage of sensitive records
• 2FA (Two-Factor Authentication) for administrative accounts
• Regular vulnerability scanning and penetration testing
• Periodic third-party audits of systems and access controls
NFCP is in the process of aligning with ISO/IEC 27001:2022 information security standards. Completion and certification status will be published when achieved.
14. Use of Sub-Processors
NFCP may engage third-party service providers (“sub-processors”) to process personal data on our behalf. These sub-processors are carefully selected to ensure they meet our data protection standards and are contractually bound to protect personal information in accordance with applicable data protection laws, including the GDPR.
We only share personal data with sub-processors to the extent necessary for them to perform their services. Below is a non-exhaustive list of our current sub-processors, the services they provide, and their location:
| Sub-Processor(s) | Service Provided | Location | Data Categories Processed |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | Ireland (EU) | All stored and transmitted data |
| Google LLC | Analytics and productivity tools | United States* | Usage data, email (if used) |
| Cloudflare, Inc. | Content delivery & security | United States* | IP addresses, traffic data |
| Airtable | Database | United States* | Member details (Name, Date of Birth, Employer, Location, Area(s) of Interest, Email, Agreement for sanctions/negative media screening) |
| spektr | Screening members for sanctions and negative media | Denmark | Member details (same as above) |
*Note: The United States is recognized as a third country under GDPR, and appropriate safeguards are applied to data transfers where necessary.
15. Governing Law and Jurisdiction
This Privacy Policy shall be governed by and construed in accordance with the laws of Denmark, without regard to its conflict of law principles. Any disputes arising out of or in connection with this Privacy Policy, including any questions regarding its existence, validity, or termination, shall be subject to the exclusive jurisdiction of the courts of Copenhagen, Denmark.
HOW TO CONTACT US
You can contact us by post or email if you have any questions about this privacy policy or the information we hold about you, to exercise a right under data protection law or to make a complaint.
Website: www.nfcp.info
Email: info@nfcp.info
---
By using www.nfcp.info, you consent to this Privacy Policy. Thank you for visiting our site and trusting us with your information.
NFCP is currently using Airtable to gather and store membership information. You can find their Privacy Policy here.