Privacy Policy – The QATO Foundation

Data protection and confidentiality are important to us at the QATO Foundation (“we” or “our”). This Privacy Policy sets out clear guidelines on the QATO Foundation's processing of your personal data when you visit our website or apply for funding from us.


1. Data controller and contact information

1.1. The QATO Foundation is data controller for the processing of your personal data:

The QATO Foundation
Koldingvej 2
DK-7190 Billund
Business reg. (CVR) no.: 34643326
Tel.: +45 28 35 44 55


2. Purpose, legal basis and types of personal data

2.1. The QATO Foundation may process your personal data for the following purposes:

  • To assess whether to grant your application. The legal basis for this is our legitimate interest in processing your application (Article 6(1)(f) of the GDPR).
  • To communicate with you. The legal basis for this is our legitimate interest in responding to your enquiries (Article 6(1)(f) of the GDPR).
  • As statutory documentation. The legal basis for this is our legal obligations (Article 6(1)(c) of the GDPR).
  • For subsequent administration if you receive funding from the QATO Foundation. The legal basis for this is our legitimate interest in managing the award of grants or other funding (Article 6(1)(f) of the GDPR) and our legal obligations (Article 6(1)(c) of the GDPR).

2.2. The QATO Foundation only processes general personal data about you to fulfil the above-mentioned purposes. Which personal data we need to process depends on your application, interaction with us and whether we grant your application. The QATO Foundation may, for example, process information about your name, email address, address, telephone number, occupation or educational background (CV), other information contained in the application and your account details.

2.3. If you wish to apply for funding from the QATO Foundation, we encourage you to only provide personal data relevant to the application and to refrain from disclosing any sensitive information or information about criminal offences. If you provide information about others, please do not state their names or contact information. Information provided in connection with your application, will be processed by the QATO Foundation’s board and administration. Applications for the QATO Foundation’s grant (“QATO Fondens Legat”) will also be processed by a selection committee from the University of Copenhagen (in which case, the University of Copenhagen will be data processor, cf. Clause 3 below).


3. Exchange of personal data

3.1. In certain cases, the QATO Foundation will disclose your personal data to independent data controllers, if we are subject to a duty to do so. These recipient categories are:

  • The tax authorities
  • Auditors
  • Banks
  • Other public authorities

3.2. Your personal data will also be disclosed to the QATO Foundation’s data processors. Such disclosure is subject to data processing agreements, and the data processor may not use the data for other purposes than to perform the processing for us. These data processor categories are:

  • IT suppliers
  • The University of Copenhagen


4. Processing of personal data outside the EU/EEA

4.1. In connection with the processing of your personal data for the purposes described in this Policy, your personal data may be transferred to data processors (as set out in Clause 3 above) located in countries outside the EU/EEA. When making such transfers, we will always take reasonable steps to ensure that your personal data are processed confidentially. If your personal data are transferred to countries outside the EU/EEA, such transfer will take place on the following legal basis:

a. The country has been approved by the European Commission as having an adequate level of security

b. If the country has not been approved by the European Commission as having an adequate level of security, we will transfer the data as follows:

  • By transferring to an enterprise certified under the EU-US Privacy Shield
  • By using the European Commission’s standard contractual clauses


5. Deletion of personal data

5.1. Unsuccessful applications will be deleted six months after rejection. Successful applications will be stored for five years after being granted, after which time they will be deleted. However, the data may be processed and stored for longer in an anonymised form, just as we will store data that are not personally identifiable for longer.


6. Your rights
  • You have a right of access to the personal data that we process about you.
  • You have the right to object to our collection and further processing of your personal data.
  • You have the right to have your personal data rectified or erased, subject to certain statutory exceptions.
  • You have the right to ask us to restrict the processing of your personal data.
  • In certain cases, you also have the right to ask for a copy of your personal data and to have your personal data transmitted to another data controller (data portability).


7. Cookies

7.1. Our website uses cookies. You can learn more about our use of cookies in our Cookie Policy here: Read cookie policy


8. Security

8.1. We have implemented security measures to ensure that our internal procedures comply with the security standards adopted and any applicable legal requirements. We endeavour to protect the quality and integrity of your personal data. We have adopted internal information security rules that contain instructions and measures that protect your personal data against destruction, loss, alteration, unauthorised disclosure or unauthorised access to or knowledge of the data.


9. Questions and complaints

9.1. If you have any questions for this Privacy Policy, or if you wish to complain about our processing of your personal data, please contact us using the contact information provided in Clause 1.1.

9.2. You may also complain to:

The Danish Data Protection Agency
Borgergade 28, 5. sal
DK-1300 Copenhagen K
Tel.: +45 33 19 32 00


10. Amendments to this Privacy Policy

10.1. We reserve the right to amend this Privacy Policy at any time. In case of amendments, the date stated at the beginning of the Privacy Policy will be changed. The current Privacy Policy will be available at In case of material amendments, we will notify you by email.