Data Protection Policy

In the Danish Health Data Authority, we process personal data in various contexts. Here, you can read how we collect, process and protect your personal information.

We process information about you if you have been in contact with the Danish Health Data Authority or if we need to do so in order to provide one of our regulatory services.

When the Danish Health Data Authority processes personal data as part of our provision of regulatory services, we are normally the data controller of these data. The Danish Health Data Authority is also data controller in regard to the processing of personal information about you when you have been in contact with the Authority.

Tasks and responsibilities of the Danish Health Data Authority

The Danish Health Data Authority is an agency under the Danish Ministry of the Interior and Health. The main tasks of the Authority are provided for in Paragraph 220a of the Danish Health Act.

The main task of the Danish Health Data Authority is to support the healthcare area by collecting and making available healthcare information for healthcare professionals, decision makers and citizens. We ensure digital coherence and create digital solutions to the benefit of citizens, patients and healthcare professionals; and for management, statistical and scientific purposes in the healthcare and elderly care sectors. 

We are responsible for operating various databases, registers and services, which contain data on healthcare treatments and the health and medicines consumption of the Danish population. Some of this data include personal information that is recorded in connection with patient treatments at hospitals, in municipalities and with general practitioners and reported to the Authority.

Principles guiding the collection of personal data

We collect personal data only for legal purposes and we only collect information needed to comply with the specific objective in question.

Most of the personal data we process are based on other legal provisions than the Danish Data Protection Act - i.e. the Danish Healthcare Act, the Danish Medicines Act and the Danish Tissue Act.

Safe storage and processing of personal data

The Danish Health Data Authority has in place a range of measures to keep your personal data safe when they are being processed by our staff. The safety measures mean that the staff of the Danish Health Data Authority have access to your personal data only when they need access to complete their work tasks. Additionally, staff who work with personal data need to complete annual courses on information security and data protection. 

Other suppliers

In some cases, we ask other suppliers to complete tasks on behalf of the Authority. We do this to be able to present your data to you on sundhed.dk or to operate the Shared Medication Record. When we cooperate with suppliers, we enter into a so-called data processing agreement with the suppliers to ensure that any data processing is done exclusively as instructed by the Danish Health Data Authority. 

Thus, the suppliers only use the data to perform a specific task for the Danish Health Data Authority. Once the suppliers task is completed, the data is deleted and/or returned to the Danish Health Data Authority.

Do you have any questions?

If you have any questions about our processing of personal data or about your rights in this respect, please contact us by sending a mail via Borger.dk.

Go to Borger.dk

In the “Recipient” field, you need to select “Danish Health Data Authority” (Sundhedsdatastyrelsen) and in the “Category” field you need to select “Data protection” (Databeskyttelse).

You may also contact our Data Protection Officer by writing to databeskyttelse@sum.dk. The Data Protection Officer is employed with the department of the Danish Ministry of the Interior and Health. The Officer's tasks include providing advice to the agencies on data protection and data protection provisions.

  • Your data protection rights

    You have various rights, including the right to access personal data about you, the right to have erroneous personal data corrected and the right to have personal data deleted. As most of the processing we do is based on other legal provisions than the Data Protection Act, your rights may in some respects be limited.

    Right of access

    By logging onto sundhed.dk using MitID, you can access part of the health and personal data that the public healthcare system has recorded related to you, including some of the data recorded with the Danish Health Data Authority. You can gain access to your personal health data, including:

    • Medicinal data (the Shared Medication Record)
    • Hospital treatments
    • Your basic personal data
    • Your appointments with the healthcare services

     

    Additionally, the ‘Log’ page at sundhed.dk allows you to see who has had access to your personal data in, e.g., the Shared Medication Record.

    You can also apply for access to the data we process about you - also called ‘own access’ - and thereby learn what data we have on record about you. You may apply for access by contacting us.

    The right to rectification of inaccurate data 

    If you identify any inaccurate data registered about you on sundhed.dk and would like to correct these errors, please contact the hospital or medical practice that recorded the data about you. Please note that the data will typically not be deleted entirely as they have formed the basis for your treatment and are therefore comprised by the healthcare professionals’ duty to keep records.

    If you have applied for access to data about you with the Danish Health Data Authority and find any inaccurate data, you also need to initially contact the hospital or the doctor who registered the data in question.

    The right to erasure of data

    The General Data Protection Regulation in some cases concedes any registered person the right to have their data deleted or to limit any processing of their data. However, there are substantial exceptions to your possibilities of having deleted data about you that are stored with the Danish Health Data Authority.

    In some cases, you are entitled to have data deleted if they are inaccurate or misleading. Please contact us if you would like to have data deleted; we will then assess if the data may be deleted. Please note that only in rare cases may the Danish Health Data Authority delete information about you from the Authority’s registers as we are obliged to keep the data on record.

    The right to restriction of  data processing

    You also have the right to restrict the processing of your personal data, provided one of the following conditions are met:

    • You dispute the correctness of personal data. In this case, we must limit the processing of data until we have had the opportunity to establish if the data is correct.
    • If the data is processed illegally
    • If we assess that your personal data is no longer necessary to complete a processing task but are needed to establish, process or contest a legal claim.
    • You have objected to our processing of your data. We must limit any processing of the data until we have established if our legal interest takes precedence over your interest in limiting our processing of your data.

     

    You may contact us and we will then assess if data processing may be restricted.

    The right to object to data processing

    In some cases, you have a right to object to our - otherwise legal - processing of your personal data. 

    You may then contact us and we will assess if data processing may be limited.

    The right to data portability

    The General Data Protection Regulation does not establish a data portability right - i.e. a right to receive your personal data and request that the personal data be transferred from one data controller to another - when:

    • Data processing is necessary to complete a task of public interest.
    • Data processing forms part of public exercise of authority that the data controller is obligated to complete.
    • A data controller completes public tasks or observes a legal obligation.

     

    This means that the Danish Health Data Authority is not typically obliged to provide data portability.

    The right to withdraw a consent

    Generally, the Danish Health Data Authority processes personal data based on legal provisions. This means that data processing does not require your consent.

  • Have you been in contact with the Danish Health Data Authority?

    If you have contacted the Danish Health Data Authority digitally or by physical letter, we process the data about you that appears from your request. Your data will form part of a case that is entered into our electronic record system.

    If you have contacted us about access to your personal data, deletion of your personal data, etc., please send your request using Digital Post at Borger.dk. We do this for several reasons - to confirm your identity, because it helps us identify your data, to ensure that the data is sent to the right recipient and to keep communication with you safe. 

    You decide if you want to send a request via Digital Post and if you want to provide your civil registration number. If you do not want to do so, we may be unable to respond to your request.

    Use of your personal data and types of personal data

    The objective of the Danish Health Data Authority’s processing of your personal data when you have contacted us is to:

    • observe our public administration obligations pursuant to the Danish Public Administration Act and the Danish Public Records Act
    • process your request
    • achieve an effective and rational case management
    • keep track of the cases processed by the Danish Health Data Authority, for instance to access previous practice.

     

    Depending on the information you provide when contacting the Danish Health Data Authority, the Authority may process any type of personal data.

    Legal basis for the processing of your personal data

    The legal basis for the processing of common personal data is:

    • Article 6(1)(b) of the General Data Protection Regulation - necessary to enter into or observe a contract to which you are a part
    • Article 6(1)(c) of the General Data Protection Regulation - necessary to comply with a legal obligation
    • Article 6(1)(e) of the General Data Protection Regulation - necessary to complete a task of public interest or which forms part of the exercise of public authority imposed on us.

     

    The legal basis for the processing of sensitive personal data is:

    • Article 9(2)(f) of the General Data Protection Regulation - necessary to establish, process or contest a legal claim, particularly in relation to executive Order on Compensation for Occupationally Active Disabled People, etc.>
    • Article 9(2)(h) of the General Data Protection Regulation - necessary to assess the employee’s occupational capacity, medical diagnosis, provision of social services or health-related care, or processing of social services or health-related care
    • Article 9(2)(i) of the General Data Protection Regulation - necessary in pursuance of public health interests
    • Article 9(2)(j) of the General Data Protection Regulation - necessary for public interest archiving purposes, for scientific or historical research purposes or for statistical purposes in pursuance of Article 89(1).

     

    The legal basis for processing information about your civil registration number is provided in Paragraph 11, 1 of the Danish Data Protection Act.

    Furthermore, the Authority processes your data pursuant to Paragraph 220a of the Danish Healthcare Act and the provisions of the Danish Public Administration Act and the Danish Public Records Act.

    Personal data storage

    The Danish Health Data Authority has an obligation to document its activities, and we therefore store the information as long as needed to adhere to this obligation. The Danish Health Data Authority hands over the information stored in the Authority’s electronic record system to the Danish National Archives pursuant to the provisions of the Danish Archives Act.

  • Have you been in contact with the Danish Health Data Authority?

    By applying for a position through the recruitment system of the Danish Health Data Authority, you accept that we process the personal data about you that you register when applying.

    By registering your personal data you consent:

    • that you have read and understood the information provided below about the recruitment system
    • that we may collect and use your information for recruiting purposes in the Danish Ministry of the Interior and Health.

     

    You may at any time withdraw your consent by contacting the Danish Ministry of the Interior and Health or the contacts provided on the job advertisement.

    Below, you will find more information about our processing of your personal data in connection with your job application.

    Data controller and data processor

    The Danish Agency for Public Finance and Management   acts as the system administrator for the Danish State and for the Ministry of the Interior and Health, serving as the employing authority. Therefore, it is the joint data controller responsible for the personal data processed about you in connection with your application. The joint data controller’s responsibility is described in more detail in Service Regulation Description CIS no. 9223 of 23 March 2018 on Joint Data Control of the Joint Public Systems of the Modernisation Authority.

    Use of your personal data

    The processing of the data you have provided in the application process is based on your consent and aims to fill the advertised positions with qualified candidates. Additionally, the Danish Agency for Public Finance and Management may use the data for statistical purposes and to optimise the e-recruitment scheme of the Danish state (Statens eRekruttering). As part of the recruitment process, we may also collect information about you from publicly available sources. In such cases, you will be informed of the categories of information collected and where this information was collected.

    Types of personal data about your that we process

    For recruitment purposes, we typically process only common personal data about you, including your name, address, phone number, email addresses, professional qualifications, education, previous occupation, possibly a personality test, etc.

    Additionally, civil registration numbers may occur if you have not crossed out these in exam certificates, for instance. In your application, if you tick off the field indicating that you are comprised by the provisions on compensation for employed disabled people, etc., this is processed as healthcare information in pursuance of the provisions on sensitive personal data of the General Data Protection Regulation.

    If references are sought as part of the recruitment process, we collect common personal data including assessments of your professional and social competences. No sensitive data or data on criminal matters will be collected.

    The legal basis of data processing

    The legal basis for the processing of common personal data is:

    • Article 6(1)(a) of the General Data Protection Regulation - based on your consent
    • Article 6(1)(b) of the General Data Protection Regulation - necessary to enter into or observe a contract to which you are a part.

     

    The legal basis for the processing of sensitive personal data is:

    • Article 9(2)(a) of the General Data Protection Regulation - based on your consent
    • Article 9(2)(b) of the General Data Protection Regulation - necessary for us to comply with our obligations in pursuance of current labour law, particularly in relation to Executive Order on Compensation for Occupationally Active Disabled People, etc.
    • Article 9(2)(f) of the General Data Protection Regulation - necessary to establish, process or contest a legal claim, particularly in relation to executive Order on Compensation for Occupationally Active Disabled People, etc.

     

    The legal basis for processing information about your civil registration number is provided in Paragraph 11, 1 of the Danish Data Protection Act.

    Sharing of your personal data

    We may share the data with third parties who assist us during the recruitment process. Third parties may, e.g., include external providers of personality tests.

    We may also share your data with public and legal authorities if we are obliged to do so. This may concern data that need to be shared with your municipality of residence if you are disabled and would like to benefit from your right to precedence, or it may concern data that need to be shared with your school if you have applied for an apprenticeship.

    Personal data storage

    We store the data you have provided in connection with your application until the recruitment process concludes. However, your information is not stored for more than six months, unless you specifically state that you would like us to do so. Any persons who have participated in the recruitment process must also destroy any material collected.

  • Have you received prescription medicine?

    According to Paragraph 157 in the Danish Health Act and Executive Order no. 1615 of December 18, 2018, on Access to and Registration, etc. of Medicinal Product and Vaccination Information, the Danish Health Data Authority is responsible for the operating of a system for the electronical recording of each individual citizen’s medicine data, including prescriptions, purchases, dispensing, intake, dose changes and cessation. Furthermore, we record healthcare professionals’ instructions on medicinal use and data related to citizens’ medicine information.

    Use of personal data

    If you have received medicine, your data has been recorded in the Shared Medication Record. The Danish Health Data Authority processes personal data about you to be able to operate the Shared Medication Record and thereby make available the data needed to facilitate your medicinal treatment in Danish healthcare.

    Types of personal data about you that we process

    The following data is recorded in the Shared Medication Record:

    • Basic personal data - i.e. civil registration number, name, address, health insurance group and general practitioner
    • Name, place of employment or organisation and authorisation ID of the healthcare professional who prescribed the medicinal product(s)
    • Prescriptions, including the content of each prescription
    • Dispensed medicines
    • Other data that are relevant to your medication

     

    You can see the Shared Medication Record data recorded about you on sundhed.dk:

    See your medication information on sundhed.dk

    Legal basis for the processing of your personal data

    The legal basis for the processing of common personal data is:

    • Article 6(1)(e) of the General Data Protection Regulation - processing is necessary to complete a task that forms part of the exercise of public authority.

     

    The legal basis for the processing of sensitive personal data is:

    • Paragraph 7, 3 of the Danish Data Protection Act and Article 9(2)(h) of the General Data Protection Regulation - necessary to assess the employee’s occupational capacity, medical diagnosis, provision of social services or health-related care, or processing of social services or health-related care.

     

    Furthermore, the data is processed pursuant to Paragraph 157 in the Danish health Act and Executive Order no. 1615 of 18 December 2018 on Access to and Registration, etc. of Medicinal Product and Vaccination Information.

    The legal basis for processing information about your civil registration number is provided in Paragraph 11, 1 of the Danish Data Protection Act.

    Sharing of your personal data

    Furthermore, the Danish Health Data Authority may pass on medicinal data to the Danish Patient Safety Authority to facilitate the Authority’s supervision of physicians’ and dentists’ prescription of various types of medicines, including addictive medicines and antipsychotic agents and also treating pharmacists’ repeat prescription of some prescription-only medicines and prescription of subsidised dose dispensing of medicines. In special circumstances, the transfer of data may comprise medicinal data and information about medicinal cannabis end products that may be linked to individual citizens.

    Additionally, the Danish Health Data Authority makes available data to the stakeholders of Danish healthcare to ensure that you may receive correct treatments and medicines.

    Personal data storage

    Pursuant to the executive Order, medicine prescriptions are deleted when two years have passed. Prescriptions and data on issuing are deleted two years after being issued/recorded. However, prescriptions are not deleted after two years when the medicine has been dispensed within the past two years or when the treatment includes a medicine that remains active for more than two years after being dispensed.

    Personal data such as name, civil registration number, address and selected general practitioner, etc. are deleted two years after the citizen dies.

  • Have you visited our website?

    If you have visited our website, sundhedsdata.dk, there will only gathered technically required cookies on your computer.

    Read the cookie policy of the Danish Health Data Authority (in Danish)

  • Are you subscribed to one of our newsletters?

    When you subscribe to receive one of the Danish Health Data Authority’s newsletters, we process your personal data.

    Use of your personal data

    When you subscribe to one of our newsletters, you consent that the Danish Health Data Authority collects and processes data about you to be able to send newsletters to you as a subscriber.

    Types of personal data about you that we process

    When you subscribe to one of our newsletters, we collect and process the following information about you as a minimum:

    • The e-mail address you have provided
    • The news items that you want to receive (if the newsletter in question allows you to subscribe to various categories of news items).

     

    Depending on the newsletter in question, we also collect and process the following additional data about you, e.g.:

    • Name
    • Organisation.

     

    The collected data is used only to send news items and to generate statistical information related to our newsletters.

    Legal basis for the processing of your personal data 

    The legal basis for our processing of your personal data is provided in Article 6(1)(a) of the General Data Protection Regulation and is thus based on your consent.

    Sharing of your personal data

    We use Mailchimp to collect and store mail addresses and send out newsletters. When you subscribe to our news service, you also consent that we may transfer your data to Mailchimp and process these data in accordance with the privacy policy of Mailchimp.

    The right to withdraw your consent

    You may, at any time, withdraw your consent by discontinuing your subscription. You can do so by clicking the ‘Unsubscribe’ (Afmeld nyhedsbrev) link provided in the newsletters we send to you.

    If you decide to withdraw your consent, this will only affect the future processing of your personal data but not the legality of the processing that was based on your consent until you withdrew your consent.

    When you withdraw your consent and discontinue your subscription, you will no longer receive newsletters from the Danish Health Data Authority, and your data will be deleted within a two-month period.

  • Lodging a complaint with the Danish Data Protection Agency

    You are entitled to lodge a complaint with the Danish Data Protection Agency if you are dissatisfied with our processing of your personal data. You will find more information about your rights at the website of the Danish Data Protection Agency. The website also provides the contact information of the Danish Data Protection Agency.

    Visit the website of the Danish Data Protection Agency