Privacy Policy on processing of personal data at the SSI

The SSI process personal data when carrying out our tasks as a public authority. The purpose of this Privacy Policy is to describe how we collect, process and protect personal data.

Statens Serum Institut (SSI) is an institute under the Danish Ministry of Health. The main tasks of the SSI are provided for in Section 222 of the Danish Health Act. The tasks comprise:

  • to prevent and fight infectious diseases, congenital conditions and biological threats,
  • to serve as the central laboratory of Denmark with respect to diagnostic analyses, including reference functions and quality functions. This means that the SSI provides species identification and characterisation of various biological samples, contributes with professional expertise and develops novel diagnostic methods,
  • to secure the supply of vaccines, including vaccines for the Danish childhood vaccination programme and vaccines against COVID-19, and preparedness products. The SSI procures vaccines and other laboratory services,
  • to participate in the operational preparedness measures against infectious diseases and biological terrorism and in the veterinary preparedness services. The SSI does so e.g. by monitoring infection by some diseases in the population,
  • the SSI operates regional test centres in order to monitor the spread of virus in the population, including the spread of COVID-19 (TestCenter Danmark),
  • to conduct scientific research and statistics, and
  • to provide advice and consulting services in areas relating to the tasks of the SSI.

If you have been in contact with the SSI or if carrying out one of our tasks as a public authority has made it necessary, we process personal data about you. Here, you can read how the SSI collects, processes and protects your personal data.

When the SSI processes personal data when carrying out our tasks as a public authority, the SSI act as data controller. The SSI also act as data controller for processing of personal data about you when you have been in contact with the SSI.

If you have any questions about our processing of personal data or about your rights in this respect, please contact the SSI via Borger.dk or by sending an e-mail to serum@ssi.dk. You may also contact our Compliance Department at compliance@ssi.dk, which primarily handles questions about processing of personal data.

The Danish Ministry of Health has a joint data protection officer (DPO), Helle Ginnerup-Nielsen, who is employed with the Department of the Danish Ministry of Health. Among others, the DPO is responsible for providing advice to the Ministry and its agencies and authorities about data protection and legal issues relating to data protection. You may contact the DPO by sending an e-mail to databeskyttelse@sum.dk.

The SSI uses a range of data processors to handle tasks on behalf of the SSI. This is done in pursuance of a data processing agreement, among others to ensure that the processing of data is done exclusively following the instructions of the SSI and in agreement with the General Data Protection Regulation and the Data Protection Act. Data processors do not use the data for their own purposes; they use data only to complete a specific task for the SSI. Once the task of the data processor is completed, the data is deleted and/or returned to the SSI.

When carrying out our tasks as a public authority, a wide range of personal data are processed. As data controller, the SSI must adhere to the data protection regulations. Failing to do so, the SSI is liable to a fine.

The employees of the SSI must act in accordance with the SSI’s Privacy Policy, the SSI’s guidelines and must adhere to data protection regulations.

Only authorised employees may have access to personal data and users may not be authorised for uses that are not required in relation to their job function.

All personal data, including data that does not constitute special categories of personal data, to which employees gain access remain confidential. In this context, rules on professional secrecy in the Danish Public Administration Act and in the Danish Penal Code apply. The rules on professional secrecy applies during as well as after termination of employment.

Failure to comply with these provisions may, depending on the circumstances, be punishable by disciplinary or penal sanctions.

You have various rights in under the GDPR

In relation to the SSI’s processing of your personal data, you are entitled to:

  • request access to the data that we process about you
  • request that incorrect data about you are corrected
  • in some cases, to have information about you deleted
  • in some cases, to have the processing of your personal data limited
  • in some cases, to raise an objection to the SSI’s legal processing of personal data about you
  • file a complaint with the Danish Data Protection Agency if you believe that the SSI is processing information about you in ways that are in breach of data protection regulations.

If you want to exercise your rights, please contact the SSI at compliance@ssi.dk. Further contact information is provided in the section below.

Various substantial exceptions apply to the possibilities of having corrected or deleted information about you that is processed with the SSI. Among others, this is so because as a public authority, the SSI may need to document the basis upon which a previous decision or choice was made. In case of incorrect or misleading information, the SSI may instead add the correct data to the file without deleting the original data.

Additionally, various substantial exceptions apply to the possibilities of limiting the SSI’s processing of your personal data. For example, you are not entitled to limit the SSI’s data processing in cases where your data are processed exclusively for statistical or scientific purposes, cf. Section 22, Subsection 5 of the Danish Data Protection Act.

Have you been in contact with the SSI?

If you have contacted the SSI by e-mail or letter, the SSI processes the information about you that appears from your request.

If your request concerns access to personal data about yourself, deletion of data, etc., we will ask you to send your request by e-boks, thereby stating your civil registry number (CPR number). We do this for several reasons; (i) to confirm your identity unequivocally, (ii) to facilitate our retrieval of data about you, (iii) to ensure that we are providing the requested information to the correct recipient and (iv) to be able to communicate securely with you. You decide if you want to send a request via e-boks and if you want to provide your CPR number. If you do not want to do so, we may be unable to respond to your request.

The SSI has an obligation to file any request you make in our case processing system. In this connection, any information you provide is processed in pursuance of the provisions of the Danish Public Records Act, the Danish Public Administration Act and with Article 6(1), litra e) of the General Data Protection Regulation, and Section 7, subsection 3 and Section 11, Subsection 1 of the Danish Data Protection Act. The SSI’s filing system is supplied by an external IT provider, whereas operational services are provided by the Danish Health Data Authority, which forms part of the Danish Ministry of Health. The SSI uses external IT providers who process personal data on behalf of the SSI in pursuance of a data processing agreement entered into by the SSI and the data processor.

The SSI has an obligation to document its activities, and the SSI therefore stores the information as long as needed to adhere to this obligation. Every five years, the SSI hands over the SSI’s records to the Danish State Archives. This is done in pursuance of the provisions of the Danish Archives Act.

Have you visited the SSI?

If you have attended an on-site visit with the SSI, the SSI processes various personal data about you. When arriving to the SSI’s reception, we ask you to register your visit. You are asked to provide personal data like your name, data relating to the visit, which company you represent (if any) and which employee/department you will be visiting. This information is given voluntarily to the SSI. If you do not want to provide the required information, you may not be able to visit the SSI or you may need to be accompanied by an SSI employee during the entire visit.

When on the SSI premises, you may be recorded by the SSI video surveillance system. The SSI processes data about you to the extent that these are evident from the images recorded. The information may comprise personal data like the time of your visit to the video-monitored area. If you commit any criminal acts on the recordings, the processing will include data about criminal offences. If your appearance of the way you dress reveals information about your state of health, your religious beliefs, etc., such information may also be derived from the recordings.

The objective of the registration of information in the reception and of video monitoring is, among others, to prevent and solve crimes. The SSI stores vaccines, houses a veterinary preparedness service and an operational preparedness service against biological terrorism. In this context, the SSI carries an obligation to avoid unauthorised access to selected rooms and areas, e.g. by implementing preventive measures like video monitoring and access control. The obligations follow, among others, from the principles and guidelines for good distribution practice that the SSI has an obligation to follow, cf. Article 80, litra g) of Directive 2001/83/EC. The SSI receives advice from the police concerning security levels at the SSI.

The legal basis for the recording of your visit is provided in Article 6(1), litra c) and e) of the General Data Protection Regulation. The legal basis for the video monitoring made by the SSI is Article 6(1), litra c) and e) and Article 10 of the General Data Protection Regulation and Sections 6 and 8 of the Danish Data Protection Act.

In very special cases, the SSI will pass on image recordings to the police to solve crimes. The legal basis for this is provided in Section 4 c, Subsection 1 of the Danish Video Monitoring Act, cf. Article 6(1), litra f) and Article 10 of the General Data Protection Regulation.

The SSI stores image recordings for 30 days after which they are automatically deleted. In very special cases, storage may be prolonged. The legal basis for this is provided in Section 4 c, Subsections 4 and 5 of the Danish Video Monitoring Act. This includes situations in which storage is required due to a specific dispute or situations in which the information is processed to prevent crime.

Have you had a sample analysed by the SSI?

As part carrying out our tasks as a public authority, the SSI diagnoses a range of biological samples provided by patients. If you have had a sample analysed with the SSI, the SSI will automatically process various personal data about you.

If you have been tested for COVID-19 at one of our regional test stations, you may read more about this in the section about TestCenter Danmark below.

The physical sample is sent to the SSI for analysis. The objective of the analysis is to test for micro-organisms (virus, fungi, bacteria and pesticides). In addition to these micro-organisms, the SSI will process personal data about you like your name, CPR number, general practitioner, etc. The sample may also contain information about your health. If the sample contains human tissue, the sample will also contain information about your genetic material and your genetic condition. Such information will require a special analysis. The SSI does not undertake such an analysis when the sample is analysed by the SSI for diagnostic purposes only. Any residual material from such samples will often be stored in the Danish National Biobank for future research. If the healthcare professional who has ordered the analysis submits relevant information about your health, such data will also be processed by the SSI.

The legal basis for the SSI’s processing of personal data is Article 6(1), litra e) of the General Data Protection Regulation, cf. Section 222 of the Danish Healthcare Act, as the processing is necessary for the performance of a task in the exercise of official authority vested in the SSI.

Furthermore, the legal basis for the processing of special categories of personal data is provided in Section 7, Subsection 3 of the Danish Data Protection Act, in Article 9(2) litra h of the General Data Protection Regulation and in Section 222 of the Danish Healthcare Act, as it is necessary to process the data to prevent illness and prepare medical diagnoses.

The legal basis for the SSI’s processing of your CPR number is provided in Section 11, Subsection 1 of the Danish Data Protection Act, as the processing is needed to identify you uniquely.

When the SSI has analysed your biological sample, the result is sent to the healthcare professional who ordered the analysis and made available at sundhed.dk. The legal basis for this is provided in Section 5, Subsection 1 of Executive Order no. 650 of 13 April 2021 on the Processing of Personal Data in Connection with the Offer of a Test for Coronavirus Disease 2019 (COVID-19) in Relation to Employment, entry into Denmark or as an Offer Given to the Population, etc., unless you have opted out of using sundhed.dk, cf. Section 42 a, Subsection 5 of the Danish Healthcare Act. The legal basis for transfer of data to the person who ordered the analysis is provided in Section 7, Subsection 3 of the Danish Data Protection Act, cf. Section 222 of the Danish Healthcare Act. The result will also be recorded in the Danish Microbiology Database, MiBa, a nationwide, automatically updated database of microbiological test results. If you are admitted to hospital, the treating healthcare worker will be able to look up the result in the MiBa.

The SSI may choose to store any residual material from the diagnostic sample in the Danish National Biobank for future research. The legal basis for this is provided in Section 10 of the Danish Data Protection Act, and any residual material will thus be processed for the sole purpose of carrying out statistical or scientific studies of significant importance to society and where such processing is necessary in order to carry out these studies. The residual material will be stored until it no longer has any statistical or scientific value.

Read more information about the Danish National Biobank here.

Have you been tested for covid-19?

If the virus test was done by TestCenter Danmark

The purpose of TestCenter Danmark (TCDK) is to increase the testing activity in Denmark and support the strategy of the Danish Government in relation to covid-19. In TCDK, symptom-free citizens and citizens with mild symptoms, but who do not need to see a doctor, may be tested to learn if they have become infected with covid-19.

The processing of your personal data is primarily carried out to test if you have become infected with covid-19 at the time of testing. Furthermore, the SSI is tasked with monitoring and hamper spreading of the infection. Therefore, the processing also aims to collect knowledge about the infection risk and about the spread of the infection.

For more information about TestCenter Danmark, please see here.

At www.coronaprover.dk under Se spørgsmål og svar - Behandling af dine personoplysninger (Danish for: See questions and answers - Processing of your personal data), you can read more about the processing of personal data in connection with virus testing in TestCenter Danmark. The same text is also provided at the bottom of the page in the Section Persondatapolitik (Danish for: Personal Data Policy).

If the virus test was carried out at a hospital

If you have been tested for virus at a hospital, typically the hospital will analyse the test sample.

If you want to learn more about your region’s processing of your personal data, feel free to contact your region. You may find your region’s contact information here:

North Denmark Region: www.rn.dk 
Central Denmark Region: www.rm.dk
Region of Southern Denmark: www.regionsyddanmark.dk
Capital Region of Denmark: www.regionh.dk
Region Zealand: www.regionsjaelland.dk

The SSI’s monitoring of infection with covid-19

The SSI is responsible for monitoring, preventing and fighting infectious diseases, including covid-19. This means that the SSI closely monitors the spread of covid-19, studies various virus variants, monitors the severity and consequences of the disease, etc. In this connection, the SSI processes information about infected as well as non-infected persons, information about people who are admitted to hospital, have died, about infection at nursing homes and in specific industries, etc.

The processing of these data is carried out as part of the SSI’s obligation to monitor and hamper spreading of the infection, cf. Section 222 of the Danish Healthcare Act. The processing thus aims to collect knowledge about the risk of infection and of further spreading of covid-19 infection. Furthermore, monitoring may contribute to determining the current covid-19 disease burden in Denmark and thereby to assessing how we should prioritise prevention and control measures. Additionally, monitoring may be used to assess the evolution of different covid-19 variants over time.

If you have been tested for covid-19 by a virus test, antigen test, PCR test or another similar test at a public or private treatment facility or another independent company, the test centre in question has an obligation to submit information to the SSI, cf. the Danish Health Authority’s Executive Order no. 637 of 13 April 2021 on Notification of covid-19 with Subsequent Amendments.

The SSI receives information about personal identification (whenever possible CPR and phone number, alternatively other identifying and contact information), treatment site, facility that analysed the sample (e.g., laboratory or treatment site), the test (including test method, sampling time and sample localisation), the test result (e.g., negative/positive/inconclusive) and your answers to essential questions used for infection tracing and monitoring of the infection.

Some public test sites also analyse the virus variant with which you have become infected. If a public test site has analysed the virus variant (sequencing), the result of the analysis must be submitted to the SSI. If the public test site has not determined the virus variant, the sample must be submitted to the SSI. The SSI then analyses the sample to determine the virus variant. The SSI sequences the samples to discover any new virus variants and follows the development and spread among new virus variants. The SSI separates the virus from the sample and analyses the RNA of the virus. The SSI only studies the genetic material of the virus, not the DNA/genetic material of the person.

The SSI has authority to collect additional personal data about you if this is deemed necessary for monitoring purposes and to limit the spread of covid-19. This personal data can only be collected by doctors who treat patients with confirmed covid-19. It is possible to collect information about (1) the patient’s travel activities, (2) if the patient has come into contact with an infected person, and (3) if the test forms part of a screening of an employee group/place of employment. The SSI’s authorisation to collect this personal data is provided in Section 4 of the Danish Health Authority’s Executive Order no. 637 of 13 April 2021 about covid-19 Notification with Subsequent Amendments.

If your test is positive, residual material from the diagnostic sample will be stored at the SSI to monitor the spread of covid-19. Your test will be stored as long as the SSI needs it to comply with its regulatory tasks in pursuance of the Danish Healthcare Act. Subsequently, residual material will be stored in the Danish National Biobank for future research. The legal basis for this final storage is provided in Section 10 of the Danish Data Protection Act. The residual material will thus be processed for the sole purpose of carrying out statistical or scientific studies of significant importance to society and where such processing is necessary in order to carry out these studies. The residual material will be stored until it no longer has any statistical or scientific value. You can read more under the tab “If residual material from your diagnostic sample is stored in the Danish National Biobank” and more general information is available about the Danish National Biobank here.

The SSI uploads information about virus sequences from positive covid-19 samples to internationally acknowledged databases, including the GISAID database. The purpose of uploading this personal data is mainly to facilitate global monitoring of the pandemic and research related hereto. The legal basis for uploading the data is provided in Executive Order no. 777 of 29 April 2021 on Statens Serum Institut’s Passing on of Gene Sequences and Isolates from Micro-organisms and Associated Personal Data in Connection with the Prevention of and Fight Against the Spread of Infectious Diseases.

The SSI discloses and receives personal data to/from the Danish Patient Safety Authority. The Danish Patient Safety Authority performs tasks related to infection tracing. This follows from Section 52 of the Danish Epidemic Act.

The SSI subsequently receives various items of information from the Danish Patient Safety Authority that were collected in connection with the authority’s infection tracing-related tasks. Among others, these items of information include CPR number or other identification; presumed source of infection; test type used by the infectee; if the infectee has experienced symptoms, including disease onset; if the infectee forms part of a delimited outbreak, previous stays abroad, number of close contacts that the infectee has given to the Danish Patient Safety Authority.

The SSI receives information only when needed to comply with its task relating to the monitoring and prevention of and fight against covid-19.

As a state, Denmark has an obligation to comply with the International Health Regulations (IHR). In this connection, Denmark has a number of duties under Decision no. 1082/2013/EU of the European Parliament and the Council of 22 October 2013 on Serious Cross-border Health Threats and on the Annullment of Decision no. 2119/98/EF. Among others, the member states have an obligation to inform the competent health authorities in the member states and Commission appropriately and timely about outbreaks of infectious diseases, etc., e.g. to facilitate effective infection tracing measures.

The legal basis for the SSI’s processing of personal data is Article 6(1), litra e) of the General Data Protection Regulation, cf. Section 222 of the Danish Healthcare Act, as the processing is necessary for the performance of a task in the exercise of official authority vested in the SSI.

Furthermore, the legal basis for the processing of special categories of personal data is provided in Section 7, Subsection 3 of the Danish Data Protection Act, in Article 9(2) litra h) of the General Data Protection Regulation and in Section 222 of the Danish Healthcare Act, as it is necessary to process the information to prevent illness and prepare medical diagnoses.

The legal basis for the SSI’s processing of your CPR number is provided in Section 11, Subsection 1 of the Danish Data Protection Act, as the processing is needed to identify you uniquely.

The data processed as part of the SSI’s monitoring activities is stored until it is no longer necessary for the SSI to comply with its obligations in pursuance of Section 222 of the Danish Healthcare Act.

Have you been tested for covid-19 by a private test provider?

The SSI is responsible for monitoring, preventing and fighting infectious diseases, including covid-19. This means that the SSI closely monitors the spread of covid-19, studies various virus variants, monitors the severity and consequences of the disease, etc. In this connection, the SSI processes personal data about infected as well as non-infected persons, people who are admitted to hospital, have died, about infection at nursing homes and in specific industries, etc.

The processing of these data is carried out as part of the SSI’s obligation to monitor and hamper spreading of the infection, cf. Section 222 of the Danish Healthcare Act. The processing thus aims to collect knowledge about the risk of infection and of further spreading of covid-19 infection. Furthermore, monitoring may contribute to determining the current covid-19 disease burden in Denmark and thereby to assessing how we should prioritise prevention and control measures. Additionally, monitoring may be used to assess the evolution of different covid-19 variants over time.

If you have been tested for covid-19 by a virus test, antigen test, PCR test or another similar test at a private test provider, the provider in question has an obligation to submit information to the SSI, cf. the Danish Health Authority’s Executive Order no. 637 of 13 April 2021 on Notification of covid-19 with Subsequent Amendments.

The SSI receives information about personal identification (whenever possible CPR and phone number, alternatively other identifying and contact information), treatment site, facility that analysed the sample (e.g., laboratory or treatment site), the test (including test method, sampling time and sample localisation), the test result (e.g., negative/positive/inconclusive) and your answers to essential questions used for infection tracing and monitoring of the infection.

The test result will also be recorded in the Danish Microbiology Database (MiBa), a nationwide, automatically updated database of microbiological test results. If you are admitted to hospital, the treating healthcare professional will be able to look up the result in the MiBa. The test result will be made available to you or your guardian at sundhed.dk unless you have opted out of displaying information at sundhed.dk.

The SSI has authority to collect additional personal data about you if this is deemed necessary for monitoring purposes and to limit the spread of covid-19. This personal data can only be collected by doctors who treat patients with confirmed covid-19. It is possible to collect information about (1) the patient’s travel activities, (2) if the patient has come into contact with an infected person and (3) if the test forms part of a screening of an employee group/place of employment. The SSI’s authorisation to collect this data is provided in Section 4 of the Danish Health Authority’s Executive Order no. 637 of 13 April 2021 about covid-19 Notification with Subsequent Amendments.

The SSI discloses and receives various items of personal data to/from the Danish Patient Safety Authority. The Danish Patient Safety Authority performs tasks related to infection tracing. This follows from Section 52 of the Danish Epidemic Act.

The SSI subsequently receives personal data from the Danish Patient Safety Authority that were collected in connection with the authority’s infection tracing-related tasks. Among others, this personal data include CPR number or other identification; presumed source of infection; test type used by the infectee; if the infectee has experienced symptoms, including disease onset; if the infectee forms part of a delimited outbreak, previous stays abroad, number of close contacts that the infectee has given to the Danish Patient Safety Authority.

The SSI receives information only when needed to comply with its task relating to the monitoring and prevention of and fight against covid-19.

As a state, Denmark has an obligation to comply with the International Health Regulations (IHR). In this connection, Denmark has a number of duties in pursuance of Decision no. 1082/2013/EU of the European Parliament and the Council of 22 October 2013 on Serious Cross-border Health Threats and on the Annullment of Decision no. 2119/98/EF. Among others, the member states have an obligation to inform the competent health authorities in the member states and Commission appropriately and timely about outbreaks of infectious diseases, etc., e.g. to facilitate effective infection tracing measures.

The legal basis for the SSI’s processing of your common personal data is Article 6(1), litra e) of the General Data Protection Regulation, cf. Section 222 of the Danish Healthcare Act, as the processing is necessary for the performance of a task in the exercise of official authority vested in the SSI.

Furthermore, the legal basis for the processing of special categories of personal data is provided in Section 7, Subsection 3 of the Danish Data Protection Act, in Article 9(2), litra h) of the General Data Protection Regulation and in Section 222 of the Danish Healthcare Act, as it is necessary to process the information to prevent illness.

The legal basis for the SSI’s processing of your CPR number is provided in Section 11, Subsection 1 of the Danish Data Protection Act, as the processing is needed to identify you uniquely.

The information processed as part of the SSI’s monitoring activities is stored until it is no longer necessary for the SSI to comply with its obligations in pursuance of Section 222 of the Danish Healthcare Act.

Have you been tested for, or have you had a disease that the SSI monitors, prevents and fights against?

One of the SSI’s tasks is to monitor certain infectious diseases, cf. Section 222 of the Danish Healthcare Act.

If you have been tested for a micro-organism or have had a disease that the SSI monitors in order to prevent and monitor its spreading and development, the SSI processes information about you.

You will find a full overview of the diseases and micro-organisms that the SSI monitors in the information folder “Monitoring of Diseases and Micro-organisms at the SSI”. The folder is available – In Danish.

For example, Danish Doctors have an obligation to notify the SSI of various infectious diseases, including among others: AIDS, cholera, tuberculosis and rabies. This follows from Executive Order no. 277 on the Notification by Physicians of Infectious Diseases, etc. of 14 April 2000 with Subsequent Amendments. You can read the list of individually notifiable diseases here.

Among others, the SSI’s monitoring has the following objectives:

  • to discover new disease outbreaks
  • to assess trends and developments in diseases over time
  • to determine Denmark’s current disease burden to facilitate prevention and control measures
  • to discover changes in bacteria and viruses like the occurrence of resistance to antibiotics.

The SSI will process personal data about you, including name, CPR number, general practitioner, etc. Additionally, the SSI will process healthcare information about you in the form of the test result that establishes if the sample contains the specific condition, bacterium, micro-organism or similar. Furthermore, we will often process other health-related personal data about you to the extent that this is necessary to monitor the disease in question.

The legal basis for the SSI’s processing of personal data is Article 6(1), litra e) of the General Data Protection Regulation, cf. Section 222 of the Danish Healthcare Act, as the processing is necessary for the performance of a task in the exercise of official authority vested in the SSI.

Furthermore, the legal basis for the processing of special categories of personal data is provided in Section 7, Subsection 3 of the Danish Data Protection Act, in Article 9(2) litra h) of the General Data Protection Regulation and in Section 222 of the Danish Healthcare Act, as it is necessary to process the information to prevent illness and prepare medical diagnoses.

The legal basis for the SSI’s processing of your CPR number is provided in Section 11, Subsection 1 of the Danish Data Protection Act, as the processing is needed to identify you uniquely.

Discovering changes in bacteria and viruses will be of great value to health science research. The information may be used to raise research questions and hypotheses about infectious diseases in pursuance of Section 10 of the Danish Data Protection Act. The SSI’s monitoring and research activities are thus closely connected.

Aggregated results from the SSI’s monitoring will often be published in a renowned scientific journal or similar. The objective of doing so is to inform Danish healthcare and the general population of the spread or development of the disease in question, thereby ensuring that the necessary measures may be implemented to slow down the development as much as possible. Furthermore, publication serves to inform other European and international organisations of the development of certain diseases just like the SSI makes use of information published about the developments reported by other countries. In some cases, publication requires authorisation from the Danish Data Protection Agency.

The SSI analyses biological material in connection with its monitoring of specific diseases and micro-organisms. The biological material is stored in the Danish National Biobank and/or in the department at the SSI that monitors the disease/micro-organism.

The information used in the monitoring activities of the SSI are stored until they are no longer of value to the monitoring activities. In most cases, only the virus molecule or the bacterial strain will be stored. This is so because storing the virus molecule or the bacterial strain is often sufficient to monitor the development of the disease. However, in the monitoring registers of the SSI, some personal data will be linked to the sample as we need to know where the virus molecule/bacterial strain comes from. The personal data will typically be a serial number that may be traced back to the person who provided the sample. In other cases, it may be relevant to store the entire human sample to compare with more recent samples and thereby monitor the development of the disease in humans in general.

Have you been vaccinated?

If you have been vaccinated after 15 November 2015, you will generally be comprised by the Danish Vaccination Register (DVR) and the SSI may then process information about you. The Danish Vaccination Register is an electronic solution that gives healthcare professionals and citizens access to information about vaccinations. As from 15 November 2015, all physicians have had an obligation to register all given vaccinations in the DVR.

Additionally, paediatric vaccinations given after 1997 and other vaccines administered as part of a social security service will generally be comprised by the DVR. The SSI’s childhood vaccination register contains information about paediatric vaccinations from the time before the DVR became operational.

If you are interested in reading about the processing of your personal data in connection with vaccination against covid-19, click here.

Vaccination is voluntary and you decide if you want your child to be vaccinated.

The objectives of running the vaccination register is to ensure the quality, safety and effect of the citizens’ treatment in Danish healthcare by providing a macrolevel overview of all given vaccinations. Additionally, the vaccination register makes it easier for citizens to travel to countries that require documentation of any vaccines received.

The SSI has access to the information in the register in order to monitor and assess vaccination coverage and effect and study any associations between vaccination and unexpected reactions or side effects to vaccination. Furthermore, the SSI has access to information in the register in order to send out vaccination invitations and reminders. This follows from Section 157 a, Subsection 6, Point 2 and Subsection 11, Point 1 of the Danish Healthcare Act cf. Section 69, Subsection 1 of the Danish Epidemic Act and Executive Order no. 638 on the Sending of Reminders to Enhance the Coverage of Vaccination Programmes of 13 April 2021.

The information recorded in the DVR includes name, address, social security group, selected general practitioner, information about the healthcare worker who administered the vaccination, the vaccination given (including batch number and associated vaccination course and programmes) and, where relevant, if you were admitted to a hospital at the time of the vaccination, cf. Section 4 of Executive Order no. 1615 of 18 December 2018 on Access to and Registration of Medical Product and Vaccination Information, etc.

The legal basis for the SSI’s processing of this information is Article 6(1), litra e) of the General Data Protection Regulation, cf. Section 157 a, Subsection 1 of the Danish Healthcare Act, as the processing is necessary for the performance of a task in the exercise of official authority vested in the SSI.

Furthermore, the legal basis for the processing of special categories of personal data is provided in Section 7, Subsection 3 of the Danish Data Protection Act, in Article 9(2) litra h) of the General Data Protection Regulation and in Section 222 of the Danish Healthcare Act, as it is necessary to process the information to prevent illness and prepare medical diagnoses.

The legal basis for the SSI’s processing of your CPR number is provided in Section 11, Subsection 1 of the Danish Data Protection Act, as the processing is needed to identify you uniquely.

The SSI is authorised to actively process information stored in the vaccination register in a number of specific cases, cf. Section 157 a, Subsection 6 of the Danish Healthcare Act.

The SSI has an obligation to pass on vaccination data to the Danish Medicines Agency for the agency’s processing of reports on adverse effects, and to the Danish National Prescription Registry. This follows from Section 3, Subsections 6 and 7 of Executive Order no. 1615 of 18 December 2018 on Access to and Registration, etc. of Medicinal Product and Vaccination Information.

You can check what personal data are stored about you in the DVR via www.sundhed.dk, cf. Section 5, Subsection 1 of Executive Order no. 1615 of 18 December 2018 on Access to and Registration, etc. of Medicinal Product and Vaccination Information. Furthermore, you can register information about any vaccinations you have received yourself. These registrations may subsequently be validated by a physician, cf. Section 5, Subsection 4.

Vaccination information is deleted two years after the citizen dies, cf. Section 14, Subsection 2 of Executive Order no. 1615 of 18 December 2018 on Access to and Registration, etc. of Medicinal Product and Vaccination Information.

Have you applied for employment with the SSI?

If you have applied for a position at the SSI, the SSI processes personal data about you to process your application and inform you of the result.

The recruitment procedure is generally handled by Corporate HR, which handles HR tasks for the Danish Ministry of Health.

Your personal data will generally be stored only in the recruitment system (HR manager) of the Danish Ministry of Health and in the SSIs filing system 360. Only relevant persons who are engaged in the recruitment procedure are given access to see the documents submitted by candidates.

By applying for a position through the recruitment system of the Danish Ministry of Health, you accept at the bottom of the page that we process the personal data about you that you register when applying.

In most cases, we only process personal data about you like your name, address, phone number, email-addresses, professional qualifications, education, previous occupation, etc.

Additionally, CPR numbers may occur if you have not overlined this information in exam certificates, for instance. In your application, if you tick off the field indicating that you are comprised by the provisions of Executive Order no. 1174 of 25 November 2019 on Compensation for Employed Handicapped People, etc. this is processed as healthcare information. In special cases, we may collect information about you from publicly available sources. In such cases, you will be informed of the categories of information collected and where this information was collected.

The legal basis for processing of your personal data is provided in Article 6(1) litra a) of the General Data Protection Regulation as you have consented to the processing, and in Article 6(1) litra b) of the General Data Protection Regulation, as the processing is necessary to reply to a request made by the candidate for the position.

We store the information you have provided in relation to your application in our recruitment system until the recruitment process is concluded. However, your information is not stored for more than six months, unless you specifically state that you would like us to do so. Furthermore, the persons who have participated in the recruitment process must destroy any collected material.

Have you visited our website?

When you visit the SSI’s website, www.ssi.dk, we process various personal data about you to keep a statistical record of the use of our website. The purpose hereof is to facilitate further development and improvements of the SSI’s website.

The SSI uses Siteimprove Analytics provided by the Danish software provider Siteimprove. The data processing is based on a data processing agreement entered into by the SSI and Siteimprove.

The SSI has decided not to collect IP addresses and therefore the information collected is not identifiable to a particular person without further processing. However, we cannot exclude that personal data may be processed because of the search criteria entered.

You can read more about how the SSI processes personal data from the visitors to our website here

If you form part of a research project at the SSI

Conducting research is a core task at the SSI. The objective of the SSI’s research activities is, among others, to ensure effective preparedness measures against infectious diseases and congenital illness. Furthermore, the results from the SSI’s research activities will contribute to solving the challenges that Denmark and the international community face now and in the future.

The SSI’s research activities comprise epidemiology, which includes risk factors of importance for the development of diseases. For example, the SSI’s research project “Better Health Through Generations” (Danish title: Bedre Sundhed i Generationer) has contributed with knowledge about how the effects that a human being is exposed to in the first years of life may impact the development of diseases later in life. The SSI’s epidemiological research community is among the strongest in Europe and enjoys widespread international recognition.

Additionally, the SSI conducts vaccine research and research in the field of infection preparedness. The vaccine research forms part of various important tasks relating to the vaccine preparedness service and provisions, whereas the epidemiological research may serve to strengthen preparedness measures against emerging diseases (e.g., SARS), antibiotic resistance, airway infection, etc.

A considerable share of the SSI’s research is based on public registers. For example, researchers at the SSI may use data from the national healthcare registers like the National Patient Registry, The Register for Selected Chronic Diseases, the Registry of Healthcare Providers, the Central Office of Civil Registration, etc. Additionally, the Danish National Biobank supports Danish health science research by providing a unique national research infrastructure.

The SSI’s researchers may use biological material containing human tissue in research projects. To do so, each research project must have been approved by a scientific-ethical committee. Additionally, a health-science research project at the SSI may process special categories of data, including data concerning health, genetic information, data revealing racial or ethnic origin, a natural person's sex life or sexual orientation, etc., to the extent that this is relevant to the research project in question.

Research projects at the SSI include personal data about you such as your name, CPR number, etc. In the overwhelming majority of cases, the SSI will process personal data in a pseudonymised form. This means that your CPR number does not directly form part of the data set. Rather, it is stored separately and often the individual researcher will not have access to it.

The legal basis for the SSI’s processing of common personal data is Article 6(1), litra e) of the General Data Protection Regulation, cf. Section 222 of the Danish Healthcare Act, as the processing is necessary for the performance of a task in the exercise of official authority vested in the SSI.

The legal basis for the processing of special categories of personal data is provided in Article 9(2) litra h) of the General Data Protection Regulation and Section 10, Subsection 1 of the Danish Data Protection Act, as it is necessary to process the information for scientific research purposes. Depending on the circumstances, the provisions in the Danish Act on Research Ethical Processing of Health Science Research Projects and Health Data Science Research Projects may also apply.

The legal basis for the SSI’s processing of your CPR number is provided in Section 11, Subsection 1 of the Danish Data Protection Act.

If the SSI uses a data processor as part of a research project, the SSI will prepare a data processing agreement to ensure that the processing of data is carried out exclusively following the authorisation of the SSI and in agreement with the General Data Protection Regulation and the Danish Data Protection Act. Data processors do not use the data for their own purposes. They use data only to carry out a specific task for the SSI, e.g., to perform a specific analysis. Once the task of the data processor is completed, the data is deleted and/or returned to the SSI.

Aggregated results from the SSI’s research projects will often be published in a recognised scientific journal or similar. The objective is to inform Danish healthcare and the general population of the spread or development of the disease in question, thereby ensuring that the necessary measures may be implemented to slow down the development as much as possible. Furthermore, publication serves to inform other European and international organisations of the development of certain diseases just like the SSI makes use of information published about the developments reported by other countries. In some cases, publication requires authorisation from the Danish Data Protection Agency.

The SSI generally stores the information until the research project is concluded. Subsequently, the information is deleted at the SSI and in some cases transferred to the Danish State Archives in pursuance of the provisions of the Danish Archives Act. However, the information may also be used in another research project. When this is the case, the information will be deleted when the other research project are concluded, etc.

Personal data that are processed solely for scientific or statistical purposes cannot subsequently be processed for non-statistical or non-scientific purposes.

If you do not want that biological material you provide during treatment is used for future research, you can opt out of such use by registering in the Register for Use of Tissue (Danish Language: Vævsanvendelsesregisteret), cf. Section 29 of the Danish Healthcare Act. You can read more about the Register for Use of Tissue and learn how to register here.

Once you have registered, you have various rights relating to our processing of your personal data. Among others, you are entitled to gain access to the information we process about you and to have data deleted, etc. If you want to exercise these rights, please contact us at compliance@ssi.dk.

Sharing information from research projects

In special cases, the SSI passes on biological material and discloses personal data to external research projects. The SSI has legal authority to pass on such information when this is necessary for the sole purpose of carrying out statistical or scientific studies of significant importance to society, cf. Section 10, Subsection 1 of the Danish Data Protection Act. In order to pass on and disclose data, a number of requirements must be met in pursuance of Executive Order 1509 of 18 December 2019 on the Passing on of Personal Data Comprised by Section 10, Subsections 1 and 2 of the Danish Data Protection Act.

The passing on of data is done observing the obligations that appear from the executive order. This includes, among others, that the SSI has in place adequate safety measures and ensures that the data are used for research purposes exclusively. Data may be passed on to research projects located outside of the EU only with the permission of the Danish Data Protection Agency.

Passing on of biological material from the Danish National Biobank or from a research project requires prior authorisation from the Danish Data Protection Agency. Additionally, the receiving project must be approved by a scientific-ethical committee.

Aggregated information which cannot, directly or indirectly, be traced back to individual persons (anonymised information), cf. Article 4(1) of the General Data Protection Regulation, is not comprised by the data protection regulations, cf, the Article 2(1) of the General Data Protection Regulation, and may be shared with external parties when agreed with the SSI.

Funding of research projects

The SSI conducts research projects that are funded in full or in part by public and private Danish and International foundations. This practice facilitates and strengthens the quality of the research conducted at the SSI. Funding is allocated either to individual research projects or to the SSI in its capacity as an authority conducting research itself.

Research foundations who provide funding for projects have no role or say in the planning or implementation of the project or in the processing of personal data, including the collection, analysis or interpretation of personal data. This serves to avoid conflicts of interest and ethical issues related to the research projects.

You can read more about the research conducted at the SSI here.

If residual material from your diagnostic sample is stored in the Danish National Biobank

The SSI may choose to store any residual material from the diagnostic sample in the Danish National Biobank. We note that some testing procedures employ all of the biological material, leaving no residual material to store.

The legal basis to store the residual material is provided in Section 10 of the Danish Data Protection Act and the residual material will thus be processed for the sole purpose of carrying out statistical or scientific studies of significant importance to society and where such processing is necessary in order to carry out these studies.

The purpose of storing the residual material is (i) to avoid that this invaluable resource for future research is discarded, and (ii) to facilitate statistical and scientific research of significant importance to society that may generate important new knowledge and enhanced medical treatments to the benefit of current and future citizens.

In the Danish National Biobank biological material is stored that includes human tissue. When analysed, human tissue may constitute special categories of personal data, including data concerning health, data revealing racial or ethnic origin and genetic data. A number of supplementary data are processed along with the sample as the National Biobank Register can link biological samples to data from various Danish registers. For example, data may be processed from the Central Office of Civil Registration about sex, date of birth, etc. and information from the National Patient Registry including hospital-related information about the date and time of admission to and discharge from hospital, diagnosis and surgery, etc. Additionally, the SSI processes personal data about you like your name, CPR number, etc.

The Danish National Biobank may pass on biological material to other researchers to facilitate research of considerable social importance. Passing on information to external researchers requires prior authorisation from the Danish Data Protection Agency and approval of the research project by a scientific-ethical committee.

The biological material in the biobank will be stored until it no longer has any statistical or scientific value.

Our contact information

The SSI is the data controller for the processing of your personal data. You will find our contact information below.

Statens Serum Institut
Artillerivej 5
2300 Copenhagen S
CVR no. 46837428
Phone.: 32683268
Email: serum@ssi.dk

If you have any questions about our processing of personal data or about your rights in this respect, please contact SSI via Borger.dk or send an e-mail to serum@ssi.dk. You may also contact our Compliance Department at compliance@ssi.dk, which primarily handles questions about processing of personal data.

The Danish Ministry of Health has a joint data protection officer (DPO), Helle Ginnerup-Nielsen, who is employed with the Department of the Danish Ministry of Health. Among others, the DPO is responsible for providing advice to the Ministry and its agencies and authorities about data protection and legal issues relating to data protection. You may contact the DPO by sending an e-mail to databeskyttelse@sum.dk.