Information about processing of personal data in connection with vaccination against novel coronavirus/COVID-19
Here you will find information about how Statens Serum Institut processes your personal data in connection with the vaccination against novel coronavirus/COVID-19.
We are the data controller – how do you contact us?
Statens Serum Institut Artillerivej 5 DK-2300 Copenhagen S
CVR no.: 46837428
You are always welcome to contact our DPA function at firstname.lastname@example.org or +45 4046 0083 if you have any other questions about how SSI processes your personal data.
Please contact SSI via e-Boks if you have any questions regarding your rights. You can find information (in Danish) on how to use e-Boks at the webpage Sikker kommunikation med SSI.
Purpose of the processing of personal data
Part of the processing is performed for research and statistical purposes only.
Categories of personal data and the lawfulness of processing of personal data
We process the following categories of personal data about you in the Danish vaccination register:
Common, non-sensitive personal data:
Health insurance category
Own doctor’s healthcare provider number
Common, confidential personal data:
Civil registration (CPR) number
Sensitive personal data:
Health data that you have been vaccinated.
Moreover, SSI will process data about underlying diseases and occupational conditions, among other things, which are necessary for SSI to identify whether you are among the target groups for vaccination. SSI also uses the data to be able to perform its tasks of monitoring the public’s acceptance and the effect of vaccination and examining any causality between vaccination and unexpected reactions or side-effects of vaccination.
SSI is responsible for monitoring and combating the spread of diseases in collaboration with the rest of the public health service, and for monitoring and assessing the public’s acceptance and the effect of vaccination and examining any causality between vaccination and unexpected reactions or side-effects of vaccination, see section 222 of the Danish Health Act (Sundhedsloven) and, in more detail, section 157 a(6) of the Danish Health Act. SSI is also responsible for recording data on individual citizens’ vaccinations and related data in the Danish vaccination register, see section 157a of the Danish Health Act.
We thus process your personal data in accordance with Article 6(1)(e)1 of the General Data Protection Regulation, as the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in SSI. Furthermore, we process your personal data in accordance with Article 9(2)(h) and (i), as the processing is necessary for the purpose of management of health or social care systems and services and for reasons of public interest in the area of public health.
We process your civil registration (CPR) number in accordance with section 11(1)2 of the Danish Data Protection Act (Databeskyttelsesloven), as the processing is necessary to enable us to identify you clearly.
1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (EEA-relevant text).
2) Act no. 502 of 23 May 2018 on supplementary rules to the Regulation on protection of natural persons in connection with the processing of personal data and the free exchange of such data.
Sources of personal data
As part of our monitoring of the public’s acceptance and the effect of vaccination as well as studies relating to the security of vaccines, we also receive various data about you, for instance about chronic diseases and employment relationships, from public registers, including Landspatientregistret (Danish national patient register), [RUKS], STAR, the DREAM register, etc. In this connection, SSI also looks at any COVID-19 test results.
Recipients or categories of recipients
SSI discloses your personal data to the Region in which you live, partly to enable you to receive the vaccination, and partly for the vaccination to be recorded in your patient records and in the Danish vaccination register.
Your Region or your general practitioner is responsible for recording and reporting of vaccinations in the Danish vaccination register. Please contact your general practitioner or your Region, if you want to know more about your general practitioner’s or your Region’s processing of personal data. You can find contact details here:
Region Nordjylland (Region of Northern Denmark): www.rn.dk
Region Midtjylland (Central Denmark Region): www.rm.dk
Region Syddanmark (Region of Southern Denmark): www.regionsyddanmark.dk
Region Hovedstaden (Capital Region of Denmark): www.regionh.dk
Region Sjælland (Region Zealand): www.regionsjaelland.dk
SSI also discloses your personal data to the Danish Medicines Agency; this is necessary to enable the Danish Medicines Agency to perform its task of monitoring the security of vaccines, including side-effects. Please contact the Danish Medicines Agency at www.lmst.dk, if you want to know more about the Agency’s processing of your personal data.
SSI discloses personal data to our data processors, including the Danish Health Authority. We have entered into data processing agreements with our data processors and supervise the data processors’ compliance with the data processing agreements in accordance with the applicable rules.
Transfer to recipients in third countries, including international organisations
Storage of your personal data
Under the General Data Protection Regulation, you have a number of rights in relation to our processing of your personal data. Please contact SSI to exercise your rights.
A number of limitations apply to your rights under the General Data Protection Regulation when personal data is used for research and statistical purposes only. For instance, you do not have the rights of access to and rectification and restriction of, objection to and erasure of your personal data included in the processing. The limitation of your rights follows from section 22(5) of the Danish Data Protection Act (Databeskyttelsesloven) and article 17(3)(d) of the General Data Protection Regulation.
However, certain limitations may also apply to other cases in which you have the following rights:
Right to access data (right of access)
You have a right to access the data we process about you as well as a number of additional information.
Right to rectification (correction)
You have the right to have inaccurate data about you corrected.
Right to erasure
In exceptional cases, you have the right to have data about you erased before we normally erase such data.
Right to restriction of processing
In some cases, you have the right to have the processing of your personal data restricted. If you have the right to restriction of our processing, this means that, in future, we may only process the data – with the exception of storage – with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
Right to object
In certain cases, you have the right to object to our otherwise lawful processing of your personal data.
You can read more about your rights in the Danish Data Protection Agency’s guide on the rights of data subjects, which you can find at www.datatilsynet.dk.
Please contact SSI via e-Boks if you have any questions regarding your rights. You can find information (in Danish) on how to use e-Boks at the webpage Sikker kommunikation med SSI
The Data Protection Officer’s contact details
You can contact our Data Protection Officer in the following ways:
By email: email@example.com
By letter: Holbergsgade 6, DK-1057 Copenhagen K, attn. ‘Data Protection Officer’ (databeskyttelsesrådgiver)
Lodging a complaint with the Danish Data Protection Agency