Notice regarding the processing of personal data at SSI
SSI processes personal data when carrying out our tasks as a public authority. The purpose of this notice is to describe how we collect, process, disclose and protect personal data.
Statens Serum Institut (SSI) is an institute under the Danish Ministry of the Interior and Health. The main tasks of SSI are provided for in Section 222 of the Danish Health Act. The tasks comprise:
- To prevent and fight infectious diseases, congenital conditions and biological threats.
- To serve as the central laboratory of Denmark with respect to diagnostic analyses, including reference functions. This means that SSI provides species identification and characterisation of various biological samples, contributes with professional expertise and develops novel diagnostic methods.
- To handle tasks pursuant to international obligations in relation to cross-border health risks.
- To secure the supply of vaccines for public vaccination programmes and preparedness products through procurement, storage and distribution.
- To participate in the operational preparedness measures against infectious diseases and biological terrorism and in the veterinary preparedness services. SSI does so e.g. by monitoring infection by particular diseases in the population.
- SSI operates regional test centres in order to monitor the spread of viruses in the population, including the spread of COVID-19 (TestCenter Danmark).
- To conduct scientific research and statistics, and
- to counsel and provide assistance in areas relating to the tasks of SSI.
If you have been in contact with SSI or if carrying out one of our tasks as a public authority has made it necessary, we process your personal data. Here, you can read how SSI collects, processes, discloses and protects your personal data.
When SSI processes personal data when carrying out our tasks as a public authority, SSI acts as data controller. SSI also acts as data controller when processing your personal data when you have been in contact with SSI.
If you have any questions about our processing of personal data or about your rights in this respect, please contact SSI’s department for Data Protection and Information Security by sending an e-mail to ssidatabeskyttelse@ssi.dk.
If your request contains confidential information about yourself or any other person, you should always send your request to SSI as Secure mail/Digital Post for example via Borger.dk. Here you can read more about secure communication with SSI.
The Danish Ministry of the Interior and Health has a joint data protection officer (DPO), Helle Ginnerup-Nielsen, who is employed by the Department of the Danish Ministry of the Interior and Health. The DPO is responsible for, among other thing, providing counsel to the Ministry and its agencies and authorities about data protection and legal issues relating to data protection.
SSI uses a range of data processors to handle tasks on behalf of SSI. This is done in accordance with a data processing agreement, in order to ensure, among other things, that the processing of data is only performed on instructions from SSI and in agreement with the General Data Protection Regulation and the Data Protection Act. Data processors do not use the data for their own purposes; they use data only to complete a specific task for SSI. Once the task of the data processor is completed, the data is deleted and/or returned to SSI.
The responsibility for the basic IT-operations for all organizations under the auspices of the Danish Ministry of the Interior and Health, including SSI, was transferred to the Danish Ministry of Finance. The Agency for Governmental IT Services has been given this responsibility by Royal Resolution of 8 September 2021. This means that the Agency for Governmental IT Services will act as data processor for SSI in many situations, and will therefore process personal data on behalf of SSI. The Royal Resolution has been published by the executive order no. 1845 of 23 September 2021.
All personal data that employees at SSI have access to is to be processed confidentially. In this respect, SSI has to ensure that the rules on confidentiality in the Danish Public Administration Act and the Danish Criminal Code are respected. The duty of confidentiality has to be respected both during and after the employment at SSI. Depending on the circumstances, a violation of the rules can lead to disciplinary or criminal sanctions.
You have various rights under the GDPR
In relation to SSI’s processing of your personal data, you are entitled to:
- request access to your personal data that we process
- request that incorrect data about you are corrected
- in some cases, to have your personal datadeleted
- in some cases, to have the processing of your personal data limited
- in some cases, to raise an objection to SSI’s lawful processing of your personal data
- file a complaint with the Danish Data Protection Agency if you believe that SSI is processing your personal data in ways that are in breach of data protection regulations.
If you want to exercise your rights, please contact SSI by secure mail/Digital Post for example borger.dk or send an e-mail to ssidatabeskyttelse@ssi.dk. Further contact information can be found in the section below.
Various substantial exceptions apply to your rights under the GDPR. It is not any information that you have the right to access – this is the case for, among other things, information only used for scientific and statistical purposes.
SSI does not always have the right to delete your personal data. One reason being, that as a public authority, SSI will often be obligated to document the basis for its rulings or decisions. In case of incorrect or misleading data, SSI may instead add the correct data to the file without deleting the original data.
Additionally, various substantial exceptions apply to the possibilities of limiting SSI’s processing of your personal data. For example, you are not entitled to limit SSI’s data processing in cases where your data are processed exclusively for statistical or scientific purposes, cf. Section 22, Subsection 5 of the Danish Data Protection Act.
Have you been in contact with SSI?
If you have contacted SSI by e-mail or letter, SSI processes the information about you that appears in your request.
If your request concerns access to personal data about yourself, deletion of data, etc., we will ask you to send your request by e-Boks, thereby stating your civil registry number (CPR number). We do this for several reasons; (i) to confirm your identity unequivocally, (ii) to facilitate our retrieval of data about you, (iii) to ensure that we are providing the requested information to the correct recipient and (iv) to be able to communicate securely with you. You decide if you want to send a request via e-Boks and if you want to provide your civil registry number (CPR number). If you do not want to do so, we may be unable to respond to your request.
SSI has an obligation to file any request you make in our case processing system. In this regard, any information you provide is processed in pursuance of the provisions of the Danish Public Records Act and the Danish Public Administration Act. When processing personal data in the context of a request regarding a party’s or general access to documents, this is done within the limits of Article 86 of the General Data Protection Regulation.
The legal basis for SSI’s processing of personal data is in Article 6(1), litra c) and e) of the General Data Protection Regulation and in regards to CPR number, section 11, Subsection 1 of the Danish Data Protection Act. Section 222 of the Danish Health Care Act, cf. Article 9(2), litra f) and j) provides SSI the legal ground to process sensitive personal data.
SSI’s filing system is provided by the Danish Health Data Authority which forms part of the Danish Ministry of the Interior and Health. The system is supplied to the Danish Health Data Authority by a contractor.
SSI has an obligation to document its activities, therefore, SSI stores the information as long as needed to adhere to this obligation. SSI hands over the records to the Danish State Archives in accordance with the Danish Archives Act.
Have you visited SSI?
If you have attended an on-site visit with SSI, SSI processes various personal data concerning you. When arriving at SSI’s reception, we ask you to register your visit. You are asked to provide personal data like your name, the date of the visit, which company you represent (if any) and which employee/department you will be visiting. This information is given voluntarily to SSI. If you do not want to provide the required information, you may not be able to visit SSI or you may need to be accompanied by an SSI employee during the entire visit.
When on SSI’s premises, you may be recorded by SSI’s video surveillance system. SSI processes data about you to the extent that these are evident from the images recorded. If the recordings show you committing any criminal acts, the processing will include data about criminal offences. If your appearance or the way you dress reveals information about your state of health, your religious beliefs, etc., such information may also be deduced from the recordings.
The objective of the registration in the reception and of video monitoring is, among other things, to prevent and solve crimes. SSI stores vaccines, houses a veterinary preparedness service and an operational preparedness service against biological terrorism. In this context, SSI carries an obligation to avoid unauthorised access to selected rooms and areas, e.g. by implementing preventive measures like video monitoring and access control. The obligations follow, among others, from the principles and guidelines for good distribution practice that SSI has an obligation to follow, cf. Article 50 c of the Danish Medicines Act which implements the Directive 2001/83/EC of the European Parliament. SSI receives counsel from the police concerning the necessary level of security at SSI.
The legal basis for the registering of your visit is provided in Article 6(1), litra c) and e) of the General Data Protection Regulation. The legal basis for SSI’s video monitoring is Article 6(1), litra c) and e) and Article 10 of the General Data Protection Regulation and Sections 6 and 8 of the Danish Data Protection Act.
In very rare cases, SSI will pass on video footage to the police to solve crimes. The legal basis for this is provided in Article 6(1), litra e) and Article 10 of the General Data Protection Regulation.
SSI stores video footage for 30 days, at which point it is automatically deleted. In very special cases, storage may be prolonged. The legal basis for this is provided in Section 4 c, Subsections 4 and 5 of the Danish Video Monitoring Act. This includes situations in which storage is required due to a specific dispute or situations in which the information is processed to prevent crime.
Have you had a sample analysed by SSI?
As a part of carrying out our tasks as a public authority, SSI analyses a range of biological samples provided by patients. If you have had a sample analysed by SSI, SSI will process various personal data about you.
The physical sample is sent to SSI for analysis at SSI’s laboratory. The objective of the analysis is to test for viruses and microorganisms or antibodies against viruses and microorganisms. In addition to these microorganisms, SSI will process your personal data, such as your name, CPR number, general practitioner, etc. If the health professional who initiated the analysis sends SSI relevant data concerning your health condition, such data will be processed by SSI.
The sample can also contain information about your health condition. If the sample contains human tissue, the sample will also contain information about your genetic material and your genetic condition. Such information will require a special analysis. SSI does not undertake such an analysis when the sample is analysed by SSI for diagnostic purposes only.
Any residual material from such samples will often be stored in freezers so that SSI can undertake a new analysis if necessary. If this is the case, SSI only analyses the viruses and microorganisms and the products of the viruses and microorganisms which is found in the sample. In other words, SSI does not analyse or look at the human DNA. Furthermore, SSI can use the samples when necessary in order to carry out the task of preventing and combatting infectious diseases. If this is the case, SSI only analyses the viruses and microorganisms and does not analyse or look at the human DNA. For example, this might happen if SSI has to adjust a PCR-test so the new PCR-test can test for new variants of Covid-19, or if SSI has to research if a new serious outbreak had started sooner than the Danish health authorities currently believe.
The residual material can also be used in specific scientific research projects. This requires an authorisation by the Committee on Research Ethics. You can read more about this topic in the section below about storage of diagnostic residual material in the Danish National Biobank.
The legal basis for SSI’s processing of personal data is Article 6(1), litra e) of the General Data Protection Regulation, cf. Section 222 of the Danish Healthcare Act, as the processing is necessary for the performance of a task carried out in the exercise of official authority vested in SSI.
Furthermore, the legal basis for the processing of special categories of personal data is provided in Section 7, Subsection 3 of the Danish Data Protection Act, in Article 9(2) litra h of the General Data Protection Regulation and in Section 222 of the Danish Healthcare Act, as it is necessary to process the data for preventive disease control, medical diagnosis and public health interests.
The legal basis for SSI’s processing of your CPR number is provided in Section 11, Subsection 1 of the Danish Data Protection Act, as the processing is needed to identify you uniquely.
When SSI has analysed your biological sample, the result is sent to the healthcare professional who ordered the analysis and made available at sundhed.dk. The legal basis for this is provided in Section 7, Subsection 3 of the Danish Data Protection Act, cf. Section 222 of the Danish Healthcare Act. The result will also be recorded in the Danish Microbiology Database, MiBa, a nationwide, automatically updated database of microbiological test results. If you are admitted to hospital, the medical staff treating you will be able to look up the result in MiBa.
You can read more about the surveillance of infectious diseases under the section “Have you been tested for, or have you had a disease that SSI monitors, prevents and fights against?”.
The use of, including the disclosure of, residual material for scientific research has its legal basis in Section 10 of the Danish Data Protection Act. Moreover, the scientific research project has to be authorised by the Danish Research Ethics Committee. The residual material will therefore be used to carry out statistical and scientific studies of significant importance to society and where such processing is necessary in order to carry out the study.
The residual material will be stored until a time where it no longer necessary for the aforementioned purposes. When the material is no longer used to carry out SSI’s tasks, the information will be used exclusively for future health science research. When the material no longer has statistical or scientific value, the material will be destroyed. If you do not wish for your residual material to be used for research, you can choose to register yourself in the National Database of Non-Consent to the Use of Tissue Samples for Scientific Purposes. Here you can find more information about the Danish National Biobank. Here you can also read about your option to request the destruction of the residual material.
Have you been tested for covid-19?
The last covid-19 testing centres closed onmarch 31, 2023. Therefore, it is only possible to get a PCR-test if a physician deems it necessary. Read more under the section: “Have you had a sample analysed by SSI?”
Here you can read about SSI’s processing of personal data, if you have been tested for covid-19.
One of SSI’s tasks is to monitor, prevent and fight infectious diseases, including covid-19. This means that SSI continues to monitor the spread of covid-19, keep an eye on different variants of the virus, monitor the severity and consequences of the disease etc. You can read more about how SSI monitors infectious diseases under the section: “Have you been tested for, or have you had a disease that SSI monitors, prevents and fights against?”.
Have you been tested for, or have you had a disease that SSI monitors, prevents and fights against?
One of the tasks at SSI is to monitor, prevent and fight infectious diseases. Among other things, this means that SSI carefully monitors the spread of certain diseases and the severity and consequences of said diseases, keeps an eye on different variants of viruses, bacteria, parasites and fungi, looks at the significance of test activity etc. In this context, SSI looks at information about both people who are infected and not-infected, inpatients and number of deaths, infections among people at nursing homes and in particular industries. If you have been tested for, or have had a disease, that SSI is responsible for surveilling, SSI will process your personal data.
Danish physicians have an obligation to notify SSI of various infectious diseases, including: AIDS, cholera, tuberculosis and rabies. This follows from Executive Order no. 277 on the Notification by Physicians of Infectious Diseases, etc. of 14 April 2000 with Subsequent Amendments. Here you can see the list of diseases where notification is obligatory.
The objective of processing your personal data is to collect knowledge about the risk and spread of infections for the diseases. Furthermore, the monitoring can contribute to determining Denmark’s current disease burden to facilitate prevention and control measures. Moreover, the monitoring is used to assess changes in the microorganisms which induce the diseases. As an example, SSI monitors the incidences of resistance to antibiotics.
Some public test sites also analyse the virus or microorganism with which you have become infected. If a public test site has analysed the variant (sequencing), the result of the analysis will in some instances be submitted to SSI. If the public test site has not determined the variant, the sample must be submitted to SSI. SSI then analyses the sample to determine the variant. SSI sequences the samples to discover any new variants and follows the development and spread among new variants. SSI separates the virus or microorganism from the sample and analyses the RNA of the virus or microorganism. SSI only studies the genetic material of the virus or microorganism, not the DNA/genetic material of the person.
SSI also conducts investigations related to certain outbreaks of diseases. In this context, SSI will gather information about the course of the outbreak, how the contagion appeared, and how the contagion has spread. The purpose of the investigation of outbreaks is to obtain knowledge about the outbreak so that a similar situation can be prevented.
When monitoring infectious diseases, SSI can detect changes in viruses and microorganisms that can have significant importance for health research. Therefore, SSI can use this information to form research questions and hypotheses about infectious diseases. SSI’s monitoring of of infectious diseases and research activities are closely linked.
SSI processes personal data based on Article 6(1), litra e) of the General Data Protection Regulation (GDPR), in accordance with Section 222 of the Danish Health Act, as the processing is necessary for the performance of a task that SSI is required to carry out.
The processing of sensitive personal data is carried out based on Article 9(2), litra g) and i) of the General Data Protection Regulation, cf. Section 222 of the Danish Health Act, as it is necessary to process the information for significant public interest reasons in the field of public health.
SSI processes information about your social security number (CPR number) based on Section 11, Subsection 1 of the Danish Data Protection Act, as the processing is necessary to identify you uniquely.
SSI discloses and receives personal data to/from the Danish Patient Safety Authority. This follows from Section 52 of the Danish Epidemic Act.
SSI can receive various data from the Danish Patient Safety Authority that were collected in connection with the authority’s infection tracing-related tasks. This includes CPR number or other identification; presumed source of infection; test type used by the infectee; if the infectee has experienced symptoms, including disease onset; if the infectee forms part of a delimited outbreak, previous stays abroad, information about the number of close contacts, provided by the infectee to the Danish Patient Safety Authority.
SSI receives information only when needed to comply with its task relating to the monitoring and prevention of and fight against infectious diseases.
Aggregated results from the monitoring of infectious diseases are often published in scientific journals or similar publications. The objective of publication is to make the healthcare sector and the general population aware of the spread or development of the specific disease so the necessary measures can be taken to minimize its progression. In addition, publishing the results from the monitoring of infectious diseases aims to inform other European and international organisations about the development of specific diseases, just like SSI makes use of knowledge published about the developments in other countries.
In certain situations, SSI may share information about microorganisms from positive analyses with internationally recognized databases, including the GISAID database, when necessary for the prevention and control of the spread of infectious diseases. The objective of uploading this information is primarily to enable global pandemic surveillance and related research. The upload has its legal basis in the Executive Order no. 777 of 29 April 2021 on Statens Serum Institut’s Passing on of Gene Sequences and Isolates from Micro-organisms and Associated Personal Data in Connection with the Prevention of and Fight Against the Spread of Infectious Diseases.
In relation to preventing and fighting infectious diseases, SSI receives patient’s samples (biological material). The biological material is stored in freezers at SSI.
In many instances, only the virus molecule itself or the bacterial strain is stored. This requires that it is possible to separate the virus or microorganism from the original sample (the patient’s sample).
Various personal data will however be in the monitoring register at SSI as it is necessary to know where the virus molecule/the bacterial strain stems from. In other cases, it may be relevant to store the sample as a whole with the objective to compare the sample with later samples and to be able to monitor the development of the disease in humans in general. SSI does not look at the genetic material/DNA of the person.
As a state, Denmark has an obligation to comply with the International Health Regulations (IHR). In this connection, Denmark has a number of duties under Decision no. 1082/2013/EU of the European Parliament and the Council of 22 October 2013 on Serious Cross-border Health Threats and on the Annulment of Decision no. 2119/98/EF. Among others, the member states have an obligation to inform the competent health authorities in the member states and Commission appropriately and timely about outbreaks of infectious diseases, etc., e.g. to facilitate effective infection tracing measures.
The information included in the surveillance conducted by SSI is stored until it is no longer necessary for the performance of the tasks at SSI, including the task to prevent and fight infectious diseases.
Are you born after the year 1975?
When a child is born in Denmark, parents are offered the option to have a heel blood sample taken from the child (PKU card) within 48-72 hours after birth. This blood sample is sent to SSI for screening analysis. The newborn is tested for a range of serious congenital diseases that can be treated. This screening program was introduced in 1975.
This means that if you or your child has had a heel blood sample taken as part of this screening program, SSI has received your, or your child’s PKU card for diagnostic examination and other purposes.
Here you can read more about the PKU card.
SSI receives the physical sample in order to perform analyses aimed at examining the blood for signs of congenital diseases. In addition to the analysis results, SSI registers personal data about you, such as name, CPR number (personal identification number), sampling time, place of birth and gestational age (the age of the fetus in the womb). The legal basis for the processing of personal data Article 6(1), litra e) of the General Data Protection Regulation, cf. Section 222 of the Danish Health Act, as the processing is necessary for SSI in order to carry out our tasks as a public authority.
Furthermore, the legal basis for the processing of special categories of personal data is provided in Section 7, Subsection 3 of the Danish Data Protection Act, in Article 9(2) litra g) of the General Data Protection Regulation and in Section 222 of the Danish Healthcare Act, as it is necessary to process the for preventive disease control, medical diagnosis and for public health interests.
The legal basis for SSI’s processing of your CPR number is provided in Section 11, Subsection 1 of the Danish Data Protection Act, as the processing is needed to identify you uniquely.
When SSI has analysed your biological sample, the result is sent to the healthcare professional or the specialized department who ordered the analysis. The result is made available via. The menu titled ”Sundhedsjournalen” at sundhed.dk, which authorized health professionals can access when treating patients. The transfer of the results to the party who requested the analysis is done based on the legal basis provided in Section 7, Subsection 3 of the Danish Data Protection Act.
After the analysis is completed, the PKU card is stored in freezers at SSI. This procedure has been in place since 1982, such that heel blood samples taken thereafter are stored at SSI. The PKU card will not be stored at SSI if your parents have requested its destruction. The sample material is primarily used for clinical purposes such as prevention, diagnosis, and treatment. It can also be used for ongoing quality assurance of the screening of newborns, development of new analysis and screening methods as well as health scientific research.
The sample material is a limited resource, and its usage is prioritized as follows:
- priority: use for the child and family.
- priority: use for ongoing quality assurance of the screening of newborns and development of new analysis and screening methods.
- Priority: use for health scientific research.
The PKU card can only be handed over for research purposes if the project has been approved by a research ethics committee and when it is necessary for the conduct of health scientific studies with significant importance, cf. Section 10, Subsection 1 of the Danish Data Protection Act. However, the biological material cannot be handed over for research if you are registered in the National Database of Non-Consent to the Use of Tissue Samples for Scientific Purposes. Here you can read more about the National Database of Non-Consent to the Use of Tissue Samples for Scientific Purposes.
You have the option to have your or your child's PKU card destroyed. If you wish to do so, you must communicate this via secure mail via. borger.dk. Search for SSI as the recipient and select SSI's main mailbox. Please note that if want a child's PKU card destroyed, the child's legal guardians must submit a request for the destruction of the sample before it can be destroyed.
Have you been vaccinated?
If you have been vaccinated after 15 November 2015, you will generally be registered in the Danish Vaccination Register (DDV), in which case SSI will process your personal data. The Danish Vaccination Register is an electronic solution that gives healthcare professionals and citizens access to information about vaccinations. From 15 November 2015 all Danish physicians have had an obligation to register all given vaccinations in the DDV.
Additionally, paediatric vaccinations given after 1997 and other vaccines administered as part of the Danish public health insurance will generally be registered in DDV. SSI’s childhood vaccination register contains information about paediatric vaccinations from the time before the DDV became operational.
Here you can read about the processing of your personal data in connection with vaccination against covid-19.
Vaccination is voluntary and you decide if you want your child to be vaccinated.
The objectives of running the vaccination register is to ensure the quality, safety and effect of the citizens’ treatment in Danish healthcare by providing an overview of given vaccinations. Additionally, the vaccination register makes it easier for citizens to travel to countries that require documentation of received vaccines.
SSI has access to the information in the register in order to monitor and assess vaccination coverage and effect. SSI also examines any associations between vaccination and unexpected reactions or side effects to the vaccination. Furthermore, SSI has access to information in the register in order to send out vaccination invitations and reminders. This follows from Section 157 a, Subsection 6, Point 2 and Subsection 11, Point 1 of the Danish Healthcare Act cf. Section 69, Subsection 1 of the Danish Epidemic Act and Executive Order no. 1615 on the Sending of Reminders to Enhance the Coverage of Vaccination Programmes of 9. September 2022.
The information recorded in DDV includes name, address, social security group, selected general practitioner, information about the healthcare professional who administered the vaccination, the vaccination given (including batch number and associated vaccination course and programmes). Additionally, DDV will contain information about whether you were admitted to a hospital at the time of the vaccination, cf. Section 4 of Executive Order no. 1615 of 18 December 2018 on Access to and Registration of Medical Product and Vaccination Information, etc.
The legal basis for SSI’s processing of this information is Article 6(1), litra e) of the General Data Protection Regulation, cf. Section 157 a, Subsection 1 of the Danish Healthcare Act, as the processing is necessary for the performance of a task in the exercise of official authority vested in SSI.
Furthermore, the legal basis for the processing of special categories of personal data is provided in Section 7, Subsection 3 of the Danish Data Protection Act, in Article 9(2) litra g) and i) of the General Data Protection Regulation and in Section 222 of the Danish Healthcare Act, as it is necessary to process the information to prevent illness, prepare medical diagnoses and for public health interests.
The legal basis for SSI’s processing of your CPR number is provided in Section 11, Subsection 1 of the Danish Data Protection Act, as the processing is needed to identify you uniquely.
SSI has an obligation to disclose vaccination data to the Danish Medicines Agency for the agency’s processing of reports on adverse effects, and to the Danish National Prescription Registry. This follows from Section 3, Subsections 6 and 7 of Executive Order no. 1615 of 18 December 2018 on Access to and Registration, etc. of Medicinal Product and Vaccination Information.
Where it is necessary in order to carry out the tasks as a public authority, and in accordance with data protection laws, SSI can disclose the personal data to others.
You can check what personal data about you is stored in DDV via www.sundhed.dk, cf. Section 5, Subsection 1 of Executive Order no. 1615 of 18 December 2018 on Access to and Registration, etc. of Medicinal Product and Vaccination Information. Furthermore, you can register information about any vaccinations you have received yourself. These registrations may subsequently be validated by a physician, cf. Section 5, Subsection 4.
Vaccination information is deleted two years after the citizen dies, cf. Section 14, Subsection 2 of Executive Order no. 1615 of 18 December 2018 on Access to and Registration, etc. of Medicinal Product and Vaccination Information.
If you have – or later acquire – a residential address in Greenland, SSI will disclose the information about your vaccination against covid-19, additionally the number of vaccinations you have received, to the Greenlandic Health Authority. The purpose of the disclosure is to support the efforts of the Greenlandic Self-Government in combating the novel coronavirus/covid-19. Greenland is a country outside the EU/EEA, and the transfer to the Greenlandic Health Authority is therefore carried out in accordance with an agreement that ensures an equivalent level of data protection as in the EU/EEA. The agreement is based on the EU Commission's standard contractual clauses, cf. Article 46(2), litra c) of the General Data Protection Regulation.
Have you applied for a job with SSI?
If you have applied for a job at SSI, SSI processes your personal data to process your application and inform you of the result.
The recruitment process is primarily handled by the Department of Employees, Well-being, and Development, which is responsible for HR tasks at SSI.
Your personal data will generally be stored only in the recruitment system (HR manager) of the Danish Ministry of Health and in SSI’s filing system. Only relevant persons who are engaged in the recruitment procedure are given access to see the documents submitted by you.
By applying for a position through the recruitment system of the Danish Ministry of Health, you accept at the bottom of the page that we process your personal data that you register when applying. In most cases, we only process personal data such as your name, address, phone number, email-addresses, professional qualifications, education, previous occupation, etc.
Additionally, CPR numbers may occur if you, for instance, have not crossed out this information in exam certificates. In your application, if you tick off the field indicating that you are covered by the provisions of Executive Order no. 1174 of 25 November 2019 on Compensation for Employed Handicapped People, etc., this is processed as data concerning health. In special cases, we may collect information about you from publicly available sources. In such cases, you will be informed of the categories of information collected and where this information was collected.
The legal basis for processing of your personal data is provided in Article 6(1) litra a) of the General Data Protection Regulation as you have consented to the processing and in Article 6(1) litra b) of the General Data Protection Regulation, as the processing is necessary to reply to a request made by the candidate for the position.
We store the information you have provided in relation to your application in our recruitment system until the recruitment process is concluded. However, your information is not stored for more than six months, unless you specifically state that you would like us to do so. Furthermore, the persons who have participated in the recruitment process must destroy any collected material.
Have you visited our website?
When you visit SSI’s website, www.ssi.dk, we process various personal data about you to keep a statistical record of the use of our website. The purpose of this is to facilitate further development and improvements of SSI’s website.
SSI uses Siteimprove Analytics provided by the Danish software provider Siteimprove. The data processing is based on a data processing agreement entered into by SSI and Siteimprove.
SSI has decided not to collect IP addresses and therefore the information collected is not identifiable to a particular person without further processing. However, we cannot rule out that personal data may be processed because of the text contained in searches made by you.
If SSI analyses a sample from your herd
Under the name Danish Veterinary Consortium (DK-VET), SSI, in collaboration with the University of Copenhagen (KU), performs analyses of veterinary samples aimed at detecting livestock diseases caused by bacteria, viruses, parasites, and prions. SSI and KU have entered into an agreement with the Danish Veterinary and Food Administration to handle the veterinary authority tasks which include advisory services, research and diagnostics related to emergency preparedness and national surveillance programs. The Danish Veterinary and Food Administration has the overall responsibility for emergency preparedness and surveillance and has the responsibility to follow up on the results if necessary. DK-VET is responsible for the laboratory part of the research. Thus, SSI contributes by analyzing the samples taken from herds, after which the test results are delivered to the Danish Veterinary and Food Administration, who then contacts the herd owner.
DK-VET has been appointed by the Danish Veterinary and Food Administration as the national reference laboratory in accordance with Regulation 217/625 of March 15, 2017, on official controls and other official activities to ensure the application of food and feed law, rules on animal health and welfare, plant health, and plant protection products.
An agreement on joint controllership has been concluded between SSI and KU to describe the respective responsibilities of the parties for compliance with the obligations under the General Data Protection Regulation. Additionally, SSI has entered into a consortium agreement with KU with the objective to specify the terms of collaboration in relation to providing the relevant services in the veterinary field.
Here you can find an overview of the analyses offered by SSI. The overview is regularly updated.
SSI receives, along with the sample, a completed requisition form, which is filled out by the submitter (a veterinarian, livestock owner or company). The information on the form includes the specific analyses that SSI needs to perform, as well as details related to the Central Livestock Husbandry Register (CHR register), herd address, the recipient's email, phone number, practice number, animal species, purpose of the examination (e.g., suspicion of notifiable disease, surveillance, specified diagnostics), etc. The information pertains to the herd and can be traced back to the livestock owner and is therefore considered personal data.
The information processed by SSI in connection with the veterinary authority agreement also includes data obtained from the Danish Veterinary and Food Administration's CHR register. Among other, this information includes the name of the livestock owner and address, animal species, number of animals, establishment date of the herd, associated veterinary practice and in some cases, the name and address of the user (the person taking care of the animals).
SSI processes this information based on the legal basis provided by Article 6(1), litra e) of the General Data Protection Regulation (GDPR), cf. Section 222 of the Danish Health Act and Regulation 217/625 of 15 March 2017 on official controls and other official activities to ensure the application of food and feed law, rules on animal health and welfare, plant health and plant protection products. The processing is necessary for the performance of a task carried out in the exercise of official authority vested in SSI.
If you have requested SSI for an unregistered vaccine or autovaccine for the veterinary field
SSI will process information about veterinarians if they have requested SSI for an unregistered vaccine or autovaccine for the veterinary field. SSI will also process information about herd owners if the vaccines are to be used for their herds.
In special cases and in limited quantities, SSI can upon request sell or deliver sera, vaccines, specific immunoglobulins and other immunological test preparations which are not covered by the marketing authorization. The legal basis to do so is Section 20 of the Danish Medicines Act and the permission is granted to offer treatment for diseases in animals where suitable registered preparations are not available on the Danish market.
When the veterinarian orders unregistered vaccines and sera, the veterinarian fills out a prescription with the necessary information, including the name of the herd owner, address, CHR number and phone number. Additionally, the veterinarian's name, practice number, authorization number and information about the requested vaccine are specified.
The legal basis for the processing of personal data is Article 6(1), litra e) of the General Data Protection Regulation, cf. Section 30 of the Danish Medicines Act and Section 222 of the Danish Health Act as the processing is necessary to carry out as a public authority.
As a general rule, SSI will only process ordinary personal data about the herd owner.
If you are included in a research project at SSI
Conducting research is a core task at SSI which is also mentioned in Section 222 of the Danish Health Act, in which it is stated that SSI conducts scientific research. The objective of the research activities at SSI is, among other things, to ensure effective preparedness measures against infectious diseases and congenital illness. Furthermore, the results from the research activities will contribute to solving the challenges that Denmark and the international community face now and in the future.
Here you can read more about the currently active research projects at SSI.
SSI’s research activities comprise epidemiology, which includes risk factors of importance for the development of diseases. For example, SSI’s research project “Better Health Through Generations” (Danish title: Bedre Sundhed i Generationer) has contributed with knowledge about how the effects that a human being is exposed to in the first years of life may impact the development of diseases later in life.
Additionally, SSI conducts vaccine research and research in the field of infection preparedness. The vaccine research forms part of various important tasks relating to the vaccine preparedness service and provisions, whereas the epidemiological research may serve to strengthen preparedness measures against emerging diseases (e.g., SARS), antibiotic resistance, airway infection, etc.
A considerable share of SSI’s research is based on public registers. For example, researchers at SSI may use data from the national healthcare registers like the National Patient Registry, The Register for Selected Chronic Diseases, the Registry of Healthcare Providers, the Central Office of Civil Registration, etc. Additionally, the Danish National Biobank supports Danish health-science research by providing a unique national research infrastructure.
SSI’s researchers may use biological material containing human tissue in research projects. To do so, each research project must have been approved by a research ethics committee. Additionally, a health-science research project at SSI may process special categories of data, including data concerning health, genetic information, data revealing racial or ethnic origin, a natural person's sex life or sexual orientation, etc., to the extent that this is relevant to the research project in question.
Research projects at SSI include ordinary personal data such as your name, CPR number, etc. In the overwhelming majority of cases, SSI will process personal data in a pseudonymised form. This means that your CPR number does not directly form part of the data set. Rather, it is stored separately and often the individual researcher will not have access to it.
The legal basis for SSI’s processing of ordinary personal data is Article 6(1), litra e) of the General Data Protection Regulation as the processing is necessary for the performance of a task in the exercise of official authority vested in SSI.
The legal basis for the processing of special categories of personal data is provided in Article 9(2) litra j) of the General Data Protection Regulation and Section 10, Subsection 1 of the Danish Data Protection Act, as it is necessary to process the information for scientific research purposes. The rules of Act no. 1338 of 1 September 2020, regarding the procedures surrounding research ethics in health-science research projects and health data science research projects with Subsequent Amendments (the Danish Committee Act) will, depending on the circumstances, also apply.
The legal basis for SSI’s processing of your CPR number is provided in Section 11, Subsection 1 of the Danish Data Protection Act.
If SSI uses a data processor as part of a research project, SSI will prepare a data processing agreement to ensure that the processing of data is carried out exclusively following the authorisation of SSI and in agreement with the General Data Protection Regulation and the Danish Data Protection Act. Data processors do not use the data for their own purposes. They use data only to carry out a specific task for SSI, e.g., to perform a specific analysis. Once the task of the data processor is completed, the data is deleted and/or returned to SSI.
Aggregated results from SSI’s research projects will often be published in an established scientific journal or the like. The objective is to inform the Danish society of the spread or development of the disease in question, thereby ensuring that the necessary measures may be implemented to slow down the development as much as possible. Furthermore, publication serves to inform other European and international organisations of the development of certain diseases just like SSI makes use of information published about the developments reported by other countries. In some cases, publication requires authorisation from the Danish Data Protection Agency.
Generally, SSI stores the information until the research project is concluded. Subsequently, the information is deleted at SSI and in some cases transferred to the Danish State Archives in pursuance of the provisions of the Danish Archives Act. However, the information may also be used in another research project. When this is the case, the information will be deleted when the other research project is concluded, etc.
Personal data that are processed solely for scientific or statistical purposes in accordance with Section 10 of the Danish Data Protection Act cannot subsequently be processed for non-statistical or non-scientific purposes. If you do not want that biological material you provide during treatment is used for future research, you can opt out of such use by registering in the National Database of Non-Consent to the Use of Tissue Samples for Scientific Purposes (In Danish: Vævsanvendelsesregisteret). Here you can find more information about the register and the procedure for registration.
In special cases, SSI passes on biological material and discloses personal data to external research projects. SSI has legal authority to pass on such information when this is necessary for the sole purpose of carrying out statistical or scientific studies of significant importance to society, cf. Section 10, Subsection 1 of the Danish Data Protection Act. In order to pass on and disclose data, a number of requirements must be met in pursuance of Executive Order 1509 of 18 December 2019 on the Passing on of Personal Data Comprised by Section 10, Subsections 3 of the Danish Data Protection Act.
Aggregated information that cannot be directly or indirectly attributed to individuals (anonymous information) according to Article 4(1) of the General Data Protection Regulation is not subject to data protection rules, cf. Article 2(1) of the General Data Protection Regulation, and can be shared with external parties if agreed upon by SSI.
SSI carries out research projects fully or partially financed by public and private, Danish and foreign foundations. This enables and strengthens the quality of SSI's research. Funding is either granted for individual research projects or to SSI as a research-performing institution.
Research foundations that have provided financial support to the project have no role or influence in the planning, execution or processing of personal data, including data collection, analysis or interpretation. This ensures that there are no conflicts of interest or ethical problems associated with the conduct of research.
Here you can read more about the research conducted at SSI.
Regarding Clinical Trials with Medicinal Products and Medical Devices
Clinical trials with medicinal products and medical devices examine the effects of a medicinal product in order to assess its safety and/or efficacy. These trials can involve both new medicinal products as well as medicinal products already on the market. The objective of clinical trials is to contribute knowledge about medicines and to develop new, effective and safe medicinal products.
A clinical trial with medicinal products can be conducted by testing them on volunteer subjects. These individuals receive oral and written information about the trial and provide informed consent to participate in the study before the project begins, a so-called "consent to participate" As a citizen, you are therefore not in doubt about whether you are participating in a clinical trial or not. However, your parents or legal guardian may have given consent on your behalf. Your personal information may be included in the project as part of a control group without your being asked or informed about it.
Clinical trials differ from other research projects in several ways. For example, approval from the Danish Medicines Agency is required before the project can commence, cf. Section 11 of Act No. 620 of 8 June 2016, on clinical trials with medicinal products. Additionally, it is a requirement that trial participants provide informed consent to participate in the project, as specified in Article 28(1), litra c) of Regulation No. 536 of 16 April 2014 on clinical trials with medicinal products for human use. Furthermore, clinical trials must always be notified to the the Committee on Research Ethics, which predominantly evaluates the ethical and scientific aspects of the trial, cf. Section 14 and Section 2, No. 2 of the Danish Committee Act.
It is required that essential documents from a clinical trial (compiled in a so-called "Master File") must be retained for 25 years after the trial has been concluded, cf. Article 58 of the Regulation on Clinical Trials with Medicinal Products for human use. The objective of this is to assess how the trial was conducted and the quality of the obtained data.
If the residual material from your diagnostic sample, or your sample from previous research, is used for research (The Danish National Biobank)
Under the section “Have you had a sample analysed by SSI?”, you can read what happens with the residual material from your diagnostic sample, additionally, that the residual material may be used for specific research projects.
The Danish National Biobank (DNB) is the name of SSI’s combined freezer-infrastructure. DNB is one of the world's largest and most advanced biobanks and works to strengthen Danish health research. SSI achieves this by securely storing the samples, guiding researchers on how to utilize the biobank and providing the biological material to approved research projects. Within the DNB, there are also samples that SSI has received solely for future research purposes and are not residual material from SSI's own diagnostic analyses.
The human tissue in the residual material contains a lot of information about the individual from whom the tissue originates. This can include health information, race and ethnic origin, and genetic information. The samples are registered with a unique identifier that can be linked to the CPR number (personal identification number) of the person the sample originates from.
If the residual material is to be used for a specific research project, permission from the Committee on Research Ethics is required. When SSI discloses residual material for research, the legal basis is Section 10 of the Danish Data Protection Act. The residual material will thus be processed for the sole purpose of carrying out statistical or scientific studies of significant importance to society and where such processing is necessary in order to carry out these studies.
You can choose to register yourself in the National Database of Non-Consent to the Use of Tissue Samples for Scientific Purposes if you do not wish for the residual material from your samples to be used for research.
Here you can read more about DNB. On the site you can also read about your choice to request the destruction of the residual material.
The residual material in DNB will be stored until it no longer has any statistical or scientific value.
The Danish Biobank Register
SSI operates a register called the Danish Biobank Register which makes it possible to link biological samples with the data from various Danish registries for research purposes. For example, data from the Danish Central Person register regarding gender, date of birth, citizenship etc., as well as information from the National Patient Registry regarding hospital-related information such as dates and time of admission and discharge, treatments, diagnosis and surgeries etc.
Our contact information
SSI is the data controller for the processing of your personal data. You will find our contact information below.
Statens Serum Institut
Artillerivej 5
2300 Copenhagen S
CVR no. 46837428
Phone.: 32683268
Email: serum@ssi.dk
If you have any questions about our processing of personal data or about your rights in this respect, please contact the department at SSI for Data Protection and Information Security by sending an e-mail ssidatabeskyttelse@ssi.dk.
If your request concerns confidential information about yourself or any other person, you should always send your request to SSI as Secure mail/Digital Post for example via. Borger.dk. Here you can read more about secure communication with SSI.
The Danish Ministry of the Interior and Health has a joint data protection officer (DPO), Helle Ginnerup-Nielsen. To contact the DPO, send an email to databeskyttelse@sum.dk. Here you can read more about how to contact the DPO.