Notice regarding the processing of personal data at Statens Serum Institut

Statens Serum Institut (SSI) processes personal data in the course of carrying out its tasks as a public authority. The purpose of this notice is to describe how we collect, process, and protect personal data, as well as the circumstances under which it is shared.

SSI is an institute under the Ministry of the Interior and Health. The primary tasks of SSI are regulated by Section 222 of the Danish Health Act. These tasks include:

  • Preventing and combating infectious diseases, congenital disorders, and biological threats.
  • Acting as a central laboratory for diagnostic analyses, including reference functions.
  • Performing tasks in accordance with international obligations related to cross-border health risks.
  • Ensuring the supply of vaccines for public vaccination programs and emergency preparedness products through procurement, storage, and distribution.
  • Participating in the operational preparedness against infectious diseases, biological terrorism, and veterinary emergencies.
  • Conducting scientific research.
  • Providing advice and assistance in areas relevant to SSI's responsibilities.
  • Operating and managing the Danish Microbiology Database (MiBa).

Additionally, SSI is tasked with managing the Danish Vaccination Register (DDV), as stipulated in Section 157a, Subsection 1, of the Danish Health Act.

If you have been in contact with SSI, or if fulfilling one of our official tasks has made it necessary, we process personal data about you. SSI is the data controller for the processing of your personal data. On this site, you can learn how SSI collects, processes, protects, and, if applicable, discloses personal data about you, as well as your rights under data protection regulations.

You have various rights under the GDPR

When SSI processes your personal data, you have certain rights under the General Data Protection Regulation (GDPR).

You have the right to:

  • Request access to the personal data that SSI processes about you.
  • Request the correction of inaccurate personal data about you.
  • In certain cases, request the deletion of your personal data.
  • In certain cases, request the restriction of the processing of your personal data.
  • In certain cases, object to the processing of your personal data.
  • File a complaint with the Danish Data Protection Agency (Datatilsynet) about the processing of your personal data if, for example, you believe SSI processes your data in violation of data protection regulations.

If you wish to exercise your rights, you must contact SSI via Digital Post. This is necessary for us to confirm your identity unequivocally using your CPR number. We require your CPR number to locate the information about you related to your request. Furthermore, using your CPR number as the means of communication through Digital Post ensures that the exercise of your rights takes place via secure transmission and that the data is delivered to its rightful owner. It is voluntary to contact SSI via Digital Post and to provide your CPR number. However, if you choose not to do so, it may mean that we cannot respond to your inquiry.

If your inquiry does not contain confidential information or require your CPR number, you may also send an email to ssidatabeskyttelse@ssi.dk, where you can also request a callback. Additional contact information can be found at the bottom of the page.

If the processing involves children, legal guardians can assist the child in exercising their rights.

There are several significant exceptions to your rights. For example, the right of access does not apply to all personal data. For instance, the right to access does not apply to personal data that is processed solely for scientific or statistical purposes.

Furthermore, SSI is not always permitted to delete personal data about you. This is because, as a public authority, SSI is often obligated to document the basis on which a decision or other determination was originally made. If incorrect or misleading information is involved, SSI can instead note the correct information in the case without deleting the original data.

Additionally, there are significant exceptions to the possibility of restricting the processing of your personal data. For example, you do not have the right to restrict the processing of data that is processed solely for scientific or statistical purposes, as stated in Section 22, Subsection 5 of the Danish Data Protection Act.

Have you been in contact with SSI?

If you have contacted SSI by e-mail, e-post or letter or visited SSI or others on SSI’s premises, SSI processes personal data about you.

If you have contacted SSI electronically or via physical mail, SSI processes the information included in your inquiry. If your inquiry was sent via Digital Post, SSI also processes your CPR number.

As a public authority, SSI is obligated to document communications from you in our case management system. This obligation arises from the Public Administration Act and the Danish Public Access to Information Act. The processing of personal data in this context is carried out under the authority of Article 6(1)(e) of the GDPR, in conjunction with Section 15 of the Public Administration Act. Special categories of personal data, such as health information, are processed under Article 9(2)(f) of the data protection regulation. The processing of CPR numbers is carried out under Section 11(1) of the Danish Data Protection Act.

When processing personal data in the context of a request regarding a party’s or general access to documents, this is done within the limits of Article 86 of the General Data Protection Regulation.

SSI’s case management system is provided by the Danish Health Data Authority, part of the Ministry of the Interior and Health. The system is supplied to the Health Data Authority by an external provider.

SSI is required to document its activities and retains the information as long as necessary for this purpose. SSI transfers documented information to the Danish National Archives in accordance with the Archiving Act.

Physical visits

If you visit SSI or others on SSI’s premises, SSI processes the personal data you provide during registration at reception and any data captured in CCTV footage on the premises.

Upon arrival at SSI’s reception, you will be asked to register your visit. Registration is managed by ISS, which forwards the information to SSI. You will be asked to provide your name, the date of your visit, the company you may represent, and the employee or department you are visiting. Providing this information is voluntary, but refusal may prevent you from visiting SSI or others on SSI’s premises or require you to be accompanied by an SSI employee throughout your visit.

While on SSI’s premises, you may appear in CCTV recordings. SSI processes data about you to the extent you are captured in these recordings. If criminal acts are documented, the information may include details of criminal offenses. Additionally, if your appearance or attire reveals health conditions, religious beliefs, or similar sensitive information, this may also be visible on the recordings.

The purpose of visit registration and CCTV monitoring is, among other things, to prevent and investigate criminal activity. SSI stores vaccines, operates a veterinary preparedness unit, and maintains operational readiness against biological terrorism. SSI is therefore obligated to prevent unauthorized access to specific areas and employs preventive measures such as CCTV monitoring and access control. These obligations stem from the principles and guidelines of good distribution practice, which SSI is required to follow under Section 50c of the Danish Medicines Act, implementing Directive 2001/83/EC of the European Parliament. SSI receives security advice from the police to maintain necessary safety standards on its premises.

The processing of personal data related to visit registration is carried out under Articles 6(1)(c) and (e) of the Danish Data Protection Act. The processing of personal data in connection with CCTV monitoring is also conducted under Articles 6(1)(c) and (e). The processing of special categories of personal data is carried out under Article 9(2)(f) of the GDPR, while the processing of data regarding criminal offenses is carried out under Article 10 of the GDPR and Section 8 of the Danish Data Protection Act.

SSI may, in exceptional cases, disclose CCTV footage to the police for investigative purposes. SSI is authorized to do so under Articles 6(1)(e) and 10 of the Danish Data Protection Act.

SSI retains CCTV recordings for 30 days, after which they are automatically deleted. In exceptional cases, recordings may be retained for a longer period under Sections 4c(4) and (5) of the Danish CCTV Act. This applies in situations where retention is necessary for a specific dispute or for crime prevention purposes.

Have you been vaccinated or invited for vaccination?

If you have been vaccinated after 15 November 2015, you will generally be registered in the Danish Vaccination Register (DDV), in which case SSI will process your personal data. The Danish Vaccination Register is an electronic solution that gives healthcare professionals and citizens access to information about vaccinations. Since 15 November 2015, all Danish physicians have been obliged to register all vaccinations they give in the DDV. A vaccination record may also have been created for you if you have been invited for vaccination.

If you were vaccinated as part of a public health service before November 15, 2015, including childhood vaccinations, the vaccines you were given since 1996 have also been registered in the Danish Vaccination Register (DDV).

As SSI is responsible for operating the Danish Vaccination Register (DDV), this means that SSI processes personal data about you in such cases.

The objective of the electronic vaccination register DDV is to ensure the quality, safety and effectiveness of citizens’ treatment in Danish healthcare by providing an overview of the vaccinations given. Additionally, the vaccination register makes it easier for citizens to travel to countries that require documentation of received vaccines.

What personal data is processed, and what is it used for?

The information recorded in DDV includes name, address, social security group, selected general practitioner, information about the healthcare professional who administered the vaccination, and the vaccination given (including batch number and associated vaccination course and programmes). Additionally, DDV will contain information about whether you were admitted to a hospital at the time of the vaccination, cf. Section 4 of Executive Order no. 191 of 27 February 2024 on Access to and Registration of Medical Product and Vaccination Information, etc. SSI receives the information from the CPR register and your treatment provider, including your general practitioner or regional healthcare authority.

If you do not accept the vaccination offer, your refusal will not be recorded. However, your vaccination record, including any absence of entries, will be visible in the Danish Vaccination Register (DDV).

SSI processes your personal data to create a vaccination record for you in the DDV and to offer you relevant vaccines. SSI also processes your personal data as part of follow-up on vaccination invitations and related matters.

Additionally, SSI processes your personal data in connection with the operation and management of the DDV. SSI is also responsible for monitoring and assessing vaccination coverage and effectiveness, as well as investigating the correlation between vaccination and unexpected reactions or side effects.

Why is SSI allowed to process the personal data?

SSI’s authority tasks are outlined in Section 157a, subsections 1 and 6, and Section 222 of the Danish Health Act, and further regulated by Executive Order No. 1019 of September 3, 2024, on sending reminders to improve participation in vaccination programs, pursuant to Section 157, subsection 11, 1st sentence, of the Danish Health Act and Section 69, subsection 1, of the Epidemic Act.

Based on this, SSI processes personal data under the legal basis provided by Article 6(1)(e) of the General Data Protection Regulation, in conjunction with Section 157a, subsections 1 and 6, and Section 222 of the Danish Health Act, as the processing is necessary to perform a task carried out in the exercise of official authority vested in SSI.

The processing of special categories of personal data is additionally based on Article 9(2)(g) of the GDPR, in conjunction with Section 157a, subsections 1 and 6, and Section 222 of the Danish Health Act, as the processing is necessary for reasons of substantial public interest on the basis of the Health Act.

SSI processes your CPR number under Section 11, subsection 1, of the Danish Data Protection Act, as the processing is necessary to unequivocally identify you, e.g., in connection with creating a vaccination course, issuing invitations to vaccinations, and ensuring the correct registration of any vaccinations.

Are there others who receive the personal data?

SSI provides personal data about you to your region if you need the option to book a vaccination appointment outside of your general practitioner’s office.

Healthcare professionals and certain authorities have access to DDV for specific purposes, including the reporting of vaccinations. You can learn more about who has access to DDV and for what purposes in Section 157a of the Danish Health Act.

In certain situations, SSI may also disclose personal data for scientific and statistical studies of significant societal importance under Section 10 of the Danish Data Protection Act.

You can access the information registered about you in DDV via www.sundhed.dk, as specified in Executive Order No. 1615 of December 18, 2018, on access to and registration of pharmaceutical and vaccination information, Section 5(1). Additionally, you can register information about received vaccines yourself. These entries can later be corrected by a doctor, as stated in Section 5(4).

How long is personal data processed?

The data in DDV is processed until it is no longer relevant for SSI to offer you vaccinations or monitor vaccinations. SSI continually assesses the necessity of processing and will delete or anonymize the personal data when it is no longer deemed necessary. Ultimately, the personal data will be deleted two years after the individual’s death, as specified in Section 14(2) of Executive Order No. 1615 of December 18, 2018, on access to and registration of pharmaceutical and vaccination information.

If you currently reside in Greenland, or move there in the future, SSI will share information about your COVID-19 vaccination, including the number of COVID-19 vaccinations you have received, with the Greenland Health Authority. The purpose of this transfer is to support the Greenland Self-Government’s efforts against newly evolved coronavirus/COVID-19 variants.

As Greenland is outside the EU/EEA, the transfer to the Greenland Health Authority occurs under an agreement that ensures an equivalent level of data protection to that within the EU/EEA. The agreement is based on the EU Commission’s standard contractual clauses, pursuant to Article 46(2)(c) of the GDPR.

Has a sample from you been analyzed at SSI?

You will receive a notification from SSI in Digital Post if SSI has received a sample from you for analysis at SSI’s central laboratory within the past month.

On Sundhed.dk, you can also see the details of each of your test results, including where a sample has been analyzed. Under "Details," the laboratory responsible for the test result is specified.

As the national central laboratory, SSI conducts laboratory tests for the Danish healthcare system, including routine diagnostics, specialized analyses, and reference functions such as technical expertise and advisory services. General practitioners and hospitals may send samples to SSI for analysis. These may include tests that the doctor or hospital cannot perform themselves or cases where SSI’s laboratory possesses special expertise in performing the analysis.

In some cases, SSI may receive samples directly from citizens, such as through home test kits. In any case, if SSI receives a sample taken from you, SSI processes your personal data.

What personal data is processed, and what is it used for?

SSI acts as the central laboratory for diagnostic analyses, including reference functions, as stipulated in Section 222(1) of the Danish Health Act.

The purpose of a diagnostic analysis is to examine the sample for infectious diseases. Therefore, the sample is analyzed for viruses, microorganisms, or their products or antibodies against them.

SSI processes information about your name, CPR number, details about your general practitioner or the hospital where you are receiving treatment, and other relevant details. Additionally, SSI processes health-related information in the form of laboratory test results. If the attending physician submits supplementary information about your health condition relevant to the laboratory analysis, SSI will also process this information.

The sample may contain other information about your health status, which would require additional laboratory analyses to uncover. If the sample includes human tissue, it will also contain information about your genetic material and genetic condition. However, special analyses would be required to reveal such information. SSI does not conduct such analyses when analyzing a sample for the diagnosis of infectious diseases.

If there is residual material from the sample after laboratory analysis, it is often stored in freezers at SSI. The purpose of this is to enable SSI to perform a reanalysis if necessary. In such cases, SSI will not analyze or examine human DNA but only the microorganisms, viruses, or their products or antibodies found in the sample.

SSI may also use residual material when necessary for its public health duties to prevent and combat infectious diseases. For instance, this has been necessary when SSI adjusted a PCR test to detect new COVID-19 variants. It may also be required to investigate whether a serious outbreak started earlier than the health authorities were aware of. In such cases, SSI will not analyze or examine human DNA but only the microorganisms and viruses in the sample.

You can read more about SSI’s monitoring of infectious diseases under the section: "Have you been tested for an infectious disease that SSI is tasked with monitoring, preventing, and combating?"

Why are we allowed to process personal data?

SSI processes personal data under the authority of Article 6(1)(e) of the General Data Protection Regulation in conjunction with Section 222 of the Danish Health Act, as the processing is necessary for performing a task carried out in the public interest or in the exercise of official authority vested in SSI.

The processing of special categories of personal data, including health information, is carried out under the authority of Article 9(2)(h) of the GDPR in conjunction with Section 7(3) of the Danish Data Protection Act and Section 222 of the Danish Health Act, as SSI conducts diagnostic analyses for the healthcare sector. Processing is also authorized under Article 9(2)(b), (i), and (g) of the GDPR in conjunction with Section 222 of the Danish Health Act, as it is necessary for preventive disease control and in the interest of public health and societal interests.

SSI processes CPR numbers under Section 11(1) of the Danish Data Protection Act, as this is necessary for uniquely identifying you.

Are there others who receive your personal data?

When SSI has analyzed a sample, the result is sent to the treating physician. This is done under the authority of Article 9(2)(h) of the GDPR, in conjunction with Section 7(3) of the Danish Data Protection Act and Section 222 of the Danish Health Act, as the processing is necessary for medical diagnosis and patient treatment.

Additionally, the test result is reported to the Danish Microbiology Database (MiBa) and made accessible on the Health Journal at sundhed.dk, where the treating healthcare professional can view the result. This is authorized under Article 9(2)(h) of the GDPR, in conjunction with Section 7(3) of the Danish Data Protection Act and Section 222 of the Danish Health Act, as well as Article 9(2)(b), in conjunction with Section 222 of the Danish Health Act and the executive order on the Danish Microbiology Database (MiBa). This processing is necessary for medical diagnosis, patient treatment, and the support of the healthcare system’s operations.

Learn more about the processing of personal data in MiBa under the section: "Has your test result been reported to the Danish Microbiology Database (MiBa)?"

Furthermore, any remaining material from the sample may, under certain conditions, be transferred to specific research projects. Learn more about the transfer of personal data for research purposes under the section: "If residual material from you is stored in the Danish National Biobank."

How long are personal data processed?

SSI retains personal data for as long as necessary for the aforementioned purposes. Once it is no longer necessary to store the data for SSI’s statutory responsibilities, the data will only be used for future health science research projects. Any remaining material from samples will be destroyed when it no longer holds scientific value. You have the option to register in the Tissue Utilization Register (Vævsanvendelsesregisteret) if you do not wish for remaining material from you to be used for research purposes.

You can read more about SSI’s storage of residual material in the Danish National Biobank (Danish Language), where you can also learn about your option to request the destruction of biological material related to you.

Have you had a newborn blood spot test?

When a child is born in Denmark, the parents will be offered a heel prick test (PKU card) for the baby 48–72 hours after birth, which is sent to SSI for screening analysis. This blood test checks the infant for several serious congenital diseases that can be treated. This offer was introduced in 1975.

This means that if you or your child underwent a heel prick test as part of this screening program, SSI has received your PKU card for diagnostic examination, among other purposes.

Read more about the PKU card on the Newborn Screening website.

Learn more about SSI’s processing of personal data related to newborn screening for congenital diseases (PKU) (Danish language).

Have you been tested for an infectious disease that SSI is responsible for monitoring, preventing, and combating?

Under Executive Order No. 1260 of October 27, 2023, regarding the reporting of infectious diseases, physicians, healthcare facilities, and clinical laboratories are required to report certain infectious diseases to SSI. These include diseases such as AIDS, cholera, tuberculosis, and rabies. In some cases, laboratories may also be obligated to submit sample materials. Annex 1 of the Reporting Order contains a list of reportable diseases.

As stipulated in Section 222 of the Health Act, SSI is tasked with preventing and combating infectious diseases, including monitoring these diseases. SSI is also responsible for conducting scientific research in this field. As part of its monitoring duties, SSI manages the national systems for reportable diseases.

If you have been tested for a reportable disease, your test result has been reported to SSI, and SSI is therefore processing personal data about you.

Which personal data are processed, and what are they used for?

As part of SSI's surveillance task, SSI closely monitors the spread of certain infectious diseases and keeps track of various virus, bacteria, and fungus variants. SSI also examines the severity and consequences of these diseases, the impact of testing activity, and other factors. SSI looks at information about both infected and non-infected individuals, those hospitalized, those who have died, as well as infection rates in nursing homes and specific industries.

This surveillance task requires that information about infectious diseases is cross-referenced with national registers, as it is necessary to include certain population data to understand where infections are occurring. Additionally, it may be necessary to examine microorganisms more closely for mutations or other changes. For example, SSI monitors antibiotic resistance among bacteria.

The purpose of processing your personal data is to contribute to the collection of knowledge about the risk of infection and the spread of infectious diseases. This monitoring allows SSI to assess Denmark's current disease burden, which is crucial for decisions about how Denmark should prioritize the prevention and control of infectious diseases.

SSI processes personal data such as your name, CPR number, the treating doctor, and other relevant information. Furthermore, SSI processes health information, including test results from laboratory analyses related to diagnosing infectious diseases. If your doctor has included relevant notes on the disease reporting, SSI will also process these details, such as information on how you were infected or your travel history. If SSI finds it necessary for disease monitoring or to prevent the spread of a disease, it may collect further information from your doctor.

For certain infectious diseases, the microorganism causing the infection is examined for mutations or changes. This allows SSI to detect new variants and track the development and spread of these variants, such as those of SARS-CoV-2. This analysis involves sequencing the microorganism's genetic material. SSI isolates the microorganism from the patient sample and only analyzes the microorganism's genetic material, not the human DNA.

In some cases, clinical laboratories in the regions perform the analyses and send the results to SSI, while in other cases, they send the sample or the isolated microorganism to SSI. In these instances, SSI also processes information about the microorganism that caused your disease. This information is linked to an ID number that allows SSI to associate the microorganism with you, as understanding the origin and symptoms of the microorganism is crucial for disease monitoring.

SSI is also involved in the operational preparedness for infectious diseases. SSI investigates outbreaks of diseases to prevent similar occurrences in the future. For instance, in foodborne diseases, where people are infected with viruses or bacteria from food, SSI collects information about how the infection started and spread.

In cases where the Danish Patient Safety Authority has conducted contact tracing based on reports of infectious diseases to SSI, SSI can request additional information from the authority that was collected during the contact tracing process. This information supplements the data SSI has received from the reports and is necessary for SSI's tasks related to the prevention and control of infectious diseases.

When SSI monitors infectious diseases, it may detect changes in microorganisms that lead to research questions and hypotheses relevant to the surveillance of infectious diseases and health scientific research. SSI’s surveillance of infectious diseases is closely tied to scientific research that contributes to improving the monitoring, prevention, and control of these diseases.

Why are we allowed to process personal data?

SSI processes personal data under the authority of Article 6(1)(e) of the General Data Protection Regulation (GDPR), in conjunction with Section 222 of the Danish Health Act, as the processing is necessary for the performance of a task assigned to SSI.

The processing of special categories of personal data, including health data, is further authorized under Article 9(2)(b), (g), and (i) of the GDPR, in conjunction with Section 222 of the Danish Health Act. This is because the processing is essential for significant public interests, including in the area of public health, as well as for the purposes of surveillance, prevention, and control of infectious diseases.

SSI processes your CPR number under the authority of Section 11(1) of the Danish Data Protection Act, as this processing is necessary to uniquely identify you.

Are there others who receive personal data?

SSI discloses personal data to the Danish Patient Safety Authority under the provisions of Section 52 of the Epidemics Act, including for purposes of contact tracing. This disclosure is authorized under Article 6(1)(e) and Article 9(2)(b), (g), and (i) of the General Data Protection Regulation (GDPR), in conjunction with Section 222 of the Danish Health Act and Section 52 of the Epidemics Act. The processing is necessary for significant public interests, including public health, as well as for the surveillance, prevention, and control of infectious diseases.

As part of its infectious disease surveillance, SSI conducts scientific and statistical analyses. Aggregated statistics (anonymous data) are often published in scientific journals or similar outlets. These publications aim to inform the healthcare sector and the general public about the spread or development of specific infectious diseases, enabling measures to curb the disease's progression effectively. Additionally, the publications serve to alert European and international organizations to the development of specific infectious diseases, while SSI utilizes published information on developments in other countries.

In certain situations, SSI also shares information about infectious microorganisms with internationally recognized databases, such as GISAID, when necessary to prevent and combat infectious diseases. The primary purpose is to facilitate global pandemic monitoring and related statistical and scientific studies. This sharing is authorized under Article 6(1)(e) and Article 9(2)(g) and (i) of the GDPR, in conjunction with Executive Order No. 777 of April 29, 2021, regarding SSI’s disclosure of genetic sequences, isolates of microorganisms, and associated personal data in relation to the prevention and control of infectious diseases, as well as Section 7(5) of the Danish Data Protection Act.

Denmark, as a country, is obligated to comply with the International Health Regulations (IHR), binding international guidelines aimed at limiting health threats that can rapidly spread across countries. This includes SSI’s responsibility for reporting to the World Health Organization (WHO). Denmark also has obligations under Regulation (EU) 2022/2371 of November 23, 2022, on serious cross-border health threats, which includes timely and appropriate reporting of infectious disease outbreaks to the European Commission.

How long are personal data processed?

SSI processes personal data for as long as it is necessary to carry out its public authority tasks. SSI's monitoring of infectious diseases relies heavily on scientific and statistical analyses, making it essential to observe patterns over time, including decades. For example, valuable knowledge can be gained by comparing infectious diseases today with those before the advent of antibiotics.

When the data is no longer needed for SSI's tasks, it is transferred to the Danish National Archives in accordance with the Danish Archives Act, which governs the documentation of public authority activities.

In some cases, SSI receives biological samples or isolated microorganisms (isolates). These are stored in freezers at SSI. In most cases, only the microorganism is preserved, depending on whether it is possible to isolate the microorganism from the sample.

Has your test result been reported to the Danish Microbiology Database (MiBa)?

If you have undergone testing as part of medical treatment in the healthcare system, your test result may have been reported to the Danish Microbiology Database (MiBa).

This is because the country’s clinical laboratories are required to report information on microbiological as well as certain biochemical and immunological tests in accordance with Executive Order No. 282 of March 17 regarding the Danish Microbiology Database (MiBa Executive Order). Additionally, doctors, healthcare facilities, and clinical laboratories are obligated to report certain infectious diseases to SSI under Executive Order No. 1260 of October 27, 2023, on the notification of infectious diseases, which are also recorded in MiBa.

SSI is responsible for the operation and management of MiBa and is the data controller for the processing of personal data in MiBa, pursuant to Section 222 of the Danish Health Act. Therefore, if you have undergone testing as part of medical treatment and the result has been reported to MiBa, SSI processes personal data about you.

What personal data is processed, and for what purpose?

MiBa is a nationwide, automatically updated database that contributes to addressing three main tasks in the healthcare system:

  1. Treatment and diagnosis, enabling healthcare professionals to access test results when necessary for patient care.
  2. Surveillance and management of infectious diseases at local, regional, and national levels.
  3. Providing citizens with digital access to their test results via sundhed.dk.

SSI processes personal data in connection with the operation and management of the database for the above purposes.

This includes processing personal data for disease surveillance, prevention, epidemic control, and research.

SSI processes data such as your name, CPR number, and the performing laboratory, among others. It also processes health information in the form of test results. If the treating physician has included clinical notes relevant to the performing laboratory, SSI processes this information as well.

Why is SSI allowed to process personal data?

SSI processes personal data under the authority of Article 6(1)(e) of the GDPR, in conjunction with Section 222 of the Health Act and the MiBa Executive Order, as the processing is necessary for the performance of a task assigned to SSI.

The processing of special categories of personal data, including health information, is carried out under Article 9(2)(h) of the GDPR, in conjunction with Section 7(3) of the Danish Data Protection Act, Section 222 of the Health Act, and the MiBa Executive Order, as it is necessary for medical diagnosis and patient care. SSI also processes special categories of personal data under Article 9(2)(b), (i), and (g) of the GDPR, in conjunction with Section 222 of the Health Act and the MiBa Executive Order, as the processing is necessary for significant public interests, including public health.

SSI processes information about your CPR number under Section 11(1) of the Danish Data Protection Act, as this is necessary to uniquely identify you.

Who else can access personal data?

Data in MiBa is made available to healthcare system actors, including authorized healthcare professionals, who may access the data within the framework of Chapter 9 of the Health Act. This means your doctor can access your information when necessary for patient care. Such data sharing is authorized under Article 6(1)(e) and Article 9(2)(h) of the GDPR, in conjunction with Section 7(3) of the Danish Data Protection Act, Section 222 of the Health Act, and the MiBa Executive Order.

Similarly, the Danish Patient Safety Authority has access to data in MiBa when necessary for its tasks under Chapter 5 and Section 44 of the Epidemic Act or the Executive Order on the Notification of Infectious Diseases. This sharing is authorized under Article 6(1)(e) and Article 9(2)(b), (g), and (i) of the GDPR, in conjunction with Section 222 of the Health Act and the MiBa Executive Order.

On sundhed.dk, you can see who has accessed your information through the Health Journal.

MiBa data may also be used for specific research projects at SSI or shared with external researchers for specific projects, as authorized under Article 6(1)(e) and Article 9(2)(g) of the GDPR, in conjunction with Section 10(1) of the Danish Data Protection Act.

How long is personal data retained?

SSI retains personal data in MiBa as long as it is necessary for the above-mentioned purposes. SSI’s surveillance of infectious diseases heavily relies on scientific and statistical studies, making it necessary to analyze trends over extended periods, including decades. For example, significant insights can be gained by comparing infectious diseases today with those before the advent of antibiotics.

If residual material from you is stored in the Danish National Biobank

Read about why and for which purposes SSI stores residual material in the Danish National Biobank (DNB), as well as your rights in connection with the processing of personal data about you, in the frequently asked questions (Danish language) or, in a shorter version, at Information about storage of samples (English language).

If information about you is included in a research project at SSI

SSI, as a sector research institution, is one of the country's largest health-related research institutions. Research at an international level is essential for SSI to contribute to solving the challenges faced by Denmark and the international community, both now and in the future, in the field of health. Therefore, SSI conducts research projects, including those in collaboration with international partners.

SSI carries out health science research in populations. Research projects are often based on very large populations derived from public health registers, among other sources. If information about you is relevant to a research project at SSI, your data may be included in a research project at SSI. Thus, SSI may process your personal data for such research purposes.

You can find a list of active research projects at SSI (PDF) (Danish language).

In some research projects, it may be necessary for the scientific investigation to analyze biological material. Learn more about the release of biological material from Denmark’s National Biobank to research projects (Danish language), including your option to register in the Tissue Use Register if you do not want your biological material used in research projects.

What personal data is processed, and for what purposes?

Research at SSI can generally be divided into four main areas: epidemiological research, vaccine research, research on infectious disease preparedness, and research on congenital diseases. Read more about SSI’s research.

Some research projects contribute to strengthening efforts in areas where SSI has government responsibilities, while others contribute to advancements in other areas.

Within epidemiological research, for example, the research project "Better Health Across Generations (BSIG)" has contributed knowledge about how the exposures humans experience in their early years can affect the development of diseases later in life.

Additionally, research projects at SSI are often based on public registers. For example, SSI researchers may use data from national health registers such as the National Patient Register, the Chronic Disease Register, the Central Person Register, and others. In a research project, common personal data such as your name, CPR number, etc., may be included. However, in most cases, SSI will process personal data in a pseudonymized form, meaning your CPR number will not be directly included in the dataset but will be stored separately and typically without access by individual researchers. Your CPR number is used solely for linking different pieces of information about you, and this is usually done on a so-called researcher machine, where the information is pseudonymized and linked by the machine, which can retrieve data from public registers upon request by the researcher.

Research projects typically involve special categories of personal data, such as health data, genetic data, racial or ethnic origin, and sexual relations and orientation, as relevant for the specific research project.

It is typically only relevant to look at patterns in large populations, which often include all or large parts of the Danish population. It is rarely relevant to focus on information about individuals. Therefore, personal data about you will most often be part of large datasets where it is not possible to directly trace the data back to you.

SSI researchers may also, under certain conditions, use biological material containing human tissue in a specific research project. However, this requires that the research project has been approved by an ethical committee to ensure that health science research projects are carried out ethically. You can read more about the release of biological material from Denmark’s National Biobank to research projects, as well as your rights in this context, under Frequently Asked Questions.

Additionally, SSI researchers may conduct clinical trials involving medicines and medical devices, including vaccines, on voluntary participants. These individuals receive both oral and written information about the trial and give informed consent before the trial begins. As a citizen, you will therefore not be in doubt about whether you are participating in a clinical trial, although your parents or guardians might have given consent on your behalf. Your personal data may, however, be part of a control group in the project without you being asked or informed about it.

Research funds that have contributed financial support to a project play no role and have no say in the planning or execution of the project or in the processing of personal data, including the collection, analysis, or interpretation of personal data. This ensures that there are no conflicts of interest or ethical issues related to the execution of the research.

Why can we process personal data?

SSI processes personal data based on Article 6(1)(e) of the General Data Protection Regulation (GDPR), as the processing is necessary for the performance of a task in the public interest.

The processing of special categories of personal data is carried out based on Article 9(2)(j) of the GDPR, in conjunction with Section 10(1) of the Danish Data Protection Act, as it is necessary for performing statistical or scientific research.

If biological material is involved in a research project, the rules of the Danish Act no. 1338 of 1 September 2020 on the ethical handling of health science and health data science research projects (Ethical Committee Law) also apply. According to these rules, the research project must be approved by an ethical committee before the processing can take place.

If the project is a clinical trial, it must be approved by the Danish Medicines Agency before it can begin, according to Section 11 of Act no. 620 of 8 June on clinical trials with medicinal products. Furthermore, participants must give informed consent before joining the trial, according to Article 28(1)(c) of Regulation 536/2014 on clinical trials with human medicinal products. Clinical trials are always reported to the Ethical Committee, which primarily evaluates the ethical and professional aspects of the trial.

SSI processes your CPR number to uniquely identify you under Section 11(1) of the Danish Data Protection Act.

Who else receives your personal data?

SSI may collaborate with public authorities, research institutions, or private companies in a research project. This could be because the investigation of a research question requires various specialties, or because another institution has specific expertise in conducting a statistical or scientific analysis that can contribute to SSI’s research project. If SSI shares joint responsibility for data with other collaborators, a joint data responsibility agreement is made in accordance with Article 26 of the GDPR, which transparently establishes the respective parties' responsibilities in complying with the obligations of the GDPR. Personal data will only be shared to the extent necessary for the research and, where possible, will be processed in pseudonymized form.

If the collaborator only provides an analysis for SSI’s project, the collaborator acts as a data processor, and SSI will enter into a data processing agreement according to Article 28 of the GDPR. This ensures that the data processor processes personal data only according to SSI’s instructions, does not use the data for its own purposes, and deletes or returns the data after the task is completed.

Aggregated results (anonymous data) from SSI’s research projects are often published in recognized scientific journals or similar platforms. This aims to inform the public about the spread or development of a specific disease so that the necessary measures can be taken to slow its progression. Furthermore, publication serves to alert other European and international organizations to disease developments in Denmark, while SSI also uses published knowledge about developments in other countries. Such publication may require approval from the Danish Data Protection Agency. This disclosure is not covered by the data protection regulations under Article 2(1) of the GDPR, and the results can be shared with external parties in agreement with SSI.

SSI may, under certain conditions, disclose personal data to external research projects. SSI is authorized to share this data when necessary for performing statistical and scientific research of significant societal importance, according to Section 10(1) of the Danish Data Protection Act. This disclosure may need to meet certain requirements under the regulation on disclosure of personal data (December 2019). In some cases, this disclosure may also require approval from the Danish Data Protection Agency, under Section 10(3) of the Data Protection Act. The data must not later be used for anything other than statistical and scientific purposes.

How long are personal data stored?

SSI generally stores personal data until the research project concludes. Afterward, the data will be deleted from SSI and, in some cases, transferred to the National Archives in accordance with archival law. However, the data may be reused in another research project and will be deleted at the conclusion of that project, etc.

There is a requirement that the most essential documents from a clinical trial (collected in a so-called 'Master File') be stored for 25 years after the conclusion of the trial, according to Article 58 of the Clinical Trials Regulation for human medicinal products. The purpose is to evaluate the trial's execution and the quality of the data obtained.

Have You Applied for a Position at SSI?

If you have applied for a position at SSI, the institute processes your personal data to evaluate and respond to your application.

The recruitment process is primarily handled by the Department of Employees, Well-being, and Development (MTU), which manages HR tasks for SSI.

Your personal data will generally only be stored in the Ministry of the Interior and Health's recruitment system (HR Manager) and SSI’s documentation system. Only relevant individuals involved in the recruitment process will have access to view the documents you have submitted.

When you apply through the Ministry of the Interior and Health's HR Manager system, you accept at the bottom of the page that SSI processes the personal information you provide as part of your application. In most cases, SSI only processes general personal data about you, such as your name, address, phone number, email address, professional qualifications, education, and prior employment.

Additionally, CPR numbers may appear in cases where you have not redacted them in documents such as transcripts. If you indicate in your application that you are covered by the rules outlined in Executive Order No. 1174 of November 25, 2019, with subsequent amendments regarding "compensation for persons with disabilities in employment, etc.," this is treated as health information. In certain cases, information about you may be obtained from publicly available sources. In such cases, you will be informed about the categories of information collected and their source.

The processing of your personal data is based on Article 6(1)(a) of the GDPR, as you have provided consent, and Article 6(1)(b), as the processing is necessary to respond to a request initiated by the job applicant.

SSI retains the information you provide through HR Manager until the recruitment process concludes. However, your information will not be retained for more than six months unless you explicitly request otherwise. Additionally, any materials collected by individuals involved in the recruitment process must be destroyed.

Have You Visited Our Website?

When you visit SSI’s website, we process certain information about you to generate statistics on website usage. The purpose of this is to further develop and improve SSI’s website.

SSI uses Siteimprove Analytics, a tool provided by the Danish software company Siteimprove. This processing is conducted under a data processing agreement between SSI and Siteimprove.

SSI has opted not to collect IP addresses, ensuring that the data collected is not directly attributable to individuals. However, it cannot be ruled out that personal data may be processed as a result of entered search terms or similar information.

You can read more here about how SSI processes personal data from visitors to our website (Danish language).

If SSI Analyzes a Sample from Your Livestock

Under the Danish Veterinary Consortium (DK-VET), SSI, in collaboration with the University of Copenhagen (KU), performs analyses of veterinary samples to detect livestock diseases caused by bacteria, viruses, parasites, and prions. SSI and KU have an agreement with the Danish Veterinary and Food Administration (Fødevarestyrelsen) to handle veterinary authority tasks, which, in addition to advisory services and research, include diagnostics for emergency response and national monitoring programs. Fødevarestyrelsen has overall responsibility for emergency preparedness and monitoring, as well as any follow-up on results. DK-VET is responsible for the laboratory part of the investigations. SSI contributes by analyzing livestock samples, after which the test results are provided to Fødevarestyrelsen, which then contacts the livestock owner.

DK-VET has been appointed by Fødevarestyrelsen as the national reference laboratory under the Control Regulation (Regulation 2017/625 of March 15, 2017, on official controls and other official activities to ensure compliance with food and feed laws and the rules on animal health and welfare, plant health, and plant protection products).

A joint data responsibility agreement has been established between SSI and KU to define the parties' respective responsibilities for compliance with the obligations under the General Data Protection Regulation (GDPR). Additionally, SSI has entered into a consortium agreement with KU to outline the terms of cooperation regarding the provision of veterinary authority services.

Here you can find an overview of the analyses offered by SSI. This overview is continuously updated.

SSI receives a completed requisition form with the sample, filled out by the sender (a veterinarian, livestock owner, or business). The information on the form includes the analyses to be performed by SSI as well as details such as the Central Livestock Register (CHR) number, livestock address, recipient’s email, phone number, practice number, animal species, purpose of the analysis (e.g., suspicion of notifiable disease, monitoring, specific diagnostics), etc. These details pertain to the livestock and can be traced back to the livestock owner, and are therefore considered personal data.

The information processed by SSI in connection with the veterinary authority agreement also includes data from Fødevarestyrelsen's CHR database. This data includes, for example, the livestock owner's name and address, animal species, number of animals, date of livestock establishment, associated veterinary practice, and, in some cases, the name and address of the person responsible for animal care.

SSI processes this information under the legal basis of Article 6(1)(e) of the GDPR, in conjunction with Section 222 of the Danish Health Act and Regulation 2017/625 of March 15, 2017, on official controls and other activities to ensure compliance with food and feed laws and the rules on animal health and welfare, plant health, and plant protection products, as the processing is necessary for performing a task carried out in the public interest or in the exercise of official authority.

If You Have Requested an Unregistered Vaccine or Autovaccine for Veterinary Use from SSI

SSI processes information about veterinarians who request an unregistered vaccine or autovaccine for veterinary purposes. SSI also processes information about livestock owners if the vaccines are intended for use in their herds.

Under Section 30 of the Danish Medicines Act, SSI is authorized to sell or provide, upon request, in special cases and limited quantities, sera, vaccines, specific immunoglobulins, and other immunological test preparations that are not covered by a marketing authorization. This authorization is granted to enable the treatment of animal diseases for which suitable registered preparations are not available on the Danish market.

When a veterinarian orders unregistered vaccines or sera, they complete a prescription form that includes various details, such as the livestock owner’s name, address, CHR number, and phone number. Additionally, the veterinarian’s name, practice number, authorization number, and information about the requested vaccine are recorded.

SSI processes personal data under the legal basis of Article 6(1)(e) of the General Data Protection Regulation (GDPR) in conjunction with Section 30 of the Danish Medicines Act and Section 222 of the Danish Health Act, as the processing is necessary for performing a task carried out in the exercise of public authority.

As a general rule, SSI only receives standard personal data about the livestock owner.

Have You Been Tested for COVID-19?

The last COVID-19 testing centers closed on March 31, 2023. PCR testing is now only available if deemed necessary by a doctor. You can read more under the section “Has a Sample From You Been Analyzed at SSI?”.

Here you can learn about SSI’s processing of personal data if you have been tested for COVID-19 (Danish language).

SSI is responsible for monitoring, preventing, and combating infectious diseases, including COVID-19. This means that SSI continues to monitor the spread of COVID-19, keep track of various virus variants, monitor the severity and consequences of the disease, and more.

You can read more about SSI’s monitoring of infectious diseases in the section “Have You Been Tested for an Infectious Disease That SSI Is Responsible for Monitoring, Preventing, and Combating?”

If the Coronapas App Is Installed on Your Mobile Device

Statens Serum Institut (SSI) is the data controller for any processing of personal data within the Coronapas app. However, the Coronapas app is currently inactive, meaning no personal data is being processed in connection with the operation of the app.

Data Processors and Confidentiality

SSI utilizes various data processors to perform tasks on its behalf. This is done in compliance with data processing agreements to ensure that the processing of data occurs strictly according to SSI's instructions and in adherence to the General Data Protection Regulation (GDPR) and the Danish Data Protection Act. A data processor does not use the data for their own purposes but solely for performing a specific task for SSI. Once the processor’s task is completed, the data is deleted and/or returned to SSI.

Responsibility for basic IT operations within the Ministry of the Interior and Health, including SSI, was transferred to the Ministry of Finance through a Royal Resolution on September 8, 2021. Statens IT was assigned responsibility for basic IT operations as per this resolution. Consequently, Statens IT will, in many cases, act as a data processor for SSI and process personal data on behalf of SSI. The Royal Resolution has been published in Executive Order No. 1845 of September 23, 2021.

All personal data accessed by SSI employees must be treated confidentially. This includes compliance with the rules on confidentiality under the Danish Public Administration Act and the Penal Code. Confidentiality obligations apply both during and after employment. Violations may, depending on the circumstances, result in disciplinary or criminal sanctions.

 

Our Contact Information

Statens Serum Institut
Artillerivej 5
2300 Copenhagen S
CVR No.: 46837428
Phone: +45 3268 3268
Email: serum@ssi.dk
If you have questions regarding our processing of personal data or your rights, you can contact SSI’s Data Protection and Information Security Department by sending an email to ssidatabeskyttelse@ssi.dk, where you can also request a callback.
If your inquiry contains confidential information about yourself or another person, you should always send your inquiry via Digital Post.
Read more about secure communication with SSI (Danish language)

Data Protection Officer (DPO)

The joint DPO for the Ministry of the Interior and Health is Helle Ginnerup-Nielsen. The DPO can be contacted by sending an email to databeskyttelse@sum.dk.
For more details on how to contact the DPO, please visit the Ministry of the Interior and Health's website.

Complaints

If you wish to file a complaint about SSI’s processing of your personal data, you should contact the Danish Data Protection Agency:

Danish Data Protection Agency
Carl Jacobsens Vej 35
2500 Valby
Phone: +45 3319 3200
Email: dt@datatilsynet.dk