Information about processing of personal data in connection with  vaccination against novel coronavirus/COVID-19

Here you will find information about how Statens Serum Institut processes your personal data in connection with the vaccination against novel coronavirus/COVID-19.

We are the data controller – how do you contact us?

Statens Serum Institut (SSI) is the data controller of the processing of the personal data we process about you. You can find our contact details below.

Statens Serum Institut Artillerivej 5 DK-2300 Copenhagen S
CVR no.: 46837428
Tel.: 32683268
Email: serum@ssi.dk

You are always welcome to contact our DPA function at compliance@ssi.dk or +45 4046 0083 if you have any other questions about how SSI processes your personal data.

Please contact SSI via e-Boks if you have any questions regarding your rights. You can find information (in Danish) on how to use e-Boks at the webpage Sikker kommunikation med SSI.

Purpose of the processing of personal data

We process your personal data for the purposes of offering vaccination and setting up vaccination processes for selected target groups and for monitoring the public’s acceptance and the effect of vaccination and examining any causality between vaccination and unexpected reactions or side-effects of vaccination. This is part of SSI’s tasks as a public authority and of our efforts to prevent and monitor the spread of coronavirus/COVID-19. 

Part of the processing is performed for research and statistical purposes only.

Categories of personal data and the lawfulness of processing of personal data

We process the following categories of personal data about you in the Danish vaccination register:

Common, non-sensitive personal data:

  • Name

  • Address

  • Health insurance category

  • Own doctor’s healthcare provider number

  • Regional code

Common, confidential personal data:

  • Civil registration (CPR) number

Sensitive personal data: 

  • Health data that you have been vaccinated.

Moreover, SSI will process data about underlying diseases and occupational conditions, among other things, which are necessary for SSI to identify whether you are among the target groups for vaccination. SSI also uses the data to be able to perform its tasks of monitoring the public’s acceptance and the effect of vaccination and examining any causality between vaccination and unexpected reactions or side-effects of vaccination. 

SSI is responsible for monitoring and combating the spread of diseases in collaboration with the rest of the public health service, and for monitoring and assessing the public’s acceptance and the effect of vaccination and examining any causality between vaccination and unexpected reactions or side-effects of vaccination, see section 222 of the Danish Health Act (Sundhedsloven) and, in more detail, section 157 a(6) of the Danish Health Act. SSI is also responsible for recording data on individual citizens’ vaccinations and related data in the Danish vaccination register, see section 157a of the Danish Health Act.

We thus process your personal data in accordance with Article 6(1)(e)1 of the General Data Protection Regulation, as the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in SSI. Furthermore, we process your personal data in accordance with Article 9(2)(h) and (i), as the processing is necessary for the purpose of management of health or social care systems and services and for reasons of public interest in the area of public health.

We process your civil registration (CPR) number in accordance with section 11(1)2 of the Danish Data Protection Act (Databeskyttelsesloven), as the processing is necessary to enable us to identify you clearly.

1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (EEA-relevant text).

2) Act no. 502 of 23 May 2018 on supplementary rules to the Regulation on protection of natural persons in connection with the processing of personal data and the free exchange of such data.

Sources of personal data 

We have received information about your CPR number from the CPR Register and information about your name, address, health insurance category, your doctor’s healthcare provider number and the regional code from the Danish Health Data Authority. We also receive further data about you, for example age and gender, from public registers, including the CPR Register. 

As part of our monitoring of the public’s acceptance and the effect of vaccination as well as studies relating to the security of vaccines, we also receive various data about you, for instance about chronic diseases and employment relationships, from public registers, including Landspatientregistret (Danish national patient register), [RUKS], STAR, the DREAM register, etc. In this connection, SSI also looks at any COVID-19 test results. 

Recipients or categories of recipients

SSI discloses your personal data to the Region in which you live, partly to enable you to receive the vaccination, and partly for the vaccination to be recorded in your patient records and in the Danish vaccination register. 

Your Region or your general practitioner is responsible for recording and reporting of vaccinations in the Danish vaccination register. Please contact your general practitioner or your Region, if you want to know more about your general practitioner’s or your Region’s processing of personal data. You can find contact details here:

Region Nordjylland (Region of Northern Denmark): www.rn.dk 
Region Midtjylland (Central Denmark Region): www.rm.dk
Region Syddanmark (Region of Southern Denmark): www.regionsyddanmark.dk
Region Hovedstaden (Capital Region of Denmark): www.regionh.dk
Region Sjælland (Region Zealand): www.regionsjaelland.dk

SSI also discloses your personal data to the Danish Medicines Agency; this is necessary to enable the Danish Medicines Agency to perform its task of monitoring the security of vaccines, including side-effects. Please contact the Danish Medicines Agency at www.lmst.dk, if you want to know more about the Agency’s processing of your personal data. 

SSI discloses personal data to our data processors, including the Danish Health Authority. We have entered into data processing agreements with our data processors and supervise the data processors’ compliance with the data processing agreements in accordance with the applicable rules.

Transfer to recipients in third countries, including international organisations

We will not transfer your personal data to recipients outside the EU and EEA.

Storage of your personal data

We store your personal data from the time it is collected in order to be able to offer vaccination/set up vaccination processes, and we store the data for as long as necessary and relevant for the performance of SSI’s public authority tasks under sections 222 and 157a of the Danish Health Act. 

Your rights 

Under the General Data Protection Regulation, you have a number of rights in relation to our processing of your personal data. Please contact SSI to exercise your rights. 
A number of limitations apply to your rights under the General Data Protection Regulation when personal data is used for research and statistical purposes only. For instance, you do not have the rights of access to and rectification and restriction of, objection to and erasure of your personal data included in the processing. The limitation of your rights follows from section 22(5) of the Danish Data Protection Act (Databeskyttelsesloven) and article 17(3)(d) of the General Data Protection Regulation.

However, certain limitations may also apply to other cases in which you have the following rights: 

Right to access data (right of access)
You have a right to access the data we process about you as well as a number of additional information.

Right to rectification (correction)
You have the right to have inaccurate data about you corrected. 

Right to erasure
In exceptional cases, you have the right to have data about you erased before we normally erase such data.

Right to restriction of processing
In some cases, you have the right to have the processing of your personal data restricted. If you have the right to restriction of our processing, this means that, in future, we may only process the data – with the exception of storage – with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

Right to object
In certain cases, you have the right to object to our otherwise lawful processing of your personal data.

You can read more about your rights in the Danish Data Protection Agency’s guide on the rights of data subjects, which you can find at www.datatilsynet.dk.

Please contact SSI via e-Boks if you have any questions regarding your rights. You can find information (in Danish) on how to use e-Boks at the webpage Sikker kommunikation med SSI

The Data Protection Officer’s contact details

If you have any questions about our processing of your data, you are always welcome to contact the Danish Ministry of Health’s joint Data Protection Officer, Helle Ginnerup-Nielsen.
You can contact our Data Protection Officer in the following ways:
By email: databeskyttelse@sum.dk
By letter: Holbergsgade 6, DK-1057 Copenhagen K, attn. ‘Data Protection Officer’ (databeskyttelsesrådgiver)

Lodging a complaint with the Danish Data Protection Agency

You have the right to lodge a complaint with the Danish Data Protection Agency if you are dissatisfied with the way we process your personal data. You can find the Danish Data Protection Agency’s contact details at www.datatilsynet.dk.