Personal data policy

In the Capital Region of Denmark, we use information about citizens, users and patients as part of our day-to-day work. This personal data policy will explain how we process and protect personal data.

What is personal data?

Personal data is any information that relates to an identifiable natural person, for example:

name
address
civil registration number (CPR number)
health information
genetic data
ethnic origin
religion
marital status
social aspects
criminal convictions.

How we obtain personal data

The Capital Region of Denmark receives your personal data if you are admitted to one of our hospitals or if you are in contact with the region in some other way. We also receive your personal data from others outside of the region, such as public registers, private hospitals, hospitals in other regions, doctors with a private practice, municipalities or other public authorities.

In accordance with our duty to provide information, we will inform you whenever we receive or collect information about you. We will always provide you with the information you are entitled to receive, such as the basis and reason for why we are processing your data.

Why does the region need your personal data?

The Capital Region of Denmark collects personal data for a number of purposes as part of our routine work on the following, for example:

Patient treatment

Our core tasks at the Capital Region of Denmark are to run hospitals, services for the disabled and social programmes. We use personal data in these tasks to ensure a good process for citizens and patients.

Processing of personal data for patient treatment is regulated in health legislation, social legislation, Article 6(1)(e) of the General Data Protection Regulation and sections 7(3) and 11 of the Data Protection Act.

Research

Research and innovation are important routes to new knowledge and better patient treatment. The Capital Region of Denmark uses personal data in research activities.

Remnant blood and tissue samples from patient treatment may be used for research.

Processing of personal data in connection with research is regulated in the Health Act, the Committee Act (komitéloven), the Medicines Act (lægemiddelloven), the Medical Devices Act (lov om medicinsk udstyr), sections 10 and 11 of the Data Protection Act, as well as Article 6(1)(a) and Article 9(2)(a) of the General Data Protection Regulation.

Administration and staff

During recruitment processes and job interviews, the Capital Region of Denmark collects information about candidates and employees for administrative purposes,

Processing of personal data in connection with administration and staff is regulated in employment law regulations including the Public Officials Act (tjenestemandsloven), the Employers' and Salaried Employees' Act (funktionærloven), the Working Environment Act, Article 6(1)(a), (b), (c) and (e) and Article 9(2)(a), (b), (d) and (f) of the General Data Protection Regulation, as well as sections 8, 11 and 12 of the Data Protection Act.

Other case processing

The Capital Region of Denmark also uses personal data in connection with Regional Council elections, environment, training and financial purposes, as well as enquiries from citizens and to provide legal access to documents.

Processing of personal data in connection with the Region's other case processing is regulated in the health legislation, social legislation, environmental legislation, public administration legislation and data protection legislation.

How we process personal data

The Capital Region of Denmark is responsible for ensuring that the processing of personal data is done according to legislative principles. This means that we must process personal data legally, fairly and transparently.

Therefore, we only process your personal data if this is permitted by legislation or if you have given your consent. Consent is always voluntary and you are free to retract consent at any time.

We collect and process personal data for specific purposes, for example patient treatment, health planning and social sheltered housing.

We only process personal data that is relevant, sufficient and necessary to achieve the purpose for which the data was collected.

The personal data we process as part of our day-to-day routines must be correct and up-to-date. When we become aware of mistakes in personal data, we will rectify them.

We will erase your personal data when we no longer need it. However, we will store personal data for a longer period if the law requires us to do so, for example personal data in patient records.

As part of the day-to-day routines at the Capital Region of Denmark, we sometimes transfer personal data to parties outside of the region. We will only share personal data on the basis of legislation, your consent or at your request.

We collect and process personal data in a manner that ensures protection of your privacy. The Joint Regional Information Security Policy is the framework of the region’s own policies, guidelines etc. on information security.

See The Joint Regional Information Security Policy

What processing your data means

Processing is the activity or activities your data is used for. For example, data collection, registration, processing, storage, publication, adjustment/amendment, searches, transfers, comparing/merging and erasure.

Data transfer to recipient countries outside the EU and EEA

The Capital Region of Denmark transfers personal data to data processors outside the EU and EEA in situations where it is appropriate and where it helps ensure you the get best possible course of treatment. Transfers cover both actual transfers, for example when X-ray images are submitted for analysis in a country outside the EU and EEA, and they cover reading access in connection with support, for example from the US in connection with the Region's work on the Health Platform, or if a supplier of diagnostic imaging equipment uses sub-processors outside the EU and EEA.

The Capital Region of Denmark also works with researchers abroad in many contexts. Before the Region initiates research with collaboration partners in third countries, it is ensured that the rules for the specific type of research are followed, and that it is legal to transfer data about individuals to the relevant country outside the EU and EEA.

Transfers to third countries always depend on a specific assessment, and the basis for the transfer is secured by concluding the European Commission's standard contract with the data processor.

Security breach

We will notify you as quickly as possible should there be a personal data security breach that we determine entails a high risk to your rights, including discrimination, identity theft or fraud, financial loss, damage to reputation or social consequences.

Your rights

We are obligated to inform you of your rights when we process your personal data. For example, you have

the right to access information regarding the region's processing of your personal data
the right to correct incorrect personal data about you
the right to restrict the processing of your personal data (i.e. if the accuracy of the data is unclear)
the right to object.

Complaints

You can lodge a complaint directly to the Danish Data Protection Agency if you believe that the Capital Region of Denmark is not processing your personal data correctly according to the protection of personal data legislation.

However, you should always contact the Capital Region of Denmark first if you believe the region is processing your personal data in contravention of the protection of personal data legislation.

Visiting websites

The Capital Region of Denmark's websites use cookies to improve the user experience and to collect statistics. A cookie is a file that is saved on the device (computer, smartphone, tablet or other device) you use when you access the region's websites.

The region's websites contain links to other websites. The region is not responsible for the content on those websites.

Contact our data protection officer

You can write securely to our data protection officer via Digital Post at borger.dk (login with your MitID)

If your inquiry does not contain any sensitive or confidential information, you can write to our data protection officer via normal e-mail

Companies can write securely to our data protection officer via Digital Post at virk.dk (login with your MitID)

The Danish version of the personal data policy has been prepared in cooperation between the Capital Region of Denmark, Region Zealand, Region of Southern Denmark, Central Denmark Region and North Denmark Region

The personal data policy was approved by the Capital Region of Denmark 18th of May 2023.

Please notice that the English version of the policy is translated for the Capital Region of Denmark.

Responsible editor

Christian Hult