Personal data policy

In the Capital Region of Denmark, we use information about citizens, users and patients as part of our day-to-day work. This personal data policy will explain how we process and protect personal data.


What is personal data?

Personal data is any information that relates to an identifiable natural person, for example:
  • name
  • address
  • civil registration number (CPR number)
  • health information
  • genetic data
  • ethnic origin
  • religion
  • marital status
  • social aspects
  • criminal convictions.

How we obtain personal data

The Capital Region of Denmark receives your personal data if you are admitted to one of our hospitals or if you are in contact with the region in some other way. We also receive your personal data from others outside of the region, such as public registers, private hospitals, hospitals in other regions, doctors with a private practice, municipalities or other public authorities.

In accordance with our duty to provide information, we will inform you whenever we receive or collect information about you. We will always provide you with the information you are entitled to receive, such as the basis and reason for why we are processing your data.

Why does the region need your personal data?

The Capital Region of Denmark collects personal data for a number of purposes as part of our routine work on the following, for example:

Patient treatment

Our core tasks at the Capital Region of Denmark are to run hospitals, services for the disabled and social programmes. We use personal data in these tasks to ensure a good process for citizens and patients.

Processing of personal data for patient treatment is regulated in health legislation, social legislation, Article 6(1)(e) of the General Data Protection Regulation and sections 7(3) and 11 of the Data Protection Act.  


Research and innovation are important routes to new knowledge and better patient treatment. The Capital Region of Denmark uses personal data in research activities.

Remnant blood and tissue samples from patient treatment may be used for research.

Processing of personal data in connection with research is regulated in the Health Act, the Committee Act (komitéloven), the Medicines Act (lægemiddelloven), the Medical Devices Act (lov om medicinsk udstyr), sections 10 and 11 of the Data Protection Act, as well as Article 6(1)(a) and Article 9(2)(a) of the General Data Protection Regulation.  

Administration and staff

During recruitment processes and job interviews, the Capital Region of Denmark collects information about candidates and employees for administrative purposes, 

Processing of personal data in connection with administration and staff is regulated in employment law regulations including the Public Officials Act (tjenestemandsloven), the Employers' and Salaried Employees' Act (funktionærloven), the Working Environment Act, Article 6(1)(a), (b), (c) and (e) and Article 9(2)(a), (b), (d) and (f) of the General Data Protection Regulation, as well as sections 8, 11 and 12 of the Data Protection Act.  

Other case processing

The Capital Region of Denmark also uses personal data in connection with Regional Council elections, environment, training and for financial purposes, as well as for enquiries from citizens in case processing regarding complaints, to provide legal access to documents and general questions.

Processing of personal data in connection with the Region's other case processing is regulated in the health legislation, social legislation, environmental legislation, public administration legislation and data protection legislation.

How we process personal data

The Capital Region of Denmark is responsible for ensuring that the processing of personal data is in accordance with legislative principles.  This means that we must process personal data legally, fairly and transparently. 

Therefore, we only process your personal data if this is permitted by legislation or if you have given your consent. Consent is always voluntary and you are free to retract consent at any time.

We collect and process personal data for specific purposes, for example patient treatment, health planning, research and social sheltered housing.   

We only process personal data that is relevant, sufficient and necessary to achieve the purpose for which the data was collected. 

The personal data we process as part of our day-to-day routines must be correct and up-to-date. When we become aware of mistakes in personal data, we will rectify them.

We will erase your personal data when we no longer need it. However, we will store personal data for a longer period if the law requires us to do so, for example personal data in patient records.

As part of the day-to-day routines at the Capital Region of Denmark, we sometimes transfer personal data to parties outside the region. We will only share personal data on the basis of legislation, your consent or at your request.  

What processing your data means

Processing is the activity or activities your data is used for. For example, data collection, registration, processing, storage, publication, adjustment/amendment, searches, transfers, comparing/merging and erasure.


The Capital Region of Denmark collects and processes personal data in a manner that ensures protection of your privacy. The common regional information security policy is the framework of the region's own policies, guidelines etc. on information security. 

The Capital Region of Denmark is responsible for a number of essential functions, including operating hospitals and patient treatment. Therefore, in cooperation with relevant national bodies, the region monitors its digital infrastructure and processes personal data for security purposes. 

Data transmission to recipient countries outside the EU and EEA 

The Capital Region of Denmark transmits personal data to recipients outside the EU and EEA in situations where it is appropriate and where it helps ensure you get the best possible course of treatment. Transmission includes both actual transmission of personal data and read-only access for support.

The Capital Region of Denmark works with researchers abroad in many contexts. Before the Region initiates research with collaboration partners in third countries, it ensures that the rules for the specific type of research are followed, and that it is legal to transmit personal data to the relevant country outside the EU and EEA.

Transmissions to third countries always depend on a specific assessment in accordance with Part 5 of the General Data Protection Regulation. 

Data transmission by the Capital Region of Denmark to recipient countries outside the EU and EEA  

The Capital Region of Denmark secures the basis for transmission by using standard EU contracts, and by observing supplementary technical and organisational measures. 

The patient record system (Sundhedsplatform) for the Capital Region of Denmark is operated on servers located in Denmark, in which data is stored and processed. For support purposes, personal data is transmitted to the system supplier, EPIC, in the US.

The Capital Region of Denmark transmits data to third countries in connection with the use and support of different types of medico-technology e.g. Latitude, which is included in treatment for heart patients who have received a pacemaker/ICD, Abbott pacemaker/ICD, and Panther Link. Furthermore, the region transmits X-ray images sent for analysis to countries outside the EU and the EEA. 

Public cloud

The Capital Region of Denmark uses a number of systems which use public cloud services (Microsoft Azure and Amazon Web Services (AWS)) for transmissions to countries outside the EU/EEA. 

These systems are used to a very limited extent in patient treatment. Examples include: Care Orchestrator, which is used in the treatment of patients with respiratory diseases; Tidepool and Glooko, which are used in the treatment of patients with diabetes; Carelink, which is used to monitor patients at home who have a pacemaker/ICD; Cochlear Link, which is used to synchronize hearing settings for patients with cochlear implants; and AIDOC, which is used to help in decisions regarding identification of injury on X-ray images.

In research, the region uses Cortrium APEX, for example, for ECG measurements and diagnostics of cardiac problems. 

The region also uses public cloud-based systems for administration, personnel and training, e.g. Microsoft O365, the HR-manager recruiting system, the Optima shift-planning system, Kursusportalen, and SimCapture, which is used in simulation training for clinicians. 

Security breach
We will notify you as quickly as possible should there be a personal data security breach which we determine entails a high risk to your rights, including discrimination, identity theft or fraud, financial loss, damage to reputation or social consequences. 

Your rights

We are obligated to inform you of your rights when we process your personal data. For example, you have:

  • The right to access information regarding the region's processing of your personal data
  • The right to correct incorrect personal data about you
  • The right to restrict the processing of your personal data (e.g. if the accuracy of the data is unclear)
  • The right to object
  • The right to have your personal data stored by the region erased. However, note that, as a public authority, we are required to be able to document the basis on which we have based a ruling or a decision, and therefore we only have limited access to erase personal data.


Contact the Capital Region of Denmark if you are dissatisfied with the way in which we process your personal data. 

You can also lodge a complaint directly with the Danish Data Protection Agency if you believe that the Capital Region of Denmark is processing your personal data contrary to data protection legislation. You should always contact the Capital Region of Denmark first. 

Visiting websites

The Capital Region of Denmark's websites use cookies to improve the user experience and to collect statistics.  A cookie is a file that is saved on the device (computer, smartphone, tablet or other device) you use when you access the region's websites. 

The region's websites contain links to other websites. The region is not responsible for the content on those websites.

This personal data policy has been prepared in cooperation between the Capital Region of Denmark, Region Zealand, the Region of Southern Denmark, the Central Denmark Region and the North Denmark Region. 

This personal data policy was approved by the Capital Region of Denmark on 18 December 2023.