Version 1.8
Information about our processing of your personal data when using MitID
1. The Agency for Digital Government is the data controller
The Danish Agency for Digital Government is the data controller for the processing of your personal data in connection with the use and operation of MitID.
If you are a business user and use a special dedicated MitID for business use, please refer to the privacy notice for MitID Erhverv at mitid-erhverv.dk
You can find our contact details below.
Danish Agency for Digital Government
Landgreven 4
DK-1301 Copenhagen K
CVR no. 34 05 11 78
Telephone: +45 33 92 52 00
E-mail: digst@digst.dk
2. Contact details of the Data Protection Officer
If you have any questions about our processing of your data, you are welcome to contact our Data Protection Officer.
You can contact our Data Protection Officer in the following ways:
- By Digital Post: Send a message to the Danish Agency for Digital Government in Digital Post with "Att. Data Protection Officer" in the subject field.
- By email: dpo@digst.dk. If you wish to contact the Data Protection Officer via email, please do not provide your civil registration number or other sensitive/confidential information.
- By letter: Danish Agency for Digital Government, att.: Data Protection Officer, Landgreven 4, 1301 Copenhagen K, Denmark
- By phone: +45 33 92 52 00
3. The legal basis for the Agency for Digital Government's processing of your personal data
- The processing of your personal data is based on the General Data Protection Regulation, Article 6(1)(e) on the exercise of public authority, cf. the Executive Order on MitID and NemLog-in (Consolidated Act no. 333 of 19 March 2025).
- The processing of information about civil registration numbers is done for the purpose of unique identification, cf. section 11(1) of the Danish Data Protection Act.
- The processing of data for the purpose of carrying out statistical or scientific studies of significant importance to society is authorised by section 10 of the Danish Data Protection Act.
4. The purposes of processing of your personal data
The purpose of the Danish Agency for Digital Government's processing of your personal data is to ensure the correct issuance and administration of MitID. The processing of your personal data is also to prevent misuse when using your MitID.
The purpose of the Danish Agency for Digital Government's processing of your data is also to develop the MitID solution, including for scientific studies of significant societal importance.
5. Categories of personal data
The Danish Agency for Digital Government processes personal data in the following general categories:
- Identity data
- Contact details
- Registration data
- Identity documentation
- Log data, etc.
Identity and contact data concerns information about your full name, date of birth, residential address and civil registration number, as this information is primarily retrieved from the Central Person Register (‘CPR registret’). In addition, information about your stated MitID user ID and information about your telephone number and e-mail address is also processed if you have provided this information.
When creating your MitID identity and the subsequent registration of your MitID authenticators, information about your ID documentation is processed. This could be information from your passport or driving licence. If you have identified yourself by answering questions from the Central Person Register or with the help of a witness, this information will also be processed.
When using the MitID solution via the digital self-service solution (MitID app), information about your face will also be processed in order to verify image information from your used ID documentation.
In addition, detailed information about the use of your MitID is processed, including information about when, how and what you use your MitID for. In this context, IP address information is included, including geographical location information based on the registered IP address.
When using the MitID app as an authenticator, information about the device from which you access your MitID app is also processed. This includes information such as the device's serial number, operating system and version number and whether the phone is jail-broken.
6. Recipients or categories of recipients of personal
The Danish Agency for Digital Government will only disclose your personal data if it is required to do so by law.
In certain cases, the Danish Agency for Digital Government may be required to transfer data to other public authorities. The transfer will be limited to the personal data necessary for the exercise of official authority.
As part of the MitID solution, the Danish Agency for Digital Government also discloses personal data to the MitID broker, which forwards the authentication of digital identities to the service provider. A broker acts as a link between the service provider and the MitID solution. For example, NemLog-in fulfils the role of broker for all public authorities in Denmark. A broker becomes an independent data controller with regard to data that the broker receives from the MitID solution.
If the service provider has entered into an agreement with its MitID broker to share personal data, the service provider may also receive information about you. The data is disclosed for validation purposes and to ensure the appropriate level of security.
The Danish Agency for Digital Government transfers your personal data to the agency's data processor, IN Groupe Denmark A/S, which also assists with the operation and administration of IT systems related to the MitID solution.
7. Recipients in third countries, including international organisations
We do not transfer your personal data to recipients outside the EU/EEA. However, please note that if you get MitID in Greenland or the Faroe Islands, your personal data will be transferred there.
When transferring personal data to Greenland, the transfer basis is the EU Commission's standard contractual clauses on data protection, cf. the GDPR’s Article 46(2)(c).
When transferring personal data to the Faroe Islands, the transfer basis is Article 45 and Article 46(2)(c) of the GDPR.
8. Retention of your personal data
The Danish Agency for Digital Government will store and process your personal data for as long as necessary for the purpose of issuing, administering and using MitID in order to access digital services and secure against misuse.
9. The origin of your personal data
The Citizen Service unit or bank where you request the creation of MitID collects your personal data directly from you.
Through your potential ordering of a physical authenticator when ordering online prior to or in connection with your creation as a MitID user, your personal data is collected directly from you.
Your personal data is also collected directly from you if you use the MitID app to complete verification of your identity.
During administration of your use of MitID, your master data is continuously updated by synchronisation with your CPR data or by your own updating of optional additional information on alternative address, mobile number and e-mail address.
Part of the processing of personal data includes obtaining information from central public registers such as the passport/driving licence register, the CPR and the Danish address register.
10. Automated decision-making, including profiling
Automated decisions on the suspension of authenticators
The Danish Agency for Digital Government uses automated decisions in certain cases of MitID suspension.
This would be the case, for example, when a MitID code is entered incorrectly a certain number of times. In this case, the MitID solution will systemically suspend the electronic authenticator for a limited period of time. The duration of the suspension period depends on the number of incorrect entries.
The Danish Agency for Digital Government also uses automatic decisions when you use the self-service solution to create a MitID identity.
11. Right of access, rectification, erasure, restriction, objection and data portability
Below you can read about your rights to access, rectification, erasure, restriction, objection and data portability.
You can also read more about your rights in the Danish Data Protection Agency’s guide on the rights of data subjects, which you can find at www.datatilsynet.dk
If you want to exercise your rights, please contact the Danish Agency for Digital Government.
Right to see information (right of access)
You have the right to access the data that we process about you and a number of additional information.
You can also view the personal data that the Danish Agency for Digital Government has registered about you regarding your active MitID at any time. This is done via self-service at MitID.dk, where you can see the information registered in MitID about you.
Right to rectification (correction)
You have the right to have incorrect information about yourself corrected. You also have the right to have further information added to your data if this will make your personal data more complete and/or up to date.
Right to erasure
In certain cases, you have the right to have data about you deleted before the Danish Agency for Digital Government's general deletion schedule.
Right to restrict processing
In some cases, you have the right to restrict the processing of your personal data.
If you have the right to restrict the processing, in the future the Danish Agency for Digital Government may only process data – except for storage – subject to your consent or for the establishment, exercise or defence of legal claims or to protect a person or important public interests.
However, restricting the processing of your personal data may mean that you cannot use MitID.
Right to object
In some cases, you have the right to object to the Danish Agency for Digital Government’s otherwise lawful processing of your personal data.
Right to transmit data (data portability)
This right does not apply to MitID as the processing is carried out in the exercise of official authority vested in the controller by law.
12. Complaint to the Danish Data Protection Agency
If you wish to complain about the Agency for Digital Government's processing of your personal data, you must send your complaint to the Danish Data Protection Agency.
You can find the contact details of the Danish Data Protection Agency at datatilsynet.dk