Siden er ikke tilgængelig på det valgte sprog
Siden er ikke tilgængelig på dit ønskede sprog. De tilgængelige sprog er nævnt nedenstående.
dansk English
The page is not available in the selected language
Unfortunately, the page is not available in the selected language. The page is available in the languages listed below.
dansk English

Privacy notice

Version 1.5

Information about our processing of your personal  data, etc.

Introduction

This privacy notice for MitID describes how the Danish Agency for Digital Government processes your personal data in relation to the use of MitID, and your rights in that regard.

If you are a business user and is using a separate MitID for business, you are referred to the privacy notice for MitID Erhverv at mitid-erhverv.dk

1. We are the data controller - how to contact us?

The Danish Agency for Digital Government is the data controller for the processing of your personal data. You will find our contact information below:

The Danish Agency for Digital Government
Landgreven 4
1301 København K
CVR no..: 34 05 11 78
Phone: +45 33 92 52 00
Mail: digst@digst.dk

2. Contact information of the Data Protection Officer

The Ministry of Digital Government and Gender Equality has appointed a Data Protection Officer who provides guidance on the data protection regulation within the area of the Ministry of Digital Government and Gender Equality. The task of the Data Protection Officer is to support the Ministry of Digital Government and Gender Equality’s compliance with the rules on the processing of personal data.

The Data Protection Officer can guide you on your rights in relation to the processing of your personal data within the area of the Ministry of Digital Government and Gender Equality.

If you have questions about our processing of your personal data, you are always welcome to contact our Data Protection Officer. You can contact our Data Protection Officer in the following ways:

  • Via Digital Post. Send the mail to the Danish Agency for Digital Government in the Digital Post solution. Write 'Attention: Data Protection Officer' in the subject field.
  • Via email: dpo@digst.dk. If you wish to contact the Data Protection Officer via email, please refrain from providing your CPR number or other sensitive/confidential information.
  • Via letter: Danish Agency for Digital Government, Attention: Data Protection Officer, Landgreven 4, 1301 Copenhagen K.

3. Purpose and legal basis of the processing of your personal data

The purpose of the Danish Agency for Digital Government's processing of your personal data is:

  • The issuance, administration and use of MitID in order to access digital services.

The legal basis for our processing of your personal data is based on:

  • The Law on MitID and NemLog-in (law no. 783 of May 4th, 2021, regarding MitID and NemLog-in, as amended by law no. 1559 of December 12th, 2023) and the EU General Data Protection Regulation Article 6, para 1, litra e, related to the processing of ordinary personal data and the Danish Data Protection Act § 11, para 1, litra 1, related to the processing of the Danish Civil Registration number (CPR number).

The Danish Agency for Digital Government does not process your personal data for purposes that are not related to the issuance, administration and use of MitID.

4. Categories of personal data

We are processing the following categories of personal data about you:

  • Full name (mandatory)
  • Date of birth (mandatory)
  • User ID (mandatory)
  • Contact information
    • Email address (optional)
    • Mobile phone number (mandatory when using the MitID app)
    • Address of residence (retrieved automatically from CPR)
    • Alternative address (optional)
  • Information about the identification documents used when getting MitID
  • Pseudonymized value of identification document number, e.g., passport number, driver's license number or residence permit number.
  • Data used for verification of an identity or reactivation of a temporarily blocked authenticator through MitID app:
    • Photo and personal data from the photo page in a passport (or other ICAO compatible identification).
    • Video for detection of whether a real face is used (liveness) for verification.
    • 3D facial recognition attributes.
  • Risk data
    • Log-in location information, the device used for log-in, network information and identity and recent usage information.
  • Authentication response
    • Contains your name, your unique identification key, unique session ID, your used session authenticators, risk data, and other attributes in the form of contact data, identity data and authentication data.
  • Information from The Danish Civil Registration System (CPR)

4 A. Witness

  • If you are a witness for a person applying for MitID
    • Information about witnesses include e.g. identification document type, identification document number, the Danish Civil Registration number (CPR number), Danish Central Business Register number (CVR), and witness type.

5. Recipients or categories of recipients

We transfer or hand over your personal data to the following recipients:

In certain cases, the Danish Agency for Digital Government may be obliged to transfer information to other public authorities. The transfer will be limited to the personal data necessary for the exercise of authority.

Nets DanID A/S is the data processor for the Danish Agency for Digital Government and the supplier of the MitID solution.

The Danish Business Authority is the data processor in relation to handling support.

RA’s are Registration Authorities and data sub processors in the MitID solution.

In certain situations, MitID Brokers are also data sub processors in relation to the MitID solution.

The Danish Agency for Digital Government transfers information about risk data and authentication responses about the specific and individual transaction to a public authority or a company in the role of MitID Broker for validation and securement of appropriate level of security.

The Danish Agency for Digital Government hands over your personal data to the data processors of the Danish Agency for Digital Government, who assist with the operation and administration of IT systems related to the MitID solution.

The Danish Agency for Digital Government discloses IP addresses, URL for visited websites including timestamps (related to an IP address), geographic location based on IP addresses and information about browser version/engine, and operating system version/engine to Akamai Denmark (Akamai Technologies Denmark ApS, CVR number 36 02 66 50) for the purpose of Akamai's traffic and security analysis of traffic to MitID, aiming at continuous improvement of their overall solution to prevent cyber attacks on MitID and for problem resolution and support. This is carried out, in particular, to ensure that Akamai can deliver its service correctly.

6. Transfer to recipients in third countries, including international organizations

In general, we do not transfer your personal data to recipients outside the EU and the EEA.

Please notice, if your MitID is issued in Greenland or the Faroe Islands: When transferring personal data to Greenland or the Faroe Islands, the legal basis is standard data protection clauses pursuant to EU General Data Protection Regulation Article 46, paragraph 1, litra c).

The Danish Agency for Digital Government uses the data sub processor, Inverid Software B.V, to process personal data read from a passport that has not been issued in Denmark when verifying your identity in the MitID app or in case you need support via phone. Data that are processed by Inverid for the purposes of verification will be stored at a maximum of 15 minutes, after which they are deleted by Inverid. The Inverid solution is hosted on an Amazon Web Services (AWS) cloud-platform in Ireland. AWS does not have technical access to any personal data in clear text as data are encrypted by using strong encryption. In case it is necessary for AWS to disclose personal data (encrypted) in order to comply with a legal obligation under law or order from a public authority in the USA, personal data cannot be disclosed by AWS in clear text, as the encryption key is unavailable for AWS.

7. Collection of your personal data

The Citizen Service unit or bank, where you request the registration of MitID, collects your personal data directly from you.

If you are ordering an authenticator online prior to, or in connection with, your registration as MitID user, your personal data is collected directly from you. Your personal data is also collected directly from you if you use the MitID app to complete the verification of your identity.

In relation to the administration of your use of MitID, your basic data is synchronized with your CPR information or by your own update of optional additional information such as an alternative address, mobile number, and email address.

As part of the processing of your personal data, information is also obtained from central public registries like the passport/driver’s license registry, CPR registry, and the Danish Address Registry.

8. Storage of your personal data

The Danish Agency for Digital Government stores and processes your personal data for as long as it is necessary in relation to the issuing, administering, and using MitID for accessing digital services.

When verifying an identity through the MitID app, personal data from registration of liveness and 3D face recognition, as well as personal data from the photo page in a passport (or other ICAO compatible identification) that has not been issued in Denmark, is stored encrypted for a maximum of one day, after which the data are deleted. Personal data from the photo page in a passport issued in Denmark is stored encrypted in temporary memory while the session is active, and for a maximum of one hour, after which the data is deleted.

9. Processing of personal data in connection with the support of MitID

The Danish Agency for Digital Government also acts as the data controller regarding any personal data processed about you if you contact MitID Support. MitID Support helps users find information about MitID and how to use the MitID solution. With MitID Support, users can receive help via phone, e-mail, screen sharing, and live chat. As a user, you also have the option to receive a customer satisfaction survey in connection with your contact with MitID Support. If you give consent, the call is also included in an anonymized survey of trends in the phone calls that MitID Support receives.

The purpose of The Danish Agency for Digital Government’s processing of personal data when users contact MitID Support is: Provision of support in relation to the use of MitID and improvement of support services.

The legal basis for our processing of your personal data is based on:

  • The legal basis for our processing of your data in relation to inquiries via phone, mail or live chat is based on the EU General Data Protection Regulation Article 6, paragraph 1, litra e, related to the processing of ordinary personal data in the exercise of public authority.
  • The legal basis for processing your personal data in relation to the customer satisfaction survey, including the anonymized survey of trends in the phone calls, screen sharing and/or phone recordings follows Article 6 of the Data Protection Regulation, paragraph 1, litra a, on consent.
  • The legal basis for our processing of your data, if you enter your CPR number in the support's phone menu, is section 11 of the Data Protection Act, paragraph 1, for processing of CPR.

In relation to screen sharing, the supporter will be able to see the personal information that may appear on the page where you need support.

In relation to the customer satisfaction survey and/or screen sharing, you can withdraw your consent at any time. If you choose to withdraw your consent it does not affect the legality of our processing of your personal data based on your previously given consent up to the time of withdrawal. If you withdraw your consent, it will be in effect from the time of withdrawal.

E-mails that are misdirected to MitID Support are, to the extent that is possible, forwarded to the appropriate authority/unit.

Retention of your personal information in relation to MitID support

  • With consent, the phone call is recorded and stored for 30 days, after which it is deleted. The call is recorded for training and quality assurance purposes.
  • With consent to receive a customer satisfaction survey, your phone number is deleted after 90 days, and your comment is deleted after 180 days. The customer satisfaction survey is sent based on your call.
  • If you choose to enter your CPR number in the support phone menu, your CPR number will be displayed to the supporter when your call comes through. Your CPR number will not be saved and will disappear from the supporter's screen when the call is terminated.
  • In the data processor's phone system, call data is deleted after 90 days (data includes phone number, date and time, call duration, queue selection, any callbacks, wait time, and supporter's name).
  • For statistical purposes, data is stored in anonymized form for up to 5 years.
  • With consent for screen sharing in the screen sharing tool, the video session is stored for 90 days, after which it is automatically deleted. The session is recorded for training and quality assurance purposes.
  • All written inquiries are stored for 6 months and then deleted.
  • With consent to receive a customer satisfaction survey in relation to written inquiries, your email is deleted after 90 days, and your comment in the customer satisfaction survey is deleted after 180 days. The customer satisfaction survey is sent based on your written inquiry.
  • All written inquiries (including live chat) that MitID Support forwards to another authority are archived and stored. Any complaints will also be logged and stored.
  • In the live chat system, data is deleted after 6 months (data includes the conversation between the citizen and supporter, as well as the name entered by the customer in the field).
  • The data processor uses a data sub processor to analyze trends in user calls. This is done to improve the service of the support. The conversations are transferred to the sub-processor, that immediately converts the speech to text and anonymizes the text. The anonymized text is then used for trend analysis. The sub-processor retains the audio recording of the conversation for 30 days, after which it is deleted.

10. Your rights

You have a number of rights under the data protection regulation regarding our processing of data about you.

If you want to make use of your rights, you need to contact us.

Right to access information (right of access)

You have the right to access the information we process about you, as well as additional information.

You can send a request to the Danish Agency for Digital Government in one of the following ways:

  • Via Digital Post to the Danish Agency for Digital Government.
  • Via letter to the Danish Agency for Digital Government, Landgreven 4, 1301 Copenhagen K with the title "Processing of MitID Personal data".

You can also at any time view the personal data that the Danish Agency for Digital Government has registered about you. This is done through self-service on MitID.dk. Here, you can also generate an automatic GDPR report, where you can see the information registered in MitID about you.

Right to rectification (correction)

You have the right to have incorrect information about yourself corrected.

You can change your email address and mobile phone number at any time via self-service on MitID.dk. The same applies if you have provided an address as an alternative to the CPR address. For the correction of other information that may be incorrect, such as errors in CPR information, you should contact Citizen Service.

Right to erasure

The Danish Agency for Digital Government stores and processes your personal data for as long as it is necessary for the purpose of issuing, administering, and using MitID to access digital services.

However, you can always request the deletion of information about your email address, alternative address, and/or mobile number. If you use the MitID app, please note that if you delete your mobile number, you will no longer be able to use the MitID app.

Right to restriction of processing

In certain cases, you have the right to have the processing of your personal data restricted.

However, restricting the processing of your personal data may mean that you cannot use MitID.

If you want to request restriction of the processing of your personal data, you should contact the Danish Agency for Digital Government. See contact information below.

Right to object

In special situations, you have the right as a user to object to the processing of the personal data that the Danish Agency for Digital Government has registered about you.

You can contact the Danish Agency for Digital Government in one of the following ways:

  • Via Digital Post to the Danish Agency for Digital Government.
  • Via letter to the Danish Agency for Digital Government, Landgreven 4, 1301 Copenhagen K. with the title "Complaint about the processing of MitID personal data".

Right to transmit information (data portability)

This right does not apply to MitID, as the processing takes place as part of the exercise of authority, which the data controller is required to by law.

The right to withdraw consent

The right to withdraw consent is relevant in relation to support. When you request support, you may be asked to consent to the processing of your personal data for customer satisfaction analysis, screen sharing, and call analysis. If you choose to withdraw your consent, it does not affect the legality of our processing of your personal information based on your previously given consent and up to the time of withdrawal. If you withdraw your consent, it only takes effect from that point forward.

Please note that there are exceptions to these rights, and you may not always be able to exercise all of your rights. This is because, as public authorities, we often process personal data as part of our exercise of authority, and certain exceptions apply.

11. Complaint to the Danish Data Protection Agency

You have the right to file a complaint with the Danish Data Protection Agency (Datatilsynet) if you are dissatisfied with the way we process your personal information. You can find the contact information for the Danish Data Protection Agency at www.datatilsynet.dk

You are also welcome to contact the Danish Agency for Digital Government.

Here you can read the current version as well as earlier versions of the MitID privacy notice