Siden er ikke tilgængelig på det valgte sprog
Siden er ikke tilgængelig på dit ønskede sprog. De tilgængelige sprog er nævnt nedenstående.
The page is not available in the selected language
Unfortunately, the page is not available in the selected language. The page is available in the languages listed below.

Privacy notice

Version 1. 4

Information about our processing of your personal  data, etc.

Introduction

This privacy notice for MitID describes how the Danish Agency for Digital Government processes your personal data in connection with the use of MitID, and your rights in that regard.

If you are a business user and is using a separate MitID for business, you are referred to the privacy notice for MitID Erhverv at mitid-erhverv.dk.

1. We are the data controller - how to contact us?

The Danish Agency for Digital Government is acting as data controller for the processing of your personal data.

You will find our contact information below:

The Danish Agency for Digital Government
Landgreven 4
1301 København K
CVR no..: 34 05 11 78
Phone: +45 33 92 52 00
Mail: digst@digst.dk

2. Contact information of the Data Protection Officer

The Ministry of Finance has appointed a Data Protection Officer who provides guidance on the data protection regulation within the area of the Ministry of Finance. The task of the Data Protection Officer is to support the Ministry of Finance's compliance with the rules on the processing of personal data.

The Data Protection Officer can guide you on your rights in connection with the processing of your personal data within the area of the Ministry of Finance. If you wish to contact the Data Protection Officer by email, please do not include your CPR number or other sensitive/confidential information in the correspondence.

The Danish Agency for Digital Government
Att.: Data Protection Officer
Landgreven 4
1301 København K
dpo@digst.dk

3. Purpose and legal basis of the processing of your personal data

The purpose of the Danish Agency for Digital Government's processing of your personal data is:

  • Issuance, administration and, utilisation of MitID to be able to access digital services

The legal basis for our processing of your personal data is based on:

  • Law on MitID and NemLogin (law no. 783 May 4th, 2021, regarding MitID and NemLog-in) and the EU General Data Protection Regulation Article 6, para 1, litra e, related to the processing of ordinary personal data and the Danish Data Protection Act § 11, para 1, litra 1, related to the processing of personal identification number (CPR.no.).

The Danish Agency for Digital Government does not process your personal data for purposes that are not related to the issuance, administration and use of MitID.

4. Categories of personal data

We are processing the following categories of personal data about you:

  • Full name (mandatory)
  • Date of birth (mandatory)
  • User ID (mandatory)
  • Contact information
    - Email address (optional)
    - Mobile phone number (mandatory when using the MitID app)
    - Address of residence (retrieved automatically from CPR)
    - Postal address (optional)
  • Information about the identification documents used when getting MitID
  • Pseudonymised value of identification number, e.g. passport number, driving license number or residence permit number
  • Data used for verification of an identity or reactivation of a temporarily blocked authenticator through MitID app:
    - Photo and personal data from the photo page in a passport (or other ICAO compatible identification).
    - Video for detection of whether a real face is used (liveness) for verification.
    - 3D facial recognition attributes.
  • Risk data
    - Log-in location information, the device used for log-in, network information and identity and recent usage information.
  • Authentication response
    - contains your name, your unique identification key, unique session ID, your used session identifiers, risk data, and other attributes in the form of contact data, identity data, and authentication data.
    - Contains your name, your unique identification key, unique session-ID, your utilised authenticators in the session, risk data and further attributes in form of contact data, identification, and authentication data.
  • Information from The Danish Civil Registration System (CPR)

4 A. Witnesser

  • If you are a witnesser for a person applying for MitID
    - Information about witnesses include e.g. identification document type, identification document number, The Danish Civil Registration System number (CPR), Danish Central Business Register number (CVR) and witnesser type

5. Recipients or categories of recipients

We transfer or hand over your personal information to the following recipients:

In certain cases, the Danish Agency for Digital Government may be obliged to transfer information to other public authorities. The transfer will be limited to the personal data necessary for the exercise of authority.

Nets DanID is the Supplier of the MitID-solution and is acting as data processor on behalf of the Danish Agency for Digital Government in this regard.

RA’s are acting as registration units and sub processors in the MitID solution.

The Danish Agency for Digital Government passes on information about risk data and authentication responses about the specific and individual transaction to a public authority or a company in the role of MitID Broker for validation and securement of appropriate level of security.

In some cases, MitID Brokers may also be acting as sub processors in the MitID-solution.

The Danish Agency for Digital Government has assigned data processors, who will be providing support related to maintenance and administration of IT services related to the MitID solution.

The Danish Agency for Digital Government discloses IP-adresses, URL for visited websites including timestamps (related to an IP-adress), geographic position based on IP-adress and information about browser version/engine, and operating system version/engine to Akamai Denmark (Akamai Technologies Denmark ApS, CVR 36 02 66 50). This is done for purposes of traffic and security analysis of MitID as a part of the continuously improvement of their solution in order to avoid cyberattacks on MitID, and for problem resolution and support. This is in particuler to ensure that Akamai Denmark is able to provide their service accordingly.

6. Transfer to recipients in third countries, including international organizations

In general, we do not transfer your personal information to recipients outside the EU and the EEA.

Please notice if your MitID is issued in Greenland: When transferring personal data to Greenland, the legal basis is standard data protection clauses pursuant to EU General Data Protection Regulation Article 46, para 1, litra c).

The Danish Agency for Digital Government uses the sub-data processor, InnoValor Software B.V, to process personal data read from a passport that has not been issued in Denmark when verifying your identity in the MitID app or in case you need support via telephone. Data that are processed by InnoValor for the purposes of verification will be stored at a maximum of 15 minutes, after which they are deleted by InnoValor. The InnoValor solution is hosted on an Amazon Web Services (AWS) cloud-platform in Ireland. AWS does not have technical access to any personal data in clear text as data are encrypted by using strong encryption. In case it is necessary for AWS to disclose personal data (encrypted) in order to comply with a legal obligation under law or order from a public authority in USA, personal data cannot be disclosed by AWS in clear text, as the encryption key is unavailable for AWS.

7. Collection of your personal data

The RA (registration authority) or bank, where you submitted your request for issuing of MitID, is collection your personal data for this specific purpose directly from you.

If you are ordering an authenticator online prior to or in connection with your registration as MitID user, your personal data is collected directly from you. Your personal data is also collected directly from you if you use the MitID app to complete verification of your identity.

In connection with administration of your utilisation of MitID, your data is synchronized with your CPR-information on an ongoing basis. Your optional extra information related to postal address, email address and mobile phone number is kept updated by means of your registered updates to this information.

As part of the processing of your personal data, information is also obtained from central public registers like the passport/driver’s license registry, CPR registry and the Danish address registry.

8. Storage of your personal data

The Danish Agency for Digital Government stores and processes your personal data for as long as is necessary in relation to the stated purpose of the processing.

When verifying an identity through the MitID app, personal data from registration of liveness and 3D face recognition, as well as personal data from the photo page in a passport (or other ICAO compatible identification) that has not been issued in Denmark, is stored encrypted for a maximum of one day, after which the data is deleted. Personal data from the photo page in a passport issued in Denmark is stored encrypted in temporary memory while the session is active, and for a maximum of one hour, after which the data is deleted.

9. Processing of personal data in connection with the support of MitID

The Danish Agency for Digital Government is also data responsible for any personal information processed about you if you contact MitID Support. MitID Support helps users find information about MitID and how to use the MitID solution. With MitID Support, users can get help via telephone, e-mail and screen sharing.

The purpose of The Danish Agency for Digital Government’s processing of personal data when users contact MitID Support is:

To provide support in connection with the use of MitID.

The legal basis for our processing of your personal data is based on:

  • The legal basis for our processing of your information in connection with inquiries by
    telephone or e-mail is based on the EU General Data Protection Regulation Article 6, para 1, litra e, related to the processing of ordinary personal data in the exercise of public authority.
  • The legal basis for processing your information in connection with screen sharing and/or phone recordings follows Article 6 of the Data Protection Regulation, para 1, litra a, on consent.
  • The legal basis for our processing of your information, if you enter your CPR number in the support's telephone menu, is section 11 of the Data Protection Act, para 1, for processing of CPR.

In connection with screen sharing, the supporter will be able to see the personal information that may appear on the page where you need support.

You can withdraw your consent at any time.

As far as possible, we will forward e-mails to the appropriate authority that have been sent
incorrectly to MitID Support.

Retention of your personal information in connection with MitID support

  • With consent, the telephone call is recorded and stored for 30 days, after which it is deleted. The telephone call is recorded to contribute to education of supporters and quality assurance.
  • If you choose to enter your CPR number in the support telephone menu, your CPR number will be visible to the supporter when your call comes through. Your CPR number will not be saved and will disappear from the supporter's screen when the call ends.
  • In the telephone system, data about the calls are deleted after 90 days (data includes phone number, date and time for the call, call length, selections in telephone menu, possibly recalls, waiting time and name of supporter).
  • For statistical purposes, data is stored anonymized for up to 5 years.
  • By agreeing to screen sharing via the screen sharing tool, the video session is saved for 90 days, after which it is automatically deleted. The session is recorded to contribute to education of supporters and quality assurance.
  • All written inquiries are stored for 6 months and then deleted.
  • All written inquiries that MitID Support forwards to another authority are journalized and stored, including complaints.

10. Your rights

Under the Data Protection Regulation, you have certain rights in relation to our processing of information about you.

If you want to make use of your rights, you need to contact us.

Right to view information (right of access)

You have the right to access the information we process about you, as well as some additional information.

You can at any time see the personal information that the Danish Agency for Digital Government has registered about you. This is done via self-service on MitID.dk. You can also get an automatic GDPR-report, where you can access the information that has been registered about you in MitID.

If you do not have access to MitID self-service, you can send a request for insight to the Danish Agency for Digital Government:

You can contact the The Danish Agency for Digital Government in one of the following ways:

  • Send Digital Post to the Danish Agency for Digital Government
  • Ordinary letter by post to the Danish Agency for Digital Government, Landgreven 4, 1301 Copenhagen with the title "Processing of MitID Personal Information".

Right to correction

You have the right to have incorrect information about yourself corrected.

You can change your e-mail address and mobile phone number at any time via self-service on MitID.dk. When correcting other information that may be incorrect, such as errors in civil
registration information, you must contact Citizen Service.

Right to erasure

The Danish Agency for Digital Government stores and processes your personal data for as long as is necessary in relation to Issuance, administration and, utilisation of MitID to be able to access digital services.

You can always delete or request to have information about your e-mail address, alternative
postal address and / or mobile number deleted. However, if you are utilising the MitID app, you must be aware that if you delete your mobile number, you will no longer be able to use the MitID app.

Right to restriction of processing

In certain cases, you have the right to have the processing of your personal data restricted.

If you have the right to have the processing restricted, we may only process the information - apart from storage - with your consent, or for the purpose of establishing, enforcing or defending legal claims, or to protect a person or important public interests.

However, limiting the processing of your personal data may mean that you cannot use MitID. If you want to request a restriction on the processing of your personal data, you must contact the Danish Agency for Digital Government. See contact info below.

Right to object

In certain situations, you have the right to object to the processing of the personal data that the Danish Agency for Digital Government has registered about you.

You can contact the Danish Agency for Digital Government in one of the following ways:

  • Send Digital Post to the Danish Agency for Digital Government
  • Ordinary letter by post to the Danish Agency for Digital Government, Landgreven 4, 1301 Copenhagen with the title "Complaint about the processing of MitID Personal Data".

Right to transmit information (data portability)

This right does not apply to MitID, as the processing takes place as part of the exercise of authority, which the data controller is required to by law.

11. Complaint to the Danish Data Protection Agency

You have the right to lodge a complaint with the Danish Data Protection Agency if you are
dissatisfied with the way we process your personal data. You will find the Danish Data Protection Agency's contact information at www.datatilsynet.dk.

You can also contact the Danish Agency for Digital Government.