Spring til indhold

Processing of personal data

The Danish Patient Safety Authority processes personal data about you in connection with the operation of the smitte|stop app. Below you will find further information about our processing of the personal data collected, why we collect the data and what your rights are.

The Danish Patient Safety Authority is the data controller and can be contacted in the following ways:

Styrelsen for Patientsikkerhed Islands Brygge 67
DK-2300 Copenhagen S
Tel.: 72 66 28 00
Email: stps@stps.dk

1. PURPOSE AND VOLUNTARY USE

The purpose of the app is to enable you to notify persons you have been in close contact with if you become infected with novel coronavirus (COVID-19). You can also be notified by others that you have been in close contact with a person who is infected with COVID-19. The purpose of the app is to make infection tracing faster and easier through the following:

  • It is possible for you to notify contacts you do not know.
  • You can notify contacts you cannot immediately remember yourself.
  • The process is faster, as the notification can be done directly from the infected person to the contacts without any other human interference.

Smitte|stop is also part of a European collaboration that allows for the official contact tracing apps in European countries to function together. This collaboration is called the “European Federation Gateway Service (EFGS)”. You can find more information about the EFGS here.

Downloading and using smitte|stop is completely voluntary. This means that you cannot be forced to use the app, and you will not be disadvantaged if you do not use the app. The app or data processed in this connection cannot be used to implement measures such as quarantine against users of the app. Even if you do not use the app, the Danish Patient Safety Authority can still help you with infection tracing.

When you use the app, other citizens or the Danish Patient Safety Authority cannot see who you are, where you have been, or who you have been in close contact with. Nor can you see or obtain information about the citizens that you have been in close contact with.

2. HOW SMITTESTOP WORKS

2.1 Contact registration

When you use the app, the Bluetooth connection on your smartphone is used to detect and store IDs of other users with the app installed that you are in close contact with. The app is based on a technology (APIs) developed by Google and Apple. You can read more about the technology here: Privacy-Preserving Contact Tracing and Exposure notifications.

Neither the Danish Patient Safety Authority nor other users of the app can see who you are, who you have been in contact with or when and where the contact has occurred. To ensure that other citizens or the Danish Patient Safety Authority cannot see who you are, your ID is regularly updated every 10 to 20 minutes. This ID is called your ‘rolling system-generated ID’. The reason why the ID is constantly updated is to make it extremely difficult to link the registered IDs on different phones and thus gain insight into contact patterns. The reason for this is that the app is designed so that it cannot be used to monitor users of the app, including the persons they are in contact with. Nor is it possible to see where users of the app are located.

You can read more about how the app works on our Q&A page.

2.2 Option of voluntarily disclosure of infection (infection notification)

If you test positive for novel coronavirus, you may voluntarily notify the other users of the app that you have been in close contact with. Users that you have been in close contact with will not be informed that you are the infected person.

To notify others, you must access the app by logging in with NemID, after which the Danish Patient Safety Authority performs a so-called infection verification. This means that, based on your NemID information, the Danish Patient Safety Authority will check who you are and that you are currently confirmed as positive for novel coronavirus. For this purpose, we receive information from Statens Serum Institut about who are currently infected with COVID-19. Once it has been verified that you have been infected, users who have been in close contact with you and who meet the criteria listed below will then receive a notification in the app that they have been in close contact with a person infected with COVID-19.

Only users who meet the following criteria will receive an infection notification:

  • The contact lasted for more than about 15 minutes (calculated based on the duration)
  • The distance between you was less than about one metre (calculated based on the signal strength of the Bluetooth connection)
  • The contact occurred within the period in which the infected person is expected to be infectious, i.e. within two days before and until eight days after the symptoms started, or that the person was tested if the person has not had symptoms (calculated based on the date from symptom onset and the time of the contact).

To assess whether the criteria have been met, the app calculates the information from the underlying contact registration. To calculate, for example, whether the distance was less than about one metre, the signal strength measurements are translated into an approximate distance.

When an infection notification is sent, it may, in exceptional cases, be possible to deduce who the sender of the infection notification is. This may be the case if a person is only in close contact with one person or very few other persons, and one of these persons sends an infection notification. This makes it possible to deduce that a specific person has sent the notification. However, this will not occur during normal use and it requires that you are almost completely isolated from other people and have only very few contacts during a day.

2.3 Option of receiving information about infection risk

In the same manner, you can receive a notification if you have been in contact with a user of the app who chooses to send infection notifications and you meet the above criteria. You will not get information about who you have been in contact with or the time of contact. The information that you have been in close contact with an infected person does not constitute a diagnosis of you or confirmation that you have been infected, but rather that you have been exposed to an infection risk.

If you receive an infection notification, you will also receive information about what to do. The information you receive in the notification will follow the health authorities’ current recommendations for how persons who have been exposed to a COVID-19 infection risk should act. The information is for guidance only, and it is voluntary for you whether you choose to follow it. As such, no measures can be taken against you if you do not follow the guidelines. However, the Danish Patient Safety Authority will encourage you to act in accordance with the guidelines.

You can read more about how smitte|stop works and the underlying technology here.

2.4 Sharing of information with the European Federation Gateway Service

Smitte|stop is part of the European Federation Gateway Service (EFGS). This means that when you report yourself as infected in Smitte|stop your rolling ID’s are also uploaded to the EFGS and distributed to the app users of other European contact tracing apps. Smitte|stop in turn receives the ID’s of users from other countries contract tracing apps.

EFGS is a service that allows for sharing of information between European contract tracing apps, and it is provided by the European Commission. The Danish Patient Safety Authority acts as a joint controller along with the other participating countries for the data processed in the EFGS.

A list of the joint controllers can be found here.

3. WHAT IS THE PURPOSE OF OUR PROCESSING OF PERSONAL DATA?

The purpose of the app is to prevent and contain the spread of COVID-19 by breaking chains of infection when it has been confirmed that a user of the app has COVID-19. The app’s purpose is to contribute to breaking chains of infection by alerting persons who have been in close contact with users with a confirmed COVID-19 infection and who are therefore at risk of being infected with COVID-19.

The purpose of the processing of personal data is described in section 1 of the Executive Order on the processing of electronically registered contacts in order to prevent and contain the spread of coronavirus (COVID-19)(‘the Executive Order’).

The Danish Patient Safety Authority can also use the data for statistical purposes to provide information, at an aggregated and anonymised level, about how many people have downloaded the app and how many people choose to give infection notifications to close contacts in the app. We use this information to evaluate the effect of the app. The personal data cannot be processed for purposes other than to support the Danish Patient Safety Authority’s infection tracing and for current evaluation of the effect of the solution, see section 1(2) of the Executive Order.

Your personal data will not be used to impose measures against you. This means that data collected through the app will not be used as a basis for ordering you to go into quarantine or other legal decisions.

4. LAWFULNESS OF PROCESSING OF PERSONAL DATA

The legal basis for storing and accessing the personal data stored on your phone is based on your consent, see section 3(1) and (2) of the Executive Order on Cookies. This consent only covers access to and storage of data on your phone.

The legal basis for the additional processing of personal data on the phone in connection with the contact registration and the calculation of infection risk as well as our processing of personal data in connection with infection verification and notification is based on the Executive Order on the processing of electronically registered contacts in order to prevent and contain the spread of coronavirus (COVID-19), Article 6(1)(e) and Article 9(2)(i and (g) of the General Data Protection Regulation as well as section 7(4) of the Danish Data Protection Act (Databeskyttelsesloven).

We process your civil registration number in accordance with section 11(1) of the Danish Data Protection Act when you use your NemID in connection with infection verification so that we can identify you unambiguously.

5. WHAT PERSONAL DATA ARE PROCESSED AND FOR HOW LONG ARE THEY STORED?

Smitte|stop processes the following personal data about you:

The following data are processed on your phone in connection with use of the app:

  • Your rolling system-generated ID (ordinary personal data)
  • The rolling system-generated ID on phones you have been near (ordinary personal data)
  • Data on infection notifications received (ordinary personal data)
  • If you provide information about this in connection with the sending of an infection notification: Information regarding the presence of symptoms of COVID-19, including information about symptom onset date (ordinary personal data).

The following data are processed by the Danish Patient Safety Authority:

  • In connection with the sending of an infection notification:

    • NemID data: Your civil registration number and your PID number (a number that can be ‘translated’ into your civil registration number (ordinary personal data)
    • Information regarding your rolling system-generated IDs for the past 14 days (ordinary personal data). These ID’s are also uploaded to the European Federatation Gateway Service.
    • Information regarding countries you have visited in the past 14 days if you provide this information during the infection notification process
    • The number of infection status verifications you have sent in the past 24 hours (ordinary personal data).
  • In connection with collection of data from Statens Serum Institut:

    • Your civil registration number (ordinary personal data)
    • Information about positive infection with COVID-19 (sensitive personal data)
    • Time of testing (ordinary personal data)
    • Date of onset of symptoms (ordinary personal data).
  • The following data are processed in the European Federation Gateway Service:

    • Information regarding your rolling system-generated IDs for the past 14 days (ordinary personal data). These ID’s are also uploaded to the European Federatation Gateway Service.
    • Information regarding the country of origin of the rolling system-generated IDs
    • Information regarding countries you have visited in the past 14 days if you provide this information during the infection notification process

Data collected in connection with login with NemID are erased after 24 hours, see section 6(1) para (1) of the Executive Order. Data collected from Statens Serum Institut are erased in line with Statens Serum Institut’s assessment that the infection status is no longer relevant, see section 6(1) para (3) of the Executive Order. Data on the number of infection status verifications are erased after 24 hours, see section 6(1) para (2) of the Executive Order. Data processed in the European Federation Gateway are deleted after 14 days, see section 8 of the Executive Order.

The necessity of the app and the data collected is evaluated on an ongoing basis. If it turns out that the app is no longer necessary, all the collected data will be erased.

6. WHAT ARE THE SOURCES OF YOUR DATA?

We process both data you send us yourself and data we collect from others.

The Danish Patient Safety Authority receives from Statens Serum Institut a list of persons currently infected with COVID-19. The Danish Patient Safety Authority receives this list to enable it to verify the infection status if you report that you are infected via the app.

In addition, we receive your rolling system-generated IDs if you choose to send an infection notification. These IDs are stored on your phone and are automatically generated by the app when it is used.

We register your NemID details (your PID number and civil registration number) when you log in with NemID in connection with infection status verification.

7. DISCLOSURE OF PERSONAL DATA TO OTHERS

As part of the supporting interoperability we transfer information regarding your rolling system generated IDs to the European Federation Gateway, see section 5(5) of the Executive Order. From here, the other participating countries will receive the information.

We may disclose your data to the Danish National Archives in accordance with the Danish Archives Act (Arkivloven).

The Danish Patient Safety Authority uses data processors to process the data:

  • The Danish Digitisation Agency acts as data processor for the Danish Patient Safety Authority in connection with the storage of your rolling system-generated IDs when you choose to send an infection notification. The Danish Agency for Digitisation uses the sub-processor Netcompany for the processing of personal data.
  • The Danish Health Data Authority acts as a data processor for the receiving of data from Statens Serum Institut and for the data registration that occurs when you log in using NemID. The Danish Health Data Authority uses Trifork as sub-processor.

8. YOUR RIGHTS

You have the right to request:

  • to see what data we process about you (right of access)
  • to have inaccurate or misleading data corrected (right to rectification);
  • to have data erased (right to be forgotten)
  • to have the processing of data stopped (right to restriction of processing)
  • to object to otherwise lawful processing (right to object).

You also have the right to withdraw your consent to storage of data on your phone. You can do this in the app by choosing Menu > Behandling af personoplysninger (Processing of personal data). Here you can withdraw your consent. You can also withdraw your consent by uninstalling the app. If you withdraw your consent, all stored data will be erased from your phone.

If you wish to exercise your rights, you must contact us by sending an email to informationssikkerhed@stps.dk. If you need to send us sensitive or confidential information you should contact us through eBoks instead. Here you can send a message and choose “Styrelsen for Patientsikkerhed” as recipient.

We will answer your request as soon as possible and within 30 days at the latest. In certain cases, it may be necessary to receive confirmation of your identity or further information from you before we can answer your request. We do this to ensure that we disclose personal data to the right person and not to someone pretending to be you.

You are also welcome to contact our Data Protection Officer by sending an email to databeskyttelse@sum.dk. Our Data Protection Officer is a joint data protection officer for the whole organisation of the Ministry of Health, and we would therefore request that you state in your inquiry that it concerns the Danish Patient Safety Authority.

9. HOW TO COMPLAIN

You may complain about our processing of your personal data to Datatilsynet.

The Danish Data Protection Agency is an independent authority which supervises compliance with the data protection rules in Denmark. You can find information about the Danish Data Protection Agency and how to complain on the Agency’s website.

If you wish to complain, you should first contact us. We will then have an opportunity to consider your inquiry and possibly change the way in which we process your data.

10. RELEVANT LEGISLATION

Executive Order on the processing of electronically registered contacts in order to prevent and contain the spread of coronavirus (COVID-19).

The Danish Data Protection Act and the General Data Protection Regulation.