Information on processing of personal data

Updated July 19, 2021

SSI (Statens Serum Institut) processes personal data about you in connection with the operation of the corona passport app. SSI is the data controller in connection with the processing of the personal data. Below, you will find more information about the personal data that are processed, why we process the data, and your rights in this respect.

The purpose of the app is to give you the possibility of easily and securely documenting and showing your personal, valid corona passport in Denmark and in connection with travel within the EU.

The download and use of the corona passport app is completely voluntary. The app and the data processed in this connection cannot be used to initiate measures, such as quarantine measures, against the users of the app. Nor can it be used for monitoring whether the users unlawfully gain access to places requiring a valid corona passport.

Creation and effect of the corona passport in the app

You can use your digital corona passport in the app when you have had the first dose or are fully vaccinated, if you have a negative COVID-19 test result, or if you have been infected with the COVID-19 virus.

When you use the app, data will be stored on your phone as to whether you are vaccinated against COVID-19, your test results, and any previous COVID-19 infection.

We use automated decision-making when creating and displaying your corona passport in the app on the basis of your data. You will get a valid corona passport in the following cases:

  • When you have had the first dose or are fully vaccinated with an approved COVID-19 vaccine.
  • If you have tested negative for COVID-19.
  • If you have been previously infected with the COVID-19 virus after having tested positive.

You can read more about how to obtain a valid corona passport and for how long it will be valid here:

Corona passport - where and how (coronasmitte.dk) (in Danish)

The effect of the decision as to whether you get a valid corona passport is whether you will gain access to the premises etc. that under Danish law require the presentation of a valid corona passport and whether you can travel within the EU or to other countries that accept the EU corona passport, as entry documentation regarding COVID-19 status.

You are not obliged to use the app or to get a corona passport. If you do not wish to use the app, you can get a physical corona passport instead if you comply with the conditions in this respect. For more information about the possibilities of getting physical documentation, please visit the page Corona passport.

Presentation of your corona passport in the app

When you use the app in Denmark, you do not have to disclose your data on vaccination, test results and previous infection to the official when the passport is checked. When you show your corona passport to anyone in Denmark, the app will indicate whether or not the corona passport is valid, but not why.

When you use the app in connection with travel, you are required to disclose more data when your passport is checked, including data on vaccination, test results and previous infection.

The app allows you to easily switch between two settings for use in Denmark and abroad, respectively, so that only necessary data are displayed.

Presentation of your children’s corona passport in the app

You can also access your children's corona passport in your app. You can access and display the corona passport for the child or children for whom you are registered as holding custody in the CPR register. However, this does not apply if name and address protection for the child has been registered in the Centralized Civil Register.

The display of your child's corona passport for control purposes functions in the same way as the display of your own corona passport.

The overall purpose of the corona passport app is to prevent and hinder the spread and infection of COVID-19. The purpose of the processing of personal data in the app is more specifically that the users of the app may obtain reliable, valid corona passports which they can present for verification of the validity of the passport and gain access to specific premises etc., including for border control in connection with travel.

The purpose of the processing of personal data in the Danish part of the corona passport app is described in section 1(2) of the Corona Passport Order, according to which the overall purpose is “to prevent and combat the spread and transmission of the coronavirus disease 2019 (COVID-19), and to support the reopening of society. In this connection, the solution aims to help ensure epidemic control by enabling users of the solution to present reliable digital evidence of their vaccination, test and recovery status so that they can access certain localities or travel to other countries by means of verification of the validity of their passport so that the risk of infection in this context is minimized”.

It further follows from section 1 and section 6(2) of the Corona Passport Order that SSI is not allowed to process data under the Order for other purposes than the purposes set out in the Order.

The purpose of the processing of personal data in the EU corona passport is described in Article 10 (2) of the Covid Certificate Regulation, under which the personal data in this part of the Corona passport app is processed solely for the purpose of accessing and verifying the information included in the certificate, in order to facilitate the exercise of the right of free movement within the Union during the COVID-19 pandemic.

Your personal data will therefore not be used for implementation of any measures against you. This means that information in the app will not become the basis for any orders on quarantine measures or other decisions.

The legal basis for the storage of and access to the personal data stored on your phone follows from you consent, see section 3(1)-(2) of the Cookie Order.

The legal basis for the additional processing of personal data carried out in connection with the corona passport app and the issuance of the corona passport follows from the Corona Passport Order, the COVID Certificate Regulation, Article 6(1), points (c) and (e) and Article 9(2), points (i) and (g) of the General Data Protection Regulation, cf. section 7(4) of the Danish Data Protection Act and the Danish Health Act section 222.

We process your CPR number (personal identification number) under the authority of section 11(1) of the Danish Data Protection Act when we use your NemID (common secure login on the Internet) in connection with the use of the app in order to unambiguously identify you.

The corona passport app processes the following personal data about you.

The following data are processed on your phone in connection with the use of the app:

  • Data regarding your name (surname(s) and first name(s)) and date of birth (non-sensitive personal data) as well as data about your COVID-19 vaccinations (sensitive personal data), including targeted disease or agent, vaccine/prophylaxis, vaccine pharmaceutical, holder of the marketing authorisation for the vaccine or the vaccine manufacturer, the number of a series of vaccinations/doses, the date of vaccination with indication of the date of the latest dose, Member State in which the vaccine has been given, the issuer of the certificate and a unique certificate identifier.
  • Data regarding your name (surname(s) and first name(s)) and date of birth (non-sensitive personal data) as well as data about your COVID-19 test and test results (sensitive personal data), including targeted disease or agent, test type, test name (optional in connection with NAAT tests), test manufacturer (optional in connection with NAAT tests), date and time of test, date and time of test result (optional in connection with quick antigen tests), test result, test centre or facility, Member State or third country in which the test was made, issuer of the certificate and a unique certificate identifier.
  • Data regarding your name (surname(s) and first name(s)) and date of birth (non-sensitive personal data) as well as data about your previous infection with COVID-19 (restoration) (sensitive personal data), including disease or agent from which the citizen has recovered, date of first positive test result, Member State or third country in which the test was taken, issuer of the certificate, date of validity, end date of validity (max. 180 days after the date of the first positive test result), a unique certificate identifier.

The following data will be processed at SSI:

  • NemID data: Your CPR number (personal identification number) and your PID number (a number "translatable" to your CPR number) (non-sensitive personal data).
  • Your CPR number (non-sensitive personal data).
  • The above list of data on vaccinations, tests and test results, as well as data on previous infection with COVID-19 (restoration) (sensitive personal data).

Personal data stored on your phone will be erased from your phone when:

  • You log out of the app; or
  • When data are renewed if you do not use the app actively or if you use the app on more than two mobile devices.

The data stored on your phone will also be erased from your phone if you withdraw your consent or if you delete the app.

The need for the app and the data collected will be assessed on an ongoing basis. If it is assessed that the app is no longer necessary, the processed data will be erased.

SSI collects personal data from the Danish Vaccination Register, which contains personal data on the vaccinations of Danish citizens. In addition, SSI receives personal data on COVID-19 test results and relevant data on test results from public and private treatment facilities, other independent enterprises, Regional Councils, Municipal Councils, and other operators in charge of testing individuals for COVID-19 infection.

We register your NemID data (your PID number and your CPR number) when you log in using the NemID app.

When you use your corona passport in the app and show it to an official in connection with checks of the corona passport, the official and the app will gain access to the data on your phone you choose to present via your QR code in the app. If the official scans your corona passport, the data disclosed to the official will not be stored on the official's device. When the official has to scan the QR code in connection with the control, the camera in the official's phone will gain access to scanning the QR code.

SSI uses data processors for the processing of the data:

The Danish Health Data Authority acts as the data processor for SSI for the storage and processing of personal data and the registration that takes place when you log in using the NemID. The Danish Health Data Authority uses sub-processors.

In connection with our processing of your personal data, you are entitled to:

  • Request access to the data that we process about you.
  • Request that incorrect data about you be rectified.
  • In certain cases, to have data about you erased.
  • In certain cases, to have the processing of data about you restricted.
  • In certain cases, to object to our lawful processing of data about you.
  • Complain to the Danish Data Protection Agency if you believe that we process personal data about you in breach of the data protection rules, see section 10 below.

You are also entitled to withdraw your consent to our storage of data in the app on your mobile device. You can do so in the app by selecting Menu > Processing of personal data. Here, you can withdraw your consent. You can also withdraw your consent by uninstalling the app. If you withdraw your consent, all the data stored will be deleted from your mobile device.

If you wish to exercise your rights, please contact us at [email protected]. For further information, please see the section below.

SSI can be contacted in the following ways:

Statens Serum Institut
Artillerivej 5
DK-2300 Copenhagen S
Tel.: 3268 3268
E-mail: [email protected]

If you have any questions about our processing of personal data or your rights in this connection, you can contact SSI via Borger.dk or by sending an e-mail to [email protected]. You can also contact our Compliance unit at [email protected], which mainly deals with questions about the processing of personal data.

The Danish Ministry of Health has a common data protection officer (DPO), Helle Ginnerup-Nielsen, who is employed in the Department of the Danish Ministry of Health. The tasks of the DPO include advice to the Ministry and the agencies on data protection and data protection rules. The DPO can be contacted by sending an e-mail to [email protected].

You can complain about issues relating to the corona passport to SSI.

You can complain about our processing of your personal data to the Danish Data Protection Agency (Datatilsynet). 

The Danish Data Protection Agency is an independent public authority which is responsible for monitoring compliance with the data protection rules in Denmark. You can find information about the Danish Data Protection Agency and the complaints procedure on their website www.datatilsynet.dk.

If you wish to complain, you should first of all contact us. This way we will be able to address your inquiry and possibly change the way in which we process your data.

If you use your corona passport in another country, including another EU country, you must be aware that the official or a relevant authority in the country where you use your corona passport is responsible for the processing of your personal data in connection with the control. The control of the corona passport is furthermore subject to the country's rules on the processing of personal data.

We therefore recommend that familiarize yourself with who is responsible for the processing of your information in connection with controls in country in question, as well as you familiarize yourself with the rules of the country in which you would like to use the corona passport. If the control takes place in an EU country, the control will be covered by the rules in the COVID Certificate Regulation and the Data Protection Regulation.

The Corona Passport Order (the Order no. 1521 of 30 June 2021 on the processing of personal data in the digital solution Coronapas):

The Corona Passport Order (retsinformation.dk) in Danish

The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation):

The General Data Protection Regulation (europa.eu)

The Danish Data Protection Act (Act No. 502 of 23 May 2018 on Supplementary Provisions to the Regulation on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data):

The Danish Data Protection Act (retsinformation.dk) in Danish

The COVID Certificate Regulation (Regulation (EU) 2021/953 of the European Parliament and of the Council of 14 June 2021 on a framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID-19 pandemic):

The COVID Certificate Regulation (europa.eu)

The COVID Certificate Order regarding Third-country Nationals (Regulation (EU) 2021/954 of the European Parliament and of the Council of 14 June 2021 on a framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) with regard to third-country nationals legally staying or residing in the territories of Member States during the COVID-19 pandemic):

The COVID Certificate Order regarding Third-country Nationals (europa.eu)

The Danish Health Act (Statutory Order no. 903 of 26 August 2019 of the Health Act with subsequent amendments):

The Danish Health Act (retsinformation.dk) in Danish