The Capital Region of Denmark collects and processes personal data in a manner that ensures protection of your privacy. The common regional information security policy is the framework of the region's own policies, guidelines etc. on information security.
The Capital Region of Denmark is responsible for a number of essential functions, including operating hospitals and patient treatment. Therefore, in cooperation with relevant national bodies, the region monitors its digital infrastructure and processes personal data for security purposes.
Data transmission to recipient countries outside the EU and EEA
The Capital Region of Denmark transmits personal data to recipients outside the EU and EEA in situations where it is appropriate and where it helps ensure you the get best possible course of treatment. Transmission includes both actual transmission of personal data and read-only access for support.
The Capital Region of Denmark works with researchers abroad in many contexts. Before the Region initiates research with collaboration partners in third countries, it ensures that the rules for the specific type of research are followed, and that it is legal to transmit personal data to the relevant country outside the EU and EEA.
Transmissions to third countries always depend on a specific assessment in accordance with Part 5 of the General Data Protection Regulation.
Data transmission by the Capital Region of Denmark to recipient countries outside the EU and EEA
The Capital Region of Denmark secures the basis for transmission by using standard EU contracts, and by observing supplementary technical and organisational measures.
The patient record system (Sundhedsplatform) for the Capital Region of Denmark is operated on servers located in Denmark, in which data is stored and processed. For support purposes, personal data is transmitted to the system supplier, EPIC, in the US.
The Capital Region of Denmark transmits data to third countries in connection with the use and support of different types of medico-technology e.g. Latitude, which is included in treatment for heart patients who have received a pacemaker/ICD, Abbott pacemaker/ICD, and Panther Link. Furthermore, the region transmits X-ray images sent for analysis to countries outside the EU and the EEA.
The Capital Region of Denmark uses a number of systems which use public cloud services (Microsoft Azure and Amazon Web Services (AWS)) for transmissions to countries outside the EU/EEA.
These systems are used to a very limited extent in patient treatment: Examples include: Care Orchestrator, which is used in the treatment of patients with respiratory diseases, Tidepool and Glooko, which are used in the treatment of patients with diabetes, Carelink, which is used to monitor patients at home who have a pacemaker/ICD, Cochlear Link, which is used to synchronize hearing settings for patients with cochlear implants, and AIDOC, which is used to help in decisions regarding identification of injury on X-ray images.
In research, the region uses Cortrium APEX, for example, for ECG measurements and diagnostics of cardiac problems.
The region also uses public cloud-based systems for administration, personnel and training, e.g. Microsoft O365, the HR-manager recruiting system, the Optima shift-planning system, Kursusportalen, and SimCapture, which is used in simulation training for clinicians.
We will notify you as quickly as possible should there be a personal data security breach which we determine entails a high risk to your rights, including discrimination, identity theft or fraud, financial loss, damage to reputation or social consequences.
We are obligated to inform you of your rights when we process your personal data. For example, you have:
- The right to access information regarding the region's processing of your personal data
- The right to correct incorrect personal data about you
- The right to restrict the processing of your personal data (e.g. if the accuracy of the data is unclear)
- The right to object
- The right to have your personal data stored by the region erased. However, note that, as a public authority, we are required to be able to document the basis on which we have based a ruling or a decision, and therefore we only have limited access to erase personal data.
Contact the Capital Region of Denmark if you are dissatisfied with the way in which we process your personal data.
You can also lodge a complaint directly with the Danish Data Protection Agency if you believe that the Capital Region of Denmark is processing your personal data contrary to data protection legislation. You should always contact the Capital Region of Denmark first.
The region's websites contain links to other websites. The region is not responsible for the content on those websites.