Your rights when the Region processes data about you

Right to be informed, when we process data about you (obligation to inform)

You have the right to be informed about the below-mentioned information, depending on whether the Region collects the information directly from you, or collects information from others.

When we receive personal data from you

When we receive personal information directly from you, the Region is obliged to inform you of the following:

1. Name and contact details on the data controller.
   The North Denmark Region is the data controller in relation to the information, which we process about you. The contact details of the Region are:
   
   The North Denmark Region
   Niels Bohrs Vej 30
   9220 Aalborg Oest
   
   CVR-nr.: 29190941
   
   Telephone: + 45 97 64 80 00
   
   Mail: region@rn.dk
   
   
2. Contact details (name, telephone number, e-mail address) of the Data Protection Officer.
3. The purposes of the processing of the information.
4. Description of the rules, which give the Region the right to process information about you.
5. Description of any recipients or categories of recipients of information about you.
6. Inform you, if the information about you will be transferred to a third country or to an international organization.
7. Inform you of the period during which the personal data will be stored, or the criteria used to determine this period.
8. The right to access.
9. The right to request rectification.
10. The right to request for deletion.
11. The right to request the restriction of processing of personal data.
12. The right to object to the processing of personal data.
13. The right to withdraw a consent.
14. The right to complain to the Danish Data Protection Agency.
15. Implementation of any automatic decisions (including profiling).
16. If you have an obligation to inform the Region of your personal data, the Region must inform you of this obligation. You must be informed about the legal basis and the consequences, if we are not provided with the necessary information.

Deadlines for fulfilling our obligation to inform

We shall provide you with the above-mentioned information at the time the personal data are collected about you or as soon as possible thereafter.

Exceptions to the obligation to provide information

In very rare cases, we shall not inform you about the processing of your personal data. This may be the case, for example, if you already know the information, which we process, or if there are decisive considerations in relation to public or private interests, which do make it inappropriate.

Further processing for other purposes

When the Region processes information about you, we do it for a specific purpose. If we want to process information for other purposes, we shall only do this if it is provided for by law.
If we process your data for another purpose than what we originally collected it for, we shall inform you before we start the further processing.

When we process personal data from others

When we receive your personal data from others, we shall inform you of the following:

1. Name and contact details on the data controller.
   The North Denmark Region is the data controller in relation to the data, which we process about you. The contact details of the Region are:
   
   The North Denmark Region
   Niels Bohrs Vej 30
   9220 Aalborg Oest
   
   CVR-nr.: 29190941
   
   Telephone: + 45 97 64 80 00
   
   Mail: region@rn.dk
   
   
2. Contact details (name, telephone number, e-mail address) of the Data Protection Officer.
3. The purposes of the processing of the information.
4. Description of the rules, which gives the Region a right to process information about you.
5. Description of any recipients or categories of recipients of information about you.
6. Inform you if the data about you will be transferred to a third country or to an international organization.
7. Inform you of the period during which the personal data will be stored, or the criteria used to determine this period.
8. The right to access.
9. The right to request rectification.
10. The right to request for deletion.
11. The right to request the restriction of processing of personal data.
12. The right to object to the processing of personal data.
13. The right to withdraw a consent.
14. The right to complain to Danish Data Protection Agency.   
15. Describe from where the personal data have been collected and if relevant if they have been collected from other public sources.
16. Implementation of any automatic decisions (including profiling).

Deadlines for fulfilling our obligation to inform

When we collect data about you from others, we shall comply with three deadlines – depending on for which purpose we use the data:

• The Region shall fulfill the obligation to inform you within a reasonable time (normally within 10 working days) after the collection of your personal data
• If we need the data in order to communicate with you, we shall fulfill our obligation to inform at the latest when we communicate with you for the first time.
• If we shall transfer the data to another recipient, we shall fulfill our obligation to inform, when we transfer the data at the latest.
• We shall fulfil our obligation to inform you within one month at the latest.

Exceptions to the obligation to inform

In very rare cases we shall not inform you about the processing of your personal data. This may be the case, for example, if you already know the information, which we process, or if there are decisive considerations in relation to public or private interests, which do make it inappropriate.

Further processing for other purposes

When the Region process information about you, we do it for a specific purpose. If we want to process information for other purposes, we shall only do this if it is provided for by law.
If we process your data for another purpose than what we originally collected it for, we shall inform you before we start the further processing.

If you wish further information concerning the obligation to inform

You can read more about the obligation to inform at the website of Danish Data Protection Agency. Alternatively you can call + 45 61 55 55 55 (week days between 9-14) or write an e-mail to the Data Protection Officer in the North Denmark Region with Digital Post.

You have the right to access information we process about you as well as a number of additional information.
You may be informed if the Region process information about you. Furthermore, you may receive a copy of the information, which the Region processes about you upon request.

In addition, the Region has an obligation to inform you of the following:The purposes of the processing of the information.

1. Description of the rules, which give the Region the right to process information about you.
2. Description of the categories of personal data, which are processed about you.
3. Who receives the personal data about you.
4. Inform you if the information about you will be transferred to a country or to an international organization outside the EU/EEA.
5. Inform you of the period during which the personal data will be stored, or the criteria used to determine this period.
6. The right to request rectification.
7. The right to request for deletion.
8. The right to request the restriction of processing of personal data.
9. The right to object to the processing of personal data.
10. The right to complain to Danish Data Protection Agency.
11. Any available information as to where the information comes from, if they have not been collected from you.
12. Implementation of any automatic decisions (including profiling).

Restrictions to the right to access

You should be aware of the fact that your right to access may be restricted due to decisive considerations to public or private interests.

Furthermore, you will not have a right to access information, which are solely processed for scientific or statistical purposes. The right to access may also be restricted if the information may be exempted from the right to access according to law.

Deadlines and administrative appeal

We are obliged to respond to your request for access as soon as possible and within one month following you request at the latest.

If your request is very complex, the deadline may be extended with further two months. If we extent the deadline, we shall inform you one month following your request at the latest. We also have an obligation to inform you of the reasons for the extension of the deadline.

If we cannot meet your request, we shall inform you immediately and at the latest one month after receiving your request. If we cannot meet your request, you may complaint to Danish Data Protection Agency.

Your possibility for access is free

Principally, it is free to request access. However, the Region may charge a fee in relation to the administrative costs in the case of repeated or exaggerated requests for access.

How to use your right to access

You can read more about the right to access at the website of the Danish Data Protection Agency.

If you want to know, whether the North Denmark Region processes information about you, you may call the Region’s Data Protection Officer on + 45 61 55 55 55 (week days between 9 and 14) or write an e-mail to the Data Protection Officer in the Region with Digital Post (Login with MitID).

In order to be able to handle your request about access, we need, as a minimum, the following information:

• Name, cpr. number
• Contact details (address and telephone number)
• Power of attorney if you request access on behalf of others (for example if you request access on behalf of a family member)
• If you request access on behalf of a deceased, you shall inform us of your relation with the deceased as well as your contact details, preferably both telephone number and e-mail address

If possible, we would further wish for:

• A delimitation in relation to at which hospitals or which departments the relevant person may have been    
• A time limit - preferably date and year - for the period for which you want access    
• Information about whether you are or have been employed at the North Denmark Region

The information, which the North Denmark Region has about you, must be correct and up-to-date. If we have incorrect information about you, you have the right to have them corrected. As a public authority, we must be able to document what we are doing in relation to the processing of your information. Often, the correction will be done by attaching a supplementary note with the correct information to your case.

If we receive a request for the correction of information from you, we will as far as possible, inform those persons who have received false personal information about you.

Deadlines and administrative appeal

We have an obligation to respond to a request for the correction of information as soon as possible and one month following your request at the latest.

If your request is very complex, the deadline may be extended with further two months. If we extend the deadline, we shall inform you one month following your request at the latest. We also have an obligation to inform you of the reasons for the extension of the deadline.

If we cannot meet your request, we shall inform you immediately and at the latest one month after receiving your request. If we cannot meet your request, you may file a complain to Danish Data Protection Agency.

Who should you contact in order to have your information corrected?

If you want to have rectified (corrected or updated information about you, you may contact the Region’s Data Protection Officers on + 45 61 55 55 55 (week days between 9 and 14) or write an e-mail to the Data Protection Officer in the Region with Digital Post (Login with MitID).

In order to be able to handle your request about rectification of information, we need, as a minimum, the following information:

• Name, cpr. number.
• Contact details (address and telephone number).
• A description of the information, which you wish to have changed. You may for example write, who has written, what you want to have changed and when it was written.
• Power of Attorney if you request rectification on behalf of others (for example if you request rectification on behalf of a family member). A written Power of Attorney may be attached to the e-mail.
• If you request rectification on behalf of a deceased, you shall inform us of your relation with the deceased as well as your contact details, preferably both telephone number and e-mail address.

You have the opportunity to ask for deletion of your personal data at the Region.

However, you should be aware that the Region is a public authority and that we therefore are obliged to be able to document the basis on which we have based a decision. Therefore, we only have a limited possibility to delete personal data.

Deletion in case of unjustified publication

If we unjustifiably have published personal data, we are required to delete the information, where it has been published. We are also obliged to notify as soon as possible those who have acquired the personal data and ask them to delete the information to the extent practicably possible.

Deadlines and administrative appeal

We have an obligation to respond to a request for deletion of information as soon as possible and within one month following your request at the latest.

If your request is very complex, the deadline may be extended with further two months. If we extend the deadline, we shall inform you one month following your request at the latest. We also have an obligation to inform you of the reasons for the extension of the deadline.

If we cannot meet your request, we shall inform you immediately and at the latest one month after receiving your request. If we cannot meet your request, you may file a complaint to Danish Data Protection Agency.

Who should you contact in order to have your information deleted?

Get more information about the possibility to have information deleted.

If you want to have deleted information about you, you may contact the Region’s Data Protection Officers on + 45 61 55 55 55 (weekdays between 9 and 14) or write an e-mail to the Data Protection Officer in the Region with Digital Post (Login with MitID).

In order to be able to handle your request about deletion of information, we need, as a minimum, the following information:

• Name, cpr. number.
• Contact details (address and telephone number).
• A description of the information, which you wish to have deleted. You may for example write, who has written, what you want to have changed and when it was written.
• Power of Attorney if you request deletion on behalf of others (for example if you request deletion on behalf of a family member). A written Power of Attorney may be attached to the e-mail.
• If you request deletion on behalf of a deceased, you shall inform us of your relation with the deceased as well as your contact details, preferably both telephone number and e-mail address.

Under very special circumstances, when special conditions are met, you have the right to have restricted the processing of your personal data.

A "restricted processing" means that we may only for the future store information or process information with your consent. You may not have restricted the processing of your information, if they are necessary to enforce legal requirements or to protect a person or important societal interests.

A request for restriction may relate to all forms of processing of your personal data - except our retention of the information.

Who should you contact in order to make use of your right to have restricted the processing of personal data?

Get more information about the right to restricted processing of personal data.

If you want to have restricted the processing of your personal data, you may contact the Region’s Data Protection Officers on + 45 61 55 55 55 (weekdays between 9 and 14) or write an e-mail to the Data Protection Officer in the Region with Digital Post (Login with MitID).

In order to be able to handle your request about restriction of processing, we need, as a minimum, the following information:

• Name, cpr. number.
• Contact details (address and telephone number).
• A description of the information, which you wish to have restricted. You may for example write, who has written, what you want to have restricted and when it was written.
• Power of Attorney if you request restriction of processing on behalf of others (for example if you request restriction of processing on behalf of a family member). A written Power of Attorney may be attached to the e-mail.
• If you request restriction of processing on behalf of a deceased, you shall inform us of your relation with the deceased as well as your contact details, preferably both telephone number and e-mail address.

Under very specific circumstances, you have the right to object to our processing of your personal data.

This may be, for example, if your name and address are protected, and therefore ask for the region to no longer process information about your name and address.

You should be aware of the fact that you will not be able to object, if the personal data is processed solely for scientific or statistical purposes.

Deadlines and administrative appeal

We have an obligation to respond to an objection as soon as possible and within one month following your request at the latest.

If your request is very complex, the deadline may be extended with further two months. If we extend the deadline, we shall inform you one month following your request at the latest. We also have an obligation to inform you of the reasons for the extension of the deadline.

If we cannot meet your objection, we shall inform you immediately and at the latest one month after receiving your request. If we cannot meet your objection, you may file a complaint to Danish Data Protection Agency.

Who should you contact if you want to object to processing of personal data?

Get more information about the objection to processing of personal data.
If you want to object to the processing of your personal data, you may contact the Region’s Data Protection Officers on + 45 61 55 55 55 (weekdays between 9 and 14) or  write an e-mail to the Data Protection Officer in the Region with Digital Post (Login with MitID).

In order to be able to handle your objection, we need, as a minimum, the following information:

• Name, cpr. number.
• Contact details (address and telephone number).
• A description of the information, which you want to object to the processing of. You may for example write, who has written, what you want to object to and when it was written.
• Power of Attorney if you want to object to the processing on behalf of others (for example if you object to processing on behalf of a family member). A written Power of Attorney may be attached to the e-mail.
• If you want to object to the processing on behalf of a deceased, you shall inform us of your relation with the deceased as well as your contact details, preferably both telephone number and e-mail address.

An automatic decision is a decision made without human intervention. In some cases, you have the right to not be subject to an automatic decision. In many cases, you do not have this right when the Region makes decisions about you. This is so because the tasks, which the Region solves, are provided for by law.

Who should you contact if you want to know more about restrictions of automatic decisions?

Read more about the right to restriction of automatic decisions.
Alternatively, you may contact the Region’s Data Protection Officers on + 45 61 55 55 55 (weekdays between 9 and 14) or write an e-mail to the Data Protection Officer in the Region with Digital Post (Login with MitID).

 In order to be able to handle your objection, we need, as a minimum, the following information:

• Name, cpr. number
• Contact details (address and telephone number)
• A description of the decision you have been subject to. You may for example write, who has signed the decision and when it was made.
• Power of Attorney if you request not to be subject to an automatic decision on behalf of others. A written Power of Attorney may be attached to the e-mail.
• If you request to not be subject to an automatic decision on behalf of a deceased, you shall inform us of your relation with the deceased as well as your contact details, preferably both telephone number and e-mail address.

At the North Denmark Region, the protection of personal data is an integrated part and a high priority of the care for you as a citizen both now and in the future. In rare cases, information security breaches nevertheless occur.

If such breaches happen, it is important that we as a Region hear from you. When you share your knowledge with us, we have the opportunity to rectify any misunderstandings and get the opportunity to correct the situation by learning from your particular inquiry.

Report a breach of the Information Security

If there has been a breach of the information security concerning information about you, you will be informed in an e-mail sent to you in e-Boks.

Need more information or help?

If you want to know further about breaches of information security or need help to filling out the form, you may contact the Data Protection Officer at the North Denmark Region or  send an e-mail with Digital Post (Login with MitID) or call + 45 61 55 55 55 on weekdays between 9 am and 2 pm.

Furthermore, you may read more in the Guidelines from the Danish Data Protection Agency concerning breaches of information security.

Especially for the Data Processors at the North Denmark Region

The North Denmark Region sometimes uses external suppliers, who have access to personal data (Data Processors). The Data Processors are subject to security requirements, which shall ensure that, for example, personal data about citizens are protected, regardless of whether the information is processed by the North Denmark Region or by a Data Processor.

Should a breach of security occur at a Data Processor, the Data Processor is obliged to report the breach to the North Denmark Region immediately. This is also done via the above form, where more fields appear when crossing "report as Data Processor".

If you are dissatisfied with the way in which the North Denmark Region processes information, you may contact the North Denmark Region’s Data Protection Officer on telephone +45 61 55 55 55 (weekdays between 9 am and 2 pm) or write an e-mail to the North Denmark Region's Data Protection Officer with Digital Post (Login with MitID).

You may also file a complaint to Danish Data Protection Agency, if you are dissatisfied with the way in which, the North Denmark Region processes your personal data via the website of Danish Data Protection Agency.

When you are in contact with the North Denmark Region, we process personal information about you.

The region shall not store this personal data about you for any longer than what is necessary.

There is a difference in for how long it is necessary to store personal data. This depends on for which purpose the Region has been collecting the information.

To clarify for how long it is necessary to store personal data, one or more of the following criteria are taken into account

• The information is kept for as long as the North Denmark Region considers that there is an objective consideration to keep the information.
• The information is kept for as long as the North Denmark Region is obliged to keep the information in accordance with applicable law.
• The information is kept for as long as the information is necessary in the light of documentation of the work of the North Denmark Region as a public authority.

Below you will find examples as to how long different types of personal data is stored:

Information in your patient record

According to the law, the Region is obliged to keep the information for at least 10 years. The law does not specifically indicate when information in patient records should be deleted.

At the North Denmark Region, it is a professional assessment that information in the patient record is not deleted, principally. The reason why the information is not deleted is that there may be a need for information about deceased family members, for example in relation to genetic examinations of the deceased's descendants.

Applications for jobs at the North Denmark Region

When an application is submitted for a position at the North Denmark Region, a profile is set up in the North Denmark Region's Career Center. The profile is deleted after 6 months of inactivity. Application and CV are kept for 6 months from the date on which the application deadline expires. After this, the documents will be deleted.

Head of Department, Karin Bruhn Termannsen, has the role and assumes responsibility as Data Protection Officer. In addition, there are two Data Protection Managers, whose task it is to assist the Data Protection Officer in the day-to-day work of anchoring the Data Protection Regulation. Together with the Data Protection Officer, they will constitute the DPO function in the North Denmark Region.