Report undesirable effects from the use of cosmetic products

We process your personal data for the following purposes:

• The Danish Environmental Protection Agency (DEPA) collects and processes your personal data in order to enable the DEPA to monitor and assess whether, in some areas of cosmetic products or chemicals in such products, there is a need for better information or new legislation to prevent such serious undesirable effects. The company responsible for the product (the responsible person) will also be informed of the report. The information from reporting is used to keep statistics on what type of serious effects have been seen and from what type of products.
• If the DEPA finds that the information is of a serious undesirable nature, the information is shared with the other EU member states, so that a cross-border overview can be obtained of all the serious undesirable effects that have arisen throughout the EU through the use of cosmetic products. When a serious undesirable effect is reported to the DEPA or the authorities in another EU Member State, only personal data about age, gender and health data are disclosed to the other Member States.
   
  In this context, your personal information is subject to the necessary case processing, e.g. journaling in accordance with the Public Access to Information Act, just as your information is stored in accordance with the Danish Archive legislation.

Legal basis for processing personal data:

• The DEPA processes your personal data on the basis of the regulatory tasks in accordance with the Cosmetic Regulation (Regulation (EC) No 1223/2009), including in order to fulfill the purpose of the Regulation, which is to ensure the functioning of the internal market and a high level of protection of human health by complying with the provisions of the Regulation. Therefore, among other things, serious undesirable effects must be reported by the responsible person and distributors and end-users also have the possibility to report undesirable effects to the DEPA so that the authority can monitor the market and take the necessary measures, cf. Articles 22, 23 and 34 of the Cosmetics Regulation, cf. Section 4 of the Cosmetics Order (Act no 803 of 21/06/2013).
• The processing is thus based on Article 6(1)(e) of the General Data Protection Regulation (Regulation (EU) 2016/679), which states that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• The DEPA processes any sensitive personal data, in the form of health data that you have provided yourself, on the basis of Article 6(1)(e) and 9(2)(g) of the General Data Protection Regulation, which states that processing is necessary for reasons of substantial public interest on the basis of EU or Member State law and is proportionate to the objective pursued, respects the essence of the right to data protection and ensures appropriate and specific measures to protect the fundamental rights and interests of the data subject. The DEPA is, among other things, obliged to record your personal data in accordance with the rules of the Public Access to Documents Act.

We process the following categories of personal data about you (who have experienced an undesirable effect and who self-report):

General information, e.g.:

• Name
• E-mail
• Telephone number
• Gender
• Year of birth

We only process information about your health in cases where you inform us about, for example information about undesirable effects and course of illness.

If you make a report for another person, as a contact person, we only process general personal data about you in form of:

• Name
• E-mail
• Telephone number

We can disclose personal data to the following recipients:

• The Danish Environmental Protection Agency does not disclose information about name, e-mail and telephone number to external parties.
• However, the DEPA discloses information about year of birth, health data and gender (voluntary) to the company in question, which is responsible for the product.
• In the case of a report of a serious undesirable effect, the information on year of birth, health data and gender (voluntary) is transmitted via the European Commission communication system about market surveillance (ICSMS) to the other EU Member States in order to obtain a cross-border overview of all the serious nuisances that have arisen throughout the EU from the use of cosmetic products.
• The Environmental Protection Agency also leaves your personal data in the care of our data processors, such the Agency for Governmental IT Services (Statens IT).

We do not transfer your personal data to recipients outside of the EU/EEA.

The Danish Environmental Protection Agency receives your personal data through your reporting of serious undesirable effects from cosmetic products on the website lifeindenmark.dk, where you as reporter on your behalf or as a contact person can provide information such as your name, e-mail, telephone number, etc.

As a public authority, we are obliged under the rules of the Danish Public Access to Document Act to journaling all documents and information that are relevant to a case or case handling in general.

The Environmental Protection Agency’s cases are also subject to the Archives Act and are transferred to the National Archives in accordance with the rules of the Archives Act and the relevant provisions of the State Archives.

For a period after the end of the journal period during which the case has been closed and transferred for storage in the National Archives, cf. above, the Environmental Protection Agency will continue to have access to search for the information in a historical version of the journal period, as appropriate.

Under the Data Protection Regulation, you have rights in relation to our processing of your personal data.

If you want to exercise your rights, you can contact us via Public Digital Post (e-Boks). 

If you do not have access to e-Boks, you can contact us via e-mail. If you contact us via e-mail (mst@mst.dk) make sure not to send sensitive personal information, confidential information or information regarding criminal offenses.

In the subject field, please indicate which right you wish to exercise.

Right of access

You are entitled to be informed which data we process about you as well as access to said information.

Right to rectification

You are entitled to have your personal data rectificated.

Right to erasure

In certain cases, you are entitled to have information about you erased before the designated retention period has ended.

Right to restriction

In certain cases, you are entitled to have the processing of your personal data restricted. If you exercise your right to have processing restricted, we may in the future only process information – apart from storage – with your consent, for the purpose of establishing, enforcing or defending legal claims, to protect a person or public interests.

Right to objection

If our processing of your personal data is based on article 6(1)(e) - public interest or exercise of public authority, you are entitled to object to our processing of your personal data of reasons that may relate to your particular situation.

Find more information about your rights as a data subject on the Danish Data Protection Agency’s website. 

The Danish Environmental Protection Agency has adopted internal policies and guidelines on information security and data protection, which contain instructions and measures in order to protect your personal data against loss or altering as well as unauthorized publication or access.

The DEPA is obliged to comply with the information security standard ISO 27001 and to implement several technical measures. Organizational and technical measures are continuously adapted based on risk assessments.

To the extent that the DEPA uses external contractors to process personal data, these are subject to written instructions and continuous control.
 
In the event of a security breach which results in a high risk you for, such as a risk of identity theft, we will notify you of the security breach as soon as possible in order for you to take necessary 

Updated the 29th of August 2025.