The personal data policy of the Environmental Protection Agency
The General Data Protection Regulation requires the adoption of a personal data policy to ensure compliance with the General Data Protection Regulation.
The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires that appropriate technical and organisational measures be taken to ensure that the requirements of the Regulation are met. In order to demonstrate compliance with the Regulation, the Environmental Protection Agency must adopt internal policies and implement measures that comply with the principles of data protection by design and by default, including in connection with purchase and development of systems.
Such measures may include minimisation of processing of personal data, pseudonymisation of personal data and transparency as regards the function and processing of personal data so that the data subject can follow the processing of data, as well as the Environmental Protection Agency's integration of the necessary safeguards into the processing and ongoing improvement thereof.
The personal data policy set out below has been submitted to and approved by the management and is distributed through relevant channels in connection with other awareness measures and training of General Data Protection Regulation rules.
The Environmental Protection Agency often processes personal data when we carry out our tasks. The Environmental Protection Agency's personal data policy explains how we process your data. The Environmental Protection Agency is data controller and our contact details are the following:
The Environmental Protection Agency (Miljøstyrelsen)
DK-5000 Odense C
Collection and purpose
The collection and processing of personal data are necessary for administrative procedures, conclusion of contracts and employment agreements, or for other purposes in accordance with our statutory objective and our duty to file and store data in accordance with the archives rules of the Danish State.
We only collect the personal data that are necessary to meet our obligations.
The personal data we collect and process are primarily contact data as follows:
• phone number
• user ID
• CPR number (personal identification number)
• CVR number (business registration number)
• IP address
• domain name
• invoice numbers
• credit note numbers
• Information about properties and geographical areas traceable to persons
• Information about businesses traceable to persons
The Environmental Protection Agency collects and processes information in connection with the use of the self-service solutions provided by the Environmental Protection Agency.
The Environmental Protection Agency may also contact you on its own initiative to collect and process updated personal data in connection with verification of contact information and identity of registrants as well as for validation of contact information through search in the CPR and CVR registers. This is done to ensure that the personal data we process about you are accurate, which is a requirement under the Book-Keeping Act and the General Data Protection Regulation. It is therefore also important that you yourself regularly update your personal data in our systems.
Fair and transparent processing of personal data
When collecting data about you, you will as a general rule be informed within 10 working days which data we process and for what purpose.
Security of information
Information security has high priority with the Environmental Protection Agency. We focus on how to protect data, systems and services. Through our high information security standards we protect critical and sensitive data and information systems from being compromised or used by unauthorised parties. We ensure that your personal data are not destroyed by mistake, lost, altered, published without permission, and that unautorised third parties do not gain access to or knowledge of the data.
To ensure the best protection of your data we assess whether our processing of your data will entail a high risk for you, for example in connection with sensitive data.
Data processing agreements
We enter into data processing agreements with suppliers that process personal data on our behalf, and we make sure that our data processors meet the high standard of information security and data protection that is required by us.
Erasure of personal data
We erase your personal data when they are no longer necessary for the purpose for which they were collected, processed and stored with due consideration of our storage obligation under the Danish Public Administration Act and submission to the Danish National Archives under the archives rules. This means that we are not allowed to erase data even if you withdraw your application or if you disagree with our decision and are subsequently proved right, since we are obliged to document our proceedings and to submit information to the Danish National Archives every five years. If, for example, the data are required to establish a legal claim arising out of a contractual arrangement or if other legislation requires storage for a longer period of time, we may store the data longer than 5 years. We will continuously review the need to keep the data so that we do not store them longer than necessary.
Exchange of information
The Environmental Protection Agency will not submit personal data to any third party for marketing purposes or other commercial use.
Right of access
You are entitled to be informed of the data we have registered about you. Upon receipt of a request for access to your own data, we will require proof of identity in order to protect you and to prevent unauthorised access.
At your request, we may inform you about the data we process about you. However, access may be restricted due to the privacy protection of other persons, trade secrets or intellectual property rights.
If you wish to access your personal data, please write to and indicate ”Access to personal data” in the subject field.
Right of erasure or rectification of your personal data
If you believe that we process personal data about you that are incorrect, you will be entitled to have them rectified. If so, we kindly ask you to contact us and inform the nature of the inaccuracies and how to rectify them.
In some cases we are obliged to erase your personal data. If you believe that your data are no longer necessary for the purpose for which we collected them, you are entitled to request that they be erased. You may also contact us if you believe that your personal data are processed in breach of the law or other legal obligations.
After having received your request to have your personal data rectified or erased, we will examine whether the conditions are fulfilled and, if so, we will perform the changes or erasures as soon as possible.
Right to object
You are entitled to object to our processing of your personal data. If your objection is justified, we will cease the processing of your personal data.
Please note, however, that the processing of your personal data may be required in order to enter into a contract with the Environmental Protection Agency or to have your matter processed or as part of an employment relationship since we, as a public authority, may be obliged to collect information, e.g. under the tax regulations.
While an objection or a request for erasure/rectification is being processed, the Environmental Protection Agency is obliged to minimise the processing of the data concerned. As a general rule, we are only allowed to use data in connection with requests for access to documents, but we may ask your permission to use the data for other purposes.
Complaints of the Environmental Protection Agency's processing of personal data are to be lodged with:
The Danish Data Protection Agency
Borgergade 28, 5
DK-1300 Copenhagen K
Tel.: 3319 3200