MitID Privacy Policy
1. Introduction
1.1 As a certified MitID broker, Criipto ApS, CVR: 35142207 (“Criipto”, “we”, “us”, “our”) acts as an intermediary between the Danish Agency for Digital Government, Danish banks, and MitID service providers. Criipto is considered the data controller in the process when you are using MitID for authentication and/or electronic signing purposes.
1.2 MitID is a collaborative effort between the Danish Agency for Digital Government and Danish banks. Your personal data is collected during the registration and usage process. You consent to the terms and conditions of MitID during registration and activation.
2. The data we collect, the purpose and the legal basis for processing
2.1 When you use MitID to log in, the Danish Agency for Digital Government may provide us with authentication responses, including risk data, related to your specific transaction. Based on this information, we will determine, through automated decision-making, whether we can validate your identity and approve the transaction.
2.2 Upon reaching a decision regarding the approval or denial of the login attempt, we will disclose the relevant information to the service provider associated with your transaction. Consequently, the service provider assumes the role of an independent data controller of the information.
2.3 When validating your identity and determining whether the transaction may be carried out, we will process the following personal data:
- Name
- Age
- CPR number (with consent)
- IP address
- User agent data (e.g., browser type)
2.4 Criipto is subject to Act 2021-05-04 no. 783 (Lov om MitID og NemLog-in), which states that Criipto, as a MitID broker, is considered an independent data controller of the processing activities carried out when determining whether to approve the transaction or not. Act 2021-05-04 no. 783 grants Criipto the legal basis to collect and process your data and to disclose the authentication response to the relevant service provider.
3. How is your personal data collected
3.1 We receive data about you directly from the Danish Agency for Digital Government. Our processing of authentication responses may also be enriched with other data we have collected about you. The data with which the authentication response can be enriched can, for example, be the email address and date of birth used to identify you to the service provider's digital self-service solution.
4. Disclosure of your personal data
4.1 Your personal data is disclosed to third parties who process personal data on our behalf and under our instruction (e.g., for hosting of data) and who therefore act as our data processors. We have entered into data processing agreements that comply with article 28 of the GDPR with all our data processors to ensure that such data processors implement appropriate organisational and technical security measures in such a way that the processing complies with the requirements of the GDPR and ensures the protection of your rights.
4.2 In compliance with applicable laws, regulations, or upon receiving an order from a public authority, we may disclose your personal data to authorities.
5. Transfer of your personal data to third countries
5.1 We will not transfer your personal data to recipients outside the EU or EEA unless we have ensured compliance with GDPR Chapter V.
5.2 Some of our third-party service providers are established outside the EEA, so their processing of your personal data will involve a transfer of data outside the EEA. However, to ensure that your personal information receives an adequate level of protection, we have ascertained that sufficient safety measures have been implemented to allow for the transfer, including where the European Commission has deemed the country to provide an adequate level of protection for personal data, or by use of specific contracts approved by the European Commission (Standard Contractual Clauses) which give personal data essentially equivalent protection as it has in Europe.
5.3 If you require further information about our current data processors established outside the EEA and the safety measures in place to allow for the transfer of personal data, you can request it from us – please send your request to us by email using the contact information in Section 8.
6. Your rights
6.1 Under certain circumstances, you have one or more of the following rights:
- The right of access
- The right to rectification
- The right to erasure
- The right to restriction of processing
- The right to data portability
- The right to object
- The right to withdraw your consent
- The right to lodge a complaint: You have the right to complain to your local data protection authority if you are unhappy with our data protection practices. In Denmark you can lodge a complaint with Datatilsynet at: https://www.datatilsynet.dk/borger/klage/-saadan-klager-du.
7. Data Retention
7.1 Once we have determined whether to approve or deny the transaction and disclosed the response to the service provider, all information used to carry out the response is deleted. We will therefore not obtain any of that information. If you consent to having us remember your CPR number, we will retain that for 1 year after you have given consent.
8. Contact information
8.1 If you have any questions regarding this privacy notice or wish to exercise your rights pursuant to Section 6, please use the contact information set out below:
Criipto ApS
Business registration number (CVR): 35142207
Gammel Kongevej 3E, 1.
1610 København V
Denmark