Data Protection Policy
General
As a body governed by public law and which operates as a data controller processing personal data relating to natural persons, the Nordic Council of Ministers’ Secretariat (the NMRS) considers itself to be covered by the General Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016). Since it is based in Denmark, the NMRS also endeavours to process personal data as per the Danish Data Protection Act (Consolidated Act no. 289 of 8 March 2024).
The national governments set up the NMRS to support inter-governmental co-operation on the Nordic Council of Ministers as per the Agreement on Co-operation between Denmark, Finland, Iceland, Norway and Sweden of 23 March 1962 (the Helsinki Treaty). The Secretariat processes data in pursuit of this objective, both in its contacts with external actors and in its internal administration and role as an employer.
The NMRS processes personal data based on the above legislation, and the processing is limited to what is necessary for the specific purpose.
This policy provides details about the processing of personal data for which the NMRS is responsible as the data controller. It also seeks to fulfil the duty of disclosure to data subjects by referring to the privacy policy in links, etc.
Whose personal data do we process?
The Nordic Council of Ministers’ Secretariat processes personal data about natural persons who:
- take part in Nordic co-operation as representatives of governments, official bodies and other organisations or as private individuals, e.g. attending meetings and other events organised, administered or facilitated by the NMRS or who come into contact with it, e.g. asking questions or submitting requests for access to files concerning the Council of Ministers’ activities
- supply or submit offers to sell goods or services to the Nordic Council of Ministers as representatives of organisations, companies or private individuals
- are employed or recruited by the NMRS and, in some cases, family members and/or other relatives of employees and individuals applying for jobs with the NMRS
- submit or report information to the NMRS whistleblower scheme and persons mentioned in or affected by such information or reports
- visit the NMRS premises in the Nordic House in Copenhagen.
What personal data do we process?
The NMRS defines “personal data” as any type of information that can be used to identify a natural person, either alone or along with other available information, e.g. name, address, phone number, nationality, social security number/CPR number, IP address, login details or other information that could identify the person’s geographical location.
Most of the ordinary personal data that the NMRS processes fall under Article 6 of the General Data Protection Regulation (GDPR), such as names, contact details and, where relevant, images or films produced in contexts representative of the Nordic Council of Ministers’ work or made as part of a recruitment process.
Within the framework of the NMRS’ activities as an employer, it also processes the special categories of personal data referred to in Article 9 of the GDPR, e.g. health, trade union membership and personal data considered confidential under Danish law – social security number/CPR number. Special categories of personal data may also be processed in other contexts, e.g. as part of the administration of the NMRS whistleblower scheme.
Why do we process personal data, and for what purposes?
The NMRS processes personal data in order to communicate with relevant stakeholders as part of its job of supporting inter-governmental co-operation by the Nordic Council of Ministers. This includes data associated with meetings and other activities that form part of Nordic co-operation, including registering participants and issuing materials.
The NMRS also processes personal data as part of its general interest in disseminating information about the work of the Nordic Council of Ministers and to meet specific requests from the public for information about the Council of Ministers’ activities, e.g. to receive newsletters or gain access to other Council of Ministers’ documents.
The Secretariat also needs to process personal data in order to evaluate applications for financial support from funds under the Nordic Council of Ministers’ budget and to purchase the goods and services that the Council of Ministers needs for its activities.
The NMRS also processes personal data in order to conduct business and fulfil its responsibilities as an employer, including for the purpose of determining employees’ rights under the Nordic Council of Ministers’ staff regulations. The NMRS also processes personal data to administer the Nordic Council of Ministers’ whistleblower function, i.e. to investigate potential illegalities or irregularities in the Council of Ministers’ activities.
What is the legal basis for processing personal data?
The national governments set up the NMRS to support their co-operation on the Nordic Council of Ministers. It is governed by public law. In many cases, the legal basis for the NMRS processing personal data is, therefore, carrying out duties in the public interest, cf. Article 6 (1) (e) of the GDPR, e.g. when it communicates with partners and the public or when it holds meetings or other activities within the scope of the Nordic Council of Ministers’ work, processes applications for financial support or requests for access to documents as per the Nordic Council of Ministers’ open access rules. The NMRS also processes information submitted to its whistleblower scheme.
In some cases, it may be necessary for the NMRS to process personal data in order to pursue legitimate interests, cf. Article 6 (1) (f) of the GDPR, e.g. personal data about suppliers of goods and services that the NMRS may need to acquire or when it processes data about its staff and their family members. This GDPR provision applies when the Secretariat’s interest is considered to outweigh the data subject’s interest and right not to have their personal data processed.
When the NMRS processes personal data associated with procuring goods and services, it does so based on Article 6 (1) (b) of the GDPR to fulfil the terms of a contract to which the data subject is a party (e.g. a supplier and contracting party) or for the implementation of measures taken at the request of the data subject prior to entering into a contract (e.g. a bidder in a competitive tender organised by the NMRS). This GDPR provision can also serve as the legal basis for the NMRS to process personal data about its employees or persons applying for jobs with it.
In some cases, the NMRS processes confidential personal data such as social security number/CPR number and special categories of personal data as referred to in Article 9 of the GDPR, such as health data or information about trade union membership. When the NMRS processes this type of data in its capacity as an employer, it falls under Article 9 (1) (b) of the GDPR on compliance with its obligations under labour and social law and Article 9 (1) (f) on legal claims. Processing information submitted to the NMRS whistleblower scheme falls under Article 9 (1) (g) of the GDPR on important public interests based on EU or national law and section 22 of the Danish Whistleblower Protection Act (Act no. 1436 of 29 June 2021). Processing personal identification numbers/CPR numbers falls under section 7(2) of the Danish Data Protection Act, cf. section 11 (2) (1) and (4).
Where does personal data come from?
The NMRS usually collects personal data from the person to whom it relates, including, in some cases, information about other persons associated with the individual, e.g. family members/relatives. The NMRS also collects information from third parties, i.e. organisations, individuals or public bodies.
To whom do we disclose personal data?
In some cases, the NMRS may disclose personal data to third parties. However, it only does this when there is a legal basis for doing so.
The NMRS can disclose personal data to stakeholders it works with as part of its duty to support co-operation in the Nordic Council of Ministers, e.g. ministries and official bodies in the Nordic countries, the pan-Nordic institutions or other organisations.
In some cases, the NMRS may disclose personal data to those who request access to public documents as per the Nordic Council of Ministers’ open access rules.
The NMRS also discloses personal data to national bodies when required to do so by law or when it is in the legitimate interests of the NMRS or of the person to whom the personal data relates.
The NMRS discloses personal data to its data processors (e.g. IT suppliers).
For how long do we store personal data?
The NMRS stores personal data for as long as necessary for the purpose(s) for which it was acquired and processed.
The NMRS draws up internal guidelines for storing personal data that take into account the obligations to which it is subject by law, including documentation and audit requirements, as well as the needs and interests of the NMRS and the data subjects in storing the data.
Applications for jobs at the NMRS that contain personal data are stored for eight months after the application deadline.
The NMRS has an agreement to transfer data from its electronic case and document management system to the Danish National Archives for storage. For this reason, personal data is also stored as per the legislation on archives.
What rights do you have as a data subject?
Data subjects have a number of rights when the NMRS processes personal data under articles 15-21 of the GDPR. Any data subject wishing to exercise these rights must contact the NMRS using the details provided in point 10 below.
Under the GDPR, you have the following rights:
- to access data held by the NMRS about you and a range of additional information
- to have inaccurate information about you corrected
- in exceptional cases, to have data about you deleted before the NMRS deadline for doing so
- in some instances, to restrict processing of your personal data by the NMRS so that in future, it is only able to process the data – apart from storing it – with your consent or for the purpose of establishing, exercising or defending legal claims, or to protect a person or important public interests. In this context, please note that archiving is considered an important public interest.
- in certain cases, to object to the otherwise lawful processing of your personal data by the NMRS
- in certain cases, to receive a copy of your personal data or to have it transferred from the NMRS to another data controller (the right to data portability).
If you have consented to the NMRS processing your personal data, you may withdraw that consent at any time by contacting it using the details provided in section 10 below. Withdrawing consent does not affect the legality of the processing prior to the point at which consent was withdrawn, i.e. it does not apply retroactively.
Contact details at the NMRS
Please contact the NMRS at personoplysninger@norden.org if you wish to exercise your rights as described above in section 9 or have any questions about the privacy policy.
Please submit any complaints about the processing of your personal data by the NMRS to the DPO, Christian Søndergaard Christensen, at chrson@norden.org.
Changes to our privacy policy
This policy is updated regularly. The last amendments were made on 30.05.2024.