NORDIC GDPR

Nordic Data Protection — Personnummer & CPR Tools

Sweden (IMY — Integritetsmyndigheten), Denmark/Norway (Datatilsynet), Finland (Tietosuojavaltuutettu). Detect & validate SE Personnummer (Luhn), DK/NO CPR (Modulus-11), FI HETU, IS Kennitala. Entity detection with checksum validation per country.

Detect Nordic Entities Back

Nordic Authorities & Laws

🇸🇪 Sweden — IMY

Integritetsmyndigheten (Swedish Data Protection Authority)

  • Personnummer (12-digit Luhn)
  • Samordningsnummer (alternative)
  • Swedish passport
  • Organisationsnummer (org ID)

🇩🇰 Denmark — Datatilsynet

Datatilsynet (Danish Data Protection Authority)

  • CPR-nummer (10-digit Modulus-11)
  • CPR encodes birth date
  • Danish passport
  • CVr-nummer (business)

🇳🇴 Norway — Datatilsynet

Datatilsynet (Norwegian Data Protection Authority)

  • Fødselsnummer (11-digit mod-11)
  • D-nummer (alternative)
  • Norwegian passport
  • Organisasjonsnummer

🇫🇮 Finland — Tietosuojavaltuutettu

Tietosuojavaltuutettu (Finnish Data Protection Ombudsman)

  • HETU (11-digit personal ID)
  • HETU encodes birth date
  • Finnish passport
  • Business ID (Y-tunnus)

🇮🇸 Iceland — Persónuvernd

Persónuvernd (Icelandic Data Protection Authority)

  • Kennitala (10-digit checksum)
  • Birth date encoded
  • Icelandic passport
  • Organisation ID

📞 Regional Contacts

  • Email (all regions)
  • Phone (DK/FI/NO)
  • Postal address
  • Regional variations

The EU AI Act is the world's first comprehensive AI regulation. It reaches full applicability on August 2, 2026, requiring GPAI providers to document training data handling. Anonymizing PII before AI processing ensures Article 10 compliance.

NIS2 (Network and Information Security Directive 2) expands cybersecurity obligations across the EU. It applies to essential and important entities in 18 sectors. Compliance requires incident reporting within 24 hours and supply chain security measures.

Yes. Properly anonymized data falls outside GDPR scope (Recital 26). Since 2018, EU DPAs have imposed over €5.88 billion in fines. Anonymization reduces your data protection risk and simplifies DSAR responses.

Validation Algorithms Explained

🇸🇪 Personnummer (Luhn)

Format: YYMMDDNNNCC
Example: 890315-1234

Luhn algorithm:
- Multiply odd positions by 2
- If result > 9, sum digits
- Sum all, mod 10, subtract from 10

🇩🇰 🇳🇴 CPR/Fødselsnummer (Modulus-11)

Format: DDMMYYNNNNC
Example: 150699-1234 (Denmark)

Modulus-11:
- Multiply by weights: 4,3,2,7,6,5,4,3,2
- Sum products
- (11 - sum % 11) % 11 = checksum

🇫🇮 HETU (11-digit)

Format: DDMMYY±NNNXC
Centuries: + (1800s), - (1900s), Y (2000s)

Example: 010695-904Y

Checksum: (6-digit + 3-digit) % 31

🇮🇸 Kennitala (10-digit)

Format: DDMMYYCCCCC
Weights: 3,2,7,6,5,4,3,2

Example: 0105694989

Checksum: 11 - (sum % 11)

Use Case: Nordic Customer Database

Vulnerability: CPR/Personnummer Leaks

Customer import across Nordic markets (15K customers):
- Sweden: Personnummer 890315-1234 (Luhn encoded)
- Denmark: CPR 150699-1234 (Modulus-11, birth date inside)
- Norway: Fødselsnummer (same format, mod-11)
- Finland: HETU 010695-904Y (31-bit checksum)

Risks:
- GDPR Art. 32 breach if stored plaintext
- Re-identification via birth date + checksum
- IMY/Datatilsynet audit failure

Protection Applied

Detect + validate per-country algorithms
- SE: Luhn validation, extract birth date
- DK/NO: Modulus-11 validation
- FI: 31-bit checksum

Anonymize by region:
- Sweden: 890315-████ (partial redaction)
- Denmark: 150699-████
- Finland: 010695-████Y

Result: Safe for analytics, no re-identification risk

Entity Coverage (285+)

National IDs

  • SE Personnummer (Luhn)
  • DK/NO CPR/Fødselsnummer (Mod-11)
  • FI HETU (31-bit)
  • IS Kennitala (weighted sum)
  • Passports (all regions)

Business & Contact

  • Organisationsnummer (SE)
  • CVr-nummer (DK)
  • Organisasjonsnummer (NO)
  • Y-tunnus (FI)
  • Email, phone (all)

See GDPR Anonymization In Action

Watch how anonym.legal detects EU personal data and anonymizes it

Start Detecting Nordic Entities

Analyze text with Personnummer, CPR, HETU, Kennitala. Validate checksums per algorithm. Anonymize safely. GDPR compliant across Nordics.

Detect Nordic Entities

Also from anonym.legal

Global Anonymization Platform → Legal Redaction Suite → Enterprise DLP for AI → Developer Privacy API → Compliance Command Center → Customer Data Protection → Privacy-as-a-Service →

Frequently Asked Questions

Swedish IMY, Danish Datatilsynet, Norwegian Datatilsynet, and Finnish Tietosuojavaltuutettu enforce GDPR independently. Nordic DPAs are known for strict enforcement — Sweden's IMY fined Spotify 5M€ for DSAR failures in 2023.

Swedish Personnummer (10 digits, Luhn), Danish CPR (10 digits, Modulus-11), Norwegian Fødselsnummer (11 digits, Modulus-11), Finnish HETU (11 characters), and Icelandic Kennitala (10 digits). All with country-specific validation algorithms.

Published by George Curta, Founder of anonym.legal ·