Denmark - Data Protection Overview

August 2023

1. Governing Texts

In Denmark, Act no. 502 of 23 May 2018 on supplementary provisions to the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ('the Act') supplements the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') which is applicable in Denmark. The Act also implements some of the special provisions of the GDPR that must be implemented in each member state in order to enter into effect.

While the Act was drafted in direct response to the GDPR entering into force, the Act largely reflects the same principles as contained in the previous Personal Data Act (Act no. 429 of 31 May 2000) which implemented the previous Data Protection Directive (Directive 95/46/EC).

The Danish Data Protection Agency ('Datatilsynet') is the Danish supervisory authority that supervises compliance with the rules on protection of personal data in Denmark. The Datatilsynet also provides guidance, deals with complaints, and carries out inspections.

1.1. Key acts, regulations, directives, bills

As described above, the Act is a supplement to the GDPR as it sets out supplementary national provisions to the extent permitted by the GDPR.

Furthermore, Act no. 410 of 27 April 2017 on the processing of personal data by law enforcement authorities ('the Law Enforcement Act') implements the Law Enforcement Directive (Directive (EU) 2016/680) and applies to the processing of personal data carried out by the Danish Police, the Prosecution Service, the Danish Military Prosecution Service, the Danish Prison and Probation Service, the Independent Police Complaints Authority, and the Danish Courts.

Further, consolidated Act no. 182 of 24 February 2023 on video surveillance ('the Video Surveillance Act') (only available in Danish here) supplements the GDPR and the Act. The Video Surveillance Act governs the use of video surveillance by public authorities, private organizations, as well as private citizens.

The Datatilsynet only supervises compliance with the provisions of the Video Surveillance Act which concern disclosure and erasure of recordings (Sections 4(c) and 4(d) of the Video Surveillance Act). However, as the Video Surveillance Act supplements the GDPR and the Act, the Datatilsynet is the competent authority regarding any violations of the GDPR and the Act in relation to the use of video surveillance.

1.2. Guidelines

In Denmark, the Datatilsynet (sometimes in collaboration with the Danish Ministry of Justice ('the Ministry of Justice'), the Agency for Digital Government, the Council for Digital Security, and the Danish Business Authority) has published the following guidelines:

  • 12 questions to ask yourself about the GDPR (only available in Danish here);
  • Guidance on codes of conduct and certification (only available in Danish here);
  • Danish accreditation requirements for a GDPR code of conduct monitoring body;
  • Danish accreditation requirements for certification bodies;
  • Guidance on certification (only available in Danish here);
  • Guidance on warning registers (only available in Danish here);
  • Terms for warning registers (only available in Danish here);
  • Guidance on processing of personal data of website visitors (only available in Danish here);
  • Guidance on security of processing and data protection by design and by default (only available in Danish here);
  • Guidance on penalties concerning natural persons and penalties on legal entities (only available in Danish here and here);
  • Guidance on the use of cloud;
  • Guidance on data controllers and data processors (only available in Danish here);
  • Guidance on data protection in employment (only available in Danish here);
  • Guidance on data protection rules in connection with election campaigns (available in Danish here);
  • Guidance on data protection officers ('DPOs') (only available in Danish here);
  • Guidance on records of processing activities (only available in Danish here);
  • Guidance on handling personal data breaches (only available in Danish here);
  • Guidance on data protection impact assessments (DPIAs) (only available in Danish here);
  • A list of the kind of processing operations that require a DPIA (only available in Danish here);
  • Guidance on credit reporting agencies (only available in Danish here);
  • Guidance on disclosure to credit reporting agencies of information about public debt (only available in Danish here);
  • Guidance on recording of phone conversations (only available in Danish here);
  • Guidance on transfer of personal data to third countries (only available in Danish here);
  • A quick guide to personal data (only available in Danish here);
  • Guidance on the rights of data subjects (only available in Danish here):
    • Guidance on complying with data subject rights (only available in Danish here);
    • Guidance on the right to erasure (only available in Danish here);
    • Guidance on the right of access (only available in Danish here);
    • Guidance on the obligation to provide information (only available in Danish here); and
  • Guidance on the distribution of roles, when private companies are suppliers to the public sector (only available in Danish here);
  • Guidance on consent (only available in Danish here);
  • Guidance on lists containing blocked payment cards (only available in Danish here):
    • Terms on lists containing blocked payment cards (only available in Danish here);
  • Guidance on supervision of data processors (only available in Danish here);
  • Checklists for schools' use of images and video (only available in Danish here);
  • Checklists for day cares and kindergartens when using images and videos (only available in Danish here); and
  • Guidance on exchange of personal data with the police (only available in Danish here).

Furthermore, the Ministry of Justice has published the following guidelines:

  • Frequently asked questions about the processing of personal data by voluntary organizations (only available in Danish here);
  • Exchange of personal data as part of the coordinated efforts of the authorities to combat rocker and gang crime (only available in Danish here);
  • Guidance on processing of personal data in the cooperation between the school, the police and the Social Services Administration (only available in Danish here);
  • Guidance on localization requirements in the Act (only available in Danish here); and
  • Guidelines on the exchange of personal data as part of efforts to combat radicalization and extremism (only available in Danish here).

1.3. Case law

The number of GDPR-related cases brought before the national courts in Denmark is not high. The few cases that have been brought before the courts will be reviewed in the section on enforcement decisions below.

Please note that the Datatilsynet is not allowed to impose administrative fines. This is also discussed in more detail in the sections on penalties and enforcement decisions below.

2. Scope of Application

2.1. Personal scope

The Act applies to information regarding all identifiable natural persons (cf. Section 1 of the Act). Section 2 of the Act expands the scope of the Act compared to the scope of the GDPR, as Section 2(1) prescribes that specific provisions apply when personal data is manually disclosed to another administrative authority.

Further, Section 2(2) states that both the GDPR and the Act apply to information relating to legal entities when the processing of personal data is performed on behalf of credit rating agencies. Furthermore, Section 2(3) of the Act also prescribes that Chapter 4 of the Act, which concerns disclosure of personal data to credit rating agencies, also applies to information concerning companies.

In Denmark, the GDPR and the Act apply to the processing of information relating to deceased individuals for 10 years after the person's death (cf. Section 2(5) of the Act).

The Act also contains exceptions to the GDPR, which are set out in Section 3. Among other things, Section 3 exempts the processing of personal data carried out by the media to a certain extent. Section 3 of the Act will be elaborated further below.

2.2. Territorial scope

The Act applies to the processing of personal data for a data controller or data processor who is established in Denmark (Section 4(1) of the Act). This applies regardless of whether the processing takes place in the EU, i.e., the determining factor is whether the controller or processor is established in Denmark. The processing of personal data for Danish diplomatic representations also falls within the scope of the Act according to Section 4(2) of the Act.

Lastly, the Act also applies extraterritorially to data controllers or data processors who are not established in the EU, if the processing of personal data concerns supply of goods or services and the affected data subjects are in Denmark (Section 4(3) of the Act). Further, the Act applies to controllers and processors who are not established in Denmark if they carry out processing activities which entail monitoring of the behavior of data subjects in Denmark.

2.3. Material scope

The material scope of the Act is largely the same as the material scope of the GDPR, i.e., the Act applies to processing of personal data which is fully or partially carried out by use of automatic means. The Act also applies to non-automated processing of personal data, which is or is supposed to be stored in a register.

Furthermore, the Act as well as Chapters II-VII and Chapter IX of the GDPR do not apply, in the following circumstances:

  • processing of personal data solely for journalistic, artistic, or literary purposes (Section 3(8) of the Act); importantly, however, Articles 28, 32(1), and 32(2) of the GDPR still apply;
  • processing carried out by or on behalf of the Danish Police and the Danish Defense Intelligence Service (Section 3(2) of the Act). Instead, the Law Enforcement Act applies to such processing activities;
  • processing carried out as a part of the Danish Parliament's ('Folketinget') work; and
  • processing subject to Act no. 430 of 1 June 1994 on information databases of mass media (only available in Danish here) as amended by Act no. 429 of 31 May 2000 (only available in Danish here), Act no. 433 of 31 May 2000 (only available in Danish here), and Act no. 503 of 23 May 2018 (only available in Danish here).

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The Datatilsynet is the national supervisory authority in Denmark. It is an independent authority established under the Ministry of Justice and consists of a council and a secretariat. A director heads the secretariat. The minister of justice establishes the council, which consists of one chairperson, who must be a High Court judge or a Supreme Court judge, and seven other members. To ensure the independence of the members, it is only possible to dismiss a member in cases of serious misconduct, or if a member no longer fulfils the conditions of the position.

The Datatilsynet acts as a supervisory authority regarding processing carried out by public authorities, private organizations, and natural persons (to the extent their processing of personal data is not excepted from the data protection legislation on grounds of being purely of a personal or household-related matter).

As for processing carried out by the national courts in Denmark, the Datatilsynet is not the supervisory authority. Instead, the Court Administration has the role in instances where the courts do not act in their capacity of courts. On the other hand, when the courts do act in their capacity of courts, the relevant decisions are made by the relevant court. This decision may be lodged with a higher court.

3.2. Main powers, duties and responsibilities

As mentioned above, the Datatilsynet does not have the authority to issue administrative fines. Instead, the Datatilsynet decides on the matter and, if it finds that a fine should be issued, the Datatilsynet files a report with the police with a recommendation as to the size of the fine. From this point, it is for the police to investigate the case and for the prosecutor to take the case to the national courts like in any other criminal case. Currently, all cases where a controller or processor is reported to the police for a violation of the GDPR and/or the Act must be tried in the courts, i.e., it is not possible to accept a proposed fine outside the courts. The Act does, however, as described in the section on penalties below, allow for the acceptance of fines without the involvement of the courts, but this requires an established practice.

While the Datatilsynet does not have the authority to issue fines for violations of the GDPR and/or the Act, the Datatilsynet, like other EU Member State supervisory authorities, has other powers, duties, and responsibilities under Articles 57 and 58 of the GDPR, namely to:

  • monitor and enforce the application of the GDPR, including by imposing warnings, reprimands, orders, bans, and suspensions;
  • promote public awareness and understanding of the risks, rules, safeguards, and rights in relation to processing as well as controllers' and processors' obligations under the GDPR;
  • advise the Folketinget, the Government of Denmark ('Regeringen'), and other institutions and bodies on legislative and administrative measures relating to data privacy;
  • provide information to data subjects with regard to their rights under the GDPR, upon request;
  • handle complaints and cooperate with other supervisory authorities;
  • conduct investigations on the application of the GDPR and monitor developments that may affect the protection of personal data;
  • adopt standard contractual clauses ('SCCs');
  • establish and maintain a list of the requirements for DPIAs and provide advice on processing operations that are subject to DPIAs;
  • encourage the drawing up of and approval of codes of conduct and certification mechanisms;
  • approve binding corporate rules ('BCRs');
  • contribute to the activities of the European Data Protection Board ('EDPB'); and
  • keep internal records of infringements of the GDPR and any steps taken.

In addition, under the Act, the Datatilsynet has the power to:

  • demand all information that is important for its activities (Section 29 of the Act);
  • at any time upon appropriate proof of identity, and without a court warrant, have access to all premises from where a personal data processing operation is carried out;
  • in exceptional cases, prohibit, restrict, or suspend the transfer of special categories of data comprised by Article 9(1) of the GDPR to a third country or an international organization (Section 31 of the Act); and
  • investigate whether data processing that takes place in Denmark is lawful, even if the processing in question is subject to the legislation of another Member State (Section 32 of the Act).

Furthermore, according to Section 28 of the Act, an opinion from the Datatilsynet must be obtained when bills, executive orders, circulars, or similar general regulation of importance for the protection of privacy in connection with the processing of personal data are being drafted. Therefore, the Datatilsynet has the responsibility to consider whether, for example, a suggested bill complies with the GDPR.

4. Key Definitions

Data controller: The Act does not derogate from the definition of the GDPR.

Data processor: The Act does not derogate from the definition of the GDPR.

Data subject: The Act does not derogate from the definition of the GDPR.

Personal data: The Act does not derogate from the definition of the GDPR.

Sensitive data: The Act does not derogate from the definition of the GDPR. However, please note that Danish data protection operates with an unofficial additional category of 'confidential personal data', which covers personal data that is not considered special category personal data but that the data subject would otherwise reasonably expect to be kept secret. Examples of confidential personal data include national identification numbers ('CPR numbers'), criminal convictions and offenses, financial information, significant social issues, passport and other identification documents, and divorce.

Health data: The Act does not derogate from the definition of the GDPR.

Biometric data: The Act does not derogate from the definition of the GDPR.

Pseudonymization: The Act does not derogate from the definition of the GDPR.

5. Legal Bases

5.1. Consent

Children's personal data

According to Section 6(2) of the Act, basing the processing of personal data concerning a child on the child's consent in connection with the offering of social media services to children is lawful, provided that the child is not younger than 13 years old. In this context, processing of personal data relating to a child under the age of 13 requires the consent of a person with custody of the child.

Direct marketing

Section 13 of the Act prescribes that a company's disclosure of personal data concerning a consumer to another company for the purpose of direct marketing or the use of personal data for direct marketing on behalf of another company may only take place if the consumer has provided their consent for such disclosure. However, disclosure or use of personal data may take place without the consumer's consent if the personal data disclosed constitutes non-confidential and non-special category customer data which forms the basis for classification into customer categories. However, it is a requirement that the conditions in Article 6(1)(f) of the GDPR are complied with.

5.2. Contract with the data subject

The Act does not contain any national variations in relation to the performance of a contract as a legal basis.

5.3. Legal obligations

The Act does not contain any national variations in relation to legal obligations as a legal basis.

5.4. Interests of the data subject

The Act does not contain any national variations in relation to the use of interests of the data subject as a legal basis.

5.5. Public interest

The Act does not contain any national variations in relation to the use of public interests or tasks as a legal basis.

5.6. Legitimate interests of the data controller

The Act does not contain any national variations in relation to the use of legitimate interests of the data controller or a third party as a legal basis.

5.7. Legal bases in other instances

Legal information systems

Section 9 of the Act provides a legal basis for the processing of personal data included in Article 9 (special categories of personal data) and Article 10 (criminal offenses and convictions) of the GDPR, if the processing takes place for the sole purpose of operating legal information systems of significant public importance, and the processing is necessary for operating such systems.

Statistical and scientific studies

Section 10 of the Act provides a legal basis for the processing of personal data included in Article 9 (special categories of personal data) and Article 10 (criminal offenses and convictions) of the GDPR if the processing takes place for the sole purpose of carrying out statistical or scientific studies of significant importance to society. Also, in this case, the processing must be necessary to carry out the studies.

National identification numbers

Section 11 of the Act contains special legal bases for the processing of national identification numbers ('CPR numbers'). According to this provision, public authorities may process national identification numbers for unambiguous identification.

Private organizations may process national identification numbers if one of the following criteria is met:

  • it is in accordance with national legislation;
  • the data subject's consent has been obtained;
  • the processing takes place solely for scientific or statistical purposes; or
  • one of the criteria in Section 7 of the Act for processing special categories of personal data is met.

As for disclosing a national identification number, Section 11(2)(3) of the Act states that this may take place where the disclosure is required by a public authority or the disclosure happens as a part of the ordinary operation of the enterprise, and the disclosure is of crucial importance for the identification of the data subject.

Publication of national identification numbers is only allowed with prior consent from the data subject.

When basing the processing of national identification numbers on Section 11 of the Act, the data controller is not obliged to establish a legal basis in Article 6 of the GDPR.

Criminal convictions and offenses

The Act contains a national variation in Section 8 concerning the processing of personal data about criminal convictions and offenses. The legal bases are different for public authorities and private organizations. However, for both private organizations and public authorities, information concerning criminal records and offenses may be processed, if the criteria for processing special categories of personal data are met (Sections 7 and 8(5) of the Act).

Public authorities

Section 8(1) of the Act states that public authorities may only process information concerning criminal convictions and offenses where the processing of such information is necessary for carrying out the authority's tasks.

According to Section 8(2) of the Act, public authorities are prohibited from disclosing information relating to criminal convictions and offenses unless one of the following derogations applies:

  • the data subject's explicit consent has been obtained;
  • the disclosure takes place for the sake of public or private interests which clearly override the interests which call for secrecy, including the interests of the data subject;
  • the disclosure is necessary for the tasks of the public authority or for a decision that the authority is required to make; or
  • the disclosure is necessary for a person or company's performance of a task on behalf of the public.

Private organizations

Section 8(3) of the Act sets out the legal bases which private organizations may rely upon when processing information relating to criminal convictions and offences. According to this Section, such processing is lawful if:

  • the data subject's explicit consent has been obtained; or
  • the processing is necessary for a legitimate interest that clearly overrides the interests of the data subject.

Private organizations are prohibited from disclosing information concerning criminal records and offenses unless the data subject's explicit consent has been obtained or the disclosure takes place for the sake of public or private interests which clearly override the interests that call for secrecy, including the interests of the data subject (Section 8(4) of the Act).

According to Section 8(4) of the Act, disclosure of personal data by private individuals is prohibited without consent from the data subject.

Personal data in the employment context

According to Section 12 of the Act, the processing of both common personal data and special categories of personal data in an employment context may take place if it is necessary for the purpose of observing and respecting the employment law obligations and rights of the controller or of the data subject as laid down by other law or collective agreements. Regarding special categories of personal data, this legal basis is also found in Section 7(2) of the Act.

Section 12 of the Act also allows the processing of personal data in an employment context if the processing is necessary to enable the data controller or a third party to pursue a legitimate interest that arises from other legislation or collective agreement unless the data subject's interests or rights exceed this legitimate interest.

Finally, processing of personal data in an employment context may also take place based on consent from the data subject (Section 12(3) of the Act).

When basing the processing of personal data on Section 12 of the Act, the data controller is not obliged to identify a legal basis in Article 6 of the GDPR or an exception in Article 9(2) of the GDPR.

6. Principles

The Act does not contain any national variations in relation to the principles of the GDPR.

7. Controller and Processor Obligations

7.1. Data processing notification

Information databases operated by the mass media

According to Section 3(4) of the Act, the GDPR and the Act do not apply if the processing of personal data is covered by the Act on information databases operated by mass media. However, for the processing of personal data to be covered by the Act on information databases, the database must be reported to the Datatilsynet. If the database is not reported, both the Act and the GDPR apply.

Obligation to obtain approval from the supervisory authority in special cases

Under certain circumstances, private sector data controllers are obliged to obtain the approval of a processing activity from the Datatilsynet prior to the processing. This follows from Section 26(1) of the Act and applies in one of the following circumstances:

  • where the processing of personal data is carried out for the purpose of warning others against having business relations or accepting employment with a data subject;
  • where the processing is carried out for the purpose of commercial disclosure of personal data for the assessment of financial standing and creditworthiness; or
  • where the processing is carried out exclusively for the purpose of operating legal information systems.

Processing necessary for reasons of substantial public interest

According to Section 7(4) of the Act, authorization from the Datatilsynet is required where the processing of special categories of personal data is necessary for reasons of substantial public interest pursuant to Article 9(2)(g) of the GDPR, and the processing is not carried out on behalf of a public authority.

Statistical and scientific studies

Section 10(3) of the Act prescribes further special situations where prior approval from the Datatilsynet for the processing of personal data is required. This applies in relation to the disclosure of personal data where the processing takes place for the sole purpose of carrying out statistical or scientific studies of significant importance to society and the processing is necessary in order to carry out these studies, provided that:

  • the disclosure is carried out for the purpose of processing outside the territorial scope of the GDPR;
  • the disclosure is related to biological material; or
  • the disclosure is made for the purpose of publication in a recognized scientific journal or similar.

7.2. Data transfers

The Act does not contain any national variations from the GDPR concerning the transfer of personal data to third countries or international organizations.

However, Section 31 of the Act prescribes that the Datatilsynet in exceptional cases may prohibit, restrict, or suspend the transfer to a third country or an international organization of special categories of data comprised by Article 9(1) of the GDPR if a decision has not been adopted concerning the adequacy of the level of protection under Article 45 of the GDPR.

7.3. Data processing records

The Act does not contain any national variations concerning data processing records.

7.4. Data protection impact assessment

The Act does not contain any national variations on the duty to carry out a DPIA. However, the Datatilsynet has published a guideline on DPIAs (only available in Danish here). Further, the Datatilsynet has published a list (only available in Danish here) of processing activities that are likely to always entail a high risk to the data subjects' rights and freedoms, which entails that a DPIA should be carried out.

The processing activities that are likely to always be subject to the requirement of a DPIA are:

  • processing of biometric data for the purpose of identifying a natural person in connection with at least one other criterion from the Article 29 Working Party's guidelines ('the Guidelines');
  • processing of location data in connection with at least one other criterion from the Guidelines;
  • processing using new technologies in connection with at least one other criterion from the Guidelines;
  • processing that leads to decisions on a natural person's rights to a product, a service, a potential possibility, or benefit, and which is based on any type of automated decision-making (including profiling);
  • processing that includes profiling of natural persons on a large scale as defined in the Guidelines;
  • processing of personal data of vulnerable data subjects or where processing of special categories of personal data is involved, and profiling or other forms of automated decision-making is used; and
  • processing where a personal data breach may have a direct effect on the physical health or safety of a natural person.

The Datatilsynet has not published a list of processing activities that are not subject to a DPIA.

7.5. Data protection officer appointment

The Act does not contain any national variations with regard to the appointment of a DPO.

However, Section 24 of the Act contains a confidentiality rule which prescribes that a data protection officer may not, without justification, disclose or exploit data into which they have gained insight in connection with the exercise of their duties as data protection officer.

7.6. Data breach notification

According to Section 22(6) of the Act, Article 34 of the GDPR does not apply where the supply of information to data subjects may specifically be assumed to impede the investigation of criminal offenses. Only the police are allowed to make any decision regarding the application of the provision.

7.7. Data retention

The Act does not contain any national variations on data retention.

7.8. Children's data

Please see the section on the legal basis of consent above.

In addition, Sections 6(2) and 6(3) of the Act contain provisions regulating the processing of children's data. Section 6(2) provides that basing the processing of personal data concerning a child on the child's consent pursuant to Article 6(1)(a) of the GDPR in connection with the offering of information society services directly to children is lawful, provided that the child is no younger than 13 years old.

The consent of the holder of parental custody of the child is needed for the processing to be lawful if the child is under 13 years old (Section 6(3) of the Act).

7.9. Special categories of personal data

Please see the section on legal bases above. In addition, Section 7 of the Act governs the processing of special categories of personal data. The provision prescribes that the processing of special categories of personal data will be permitted where one of the following exceptions applies:

Section 7(1) of the Act prescribes that special categories of personal data may be processed if the conditions laid down in Article 9(2)(a), (c), (d), (e) or (f) of the GDPR apply. Furthermore, Section 7(2) of the Act implements the part of Article 9(2)(b) of the GDPR concerning the processing of personal data which is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment law. The part of Article 9(2)(b) of the GDPR governing processing in relation to compliance with social security and social protection law is not implemented and does, as such, not apply in Denmark.

Section 7(3) of the Act implements Article 9(2)(h) of the GDPR by prescribing that processing of special categories of personal data may take place if the processing is necessary for the purposes of preventive medicine, medical diagnoses, the provision of care or treatment, or the management of medical and health care services when the data is processed by a health professional subject under law to the obligation of professional secrecy. Finally, Section 7(4) of the Act prescribes that processing of special categories of personal data may take place if the processing is necessary for reasons of substantial public interest. However, it is a condition that the supervisory authority has given its prior approval to the processing if the processing is not carried out on behalf of a public authority.

When basing the processing of special categories of personal data on one of the exemptions mentioned above, the data controller is obliged to also identify a legal basis in Article 6 of the GDPR.

Article 9(2)(i) of the GDPR has not been implemented through the Act. Therefore, this provision cannot be used as a legal basis for processing special categories of personal data in Denmark. However, it is assumed in the legislative preparation documents that the processing activities that would be covered by Article 9(2)(i) are also covered by Article 9(2)(g) which has been implemented in the Act as described above.

Further, Article 9(2)(j) of the GDPR has not been implemented in the Act with direct reference either. However, the provision is indirectly implemented through Sections 9, 10, and 14 of the Act which allow the processing of special categories of personal data if:

  • the processing is carried out solely for the purpose of operating legal information systems of significant public importance and the processing is necessary for operating such systems;
  • the processing takes place for the sole purpose of carrying out statistical or scientific studies of significant importance to society and where such processing is necessary in order to carry out these studies (please refer to section above on data processing notification for further information concerning disclosure in this regard); or
  • the personal data is transferred to be archived under the rules laid down in the legislation on archives.

When basing the processing of special categories of personal data on Sections 9, 10 or 14 of the Act, the data controller is not obliged to identify a legal basis in Article 6 of the GDPR.

Criminal convictions and offenses

As described above in the section on legal bases in other instances, Section 8 of the Act regulates the processing of personal data related to criminal convictions and offenses.

According to Section 8(5) of the Act, processing of personal data concerning criminal convictions and offenses is lawful if the conditions laid down in Section 7 of the Act, which concerns the processing of special categories of personal data covered by Article 9(1) of the GDPR, are satisfied.

Section 8(1) of the Act concerns the processing of such personal data by public authorities. It follows that personal data concerning criminal convictions and offenses may only be processed on behalf of a public administrative authority if the processing is necessary for the performance of the tasks of the authority.

Section 8(2) of the Act prescribes that public authorities are prohibited from disclosing personal data concerning criminal records and offenses unless one of the following exemptions applies:

  • the data subject has given their prior explicit consent;
  • disclosure takes place for the purpose of safeguarding private or public interests that clearly override the interest of secrecy, including the interests of the person to whom the personal data relates;
  • disclosure is necessary for the performance of activities of an authority or required for a decision to be made by that authority; or
  • disclosure is necessary for the performance of tasks carried out by a person or an enterprise on behalf of a public authority.

Section 8(3) and (4) of the Act contain special provisions concerning the processing of personal data relating to criminal convictions and offenses by private sector organizations. Private sector organizations may rely on the following legal bases when processing information relating to criminal convictions and offenses:

  • the data subject's explicit consent has been obtained; or
  • the processing is necessary for a legitimate interest that clearly overrides the interests of the data subject.

Private organizations are prohibited from disclosing information concerning criminal records and offenses unless the data subject's explicit consent has been obtained or the disclosure takes place for the sake of public or private interests that clearly override the interests that call for secrecy, including the interests of the data subject (Section 8(4) of the Act).

7.10. Controller and processor contracts

The Act does not contain any national variations on requirements for a contract between the data controller and a data processor.

8. Data Subject Rights

In Denmark, the opportunity in Article 23 of the GDPR to restrict the scope of the obligations and rights provided in specific Articles of the GDPR is utilized in Sections 22 and 23 of the Act.

Furthermore, Section 3(5)-3(8) of the Act contains provisions that entail that Chapter III on the rights of the data subjects in the GDPR does not apply. This applies to:

  • information databases that exclusively include already published periodicals or sound and image programs covered by Sections 1(1) or 1(2) of the Media Liability Act, or parts thereof, provided that the data is stored in the information database in the original version published;
  • manual files of cuttings from published printed articles exclusively processed for journalistic purposes;
  • processing of data that otherwise takes place exclusively for journalistic purposes; and
  • processing of data for the sole purpose of artistic or literary expression.

8.1. Right to be informed

Section 22 of the Act prescribes that the provisions in Articles 13(1)-(3), 14(1)-(4), 15, and 34 of the GDPR do not apply if:

  • the data subject's interest in being informed is found to be overridden by essential considerations of private interests, including the consideration for the data subject (Section 22(1) of the Act). However, this exemption only applies if notification of the data subject cannot be omitted under the exemption provisions of Article 13(4) and Article 14(5) of the GDPR; or
  • the data subject's interest in obtaining the information is found to be overridden by essential considerations of public interests, in particular the same interests as stated in Article 23(1)(a)-(j) of the GDPR (Section 22(2) of the Act).

Another exception to the right to be informed is prescribed in Section 22(4) of the Act. This provision states that Articles 13, 14, and 15 of the GDPR do not apply when personal data is processed on behalf of the courts when the courts are acting in their judicial capacity.

Section 23 of the Act also contains an exception to the right to be informed. It states that the duty to provide information under Article 13(3) and Article 14(4) of the GDPR shall not apply in cases where public authorities further process personal data for a purpose other than the purpose for which it was collected, and the further processing takes place on the basis of rules laid down under Section 5(3) of the Act, which authorizes the Minister of Justice and the competent minister to lay down more detailed rules on the topic. However, the authorization for the Minister of Justice to lay down rules in this regard has not been utilized yet.

8.2. Right to access

Section 22 of the Act prescribes that the provisions in Article 15 of the GDPR do not apply if:

  • the data subject's interest in the information is found to be overridden by essential considerations of private interests, including the consideration for the data subject (Section 22(1) of the Act);
  • the data subject's interest in obtaining the information is found to be overridden by essential considerations of public interests, in particular, the same interests as stated in Article 23(1)(a)-(j) of the GDPR (Section 22(2) of the Act);
  • the personal data is being processed on behalf of a public administrative authority in the course of administrative procedure and may be excepted from the right of access under the rules of Sections 19-29 and Section 35 of the Open Administration Act which contains the following exceptions (only available in Danish here);
  • personal data is processed on behalf of the courts when the courts are acting in their judicial capacity (Section 22(4) of the Act); or
  • the processing of personal data takes place exclusively for scientific or statistical purposes (Section 22(5) of the Act).

8.3. Right to rectification

The right to rectification is restricted in Section 22(5) of the Act which states that the right to rectification does not apply if the processing of personal data takes place exclusively for scientific or statistical purposes.

8.4. Right to erasure

There are no national variations besides Section 3(5)-3(8) of the Act, which is described above.

8.5. Right to object/opt-out

The right to object is restricted in Section 22(5) of the Act which states that the right to object does not apply if the processing of personal data takes place exclusively for scientific or statistical purposes.

8.6. Right to data portability

There are no national variations besides Section 3(5)-3(8) of the Act, which is described above.

8.7. Right not to be subject to automated decision-making

There are no national variations besides Section 3(5)-3(8) of the Act, which is described above.

8.8. Other rights

Right to restriction of processing

According to Section 22(5) of the Act, Article 18 of the GDPR about the data subject's right to restriction of processing shall not apply if the processing of data takes place exclusively for scientific or statistical purposes.

9. Penalties

Part 12 of the Act contains provisions on penalties for not complying with the data protection rules.

Compensation

According to Section 40 of the Act, a person who has suffered a material or non-material loss because of an unlawful processing activity or any other processing contrary to the provisions of the Act shall be entitled to compensation according to Article 82 of the GDPR.

Only very little practice on the right to compensation exists. On May 11, 2021, the City Court of Glostrup decided seven cases against Gladsaxe Municipality, which were heard together and concerned the right to compensation. The case concerned a stolen laptop which contained a spreadsheet with information concerning 20,620 citizens, including information such as name, address, national identification number, and summary information relating to health and housing benefits. The laptop was protected with a username and password, but the hard disk was not encrypted. The court found that the citizens were not entitled to compensation for non-material damage as there was insufficient basis for determining that the data subjects had been subject to damages that would justify their claim. The City Court of Glostrup's news on the case is only available in Danish here.

The imposition of fines and imprisonment

Section 41 of the Act regulates the imposition of fines and imprisonment.

Under Section 41 of the Act, a person shall be liable to a fine or imprisonment for a term not exceeding six months if that person infringes one of the following provisions:

  • the data controller's obligations under Articles 8, 11, 25 – 39, 42, or 43 of the GDPR;
  • the certification body's obligations under Articles 42 or 43 of the GDPR;
  • the supervisory body's obligations under Article 41(4) of the GDPR;
  • the fundamental principles of processing, including the conditions for consent set out in Articles 5 – 7 and 9 of the GDPR;
  • the rights of data subjects under Articles 12 – 22 of the GDPR;
  • the transfer of personal data to a recipient in a third country or an international organization under Articles 44 – 49 of the GDPR;
  • Sections 5(1), 5(2), 6, 7(1) – (4), 8, 9(1), 9(2), 10(1) – (4), 11, 12, 13(1) – (7), 20, 21, or 26(1), and 26(5) of the Act;
  • Article 10 of the GDPR, unless the infringement is subject to Section 8 of the Act;
  • Article 58(1) of the GDPR by preventing the supervisory authority from gaining access;
  • Article 58(2) of the GDPR by failing to comply with an order or a provisional or definitive limitation of processing or the supervisory authority's suspension of the transfer of data;
  • if a person fails to comply with an order from the supervisory authority as referred to in Article 58(2) of the GDPR;
  • if a person fails to comply with Datatilsynet's requirements according to Sections 29(1) or 32(1), second sentence, read with Section 29(1) of the Act;
  • if a person prevents the Datatilsynet from gaining access under Sections 29(2) or 32(1), second sentence, read with Section 29(2) of the Act; or
  • if a person fails to comply with the Datatilsynet's decisions under the Act in other respects or sets aside the Datatilsynet's terms of authorization according to the Act.

However, if a higher penalty may be imposed under other legislation, the legislation containing the higher penalty applies. Section 41(4) of the Act also prescribes that a violation of Section 24 of the Act on the duty of confidentiality for DPOs shall result in a fine unless a higher penalty may be imposed under other legislation.

According to Article 83(7) of the GDPR, each member state may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that member state. Based on this, Section 41(6) of the Act prescribes that public authorities and institutions that are subject to Section 1(1) or (2) of the Public Administration Act may be punished for infringements committed in their performance of activity that does not correspond to or cannot be considered equal to an activity carried through by private entities.

Denmark has utilized the possibility in Article 83(9) of the GDPR to decide that the supervisory authority cannot impose administrative fines. The Datatilsynet only recommends fines to the prosecutor and may also report a data processor to the data controller, and in the end, the national courts decide whether a fine should be imposed. In several cases, Datatilsynet has criticized or severely criticized the processing of personal data by both some private companies and public authorities.

However, Section 42 of the Act contains an exception to the fact that the Datatilsynet does not have the competence to impose fines. If the party who committed the infringement admits to being guilty and declares acceptance of a fine, Datatilsynet may indicate by a fixed penalty notice that the case may be settled without legal proceedings. This does, however, require an established practice. As sufficient practice has not yet been established, all cases where the Datatilsynet recommends a fine are currently subject to legal proceedings at the courts.

9.1. Enforcement decisions

As Datatilsynet cannot impose administrative fines, the cases described below are cases that have been tried by the national courts.

ID Design (appealed)

The first fine for breach of the GDPR was issued by the District Court in Aarhus in February 2021. The defendant was the Danish company IDdesign A/S (now Ilva A/S). Ilva A/S was accused of violating Article 5(1)(e) of the GDPR by storing the personal data of about 385,000 customers for longer than was necessary in an older and partly phased-out customer data system.

The Datatilsynet recommended to the prosecution that the case should be settled with a fine of DKK 1.5 million (approx. $219,000) which the prosecutor later agreed to. However, the court decided that the fine should only be DKK 100,000 (approx. $14,600). The decision has been appealed to the High Court by the prosecutor and is currently awaiting legal proceedings. The Datatilsynet's news on the case is only available in Danish here.

Arp-Hansen Hotel Group (appealed)

In this case, the District Court in Lyngby, in February 2022, imposed a fine of DKK 1.1 million (approx. $160,687) on Arp-Hansen Hotel Group A/S for a violation of the GDPR. As in the ID Design case described above, Arp-Hansen was found guilty of violating Article 5(1)(e) of the GDPR by storing personal data longer than was necessary for the purpose for which the personal data was collected. However, Arp-Hansen was only given a warning due to mitigating circumstances. The prosecutor has appealed the District Court's decision to the High Court, and the case is currently awaiting legal proceedings. The Datatilsynet's news on the case is only available in Danish here.

Taxa 4X35 (appealed)

This case from January 2023 also concerned a violation of Article 5(1)(e) of the GDPR. Taxa 4X35, a taxi company, kept information about its customers for longer than necessary according to the purpose for which the personal data was collected. The court decided that Taxa 4X35 had stored the personal data longer than necessary for the purpose for which the personal data was collected. The prosecutor proposed a fine of DKK 1.5 million (approx. $219,230) but due to several mitigating circumstances and long processing time, the fine was reduced to DKK 100,000 (approx. $14,600). The decision has been appealed to the High Court by the prosecutor and is currently awaiting legal proceedings. The Datatilsynet's news on the case is only available in Danish here.

Nordbornholms Byggeforretning

In this case, Nordbornholms Byggeforretning – a local building contractor on the Danish island of Bornholm – was charged with breaching the GDPR by disclosing information concerning previous employees' criminal offenses to two of the contractor's customers. In particular, the contractor had, by email, informed two customers that a specified previous employee had admitted to having committed criminal offenses during his employment with the contractor. The prosecutor recommended a fine of DKK 400,000 (approx. $58,477) but the fine was reduced to DKK 100,000 (approx. $14,600). The decision has not been appealed. The Datatilsynet's news on the case is only available in Danish here.

Hørsholm Municipality

In this case, Hørsholm Municipality was charged with breaching the GDPR by failing to encrypt the hard disks of the municipality's employee laptops. This led to a critical personal data breach as a laptop containing national identification numbers and special category personal data belonging to around 1,600 citizens was stolen. The Helsingør Court imposed a fine of DKK 50,000 (approx. $7,300) on the Municipality for failing to implement technical and organizational measures appropriate to the level of risk posed by the theft of the employee's laptop, since employees' laptops were used to process personal data that was not protected by encryption. The decision has not been appealed. The Datatilsynet's news on the case is only available in Danish here.

JobTeam

In this case, JobTeam was charged with breaching the GDPR by deleting personal data subject to a data subject access request. The prosecutor proposed a fine of DKK 50,000 (approx. $7,300). However, as the court found that it had not been proven that JobTeam had deleted the personal data after receiving the data subject's request for access but before responding to that request, JobTeam was found not guilty.

Lejre Municipality

In this case, Lejre Municipality was charged with breaching the GDPR by uploading minutes from meetings containing special category personal data concerning individuals under the age of 18 to an employee portal which was accessed by a large number of employees in the municipality. As a result, the Court of Roskilde imposed a fine of DKK 50,000 (approx. $7,300) on the municipality. The decision has not been appealed. The Datatilsynet's news on the case is only available in Danish here.

Guldborgsund Municipality

In this case, Guldborgsund Municipality was charged with breaching the GDPR by sending a decision containing the whereabouts of a child to the child's father who had been denied custody of the child. The prosecutor proposed a fine of DKK 50,000 (approx. $7,300), which the court agreed to. The decision has not been appealed. The Datatilsynet's news on the case is only available in Danish here.
