Denmark - Data Protection Overview

April 2022

1. Governing Texts

Act No. 502 of 23 May 2018 on Supplementary Provisions to the Regulation on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data ('the Data Protection Act'), implementing the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), entered into force on 25 May 2018. The Data Protection Act repeals the previous Act on processing of personal data, which had implemented the Data Protection Directive (95/46/EC).

1.1. Key acts, regulations, directives, bills

  • the Data Protection Act
  • the GDPR

1.2. Guidelines

The Danish Data Protection Agency ('Datatilsynet') has published a number of GDPR guidelines (only available in Danish here). These include a number of templates and guidelines in order to aid companies with GDPR-compliance. The non-exhaustive list below sets out some of the more notable guidelines on Datatilsynet's website:

  • Templates for data processing agreements;
  • Guidelines for data protection officers ('DPOs') (only available in Danish here) ('DPO Guidance');
  • Guidelines on information security and the prevention of data breaches;
  • Guidelines on consent;
  • Guidelines on third country transfers;
  • Overview of the Schrems II decision;
  • Overview of special rules for the police and courts of law;
  • Guideline on the level of fines imposed for GDPR-breaches;
  • Guidelines on data protection in employment;
  • Guidelines for surveillance;
  • Guidelines for internet, media and applications;
  • Guidelines on data subject rights;
  • Guidelines on data controllers and data processors (including principles on when substitutes and consultants are data controllers);
  • Guidelines on supervision of data processors and sub-processors;
  • Guidance on risk assessments (only available in Danish here);
  • Guide on risk assessments (only available in Danish here);
  • Guidelines on the records of processing activities;
  • Guidelines on Data Protection Impact Assessments ('DPIA') (only available in Danish here) ('DPIA Guide');
  • Guidance on impact assessments (only available in Danish here);
  • Guidelines on codes of conduct and certifications;
  • Closure of the Electronic Notification System (only available in Danish here);
  • List of the Types of Processing Activities that are Subject to DPIAs (only available in Danish here); and
  • Guide on DPIAs (only available in Danish here).

Furthermore, the European Data Protection Board ('EDPB') has published the following Opinion for Denmark:

Opinion 24/2018 on the draft list of the competent supervisory authority of Denmark regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR).

1.3. Case law

Datatilsynet has issued 179 decisions in total from August 2018 to 26 January 2022, including a majority of cases where Datatilsynet expressed criticism, and in some cases issued injunctions.

We have set out a number of the more noteworthy decisions below. All decisions issued by Datatilsynet after 25 May 2018 are available here (only in Danish). As set out further in the section on penalties below, Datatilsynet is quite active in recommending fines for breaches of the GDPR. As of 28 January 2022, Datatilsynet had recommended fines in 19 cases, with amounts ranging from DKK 50,000 (approx. €6,720) to DKK 1.5 million (approx. €201,680). The full list of fine notices issued by Datatilsynet thus far can be found here.

Taxa 4x35

Following an inspection by Datatilsynet in October 2018, Datatilsynet reported the taxi company, Taxa 4x35, to the police. Datatilsynet recommended a fine of DKK 1.2 million (approx. €160,000) for violation of the GDPR. Datatilsynet found that Taxa 4x35 had only implemented superficial procedures that did not ensure compliance with the requirements of data retention and deletion as set out in the GDPR. This conclusion was primarily based on the premise that Taxa 4x35 claimed to anonymise personal data after a two-year retention period by deleting only the name of data subjects, and by deletion of telephone numbers only after a period of five years. When Datatilsynet carried out its inspection, Taxa 4x35 had information about in excess of 8.8 million taxi trips, which were older than two years.

IDdesign A/S

Following an inspection by Datatilsynet in October 2018, Datatilsynet reported the furniture company, IDdesign A/S, to the police. Datatilsynet recommended a fine of DKK 1.5 million (approx. €200,000) for violation of the GDPR. Prior to the inspection IDdesign A/S had provided Datatilsynet with an overview of systems used to process personal data.

Furthermore, IDdesign A/S informed Datatilsynet that an older system was utilised in three separate stores ('IDEmøbler'), which had been replaced by a new system for all other stores. In the old system, personal data including the names, addresses, telephone numbers, emails, and purchase history of approximately 385,000 customers were processed. IDdesign A/S had not addressed and taken a position on when personal data in the old system was no longer necessary to fulfil the purpose for which they were collected, and had not set deadlines in respect of retention and deletion of such personal data.

The City Court in Aarhus decided to fine the company DKK 100,000 (approx. €13,445), which was a significantly smaller fine than what the prosecution had claimed. In particular, the City Court in Aarhus emphasised the following:

  • the breach of the GDPR was negligent;
  • the company had no previous infringements of the GDPR;
  • the personal data affected was general information;
  • no data subject had suffered damage; and
  • the company had committed itself to comply with the GDPR in its new system.

The fine was determined on the basis of the company's turnover alone and not on the basis of the worldwide turnover of the entire group, which Datatilsynet had prepared for. The prosecution has now appealed the judgment.

The IT University's (ITU) use of a supervisory application

Datatilsynet has issued a decision in a case where, following a telephone inquiry, it decided to investigate in more detail the IT University's ('ITU') use of a supervisory program in an online examination.

Because of the COVID-19 situation, ITU had been required to host classes and exams online. The ITU assessed that in a single subject, it was necessary to supervise the students by means of a supervision program that during the three-hour exam made video, audio and screen recordings, and registration of browser search history from the students' computers.

Specifically, Datatilsynet found that ITU's use of the supervisory program had taken place within the framework of the data protection rules.

In its decision, Datatilsynet emphasised, among other things, the following circumstances:

  • ITU had made a concrete assessment of the necessity of examination supervision in relation to the subjects offered by ITU, and had found such a need for a single subject only;
  • in selecting the monitoring program, ITU had chosen a program that was the least intrusive in relation to the specific circumstances;
  • ITU had briefed the students on the extraordinary processing of personal data; and
  • ITU had taken a number of security measures in connection with the monitoring program's processing of student information.

Additional cases where Datatilsynet has issued injunctions or expressed serious criticism include the following:

  • Datatilsynet prohibited a large telecommunications company (namely, TDC A/S) from recording telephone conversations for internal training without consent, and in that respect ordered TDC A/S to refrain from recording such conversations until they had a technical solution that would enable TDC A/S to collect consent in compliance with the GDPR;
  • Datatilsynet severely criticised an IT provider (namely, Rejsekort A/S) that provides travel cards and the IT infrastructure for the use of such travel cards in public transport. Rejsekort A/S had failed to rectify location data, as the technical solution chosen by Rejsekort A/S did not sufficiently enable it to do so;
  • Datatilsynet severely criticised TDC A/S as its registration of telecommunications traffic and location data did not live up to the principle of data minimisation set out in Article 5(1)(c) of the GDPR;
  • Datatilsynet severely criticised the University of Copenhagen for failing to handle personal data in compliance with Articles 32(1), 33(1), and 34(1) of the GDPR when a medical student lost a video recorder containing interviews with patients for the purpose of his studies. Datatilsynet found that the University of Copenhagen was the data controller in respect of the information collected by the student. The University subsequently failed to inform Datatilsynet and the patients whose data security had been compromised;
  • Datatilsynet severely criticised the Danish Meteorological Institute as its solution for obtaining user consent with regard to the processing of personal data on its website did not meet the requirements for consent in Article 4(11) of the GDPR. Furthermore, Datatilsynet found that the collection of personal data and the subsequent handing over of the data to Google was a breach of the principle of lawfulness under Article 6 of the GDPR;
  • Datatilsynet expressed severe criticism to DSB (i.e. Danish State Railways) as it did not perform its duties stated in Articles 12(2), 12(3), and 15(3) of the GDPR, when it failed to provide a citizen with a copy of the personal data undergoing processing in good time, and did not provide such data in its full extent. In connection to the case, Datatilsynet emphasised that a requirement cannot be made for a registered person to explicitly request access to the personal data that a data controller may process in connection to CCTV surveillance. The data controller must provide such information on its own initiative;
  • Datatilsynet criticised Statistics Denmark for their failure to update personal data on a citizen who had requested to be included on a list of citizens who do not wish to participate in Statistics Denmark’s voluntary surveys;
  • Datatilsynet expressed serious criticism of the Danish Serum Institute ('SSI') for their failure to implement sufficient data protection measures, and failure to enter into a data processing agreement in due time regarding high risk sensitive health information which was to be shared with an expert group. In this matter it was a mitigating circumstance that the processing took place during an international crisis situation (Covid-19), and that it took place in the interest of general public health; and
  • on 25 November 2021, Datatilsynet published a decision in which it expressed serious criticism of Silkeborg Municipality for sending an unencrypted email containing sensitive information (only available in Danish here). Datatilsynet found that Silkeborg Municipality could not document that the email in question had been sent encrypted. Therefore, Datatilsynet found that Silkeborg Municipality had violated Articles 5(1)(f), 5(2), and 32(1) of the GDPR.

Data controllers and data processors may have recourse to the Danish courts under the current Data Protection Act (as well as the former Act), should they have cause to believe that a Datatilsynet decision is not correct. Even though recourse to the courts is a possibility, there are very few court cases.

2. Scope of Application

2.1. Personal scope

The Data Protection Act applies to any processing of personal data, except for the exemptions stipulated in the Act. Further, the Data Protection Act applies to deceased persons for ten years after the person's death. Exemptions to the Data Protection Act are listed in the section on the data protection authority. Some notable exemptions to the Data Protection Act's applicability include cases where enforcement of the Data Protection Act would breach human or basic rights, the work of national security agencies, parliamentary processing, and/or the work of journalists.

2.2. Territorial scope

The Data Protection Act and any rules or guidelines issued in relation hereto apply to any processing of personal data related to activities carried out on behalf of a data controller or data processor who is established in Denmark, regardless of whether or not the processing takes place in the European Union. It also applies to processing as carried out by Danish diplomatic delegations or representatives.

The Data Protection Act further applies to processing by a data controller or data processor outside the EU if the personal data being processed relates to a person located in Denmark, and the processing concerns the exchange or offering of goods or services in the EU or the surveillance of a person, where the activities being monitored take place in Denmark.

2.3. Material scope

The Data Protection Act applies to all processing of personal data carried out, in full or in part, by means of automatic data processing, and to any other non-automatic processing of personal data that is or is intended to be contained in a filing system, subject to the exceptions listed in Article 2(2)(b) to (d) of the GDPR and Section 3 of the Data Protection Act.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

Datatilsynet is the supervisory authority for data protection, and the agency is responsible for monitoring compliance with data protection rules. Datatilsynet consists of a council and a secretariat.

3.2. Main powers, duties and responsibilities

Datatilsynet oversees any type of processing covered by the Data Protection Act, the GDPR, or any other legislation that falls within the scope of the special rules for the processing of personal data in the GDPR (Section 27 of the Data Protection Act). It also advises public authorities and private persons on matters relating to personal data, handles complaints, and carries out inspections in both the private and public sectors.

4. Key Definitions

Data controller: No national law variations.

Data processor: No national law variations.

Personal data: No national law variations.

Sensitive data: No national law variations.

Health data: No national law variations.

Biometric data: No national law variations.

Pseudonymisation: No national law variations.

5. Legal Bases

5.1. Consent

Section 12(3) of the Data Protection Act sets out how the processing of personal data in matters of employment may be carried out using consent from the employee as the legal basis for processing.

5.2. Contract with the data subject

The Data Protection Act does not implement variations of the GDPR on the performance of a contract as a legal basis.

5.3. Legal obligations

The Data Protection Act does not implement variations of the GDPR on a legal obligation as a legal basis.

5.4. Interests of the data subject

The Data Protection Act does not implement variations of the GDPR on the protection of the interests of the data subject as a legal basis.

5.5. Public interest

The Data Protection Act does not implement variations of the GDPR in relation to carrying out a specific task in the public interest as a legal basis.

5.6. Legitimate interests of the data controller

The Data Protection Act does not implement variations of the GDPR in relation to legitimate interests as a legal basis.

5.7. Legal bases in other instances

Article 89 of the GDPR has not as such been implemented into Danish legislation. No other regulations, opinions, or guidelines elaborating on how Article 89 of the GDPR is to be interpreted have been issued.

As such there are no further requirements or exemptions to the processing of personal data for scientific or historical research purposes than those stipulated in the GDPR.

Processing of personal data by credit rating agencies

The Data Protection Act extends regulatory scope to credit rating agencies. In this respect, it imposes restrictions on the categories of personal data which can be processed by credit rating agencies in relation to credit rating (Sections 19-21 of the Data Protection Act). This includes the following restrictions:

  • only data categories necessary for credit rating and evaluation of an individual's financial standing can be processed;
  • credit rating agencies cannot process special categories of personal data, or information about criminal convictions or offences;
  • personal data more than five years old that may indicate that credit should not be granted must not be processed unless it is assessed that the information is of crucial importance to the credit rating of the individual; and
  • information about financial standing or the credit rating of individuals can only be communicated to third parties in writing, unless the data is aggregated and the information of the receiver's name and address is stored by the credit rating agency for at least six months.

6. Principles

The Data Protection Act is enacted to supplement the rules, and thus principles, as set forth in the GDPR.

7. Controller and Processor Obligations

7.1. Data processing notification

Prior authorisation

Article 7(4) of the Data Protection Act stipulates that pursuant to Article 9(g) of the GDPR, the processing of special categories of personal data may take place if the processing is necessary for reasons of substantial public interest. Article 7(4) of the Data Protection Act states that the supervisory authority must give its authorisation for this purpose if the processing is not carried out on behalf of a public authority.

Furthermore, Article 19 of the Data Protection Act notes that a person who wishes to carry on business involving the processing of data for assessment of financial standing and creditworthiness for the purpose of disclosure of such data (credit information agency) must obtain authorisation to do so from the Datatilsynet prior to commencing such processing.

In addition, the permission of Datatilsynet must be obtained where the processing of personal data is carried out for a private data controller and when the processing (Section 26 of the Data Protection Act):

  • is carried out in order to warn others against business connections or employment with the data subject;
  • is carried out for purposes of commercial disclosure of personal data for the assessment of financial standing, or creditworthiness; or
  • takes place solely for the purpose of maintaining a legal information system.

The Data Protection Act gives the Danish Minister of Justice the power to introduce regulations to require data controllers to pay charges to Datatilsynet in order to help with funding Datatilsynet's tasks. No such regulations have been passed to date.

In this regard, the Data Protection Act stipulates that unless a higher penalty must be imposed under other legislation, a person shall be liable to a fine or imprisonment for a term not exceeding six months if that person infringes the prior authorisation requirements under Articles 7(4) and 26(1) of the Data Protection Act or if that person fails to comply with the Datatilsynet's decisions under the Data Protection Act in other respects or sets aside the Datatilsynet's terms of authorisation according to the Data Protection Act (Article 41(2)(1) and 41(2)(8) of the Data Protection Act).

7.2. Data transfers

The Ministry of Justice, in collaboration with the appropriate minister, has the authority to issue an Executive Order determining that personal data processed in specific IT systems may only be stored in Denmark. The provision should be limited to personal data processed as part of public administration and the information must be of particular interest for a foreign power. In particular, the provision is expected to apply to at least major national systems such as the CPR register, particular tax systems, and some other special registers, and public e-mailing systems. The Minister of Justice has issued an Executive Order (only available in Danish here) containing such a list together with guidance setting out when the purchase of new IT systems must be assessed by the Ministry of Justice to determine if such systems should be added to the list.

7.3. Data processing records

The GDPR requires a record of all data processing activities to be kept. The Data Protection Act does not deviate from the GDPR on the matter of records of processing activities.

7.4. Data protection impact assessment

Datatilsynet has the power to draw up a list of processing activities which constitute 'high risk' processing (Section 26(4) of the Data Protection Act). The list (only available in Danish here) provides the following types of processing operations requiring a DPIA, where two of the following criteria are met:

  • processing of biometric data for the purpose of uniquely identifying a natural person in consistency with at least one additional criterion from the WP29 DPIA Guidelines [Guidelines on DPIA and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679 | WP 248 rev.01 (13 October 2017) ('the WP29 DPIA Guidelines')];
  • processing of genetic data in the context of at least one additional criterion from the WP29 DPIA Guidelines;
  • processing of location data in the context of at least one additional criterion from the WP29 DPIA Guidelines;
  • processing using new technologies in the context of at least one additional criterion from the WP29 DPIA Guidelines;
  • processing that leads to decisions about a natural person's rights to a product, service, a potential opportunity or favour based on any form of automated decision making (including profiling);
  • processing involving profiling on a large scale about individuals as defined in the WP29 DPIA Guidelines;
  • processing of personal data of vulnerable persons or where the data processed is sensitive information (special categories) and where profiling or other forms are used for automated decisions; and
  • processing where a breach of personal data security can have a direct effect on a person's physical health or on the safety of a natural person.

Datatilsynet has not issued a list of activities which do not require a DPIA ('Whitelist').

Furthermore, in connection with obtaining permission in accordance with Section 26 of the Data Protection Act, it will be necessary to conduct a DPIA, as it is necessary to demonstrate that the appropriate and necessary risk mitigation measures have been taken.

7.5. Data protection officer appointment

The DPO Guidance stipulates in Section 3.1 that in most cases, the private sector does not need to appoint a DPO. Only private companies that, as part of their core business, process sensitive information or information on criminal offences on a large scale, or carry out regular and systematic monitoring of persons, to a large extent, are required to appoint a data protection adviser. The obligation for private companies to appoint a DPO applies to both the controller and the processor.

Section 3.1.1 of the DPO Guidance further notes that ordinary processing of personal data does not in itself constitute a 'core activity'. Such processing can instead be considered a 'secondary activity', as the information is processed in order to support the main activity of the company.

When a company processes personal information as a secondary activity, the company is not required to appoint a DPO. The DPO Guidance outlines that the following types of processing constitute examples of secondary processing:

  • customer contact or support;
  • HR information;
  • sales;
  • customer database;
  • online booking system;
  • loyalty cards;
  • processing of client information by professionals such as lawyers and engineers; and
  • IT support.

Section 3.1.1 of the DPO Guidance further outlines that the following types of processing constitute examples of core processing activity:

  • cloud computing;
  • hosting of websites/data;
  • private hospitals;
  • insurance companies;
  • advertising agencies that offer marketing surveys;
  • search engines;
  • telecommunications or Internet service providers; and
  • applications/mobile services based on personal information.

Role

The DPO Guidance stipulates in Section 5.4 that a DPO must not be instructed by others on how to perform their tasks, must not be dismissed or sanctioned for performing their duties, and must additionally report directly to the top level of management. The DPO Guidance also states that, under the Danish Act on Public and Private Limited Companies ('the Companies Act'), it is the board of directors that is the supreme governing body of companies that have both a board of directors and an executive board. In practice, this will mean that the executive board must inform the board of directors of essential issues pointed out by the DPO.

Moreover, DPOs in Denmark may not, without justification, disclose or exploit data into which they have obtained insight in connection with the exercise of their duties as DPOs (Section 24 of the Data Protection Act).

Violation of this rule is punishable by a fine unless a higher maximum penalty is provided for in other legislation (Section 41(6) of the Data Protection Act). In the public sector, the Public Administration Act No. 145 of 24 February 2020 (only available in Danish here) and the Penal Code (Act No. 1851 of 20 September 2021) (only available in Danish here) set out an obligation of secrecy which, if not complied with, may be punished by imprisonment.

Notification

Datatilsynet has previously announced that organisations may notify it of the appointment of a DPO by sending an email to [email protected] with the DPO's contact details (name, phone number, and e-mail address).

Section 5.5 of the DPO Guidance states that the unfair dismissal of a DPO will be sanctioned with a fine. However, the DPO may be dismissed on a factual basis under the normal rules of law.

7.6. Data breach notification

The Data Protection Act introduces a specific exemption to the obligation to notify data subjects of a data breach if the data subject's interest in receiving the information is assessed to be overridden by essential considerations of private interests, including the interests of the data subject (Section 22(2) of the Data Protection Act). Further, the notification obligation does not apply if the police authorities assess that notification may complicate or hinder criminal investigations (Section 22(6) of the Danish Data Protection Act).

Datatilsynet has issued guidance on the handling of a personal data breach (only available in Danish here) ('Data Breach Guidance'), in which it elaborates on the circumstances where it is unlikely that a breach constitutes a risk to natural persons' rights and freedoms, and where notification is therefore not required. According to the Data Breach Guidance, it is not necessary to notify either Datatilsynet or the data subjects when the personal data which has been compromised was appropriately encrypted or otherwise safeguarded in a way that makes it impossible to link the information to the individual without further information which is not available, i.e. if the data has been pseudonymised. Additionally, notification to data subjects is not necessary if the data controller has implemented safeguards after the breach ensuring that the high risk to the rights and freedoms of natural persons is likely to no longer exist. It must be noted that it is the data controller who assesses whether notification should be carried out, and who is responsible for that decision.

Lastly, even if it is assessed that a data breach is likely to result in a high risk to the rights and freedoms of the data subject, it is not necessary to notify each data subject if it is assessed that such notification would require disproportionate effort or is impossible. It is the data controller who makes such an assessment and who is responsible for that decision. If the data controller decides that such notification would require disproportionate effort or is impossible, the data controller must instead make a public announcement or similar, to ensure that the data subjects are notified in an effective manner.

Data controllers in certain sectors may be required to inform sectoral regulators of any breach; for example, financial services firms may be required to inform the Danish Financial Supervisory Authority ('DFSA') of any breach.

Further, data controllers who are operators of essential services or digital service providers are required to notify the competent authority of incidents having a significant impact on the core services they provide, in accordance with the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive').

7.7. Data retention

The GDPR requires the deletion of data when the processing of the data is no longer required for the relevant purposes. The Data Protection Act does not deviate from the GDPR on the matter of data retention.

7.8. Children's data

The processing of data concerning children in connection with the direct offering of information society services is lawful provided the child is no younger than 13 years old (Section 6(2) of the Data Protection Act). The processing of data of children aged 13 and under is lawful to the extent that consent is given or approved by the holder of parental responsibility for the child (Section 6(3) of the Data Protection Act).

When assessing if a child under the age of 18 can provide consent, the data controller must take the maturity of the child into consideration. According to the guidelines on consent from Datatilsynet (see section on guidelines above), a child aged 15 will generally be sufficiently mature to provide consent on their own.

7.9. Special categories of personal data

In relation to the processing of data on criminal convictions and offences, public authorities are allowed to process such data if the processing is necessary to perform the tasks incumbent on the authority.

Private data controllers are allowed to process data on criminal convictions and offences when:

  • the data subject provides its express consent;
  • the processing of such data is necessary for the purpose of a legitimate interest which clearly overrides the interest of the data subject (Section 8(3) of the Data Protection Act). This ground must be relied on with care, as the scope of the section is expected to be very limited, e.g. private data controllers may record information on theft for the purpose of providing the information to the police; or
  • if the processing is based on one of the exceptions available for processing special categories of personal data.

In relation to the processing of national identification numbers (in Denmark each individual has a unique identification number known as the CPR number), public authorities are allowed to process these for the purpose of identifying the individual or as a case number. Private data controllers can process a national identification number only if (Section 11 of the Data Protection Act):

  • they are obliged by law to do so;
  • the data subject has consented to the processing;
  • the processing is conducted solely for scientific or statistical purposes;
  • the identification number is transferred to another data controller and such transfer is a usual part of the private data controller's business and is necessary to ensure identification of the data subject, or the transfer is required by a public authority; or
  • the processing is based on one of the exceptions available for processing special categories of personal data.

7.10. Controller and processor contracts

Any data controller who has a data processor acting on their behalf must have a data processing agreement in place. The following content should be included:

  • the purpose for which the data processor processes personal data on behalf of the data controller;
  • the duration for which the data processor will process the personal data on behalf of the data controller;
  • the type of personal data that the data processor will be processing on behalf of the data controller;
  • the categories of data subjects (the natural persons to whom the personal data relates);
  • the obligations and rights of the data controller;
  • the data processor shall only process personal data on documented instruction from the data controller (the only exception may be if the data processor is required to do so by applicable laws of an EU country and in such a case, the data processor shall inform the data controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest);
  • the data processor must not engage another data processor without the prior written approval of the data controller, or the data processor shall inform the data controller of any intended changes concerning the addition or replacement of sub-processors, and provide the data controller the opportunity to object to such changes;
  • the data processor must not transfer personal data out of the European Economic Area ('EEA') without the prior written authorisation of the data controller. If approval is granted: the data processor must comply with any requirements established by any data protection authority or any other governmental authorities necessary for the granting of approval by such authorities for the transfer of personal data outside of the EEA, including by entering into the European Commission's Standard Contractual Clauses ('SCCs') of 4 June 2021;
  • the data processor shall ensure that the same data protection obligations as set out in the data processing agreement shall be imposed on the sub-processors;
  • the data processor shall remain liable where the sub-processor fails to fulfil its data protection obligations; and
  • the data processor shall ensure that the employees of the data processor who have access to personal data have committed themselves to confidentiality.

8. Data Subject Rights

8.1. Right to be informed

The right of information to be provided to a data subject does not apply if the data subject's interest in receiving the information is assessed to be overridden by essential considerations of private interests, including the interest of the data subject itself (Section 22(1) of the Data Protection Act). Such private interests can be both third parties' interests as well as the data controller's own interests. Examples of interests which may give reason for not providing information are essential considerations of a data controller's trade secrets or of third parties, including other natural persons e.g. an underage child of the data subject. Further, the right to information does not apply where personal data is processed by courts and where the courts act in their capacity as such in relation to the processing activity in question (Section 22(4) of the Data Protection Act).

8.2. Right to access

The right of access to be provided to a data subject does not apply if the data subject's interest in receiving the information is assessed to be overridden by essential considerations of private interests, including the interest of the data subject itself (Section 22(1) of the Data Protection Act). Such private interests can be both third parties' interests as well as the data controller's own interests. Examples of interests which may give reason for not granting the right to access are essential considerations of a data controller's trade secrets or of third parties, including other natural persons e.g. an underage child of the data subject. Further, the right to access does not apply where personal data is processed by courts and where the courts act in their capacity as such in relation to the processing activity in question (Section 22(4) of the Data Protection Act).

8.3. Right to rectification

The Data Protection Act does not implement variations of the GDPR on the right to rectification.

8.4. Right to erasure

The Data Protection Act does not implement variations of the GDPR on the right to erasure.

8.5. Right to object/opt-out

The Data Protection Act does not implement variations of the GDPR on the right to object/opt-out.

8.6. Right to data portability

The Data Protection Act does not implement variations of the GDPR on the right to data portability.

8.7. Right not to be subject to automated decision-making

A data subject can be subject to a decision based solely on automated processing if the decision is authorised by Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests (Article 22(2)(b) of the GDPR). The Ministry of Justice has indicated that it constitutes a suitable and sufficient guarantee for the data subject's rights that citizens can appeal an automated decision to a superior authority which does not make its decision via an automated process, and thus interprets Article 22(2)(b) of the GDPR to be in accordance with already applicable law. Automated decisions are authorised in Act No. 1037 of 30 August 2017 on State Education Grants (only available in Danish here) and Act No. 6 of 7 January 2022 on Recovery of Public Debt (only available in Danish here), among others.

8.8. Other rights

The right to restriction of processing does not apply if personal data is solely processed for scientific or statistical purposes (Section 22(5) of the Data Protection Act).

9. Penalties

Datatilsynet may, in accordance with the GDPR, impose fines for infringements of the GDPR. However, under Danish law, Datatilsynet does not have the direct competence to issue fines. Instead, Datatilsynet is granted the right to issue a fine notice. Despite this right, Datatilsynet cannot issue a fine notice until court practice on the level of fines for certain violations of the GDPR has been established; this has been mitigated with guidelines on the level of fines, as set out below. Thus, currently, Datatilsynet will not issue a fine notice but will propose a fine, which must then be tried before the Danish courts.

Datatilsynet has composed guidelines on determining the amount of fines for companies' breaches of the GDPR and the Danish Data Protection Act. The guidelines were issued on 29 January 2021 (only available in Danish here).

The intention behind the guidelines is to promote a greater level of transparency on how the agency determines the amount for the fines to be proposed for GDPR breaches. The guidance is a working document that will be continuously improved as the Datatilsynet, the prosecution, and the courts handle more criminal cases in the area.

The guidelines outline the basic amounts for six different categories of violations. In summary, the guidance sets the following model for determining the amount of fines to be proposed by Datatilsynet:

  1. Basic amount of the fine – 75/150 million DKK or 2/4% of the worldwide annual turnover (adjusted, however, for company size)
  2. Adjustment based on a specific assessment of the nature, gravity and duration of the infringement
  3. Aggravating circumstances
  4. Mitigating circumstances
  5. The amount of the fine, taking into account the infringement and the circumstances of the case
  6. Possible adjustment to the maximum under the GDPR
  7. Possible adjustment according to solvency
  8. Final amount of the GDPR fine

In addition to fines, Datatilsynet may criticise data controllers and data processors or order them to comply with the GDPR and the Data Protection Act in relation to their obligations.

Furthermore, the Data Protection Act provides that violations are punishable by up to six months' imprisonment.

The limitation period for infringements of the Data Protection Act is five years, equal to the statute of limitations for claims under the GDPR.

9.1. Enforcement decisions

See section on case law above.