Denmark: Health and Pharma Overview
1. Governing Texts
Due to Denmark's EU membership, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is directly applicable in Denmark. The GDPR is the main governing act regarding the processing of personal data in almost all sectors.
Prior to the adoption of the GDPR, Denmark already had numerous statutes in place for the protection of personal data within the health and pharmaceutical sector. These statutes have now been reviewed in light of the GDPR and amended accordingly. The GDPR thus acts as the main governing act for data protection in the health and pharmaceutical sector with other statutes complementing it, especially the Danish Data Protection Act (2018-05-23, no. 502) ('the Data Protection Act') and the Danish Health Act (2019-08-26, no. 903) (only available in Danish here) ('the Health Act').
The following acts are the key governing acts concerning the health and pharmaceuticals sector, as well as privacy and data protection:
- The Data Protection Act;
- The Health Act;
- The Danish Medicines Act (2018-01-16, no. 99) (only available in Danish here) ('the Medicines Act');
- The Danish Medical Equipment Act (2016-02-15, no. 139) (only available in Danish here) ('the Medical Equipment Act');
- The Danish Act on Clinical Trials of Medicinal Products (2016-06-08, no. 620) ('the Clinical Trials Act');
- The Danish Act on the ethical treatment of health science research projects and health data science research projects (2020-09-01, no. 1338) (only available in Danish here) ('the Committee Act');
- The Danish Criminal Code (2020-11-17, no. 1650) (only available in Danish here) ('the Criminal Code');
- The Danish Public Administration Act (2014-04-22, no. 433) (only available in Danish here) ('the Public Administration Act'); and
- The Danish Public Access to Information Act (2020-02-24, no. 145) (only available in Danish here) ('the Access to Information Act').
- Executive Order (2016-06-12, no. 695) on good clinical practice in clinical trials with medicinal products in humans (only available in Danish here) ('the Clinical Trials Executive Order');
- Executive Order (2011-03-01, no. 1) on reporting of unintended incidents in the health service, etc. (only available in Danish here);
- Executive Order (2015-12-15, no. 1823) on the reporting of side effects with medicines, etc. (only available in Danish here);
- Executive Order (2019-04-04, no. 359) on information and consent in connection with patient treatment and when transferring and obtaining health information, etc. (only available in Danish here) ('the Executive Order on Patient Consent'); and
- Executive Order (2021-06-08, no. 1225) on the patient records of authorised healthcare professionals (record keeping, storage, disclosure, and transfer, etc.) (only available in Danish here) ('the Executive Order on Patient Records').
1.2. Supervisory authorities
The Danish data protection authority ('Datatilsynet') is the national independent supervisory data protection authority in Denmark with responsibility for upholding the fundamental right of protecting personal data. Its statutory powers, functions, and duties derive from, among other things, the Data Protection Act and the GDPR.
- examines complaints from individuals in relation to potential infringements of data protection law;
- conducts inquiries and investigations regarding infringements of data protection legislation, including within sector-specific areas such as the health and pharmaceuticals sector, and takes enforcement action where necessary;
- through consultations with organisations, assists in identifying risks to personal data protection; and
- cooperates with other data protection authorities.
The Health Authority
The Danish Health Authority ('the Health Authority') is responsible for advising and supporting the general population, the Ministry of Health ('the Ministry'), the regions and the municipalities on health issues, and for ensuring the best possible quality of healthcare and elderly care across the country.
The Danish Medicines Agency ('the DMA') forms part of the Ministry and contributes to developing policies and regulations in the pharmaceutical area, both in Denmark and in dialogue with the EU's other regulatory authorities. Among other things, it:
- authorises and inspects pharmaceutical companies, and licenses medicinal products in the Danish market;
- monitors adverse reactions from medicinal products;
- authorises clinical trials;
- decides which medicines are eligible for reimbursement;
- monitors medical devices available in Denmark and supervises adverse incidents involving medical devices; and
- appoints proprietary pharmacists, organises the pharmacy structure, and supervises pharmacies and retailers.
The Clinical Trials Regulation entered into force on 31 January 2022 and the DMA will monitor compliance with it.
The Health Data Authority
The National Danish Health and Medicines Data Authority ('the Health Data Authority') creates coherent health data and digital solutions for the benefit of patients and clinicians, as well as for research and administrative purposes in the Danish health care system. Among other things, it:
- provides health data on activity, finances, and quality for health professionals, administrators in regions, and municipalities, as well as citizens and other key users;
- strengthens the overall digitalisation and promotes a coherent data and IT architecture in the healthcare system with a focus on information security;
- ensures in a number of areas comprehensive and valid health data for patient treatment and research;
- strengthens the coordination of the overall digitalisation of the Danish healthcare system; and
- coordinates the work with health data and IT across the Danish healthcare system and sets common goals in the form of strategies, agreements, and IT architecture.
The Research Committee
Denmark has a health research ethics committee system consisting of 12 regional committees and a national committee, namely the National Committee on Health Research Ethics ('the Research Committee'), whose tasks include:
- coordination of activities in the regional committees;
- laying down guidelines;
- giving opinions on issues of a fundamental nature, if this is not related to the approval of a concrete research project;
- acting as a board of appeal in connection with findings in the regional committees;
- monitoring the development of research within the health sector and promoting the understanding of ethical problems resulting from the development of health services and biomedical research environments; and
- considering whether the Research Committee is to make recommendations to relevant ministries; these provisions deal with specific, new fields of research.
The Patient Safety Authority
The Danish Patient Safety Authority ('the Patient Safety Authority') performs a number of tasks to strengthen patient safety. These tasks are to:
- supervise authorised health professionals and health organisations;
- offer advice about communicable diseases, health conditions relevant in the issuance of driving licences, and conducting inquests, among others;
- issue registrations in 17 different healthcare professions to both Danish and foreign healthcare professionals;
- issue permissions to practice independently as a medical doctor, dentist, or chiropractor;
- issue specialist registrations in the 38 medical specialities and specialist registrations in the two dental specialties;
- handle the central administration of the reporting system for adverse events in the health service and contribute to using knowledge about adverse events and knowledge from patient and compensation cases in a preventive way; and
- give advice about the right to medical assistance in other countries pursuant to Danish legislation, EU regulation, and other international agreements.
The Datatilsynet has published numerous guidelines concerning the processing of personal data in Denmark. Some of these specifically concern the health sector. These guidelines and general guidance are accessible in Danish on the Datatilsynet's website. The following guidelines are particularly relevant:
- Guidelines regarding research and statistics (only available in Danish here);
- Guidelines regarding health (only available in Danish here); and
- Guidelines regarding categories of personal data (only available in Danish here).
The European Data Protection Board ('EDPB') has adopted several guidelines and opinions concerning the application of the GDPR which are relevant in the health and pharmaceutical sector. Since the GDPR acts as the main legal act for data protection in the health and pharmaceutical sector in Denmark with other statutes complementing it, the guidelines from the EDPB are also of great importance.
Further, the Research Committee has several guides and questions and answers regarding health research. The publications are mainly in Danish but some English versions can also be found on its website. Please note that the Research Committee is in the process of updating its guidelines relating to the GDPR and health research information.
Many research projects involve processing large amounts of personal data, including sensitive information. Therefore, it is crucial that the rules in the research area are complied with in order to be able to take into account the individual data subjects.
The Datatilsynet is therefore initiating a broad effort covering both supervisory activities and more concrete and targeted guidance.
The Datatilsynet also stated that in Denmark, there is wide access to conducting extensive research, and it provides an opportunity to conduct important research. But the broad access to conducting research is based on the premise that it is done in a responsible way, where the rules are complied with, so that Danes can have confidence that their information is processed properly when they are part of a research project.
Against this background, the Datatilsynet has initiated a number of supervisory activities in the research area.
On 22 June 2020, the Datatilsynet published news that the DMA would take a closer look at Kammeradvokaten's (the primary attorney to the Danish state) reports on Statens Serum Institut's (SSI) processing of personal data for research use. Based on the preliminary conclusions in Kammeradvokaten's reports, only available in Danish here, the Datatilsynet decided to take up a case against SSI for, among other things, the unlawful transfer of personal data to the US without proper legal basis. In this regard, the Datatilsynet asked the institute to explain a number of the issues that recur in the preliminary reports.
In order to investigate whether the same issues as with SSI are recurring with other similar data controllers, the Datatilsynet initiated a number of written inspections of public authorities that carry out research. The audits focus on:
- roles and responsibilities (data responsibility);
- basis for processing;
- transfer of personal data to recipients in European Economic Area ('EEA') countries and to recipients in countries outside the EEA;
- supervision of data processors;
- the Datatilsynet's possible permission for disclosure, as required under Article 10(3) of the Data Protection Act;
- records of processing activities, as required under Article 30 of the GDPR; and
- policies/guidelines on data protection in connection with the implementation of research projects.
Based on the challenges mentioned in Kammeradvokaten's report on the SSI's processing of personal data for research use, the Datatilsynet has also decided to prepare new guidelines in the research area.
Special categories of personal data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (Article 9(1) of the GDPR).
Special Danish regulation applies regarding so-called 'confidential information'. Confidential information is a special category of information/personal information that is not explicitly mentioned in the GDPR or the Data Protection Act, but where special protection needs may be relevant in the application of data protection regulation. Furthermore, confidential information will often be subject to special regulation in other legislation. A social security number (CPR number) is an example of such confidential information that is separately regulated in the Data Protection Act.
The decisive factor for whether information is to be considered confidential will be an assessment of whether the information should, in the general opinion of the society, be required to be withheld from the public (Section 152 of the Criminal Code in conjunction with Section 27 of the Public Administration Act). On the other hand, confidential information is not always to be considered as sensitive information in the sense of Article 9(1) of the GDPR.
Non-sensitive personal information may be confidential in certain situations. Depending on the circumstances, this applies to information on income and assets, employment, education, and employment conditions. The same applies to information about internal family relationships, including information about, for example, suicide attempts and accidents. Information that can be attributed to certain persons and that cannot be refused to be disclosed under the Access to Information Act will not be of a confidential nature. This applies, for example, to information of a purely objective nature, such as information on the issuance of passports, driving licences, hunting licences, among others.
Biometric data: Personal data resulting from specific technical processing related to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Article 4(14) of the GDPR).
Genetic data: Personal data in relation to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which results, in particular, from analysis of a biological sample from the natural person in question (Article 4(13) of the GDPR).
Data concerning health: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status (Article 4(15) of the GDPR).
The Health Act defines health information as information about a patient's health condition and other confidential information related to the treatment of the patient or the treatment of other patients.
Research: Includes 'technological developments and demonstration, fundamental research, applied research, and privately funded research' (Preamble 159 of the GDPR).
In the Committee Act, health scientific research is defined as 'a project, which involves experiments on live-born human individuals, human gametes intended for use in fertilisation, human fertilised eggs, embryos and fetuses, tissue, cells and genetic components from humans, fetuses and the like, or deceased. This includes clinical trials with medical products on humans, and clinical trials of medical devices'.
Clinical trials: Means 'any investigation in human subjects intended to discover or verify the clinical, pharmacological and/or other pharmacodynamic effects of one or more investigational medicinal products and/or to identify any adverse reactions to one or more investigational medicinal products and/or to study the absorption, distribution, metabolism and excretion of one or more investigational medicinal products with the object of ascertaining their safety and/or efficacy' (the Clinical Trials Act).
Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes in which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data in relation to him or her (Article 4(11) of the GDPR).
The conditions for valid consent are clarified in Article 7 and preamble 32 of the GDPR. In short, consent can only be freely given, and thereby valid, if the data subject is offered a genuine choice when giving their consent for processing, and a refusal is not met with a disadvantage for the data subject.
There are specific requirements regarding informed consent in relation to health scientific research; these are further described under the section on Biobanking below.
Biobank: Danish legislation does not contain a legal definition of 'biobanks'. In general, it is recognised as a structured collection of human biological material that is available according to certain criteria and where information bound in the biological material can be attributed to individuals.
Medicinal product: Means 'any product that is presented as a suitable medicinal product for the treatment or prevention of diseases in humans or animals; may be used in or administered to humans or animals to recover, change or affect physiological functions by having a pharmacological, immunological and metabolic effect, or to make a medical diagnosis' (the Medicines Act).
Non-interventional studies: Means 'a study in which the medicinal product or medicinal products are prescribed pursuant to clinical practice and in accordance with the terms of the marketing authorisation. The prescription of the medicine is clearly separated from the decision to include the patient in the study' (the Clinical Trials Executive Order).
Currently, clinical research and clinical trials in Denmark are regulated by a number of acts, mainly the Clinical Trials Act, the Clinical Trials Executive Order, the Committee Act, the Medicines Act, the GDPR, and the Data Protection Act.
These acts are to a large extent, besides the GDPR and the Data Protection Act, based on Directive 2001/20/EC on Implementation of Good Clinical Practice in the Conduct of Clinical Trials on Medicinal Products for Human Use ('the EU Clinical Trial Directive') and Directive 2001/83/EU on the Community Code relating to Medicinal Products for Human Use ('the Medicinal Products Directive').
The EU has since adopted Regulation (EU) No 536/2014 of 16 April 2014 on Clinical Trials on Medicinal Products for Human Use, and Repealing Directive 2001/20/EC ('the Clinical Trials Regulation'), which entered into force in June 2014 and which will constitute a major change in how clinical trials are conducted within the EU. However, the application of the Clinical Trials Regulation is pending upon the development of a fully functional EU clinical trials portal and database known as the Clinical Trials Information System ('CTIS'), which has been postponed due to technical difficulties. The portal will be maintained by the European Medicines Agency ('EMA'). In brief, the Clinical Trials Regulation will require an application for a clinical trial to be submitted to the CTIS. After an application has been submitted to the CTIS, all communication between sponsors (i.e. the individual, institution, company, or organisation that is responsible for initiating, managing, or financing the clinical trial, but does not actually conduct the investigation) and the Member State(s) concerned will go through the CTIS. Each concerned Member State will grant permissions, announce conditions attached to the permissions, or deny permissions, in one single decision only. The CTIS went live on 31 January 2022.
The Clinical Trials Regulation foresees a three-year transition period. Member States will work in CTIS immediately after the system goes live. For one year, until 31 January 2023, applicants can still choose whether to submit their application to start a clinical trial according to the current system under the Clinical Trial Directive or according to the Clinical Trials Regulation. From 31 January 2023 onward, submission according to the Clinical Trials Regulation becomes mandatory and by 31 January 2025, all ongoing trials approved under the current Clinical Trials Directive will need to transition to the new Regulation and to the CTIS.
Notably, Danish-specific regulation will change upon the full application of the Clinical Trials Regulation.
All clinical trials in Denmark are registered in the European Clinical Trial Register ('EudraCT'). Before applying to the DMA, the applicant must order an EudraCT number. The EudraCT number is an identification number for the clinical trial, which applies throughout the EU. The number can be ordered here.
Clinical trials of medicinal products and application process
The sponsor is the applicant. Pursuant to the Medicines Act, the sponsor is the person, company, or institution which undertakes the responsibility for the initiation, management, and possibly the financing of a clinical trial. The sponsor may delegate the task of applying for authorisation for a clinical trial. In such cases, a document that confirms this relation must be submitted.
The sponsor or the sponsor's legal representative must have a permanent address in an EU/EEA country as required under Section 88(7) of the Medicines Act.
Companies, including Contract Research Organisations ('CROs') engaged in clinical trials of medicines in humans, can apply for authorisation of clinical trials and submit notifications about ongoing trials to the DMA via the DMA's access-controlled extranet DKMAnet.
Moreover, an application must be submitted to the DMA for authorisation to conduct clinical trials with medicinal products (Section 88(1) of the Medicines Act).
Clinical trials with medicinal products must only be conducted when the DMA has given its authorisation. Furthermore, trials of medicinal products in humans must be conducted in accordance with the Good Clinical Practice quality standards.
The application must be submitted by the organisation or person with overall responsibility for the trial, but it must always be a doctor or a dentist who is in contact with the participants in the trial.
The obligation to apply for an authorisation under the Medicines Act comprises all prospective trials in the clinical assessment of medicinal products.
The obligation to apply also extends to radiopharmaceuticals, herbal medicinal products, as well as strong vitamin and mineral preparations. The obligation to apply includes clinical trials carried out at one or more sites, whether in one or more Member States.
According to the Medicines Act, the obligation to apply for authorisation does not apply to non-interventional studies.
The assignment of the patient to a particular therapeutic strategy is not decided in advance by a trial protocol but falls within current practice. No additional diagnostic or monitoring procedures shall be applied to the patients and epidemiological methods shall be used for the analysis of collected data.
Some trials have the sole objective of studying the physiological mechanisms of the body, and in which the medicinal product is used as a tool to induce a physiological response. In this type of trial, the medicinal product is administered solely to induce a known and well-documented pharmacological response, which is necessary to study the body's physiology.
In trials where a medicinal product is used as a tool, the decisive factor is that the trial's objective is not to study the therapeutic, preventive, or diagnostic effects and safety of the medicinal product or to obtain new knowledge about the medicinal product's pharmacological effects.
Trials in which the medicinal product is used as a tool are not subject to the obligations in the Medicines Act. In cases where a medicinal product is only intended to be used as a tool and no marketing authorisation has been issued, or the medicinal product is not marketed, it is required that a compassionate use permit be obtained from the DMA before any study is initiated (Section 29 of the Medicines Act).
Clinical trials must also be notified to a Research Ethics Committee ('REC'). The REC primarily evaluates the ethical aspects of the trial as well as the information that is made available to the trial participants. The REC must authorise the trial as well.
As the GDPR is directly applicable in Danish law, the Data Protection Act only includes provisions that supplement the GDPR in areas where Member States, within the framework of the GDPR, are allowed to issue more detailed provisions, and areas where it is left to Member States to decide on specific issues.
The nature of clinical trials widely concerns the trial subject's health, genetic, and possibly biometric data, which are all viewed as special categories of personal data according to Article 9(1) of the GDPR. Processing of such data is permitted under certain circumstances laid out in the GDPR and the Data Protection Act.
The use of personal data and tissue samples for clinical trials and research purposes in Denmark is governed by a cluster of legal regulations. Apart from the GDPR and the Data Protection Act, the Health Act, the Committee Act, and a number of Executive Orders have an impact. Whereas the GDPR and the Data Protection Act apply to the processing of all kinds of personal data for any kind of research purpose, the two other acts specifically target data processing in the field of health purposes and clinical trials/health research. The three legal areas are interwoven and partly overlapping with regards to the data processing.
The specific character of the research project determines the legal regime. In this regard, it is necessary to distinguish between:
- research which involves participation of the research participant; and
- research exclusively based on already collected data or tissue samples.
In the first category, the legal regulation depends on whether a physical/psychological intervention is involved, or whether the project only involves surveys or interviews. In the second category, it has importance whether tissue samples are involved. Bioinformatic data based on genomic analyses of a tissue sample may also be covered by other special regulations.
As various laws are involved and have an impact on processing of personal data, it is necessary to establish how the GDPR and the Data Protection Act relate to provisions in other laws regulating the processing of personal data. According to the Data Protection Act, it does not apply if other laws give the data subject a higher level of data protection. All health research projects involving human research subjects or human tissue in biobanks must be authorised by a REC before they can commence (Article 14(1) of the Committee Act). In contrast, research based exclusively on personal data from health records or databases does not need, and cannot obtain, authorisation (Article 14(2) of the Committee Act).
The aim of the Committee Act is to ensure a balance between the interests and protection of research subjects and the interests of society and science. Its main focus, therefore, is on scientific quality, risk assessment, and respect for research participants' autonomy and right to self-determination. It is stressed that in balancing the respective interests, the priority should be given to the interests of the research participant. Data protection issues are not explicitly mentioned in the Committee Act, but they are part of the risk assessment, and they are also addressed in the Executive Order on Patient Consent and when transferring and obtaining health information which is issued with a legal basis in the Committee Act.
In situations where a research project includes research participants who will, as part of their participation, have their data collected (including data from health records) and maybe also tissue samples taken, the informed consent of the participant is mandatory. The Research Committee will ensure that the participant receives proper information about the aim of the collection of data/tissue, the predicted future use, and the storage period, and will also make an ethical assessment of the general framework for the sample collection. In this situation, the research participant has stronger protection of the right to determine the use of data for research purposes than what follows from the Data Protection Act, by virtue of the informed consent requirement under the Committee Act.
Other issues related to the processing of the data collected as part of the research project are, however, governed by the provisions in the GDPR and the Data Protection Act, and the processing of personal data must be in accordance with the said data protection regulation, including the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, and storage limitation (Article 5 of the GDPR).
If the research participant is a patient, and where research participation is part of the treatment, there may be additional requirements regarding e.g. information provided to the research participant based on the rules of informed consent stipulated in the Health Act. Research based on identifiable tissue samples from a biobank is also subject to the requirement of prior authorisation from a REC. The normal rules of the Committee Act apply to biobank research projects, which imply that the tissue donor's informed consent is required.
However, with regard to biobank research, the Committee Act provides for derogations from this legal principle, and the REC may decide to make an exception, provided the project does not pose any risks or if it would be impossible or disproportionately difficult to obtain consent or proxy consent. In situations where the REC decides to make an exemption from the informed consent requirement, the data subject/research participant is in the situation stipulated under Article 10 of the Data Protection Act, regarding processing of data for research purposes, which can take place without the consent of the data subject provided that the data is not used for purposes other than research. Accordingly, in this situation, the REC will make an assessment of the ethical aspects of the research projects, which will normally also include data protection concerns, before an authorisation is granted.
Finally, research projects which are exclusively based on personal data stored in databases or patient records fall outside the scope of the Committee Act. Such projects are subject to the GDPR, the Data Protection Act, and the Health Act.
According to Article 46 of the Health Act, the authorities (regional councils in one of the five Danish regions) must approve disclosure of information in patient records for research purposes if the research project has not obtained an authorisation from a REC. It is a condition that the project has a significant societal interest, and the regional councils can lay down further conditions for the processing of the data. It is furthermore a condition that the data subject can only be contacted with the permission of the health care professional who has provided the treatment. Finally, the data may only be processed for scientific purposes, and any publication of the data must ensure that the data subject is not identifiable.
Personal data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. When it is no longer necessary for the researcher to store the personal data, the data must be erased or anonymised in a way that precludes the identification of individuals.
There is no specific retention period for personal data collected in a clinical trial for scientific purposes other than the ones defined by the clinical trial protocol.
With regard to health records of patients, the Executive Order on Patient Records requires that doctors, dentists, chiropractors, midwives, clinical nutritionists, clinical dental technicians, and dental assistants keep health records stored for a minimum period of ten years after the last recording in the record (Article 35(1) of the Executive Order on Patient Records). The storage period is normally five years for health records kept by other healthcare professionals (Article 35(2) of the Executive Order on Patient Records). If such other healthcare professionals share records with healthcare professionals as mentioned in Article 35(1), the record must be stored for ten years.
Personal data concerning health that is collected in a clinical context is protected by professional secrecy. However, this does not prevent the use of health data for research purposes. Depending on the context, the researcher may have an obligation to observe professional secrecy when the research project is carried out on patients who receive care as research participants. In other situations, there is no professional secrecy applicable to researchers as such. Researchers who are public employees are bound by professional secrecy due to their employment status, whereas this is not the case in the private sector. Where the researcher is not under an obligation to respect a special duty of professional secrecy, the general rules in the Criminal Code on protection of privacy and the Data Protection Act are applicable.
In some situations, it is mandatory to obtain explicit consent from the data subject. This is the case when the data subject is taking part in a research project, and data or tissue samples are collected as part of the research project. The data can either have been collected previously (data stored in, for example, patient records) or be collected directly for the research purpose. This is governed by the Committee Act. In research projects based on tissue samples in biobanks, the RECs will often make an exemption from the requirement of obtaining explicit consent. However, in this situation Article 29 of the Health Act entitles patients to opt out with regard to further use of tissue samples for scientific purposes. To opt out, patients must register in a special registry: the 'Use of Tissue Registry' (Vævsanvendelsesregisteret).
With regard to the use of data from minors or persons under guardianship, it is also necessary to distinguish between situations where the research participant is taking part in a research project in which data or tissue samples are collected as part of the research project, and situations where research is based on data or tissue stored in health records, databases, or biobanks. According to Articles 4 to 7 of the Committee Act, explicit informed consent from the guardian is required, and in the case of minors at the age of 15 years or older, explicit consent from the minor is also required. The same rules apply to biobank research, unless the REC decides to make an exemption from the consent requirement under Article 10 of the Committee Act. In this case, no consent is needed.
According to Article 10 of the Data Protection Act, there is no consent requirement in situations where a research project is based on data in health records and databases.
Notification to authorities
Following the introduction of the GDPR and the Data Protection Act, there is no longer an obligation to notify the Datatilsynet before a research project is initiated.
However, all public research projects where personal data is processed and the Danish regions are data controller(s) must continue to be notified to and approved by the region(s). This requirement serves to meet the GDPR requirement that the data controller maintain an internal record of all processing of personal data that takes place in the organisation.
A research project is considered public when it is carried out under the auspices of the individual Danish region(s), and with the use of the region's resources (PCs, servers, man-hours, etc.). The notification must be made to the unit or contact person who manages the notification in the region where the research is performed. If the research is carried out in several regions, it must be notified in the region where the sponsor is employed.
It is the responsibility of the data controller that the research is notified to the regions. In public research projects, the individual region is a data controller, but the sponsor is responsible for the project being notified.
The data controller for a research project must, as a general rule, comply with the general data protection rules and is responsible for demonstrating that personal data is processed in accordance with these.
2.3. Data obtained from third parties
Furthermore, processing for a purpose other than that for which the personal data has been collected is governed by Article 6(4) of the GDPR. In particular, this Article tries to address how to measure whether or not the purpose of the further processing is 'compatible'.
This is particularly relevant to data obtained from third parties or in relation to the use of big data. Article 6(4) of the GDPR establishes a test to measure such compatibility. If the legal basis for the processing of data is based on the data subject's consent (e.g. Article 6(1)(a) or Article 9(2)(a) of the GDPR), the assessment of compatibility will rely on an interpretation of the scope of the consent. Where processing is based on a legal basis in the EU or Member State law, the compatibility assessment relies on an interpretation of the legal basis. Where the processing is not based on the data subject's consent, or the EU or Member State law, but on another legal basis, the controller will ascertain the compatibility of the purpose of processing with the initial purpose stated during the data collection. To do so, the data controller must take several elements into account, in particular:
- any link between the initial purpose and the further purpose of processing;
- the context of the collection and the relation between the data subject and the controller; and
- the nature of the data, in particular if it is considered to be sensitive data under Article 9 of the GDPR.
The data controller must also consider the possible consequence of further processing for the data subject and the existence of appropriate safeguards. If the result of the test is positive for the data controller and shows none of the elements have been significantly altered to make the further processing unfair or illicit, no further legal basis is necessary for further processing. If this is not the case, then further processing will have to rely on a separate legal basis. If this test is successfully met, then further processing is possible. However, it will be up to the data controller to demonstrate the compatibility of the purposes.
The primary piece of legislation governing medicinal products in Denmark is the Medicines Act, which implements various EU legislation, including the Medicinal Products Directive. The Medicines Act is supplemented by numerous executive orders and guidelines governing various aspects of medicinal products, including manufacturing, distribution, sales, and advertising. Further, the Clinical Trials Act implements, among others, the Clinical Trials Regulation.
There are four different procedures for obtaining marketing authorisation for medicinal products in Denmark:
- the centralised procedure - where the application is submitted to the European Medicines Agency ('EMA') and the medicinal product is authorised by the European Commission in the entire EU simultaneously. This procedure is mandatory for certain kinds of medicinal products, including biological medicinal products;
- the decentralised procedure - where companies can apply for authorisation in more than one EU or EEA country. One country is chosen as the 'reference Member State' and will be responsible for the procedure and the scientific evaluation of the application;
- the mutual recognition procedure - where marketing authorisation has already been obtained in another EU or EEA Member State and this authorisation forms the basis for authorisation in another EU or EEA country; and
- the national procedure - where the application is submitted to the DMA, which authorises the medicinal product to be marketed solely on the Danish market.
When a marketing authorisation for medicinal products has been granted, there are a number of post-market monitoring mechanisms that must be in place to ensure the ongoing safety and efficacy of the medicinal products. A marketing authorisation holder must operate a pharmacovigilance system to:
- monitor medicinal product safety;
- assess the possibilities for mitigating risks; and
- take appropriate measures.
This entails appointing a qualified person responsible for pharmacovigilance who must meet certain requirements with regard to education and qualification. Among others, the marketing authorisation holder must:
- keep a detailed description of the applied pharmacovigilance system (pharmacovigilance system master file) and on request make a copy of such description available to the DMA;
- keep records of suspected adverse reactions and make these available to the DMA;
- electronically report information on suspected serious adverse reactions to the EMA's database for adverse reactions within 15 days of receiving the knowledge of such suspected reaction;
- electronically report information on suspected non-serious adverse reactions to the EMA's database for adverse reactions within 90 days of receiving the knowledge of such suspected reaction; and
- prepare and submit periodic safety update reports to the DMA.
In general, the GDPR and the Data Protection Act are applicable to the processing of personal data in connection with conducting safety monitoring.
In contrast to several other countries, there is no special biobank legislation in Denmark. The regulation of biobank research relies on a cluster of acts, which include the Committee Act, the Data Protection Act, and the Health Act.
In order better to understand how the different pieces of legislation interact, it is important to know how tissue samples are collected, and how they can end up in biobank research. Most tissue samples are collected when patients seek diagnosis and treatment from healthcare service providers. The right of self-determination is an important patients' right in Denmark, and collecting tissue samples will normally require the patient's informed consent, as it involves an intrusion of the body (Section 15 and Section 16 of the Health Act).
The general provision regarding informed consent is concerned with consent to treatment and medical interventions and does not automatically imply a duty to inform the individual patient about the storage and possible future use of tissue samples. However, it is considered to be part of a general administrative service obligation owed to patients to provide general information for example in a general patient information leaflet. Patients' right to self-determination in relation to stored samples is also recognised in Section 29 of the Health Act, which entitles patients to opt-out with regards to the further use of samples, obtained in a clinical setting, for research purposes. This can be done by signing up to a special 'Use of Tissue Register'. There is no obligation to provide individual information to patients about the Use of Tissue Register, but it is expected that general information about the register is available, e.g. in a general patient leaflet. Further, it imposes a duty on biobanks to ensure that samples are not handed over for research purposes, when patients have registered in the Use of Tissue Register.
Another important setting for the collection of tissue samples is research projects, where tissue samples are taken from individuals who participate in a research project. The rights of research participants follow from the Committee Act, and participants must provide written, informed consent to research participation and to the interventions involved in the participation, and they must be provided with proper and comprehensive information about the project including the purpose of the collection of tissue, the predicted future use, and the storage period, prior to consenting. Consequently, in this situation, specific consent is required for both collection, storage, and further use of tissue samples. Tissue samples are also increasingly being collected outside the context of a specific research project, and the tissue samples can be used for unspecified future research projects. Collection for this purpose is taking place in both clinical and research settings, in which patients are asked to donate surplus samples to be stored specifically for future research. The Danish legislation on research ethics review of health research projects (only available in Danish here) does not apply in this situation, as it is restricted to assessing actual research projects. However, the collection of samples for those biobanks must comply with the provisions in the Health Act and in the Data Protection Act regarding informed consent.
In addition to the Health Act and the Committee Act, the Data Protection Act and the GDPR also have an impact on the collection of tissue samples. The Data Protection Act supplements the GDPR in areas where there is room for national discretion.
When the predecessor to the Data Protection Act came into force in the year 2000, it was debated and decided that tissue samples, which could be related to an identifiable person, should be considered as personal data under such law. The current Data Protection Act does not explicitly state, in the Act or the preparatory work, whether it generally applies to the processing of human tissue samples or not. However, the Data Protection Act has a specific provision concerned with the processing of tissue samples (Section 10(3) of the Data Protection Act). Accordingly, it is the general view that the current Data Protection Act applies to processing (e.g. collection and storage) of tissue samples which can be related to an identifiable person. Collection and storage of tissue samples in healthcare services are authorised by Section 7(3) of the Data Protection Act, which stipulates that processing of data covered by Article 9(1) of the GDPR can take place if the processing is '…necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment, or the management of medical and healthcare services, and where those data are processed by a health professional subject under the law to the obligation of professional secrecy' (please also refer to the description in the section on Data Management below with regard to the limitation of Article 9 in Danish law). This implies that no explicit consent is needed for the collection and storage of samples. However, there is an obligation to inform the individual about the collection and storage of the data.
In summary, the collection of tissue samples will always require informed consent from the patient/research participant. The storage of samples in a biobank requires informed consent when samples are collected in a research project, whereas samples collected in a clinical context can be stored without consent. However, in certain situations, a patient has a right to retrieve the samples or demand their destruction according to the Health Act. Research participants are entitled to comprehensive information, including information regarding the storage of samples and the storage period. Patients are not entitled to this information according to the Health Act, but the GDPR requires that such information should be provided to all data subjects.
There is no complete register of all biobanks in Denmark; however, the Danish Biobank Register provides researchers with an overview of biological material in biobanks participating in the initiative.
The obligations and responsibilities regarding data management are governed by the GDPR. The data controller must always adhere to the principles set out under Article 5 of the GDPR when processing personal data.
Article 6 of the GDPR provides the requirements for handling data in a lawful manner. In addition, Article 9 of the GDPR provides further requirements for handling special categories of personal data in a lawful manner.
Most personal information regarding health and pharmaceuticals will fall under the special categories of personal data in Article 9 of the GDPR. Processing of such data is only permitted under certain circumstances laid out in Article 9(2)(a) to (j) of the GDPR. In Denmark, the scope of Article 9(2) of the GDPR has been limited further by the Data Protection Act.
Most notably, Article 9(2)(h) of the GDPR sets out circumstances under which health professionals can process special categories of personal data. This legal basis has also been limited, and under Danish law, it only includes preventive disease control, medical diagnosis, nursing or patient care, and management of medical and health services.
In addition, it is provided in both the GDPR and the Data Protection Act that processing, sharing, and disclosure in the above-mentioned instances, can only be carried out by medical professionals who are subject to confidentiality by law.
Furthermore, and as described above, when providing care for patients, health records for each patient must be kept in accordance with the Executive Order on Patient Records.
According to the Health Act, health professionals may pass on information to other health professionals about the patients' health condition and other confidential information in connection with the treatment of the patient. This can happen with the consent of the patient or under the circumstances set out under Section 41 of the Health Act, including in situations where healthcare personnel are participating in the care provided to the patient, or for any other reason where the information is needed to be able to conduct their work.
Personal data must not be kept in a form that permits identification of the data subject for a longer period of time than necessary for the purpose for which the personal data is processed. How long such a period will be depends on the circumstances.
Article 32 of the GDPR provides that the data controller (and when relevant, the data processor) shall implement the appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, must be taken into account when determining what 'appropriate technical and organisational measures' are.
Article 32(1)(a) to (d) of the GDPR gives examples of measures that can be taken; this is, however, not a complete list:
- the pseudonymisation and encryption of personal data;
- the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Overall, the processing of personal data within healthcare must be organised so that it ensures patient safety and respects patients' and other data subjects' integrity and freedoms.
According to Article 37(1)(c) of the GDPR, a data protection officer ('DPO') must be designated when special categories of personal data are processed on a large scale. The DPO shall be designated based on professional qualities and, in particular, expert knowledge of data protection law and practice, and the ability to fulfil the tasks set out under Article 39 of the GDPR.
Article 28 of the GDPR provides general requirements for outsourcing to a data processor. According to Article 28(1) of the GDPR, a data controller may only use a data processor who guarantees to implement the appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR and ensure the protection of data subjects' rights. If the processor adheres to an approved code of conduct or an approved certification mechanism, this may be used as an element to demonstrate compliance with these obligations.
The data controller and the data processor must enter into a contract or other legal act under EU or Member State law, that is binding on the processor with regard to the data controller. The contract or other legal act must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the data controller. Article 28(3)(a) to (h) of the GDPR lists the obligations of the data processor, which must be included in the contract or legal act between the parties.
The data processor is not allowed to engage a sub-processor without the prior specific or general written consent of the controller. In the case of general written consent, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes (Article 28(2) of the GDPR).
Since all EU Member States are obliged to follow the GDPR, the transfer of data within the EU must adhere to the principles and rules of the GDPR, consequently ensuring the protection of privacy rights for data subjects. The GDPR restricts the transfer of personal data outside of the EU/EEA. Personal data can only be transferred outside of the EU/EEA to third countries or international organisations if the conditions for transfer set out in Chapter V of the GDPR (Articles 44 to 50) are complied with.
Please note that special data transfer requirements apply in connection with research projects covered under Article 10(1) and (2) of the Data Protection Act where special categories of data may be processed for the sole reason of statistical and scientific purposes. There are further restrictions to secure purpose limitation, as well as restricting disclosure to other parties.
The Datatilsynet's prior approval will be required for data transfers in the following three cases:
- when the transfer takes place for processing outside the territorial scope of the GDPR, for example to the US;
- when transferring biological material, for example blood or tissue samples (the material in itself and not personal data generated on the basis of the biological material); and
- when the transfer is made for the purpose of publishing information in recognised scientific journals or the like.
In cases where the Datatilsynet's prior authorisation must be obtained, the Executive Order will be supplemented by the special conditions laid down by the Datatilsynet in the authorisation.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, the data controller must notify the supervisory authority within 72 hours, in accordance with Article 33 of the GDPR. The report must be filed online. It is possible to find further details of how to file such a report on the Datatilsynet's website.
Article 33 of the GDPR also provides the data controller with a list of information, which the report must include, such as estimated number of data subjects affected and a description of the likely consequences of the breach.
If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must also notify the data subject without undue delay (Article 34 of the GDPR). This will be the case in most situations where the relevant data is health data.
The Datatilsynet has issued a guideline for data controllers regarding the handling of data breaches (only available in Danish here).
9. Data Subject Rights
The rights of data subjects are primarily regulated by the GDPR and they include:
- Article 15: the right to access;
- Article 16: the right to rectification;
- Article 17: the right to erasure;
- Article 18: the right to restriction of processing;
- Article 20: the right to data portability;
- Article 21: the right to object to processing; and
- Article 77: the right to lodge a complaint with a supervisory authority.
According to Chapter 8 of the Health Act, a patient can request their own patient records, and this access must be granted. The legal guardian of a minor can request the patient records of the minor, but the access can be limited when this is deemed to be in the best interest of the minor.
In Denmark, deceased persons are protected by the GDPR until ten years after their death. However, a healthcare professional can and must, upon request, give information about a deceased patient's course of illness, cause of death, and manner of death to the deceased's next of kin, the deceased's general practitioner, and the doctor of the deceased, unless this goes against the wishes of the deceased or other private interests.
Breach of an organisation's duties under the GDPR may result in administrative fines up to €20 million or 4% of the company's annual global turnover, whichever is higher.
Article 83 of the GDPR provides information on which kind of breaches may result in fines.
Article 83(1) of the GDPR provides that the supervisory authority may issue administrative fines within the established framework for the size of these fines, and that the fines may then be brought before the courts.
The judicial system of Denmark is composed of a mostly unified, three-tiered court system, with the County Court in the first instance, the High Court in the second instance, and the Supreme Court in the third and last instance. Due to the Danish constitution, it is the courts that set the fines. This also raises the question of who is competent to issue fines.
In the Data Protection Act, competence is given to the Datatilsynet under some circumstances. The Datatilsynet may issue an administrative fine in cases where the data controller or the data processor plead guilty, and where the case is not complicated, and there are no evidential problems. It is also a requirement that there is enough case law from the courts so that the level of fines has been established (which is not the case currently). Under any other circumstances, breaches under the GDPR are sent to the police with a suggested fine. The prosecution will then build a case against the defendant, and the proceedings will be decided by the courts under the general rules of criminal procedures pursuant to the Danish Administration of Justice Act.
The Datatilsynet has issued guidelines on how it evaluates breaches and calculates the size of the fines in relation to Article 83 of the GDPR (only available in Danish here). Currently, several court cases are awaiting trial, and the levels of the fines in the court system compared to the fines suggested by the Datatilsynet are eagerly awaited.
11. Other Areas of Interest
The use of telemedicine in both diagnostics and treatment by a health professional or specialist who is not present is regulated by the GDPR. Consequently, the responsible data controller must ensure that the processing is aligned with the provisions of the GDPR and the Data Protection Act.
All patients in Denmark have digital access to their personal health data through their health records available on the public website sundhed.dk. The patient can access information regarding the following:
- their own doctor, e.g. contact information;
- medicine prescribed by their doctor and/or bought at the pharmacy;
- their records from the hospital;
- their entries in the donor register;
- their living will;
- laboratory results;
- allergies; and
- referrals written by their own doctor.
Each region is the data controller for the data it provides to the digital health record; however, the Region of Northern Jutland acts as a system administrator.
It is worth noting that Denmark is a highly digitised nation, also in regard to health and pharmaceuticals. As a result of this, the Data Protection Act provides that the Ministry of Justice can decide that an IT system that contains personal data shall not be outsourced to another country, not even within the EU.
Operators of digital healthcare services and platforms must meet security requirements and this is done through certification by the organisation MedCom. MedCom is responsible for the healthcare sector's communication standards and is a non-profit collaboration between authorities, organisations, and private companies affiliated with the Danish healthcare sector.
Another result of the digitisation is that researchers have easy access to health data, as it is possible to apply for access through 'Forskerservice' (roughly translated to 'Scientist Service'), which is administered by the authority Statistics Denmark.
The DMA is the administrative and supervisory authority regarding medical devices in Denmark. They administer the legislation regarding medical devices. Denmark has implemented the EU directives on medical devices. This has been done through the Medical Equipment Act and the associated executive orders.
The Executive Order (2021-04-29, no. 957) on Medical Devices (only available in Danish here) provides that medical devices must be CE marked. CE marking shows that the equipment complies with the applicable EU legislation.
In addition, manufacturers, importers, and distributors of medical devices, as well as healthcare professionals, are obligated to report serious incidents and accidents involving medical devices to the DMA (please also refer to the section on Pharmacovigilance above).